Disclosure of Invention
The invention aims to solve the problem that traditional network attack detection methods have a high operation and maintenance processing cost.
The invention is realized by the following technical scheme:
a network attack warning method comprises the following steps:
detecting whether a target host is attacked by a network or not and determining the attack type of the network attack;
if the target host is attacked by the network, detecting whether the network attack is successful and determining attack action of the successful network attack;
and if the network attack is successful, generating first alarm information comprising the attack type of the network attack and the attack action of the network attack, otherwise, generating second alarm information comprising the attack type of the network attack.
Optionally, the detecting whether the target host is under a network attack and determining an attack type of the network attack includes:
collecting network data of the target host;
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Optionally, the extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
Optionally, before importing the features to be detected into the pre-established artificial intelligence model, the method further includes:
establishing the artificial intelligence model.
Optionally, the establishing the artificial intelligence model includes:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the collecting model training data includes:
collecting one or more of attack data disclosed on the Internet, vulnerability data disclosed on the Internet, attack data collected by the target host and vulnerability data collected by the target host.
Optionally, the performing model training according to the training sample includes:
performing model training according to the training sample by adopting a naive Bayes algorithm.
Optionally, the detecting whether the network attack is successful includes:
extracting features to be compared from the network data corresponding to the network attack;
comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
and if the features to be compared are matched with the attack response rule, judging that the network attack is successful.
Optionally, the extracting the features to be compared from the network data corresponding to the network attack includes:
extracting second response data from the network data, wherein the second response data is used for the target host to answer the request service;
and extracting the features to be compared from the second response data.
Optionally, the extracting the features to be compared from the network data corresponding to the network attack includes:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
Optionally, before comparing the features to be compared with more than one attack response rule, the method further includes:
establishing a feature library including the one or more attack response rules.
Optionally, the establishing a feature library including the one or more attack response rules includes:
creating a database;
extracting, correspondingly, more than one attack response characteristic from more than one piece of first response data;
describing each attack response characteristic in a deterministic manner to form more than one attack response rule;
and storing the more than one attack response rule in the database to obtain the feature library.
Optionally, the feature library includes N sub-feature libraries, where N is an integer not less than 2, and the establishing the feature library including the one or more attack response rules includes:
creating N databases;
extracting, correspondingly, more than two attack response characteristics from more than two pieces of first response data;
describing each attack response characteristic in a deterministic manner to form more than two attack response rules;
and storing those of the more than two attack response rules that belong to the same attack type in the same database to obtain the sub-feature libraries.
Optionally, the comparing the features to be compared with more than one attack response rule includes:
comparing the features to be compared with more than one attack response rule in the sub-feature library corresponding to the attack type of the network attack.
Optionally, the performing deterministic description on each attack response characteristic includes:
describing each attack response characteristic in a deterministic manner by adopting a regular expression.
Optionally, before comparing the features to be compared with more than one attack response rule, the method further includes:
establishing an incidence relation between each attack response rule and an attack action;
and the determining the attack action of the successful network attack includes:
determining, according to the incidence relation between each attack response rule and the attack action, the attack action corresponding to the attack response rule matched by the feature to be compared as the attack action of the successful network attack.
Optionally, after generating the first alarm information or the second alarm information, the method further includes:
sending the first alarm information or the second alarm information to a network manager through one or more of mail, short message, dialog box and instant messaging.
Optionally, after generating the first warning information or the second warning information, the method further includes:
adding a corresponding attack chain tag to the first alarm information or the second alarm information according to the alarm content, wherein the attack chain tag is used for representing an attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
Optionally, the adding a corresponding attack chain tag to the first alarm information or the second alarm information according to the alarm content includes:
determining, according to the alarm content, the attack chain tag corresponding to the first alarm information or the second alarm information from a pre-established tag library.
Optionally, the attack chain tag includes more than two levels, and the adding a corresponding attack chain tag to the first alarm information or the second alarm information according to the alarm content includes:
determining, according to the alarm content, each level of tag corresponding to the first alarm information or the second alarm information from a pre-established tag library, wherein M attack chain tags are stored in the tag library, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Optionally, the attack route information further includes the start and end times of each attack stage, and after the attack route information is generated according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the method further includes:
displaying the attack route information in the order of the start time of each attack stage.
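The tagging and counting steps above (adding attack chain tags from a multi-level tag library, counting the tags of one attack event per stage, and ordering the stages by start time) can be illustrated with the following Python example. It is added here and is not part of the patent, which contains no code. The tag library, its stage names and the alarm records are constructed assumptions; the patent only requires that the library hold M > 4 tags on more than two levels and that tags are chosen from the alarm content.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class Alarm:
    """Alarm information as described in the text: a "first" alarm carries
    the attack action of a successful attack, a "second" alarm only the type."""
    event_id: str
    time: datetime
    kind: str                        # "first" (attack succeeded) or "second"
    attack_type: str
    attack_action: Optional[str] = None

# Constructed two-level tag library (assumption): level 1 is the attack-chain
# stage, level 2 a finer tag. Alarm content (here the attack type) selects the
# tags; five entries satisfy the "M > 4 tags, more than two levels" condition.
TAG_LIBRARY = {
    "port scan":   ("reconnaissance", "network scanning"),
    "sqli":        ("exploitation", "injection"),
    "xss":         ("exploitation", "injection"),
    "webshell":    ("installation", "web shell"),
    "data export": ("actions on objectives", "exfiltration"),
}

@dataclass
class StageSummary:
    """Counts for one attack stage of one attack event."""
    stage: str
    start: datetime
    end: datetime
    total: int = 0                   # total number of network attacks
    successful: int = 0              # number of successful network attacks
    actions: List[str] = field(default_factory=list)  # actions of successful attacks

def add_tags(alarm: Alarm):
    """Look up each level of tag for an alarm from the tag library."""
    return TAG_LIBRARY.get(alarm.attack_type, ("unknown", "unclassified"))

def attack_route(alarms: List[Alarm], event_id: str) -> List[StageSummary]:
    """Count the level-1 tags of all alarms belonging to one attack event and
    return the attack route information ordered by each stage's start time."""
    stages = {}
    for alarm in sorted((a for a in alarms if a.event_id == event_id), key=lambda a: a.time):
        stage, _level2 = add_tags(alarm)
        summary = stages.setdefault(stage, StageSummary(stage, alarm.time, alarm.time))
        summary.total += 1
        summary.end = alarm.time     # alarms are time-ordered, so last seen is the end
        if alarm.kind == "first":
            summary.successful += 1
            summary.actions.append(alarm.attack_action)
    return sorted(stages.values(), key=lambda s: s.start)

# Constructed alarm records for two attack events.
ALARMS = [
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 0), "second", "port scan"),
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 2), "second", "port scan"),
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 10), "second", "xss"),
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 12), "second", "sqli"),
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 15), "first", "sqli", "database error message disclosed"),
    Alarm("EVT-1", datetime(2024, 5, 1, 10, 40), "first", "data export", "bulk record download"),
    Alarm("EVT-2", datetime(2024, 5, 1, 10, 5), "second", "sqli"),   # a different event
]

if __name__ == "__main__":
    for s in attack_route(ALARMS, "EVT-1"):
        print(f"{s.start:%H:%M}-{s.end:%H:%M} {s.stage}: {s.total} attacks, "
              f"{s.successful} successful, actions={s.actions}")
```

Only alarms of the requested event are counted, so the EVT-2 alarm does not appear in the EVT-1 route; a stage's start and end times are the first and last alarm carrying that stage's tag.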
Based on the same inventive concept, the invention also provides a network attack warning system, which comprises:
a first detection module, used for detecting whether a target host is under a network attack and determining the attack type of the network attack;
the second detection module is used for detecting whether the network attack is successful or not and determining the attack action of the successful network attack when the target host machine is attacked by the network attack;
and the alarm information generation module is used for generating first alarm information comprising the attack type of the network attack and the attack action of the network attack when the network attack is successful, and otherwise, generating second alarm information comprising the attack type of the network attack.
Optionally, the first detecting module includes:
the acquisition module is used for acquiring the network data of the target host;
the first extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Optionally, the first extraction module includes:
a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the second extraction unit is used for extracting the features to be detected from the request data.
Optionally, the network attack warning system further includes:
a model creating module, used for establishing the artificial intelligence model before the features to be detected are imported into the pre-established artificial intelligence model.
Optionally, the model creating module includes:
the collection module is used for collecting model training data;
the second extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data includes one or more combinations of attack data published by the internet, vulnerability data published by the internet, attack data collected by the target host, and vulnerability data collected by the target host.
Optionally, the training module is a naive Bayes algorithm module.
Optionally, the second detecting module includes:
the third extraction module is used for extracting the features to be compared from the network data corresponding to the network attack;
the comparison module is used for comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule;
and the attack action determining module is used for determining the attack action of the successful network attack.
Optionally, the third extraction module includes:
a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service;
and the fourth extraction unit is used for extracting the features to be compared from the second response data.
Optionally, the third extraction module includes:
a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
Optionally, the network attack warning system further includes:
a feature library creating module, used for creating a feature library containing more than one attack response rule before the features to be compared are compared with the more than one attack response rule.
Optionally, the feature library creating module includes:
the database creating module is used for creating a database;
the fourth extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule;
and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
Optionally, the feature library includes N sub-feature libraries, where N is an integer not less than 2, and the feature library creating module includes:
the database creating module is used for creating N databases;
the fourth extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules;
and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
Optionally, the comparison module is configured to compare the feature to be compared with one or more attack response rules in a sub-feature library corresponding to the attack type of the network attack.
Optionally, the rule forming module is a regular expression writing module.
Optionally, the network attack warning system further includes:
the incidence relation establishing module is used for establishing the incidence relation between each attack response rule and the attack action before the characteristics to be compared are compared with more than one attack response rule;
and the attack action determining module is used for determining the attack action corresponding to the attack response rule matched with the feature to be compared as the attack action of the successful network attack according to the incidence relation between each attack response rule and the attack action.
Optionally, the network attack warning system further includes:
a sending module, used for sending the first alarm information or the second alarm information to a network manager through one or more of mail, short message, dialog box and instant messaging after the first alarm information or the second alarm information is generated.
Optionally, the network attack warning system further includes:
a tag adding module, configured to add, after the first alarm information or the second alarm information is generated, a corresponding attack chain tag to the first alarm information or the second alarm information according to alarm content, where the attack chain tag is used to represent an attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
Optionally, the tag adding module is configured to determine, according to the alarm content, an attack chain tag corresponding to the first alarm information or the second alarm information from a pre-established tag library.
Optionally, the attack chain tag includes more than two levels, and the tag adding module is configured to determine, according to the alarm content, each level of tag corresponding to the first alarm information or the second alarm information from a pre-established tag library, where the tag library stores M attack chain tags, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Optionally, the attack route information further includes the start and end times of each attack stage, and the network attack warning system further includes:
a display module, used for displaying the attack route information in the order of the start time of each attack stage after the attack route information is generated according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the above network attack warning method.
Based on the same inventive concept, the invention also provides computer equipment which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the network attack warning method.
Compared with the prior art, the invention has the following advantages and beneficial effects:
the network attack warning method and the system provided by the invention firstly detect whether a target host computer is attacked by a network and determine the attack type of the network attack; when the target host is detected to be attacked by the network, whether the network attack is successful or not is detected, and attack action of the successful network attack is determined, so that first alarm information comprising the attack type of the network attack and the attack action of the network attack is generated or second alarm information comprising the attack type of the network attack is generated according to whether the network attack is successful or not. By the network attack warning method and the network attack warning system, successful network attacks can be screened out, so that network management personnel can know which types of network attacks the target host computer suffers and can also know the specific attack actions of the successful network attacks, effective network attack information is provided for the network management personnel, operation and maintenance efficiency can be improved, and real bugs can be found.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
The present embodiment provides a network attack warning method, and fig. 1 is a schematic flow diagram of the network attack warning method, where the network attack warning method includes:
step S11, detecting whether the target host computer is attacked by the network and determining the attack type of the network attack;
step S12, if the target host computer is attacked by the network attack, detecting whether the network attack is successful and determining the attack action of the successful network attack;
step S13, if the network attack is successful, generating first warning information including the attack type of the network attack and the attack action of the network attack, otherwise, generating second warning information including the attack type of the network attack.
The target host may be a server providing various services, a personal computer capable of implementing specific functions, or other network devices capable of providing network services. The target host may receive request data sent by the terminal device and used for initiating a request service to the target host, perform corresponding data processing according to the request data to obtain second response data, that is, the second response data is used for the target host to respond to the request service, and feed back the second response data to the terminal device. The terminal device may be various electronic devices having a display function and supporting an interactive function, including but not limited to a smart phone, a tablet computer, a personal computer, a desktop computer, and the like. In a specific application scenario of the present invention for detecting a network attack, an attacker who initiates the network attack is usually a user who maliciously sends a large amount of data requests. The terminal device utilized by the attacker may be an electronic device with powerful computing functions, and may even be a server.
And detecting whether the target host is under network attack or not, wherein a traditional network attack detection method can be adopted. In consideration of the defects of high false negative rate and poor flexibility of the conventional network attack detection method, the embodiment provides a specific method for detecting whether the target host is attacked by the network attack. Fig. 2 is a schematic flowchart of a process for detecting whether the target host is under a network attack, where the detecting whether the target host is under a network attack includes:
step S21, collecting the network data of the target host;
step S22, extracting the features to be detected from the network data;
step S23, the features to be detected are imported into a pre-established artificial intelligence model, the features to be detected are classified through the artificial intelligence model, and whether the target host is attacked by the network and the attack type of the network attack are determined according to the classification result.
Specifically, the network data of the target host may be acquired by network sniffing or by network port mirroring. In the network sniffing mode, the network card of the target host is set to promiscuous mode and the network data of the target host is captured by calling a packet capture tool. In the port mirroring mode, the traffic of the target host's port is mapped to another port and copied in real time, so as to obtain the network data of the target host. Of course, the specific manner of collecting the network data of the target host is not limited to these two, and this embodiment does not limit it.
And after the network data are collected, extracting the features to be detected from the network data. The network data includes the request data and the second response data, and as described above, the request data is used to initiate a request service to the target host, and is data sent to the target host by a terminal device; the second response data is used for the target host to answer the request service, and is data sent by the target host to the terminal device. The feature to be detected may be obtained by directly extracting the feature of the request data from the network data, or may be obtained by extracting the request data from the network data first and then extracting the feature to be detected from the request data, which is not limited in this embodiment. The characteristics to be detected can comprise one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the features to be detected can be flexibly set according to actual situations, and this embodiment does not limit this.
The structure of the request data differs with the transmission protocol used between the target host and the terminal device; such protocols include, but are not limited to, the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Taking an HTTP request as an example, the request data has three parts: a request line, consisting of a method (e.g. POST), a Uniform Resource Identifier (URI) and a protocol version (e.g. HTTP/1.1); a request header, which informs the target host about the request, including but not limited to the type of browser that made the request, the list of content types the terminal device can accept and the name of the requested host; and a request body. After the network data is collected, each field in the HTTP request header is parsed and the field contents that need to be detected are located, i.e. the features to be detected are extracted.
After the features to be detected are obtained, they are imported into a pre-established artificial intelligence model, which classifies them to obtain a classification result. The artificial intelligence model can be a machine learning classification model, such as a naive Bayes classification model, or a deep learning classification model. If the classification result is that the features to be detected belong neither to a network attack of a known attack type nor to a network attack of an unknown attack type, it is determined that the target host is not under network attack; if the classification result is that the features to be detected belong to a network attack of a certain known attack type, it is determined that the target host is under a network attack of that type; and if the classification result is that the features to be detected belong to a network attack of an unknown attack type, it is determined that the target host is under a network attack of an unknown type.
In this method for detecting whether the target host is under network attack, because the artificial intelligence model is a classification model built with artificial intelligence technology and has self-learning, self-organizing and self-adapting capabilities, novel or variant network attacks can be discovered effectively, the inability of conventional network attack detection methods to detect unknown network attacks is overcome, the overall network attack detection capability is improved, the false negative rate is reduced, and the attack type of the network attack can be determined from the classification result.
Further, before the features to be detected are imported into a pre-established artificial intelligence model, the artificial intelligence model also needs to be established. FIG. 3 is a schematic flow chart of the process of building the artificial intelligence model, which includes:
step S31, collecting model training data;
step S32, extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
step S33, classifying the attack characteristic data to obtain a training sample;
and step S34, performing model training according to the training samples to obtain the artificial intelligence model.
Specifically, the model training data includes one or more combinations of internet published attack data, internet published vulnerability data, attack data collected by the target host, and vulnerability data collected by the target host. The attack data is extracted from the existing network attack case, and the vulnerability data is extracted from the existing vulnerability case. The attack data and the vulnerability data can be disclosed by the Internet, or can be analyzed and refined by the target host according to the network attack events suffered in the past.
After the model training data are obtained, extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data. Further, the extracted attack characteristic data may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name, and target URL address. It should be noted that the attack characteristic data can be flexibly set according to actual situations, and this embodiment does not limit this. After the attack characteristic data is obtained, classifying according to the attack type of the network attack to which the attack characteristic data belongs to form a training sample, wherein the attack type of the network attack comprises but is not limited to SQL injection attack and XSS attack.
And performing model training according to the training samples, namely calculating the occurrence frequency of the network attacks of each attack type in the training samples and the conditional probability estimation of each attack characteristic data division on the network attacks of each attack type, and recording the calculation result to obtain the artificial intelligence model. In this embodiment, the algorithm used for model training is a naive bayes algorithm. The naive Bayes algorithm has good performance on small-scale data, is suitable for multi-classification tasks and is suitable for incremental training. Of course, other machine learning classification algorithms or deep learning classification algorithms may also be used for model training, for example, a decision tree algorithm may also be used for model training, which is not limited in this embodiment.
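The feature extraction of steps S21 to S23 and the naive Bayes training of steps S31 to S34 (recording, per attack type, the class frequency and the conditional frequency of each feature value, then classifying new features by the highest posterior) can be carried through in the following Python example. It is added here and is not the patent's code. The training samples, the HTTP requests and the rate threshold are constructed; the `normal` class (benign traffic, yielding "not attacked") and Laplace smoothing, which keeps a feature value unseen for one class from zeroing that class out, are assumptions of this example, and the "unknown attack type" outcome of the text is not modelled.

```python
import re
from collections import Counter, defaultdict
from math import log

# Constructed training samples: (attack type, attack characteristic data).
TRAINING_SAMPLES = [
    ("sqli",   {"method": "GET",  "has_quote": "yes", "has_tag": "no",  "rate": "low"}),
    ("sqli",   {"method": "POST", "has_quote": "yes", "has_tag": "no",  "rate": "low"}),
    ("sqli",   {"method": "GET",  "has_quote": "yes", "has_tag": "no",  "rate": "high"}),
    ("xss",    {"method": "GET",  "has_quote": "no",  "has_tag": "yes", "rate": "low"}),
    ("xss",    {"method": "POST", "has_quote": "yes", "has_tag": "yes", "rate": "low"}),
    ("normal", {"method": "GET",  "has_quote": "no",  "has_tag": "no",  "rate": "low"}),
    ("normal", {"method": "GET",  "has_quote": "no",  "has_tag": "no",  "rate": "low"}),
    ("normal", {"method": "POST", "has_quote": "no",  "has_tag": "no",  "rate": "low"}),
]

def extract_features(raw_request: str, packets_per_second: float) -> dict:
    """Step S22: derive the features to be detected from an HTTP request.
    The request line gives method and URI; the packet rate is measured by the
    collector and passed in (an assumption of this example)."""
    request_line = raw_request.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return {
        "method": method,
        "has_quote": "yes" if ("'" in uri or "%27" in uri.lower()) else "no",
        "has_tag": "yes" if re.search(r"<|%3c", uri, re.IGNORECASE) else "no",
        "rate": "high" if packets_per_second > 50 else "low",
    }

class NaiveBayesModel:
    """Step S34: the trained model is the recorded class frequencies plus the
    per-class frequency of every feature value."""

    def __init__(self, samples, alpha: float = 1.0):
        self.alpha = alpha                        # Laplace smoothing strength
        self.total = len(samples)
        self.class_counts = Counter(label for label, _ in samples)
        self.feature_values = defaultdict(set)    # feature -> values seen
        self.value_counts = defaultdict(Counter)  # (label, feature) -> Counter(value)
        for label, feats in samples:
            for feature, value in feats.items():
                self.feature_values[feature].add(value)
                self.value_counts[(label, feature)][value] += 1

    def log_scores(self, feats: dict) -> dict:
        """log P(class) + sum of log P(value | class), with smoothing."""
        scores = {}
        for label, n in self.class_counts.items():
            score = log(n / self.total)
            for feature, value in feats.items():
                k = len(self.feature_values[feature])
                c = self.value_counts[(label, feature)][value]
                score += log((c + self.alpha) / (n + self.alpha * k))
            scores[label] = score
        return scores

    def classify(self, feats: dict) -> str:
        scores = self.log_scores(feats)
        return max(scores, key=scores.get)

def detect_attack(model: NaiveBayesModel, raw_request: str, packets_per_second: float):
    """Steps S21-S23 for one request: returns (attacked, attack_type)."""
    label = model.classify(extract_features(raw_request, packets_per_second))
    return (False, None) if label == "normal" else (True, label)

MODEL = NaiveBayesModel(TRAINING_SAMPLES)

if __name__ == "__main__":
    for req in ("GET /item?id=1'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
                "GET /search?q=%3Cb%3Ehi%3C/b%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
                "GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"):
        print(req.split("\r\n", 1)[0], "->", detect_attack(MODEL, req, 3))
```

Because the model is nothing more than counts, adding a newly labelled sample only increments a few counters, which is the incremental-training property the text attributes to naive Bayes.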
After detecting that the target host is attacked by the network, in this embodiment, a rule matching manner is adopted to detect whether the network attack is successful. Fig. 4 is a schematic flowchart of detecting whether the network attack is successful, where the detecting whether the network attack is successful includes:
step S41, extracting the feature to be compared from the network data corresponding to the network attack;
step S42, comparing the features to be compared with more than one attack response rule, where each attack response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
step S43, if the features to be compared match an attack response rule, determining that the network attack is successful.
Specifically, each successful network attack has its own uniqueness, which is manifested primarily in the attacked host's response to the successful attack request. Therefore, extracting the features to be compared means extracting features of the second response data, that is, the data with which the target host answers the request service. The features may be extracted directly from the network data, or the second response data may first be extracted from the network data and the features to be compared then extracted from it; this embodiment does not limit this.
Still taking an HTTP type network response as an example, the second response data includes three parts: a status line, itself consisting of a protocol version (e.g., HTTP/1.1), a status code and a status code description; response headers, including but not limited to the name of the application, the version of the application, the response body type, the response body length and the encoding used for the response body; and a response body. After the network data are collected, each field in the HTTP response headers is parsed, the field contents that need to be compared are located, and the features to be compared are extracted.
Further, when judging whether a network attack is successful, reverse derivation can be carried out from the attacker's perspective: the characteristics of the attack request are inferred back from the response content, which improves the accuracy of identifying whether the network attack succeeded. Therefore, the features to be compared may also be extracted from the second response data and the request data together. Specifically, the request data and the second response data are extracted from the network data, and the features to be compared are then extracted from both. Still taking an HTTP type network request and an HTTP type network response as examples, after the network data are collected, each field in the HTTP request headers and the HTTP response headers is parsed and the contents of the fields to be compared are located, which is the extraction of the features to be compared.
After the features to be compared are obtained, they are compared with more than one attack response rule. Still taking the HTTP transmission protocol as an example, if the features to be compared match a certain attack response rule, the HTTP request is determined to be a malicious attack and the network attack on the target host is determined to be successful; if the features to be compared cannot be matched with any attack response rule, the HTTP request is judged to be an ineffective network attack and can be ignored directly.
Further, a feature library may be established in advance for storing the more than one attack response rule. The attack response rules stored in the feature library are formed according to the first response data, namely the response of the attacked host to a successful attack request; in other words, each attack response rule is generated in advance from the response characteristics of the attack response corresponding to a known successful attack request. Fig. 5 is a schematic flowchart of creating the feature library provided in this embodiment, which includes:
step S51, creating a database;
step S52, correspondingly extracting more than one attack response characteristic from more than one first response data;
step S53, describing each attack response characteristic deterministically to form more than one attack response rule;
step S54, storing the one or more attack response rules in the database, and obtaining the feature library.
Specifically, the database is created as a blank storage space. The first response data is the response of the attacked host to a successful attack request and can be collected from attack data disclosed on the Internet and/or attack data collected by the target host. For example, if an attacker sends a floor() function error-based injection request to the attacked host and the request succeeds, the attacked host's response to that request is the first response data. Network attacks of the same attack type can be further divided according to their specific attack actions; for example, SQL injection attacks include count() function error-based injection, rand() function error-based injection, floor() function error-based injection and so on. One piece of first response data is collected for the network attack of each attack action, so that more than one attack response characteristic is extracted from more than one piece of first response data, namely one attack response characteristic from each piece of first response data. Similar to the attack characteristic data, the attack response characteristic may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the attack response characteristics may also be set flexibly according to the actual situation, which this embodiment does not limit.
After the attack response characteristics are obtained, each attack response characteristic is described deterministically, that is, according to a preset rule. In this embodiment, each attack response characteristic may be described deterministically with a conventional regular expression, or complex logic such as operation logic and matching logic may be added to the regular expression to improve the accuracy of the matching result. After the attack response rules are obtained, all of them are stored in the database, namely the corresponding data are written into the blank storage space, and the feature library is thereby obtained.
Further, the feature library may consist of N sub-feature libraries, each of which stores all attack response rules of one attack type, where N is an integer not less than 2. On this basis, fig. 6 is another schematic flowchart of establishing the feature library provided in this embodiment, which includes:
step S61, creating N databases;
step S62, correspondingly extracting more than two attack response characteristics from more than two first response data;
step S63, describing each attack response characteristic deterministically to form more than two attack response rules;
and step S64, storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
Specifically, steps S61 to S63 may refer to the description of steps S51 to S53 and are not repeated here. After more than two attack response rules are obtained, the attack response rules belonging to the same attack type are stored in the same database according to the attack type to which each rule belongs, and the sub-feature libraries are obtained. In this embodiment, the sub-feature libraries may be a basic feature library, an SQL injection feature library, an XSS dynamic feature library and a tool fingerprint library, where the basic feature library stores command features and file features, the SQL injection feature library stores the features of SQL injection attacks, the XSS dynamic feature library stores the features of XSS dynamic attacks, and the tool fingerprint library stores a trojan connection fingerprint and a kitchen knife fingerprint. It should be noted that the sub-feature libraries can be set flexibly according to the actual situation, which this embodiment does not limit.
For the feature library established by the process shown in fig. 6, comparing the features to be compared with more than one attack response rule specifically means comparing them with the more than one attack response rule in the sub-feature library corresponding to the attack type of the network attack. For example, if the attack type of the network attack is SQL injection, the features to be compared are compared with the attack response rules in the SQL injection feature library; if the attack type is an XSS dynamic attack, they are compared with the attack response rules in the XSS dynamic feature library. By dividing the feature library into several sub-feature libraries, the features to be compared only need to be matched against the attack response rules of one sub-feature library, which reduces the number of attack response rules compared and improves the efficiency of the comparison.
Since one attack response rule is obtained for the network attack of each attack action, an association between each attack response rule and its attack action can be established in advance; the attack action associated with the attack response rule that matches the features to be compared is then determined, according to that association, as the attack action of the successful network attack. For example, if the attack action associated with the matching attack response rule is floor() function error-based injection, the attack action of the successful network attack is floor() function error-based injection.
After detecting whether the network attack is successful, alarm information can be generated according to the detection result. Specifically, if the network attack is successful, first alarm information is generated, which includes the attack type and the attack action of the network attack; if the network attack is unsuccessful, second alarm information is generated, which includes the attack type of the network attack. For example, when the target host is attacked by SQL injection but the attack is unsuccessful, second alarm information is generated, which may read "attacked by SQL injection"; when the target host is attacked by SQL injection, the attack is successful and the specific attack action is floor() function error-based injection, first alarm information is generated, which may read "attacked by SQL injection, floor() function error-based injection".
Further, after the first or second alarm information is generated, it may also be sent to a network manager. For example, it may be sent by e-mail to a designated mailbox address, by short message to a designated mobile terminal, displayed directly in a dialog box on the target host, or sent to the network manager by instant messaging. Of course, the first or second alarm information may be sent to the network manager in any one of the above manners or in any combination of several of them.
The network alarm method provided by this embodiment can screen out successful network attacks, so that the network manager not only knows which types of network attack the target host has suffered but also knows the specific attack actions of the successful ones. This provides the network manager with effective network attack information, improves operation and maintenance efficiency and helps locate real vulnerabilities.
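The whole success-detection path of steps S41 to S43 together with the feature library of fig. 6, the rule-to-action association and the alarm generation, as one added example that is not the patent's own code: an HTTP response is split into status line, headers and body, the features to be compared are extracted, they are matched only against the sub-feature library of the detected attack type, and first or second alarm information is produced. The feature library, its regular-expression rules, the attack actions and the two response messages are all constructed for illustration; the patterns are simplified stand-ins for real response characteristics, not production signatures.

```python
"""Rule matching of HTTP response features against a feature library (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResponseRule:
    attack_type: str      # sub-feature library the rule belongs to
    attack_action: str    # attack action associated with this rule
    field: str            # feature of the response the rule inspects
    pattern: re.Pattern   # deterministic description of the attack response characteristic


# Constructed feature library, split into sub-feature libraries keyed by attack type.
FEATURE_LIBRARY = {
    "SQL injection": [
        AttackResponseRule("SQL injection", "floor() function error-based injection",
                           "body", re.compile(r"Duplicate entry '[^']*' for key")),
    ],
    "XSS dynamic attack": [
        AttackResponseRule("XSS dynamic attack", "script tag reflected in HTML response",
                           "body", re.compile(r"<script[^>]*>", re.IGNORECASE)),
    ],
}


def parse_http_response(raw: str) -> dict:
    """Split raw HTTP response text into status line parts, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    version, status_code, reason = (status_line.split(" ", 2) + [""])[:3]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status_code": status_code, "reason": reason,
            "headers": headers, "body": body}


def extract_features_to_compare(response: dict) -> dict:
    """Features to compare: status code, selected header fields and the body."""
    features = {"status_code": response["status_code"], "body": response["body"]}
    for name in ("server", "content-type", "content-length"):
        if name in response["headers"]:
            features["header:" + name] = response["headers"][name]
    return features


def match_attack_response_rule(attack_type: str, features: dict):
    """Compare only against the sub-feature library of the detected attack type."""
    for rule in FEATURE_LIBRARY.get(attack_type, []):
        if rule.pattern.search(features.get(rule.field, "")):
            return rule
    return None


def generate_alarm(attack_type: str, raw_response: str) -> dict:
    """First alarm (type + action) on a rule match, otherwise second alarm (type only)."""
    response = parse_http_response(raw_response)
    rule = match_attack_response_rule(attack_type, extract_features_to_compare(response))
    if rule is None:
        return {"successful": False, "attack_type": attack_type,
                "message": f"attacked by {attack_type}"}
    return {"successful": True, "attack_type": attack_type,
            "attack_action": rule.attack_action,
            "message": f"attacked by {attack_type}, {rule.attack_action}"}


# Constructed second response data (what the target host answered a request with).
SUCCESSFUL_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: ExampleApp/1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>Error: Duplicate entry 'constructed-value' for key 'constructed_key'</html>"
)
FAILED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleApp/1.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>No products found</html>"
)
```

`generate_alarm("SQL injection", SUCCESSFUL_RESPONSE)` yields the first alarm text "attacked by SQL injection, floor() function error-based injection", while the same call on `FAILED_RESPONSE` yields the second alarm "attacked by SQL injection". Because matching is restricted to one sub-feature library, an XSS rule is never evaluated for an SQL injection alarm and vice versa, which is the efficiency gain the text describes.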
Example 2
Embodiment 1 adopts an alarm mode in which one network attack corresponds to one piece of alarm information, that is, each detected network attack generates one piece of alarm information. However, isolated alarm information does not accurately reflect the security status of the target host, and presenting attacks in this way gives no overall picture of the attack process. Therefore, this embodiment provides another network attack warning method. Compared with the method of embodiment 1, this embodiment further includes, after the first or second alarm information is generated:
adding a corresponding attack chain tag to the first alarm information or the second alarm information according to the alarm content, wherein the attack chain tag is used for representing an attack stage of the network attack in an attack chain;
counting the attack chain tags of the same attack event to obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to these statistics, where the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
The alarm content of the alarm information differs according to the attack stage of the network attack suffered by the target host; that is, the alarm content reveals the attack purpose that the corresponding network attack is trying to achieve, and alarm information with different alarm content corresponds to different attack stages. Therefore, the attack stage can be determined from the alarm content of the alarm information corresponding to the network attack suffered by the target host. The alarm content of the first alarm information includes the attack type and the attack action of the network attack, and the alarm content of the second alarm information includes the attack type of the network attack. Specifically, according to the alarm content, the attack chain tag corresponding to the first or second alarm information is determined from a pre-established tag library. M attack chain tags are stored in the tag library, and each attack chain tag represents one attack stage in an attack chain. The attack chain refers to the cyclic series of steps an attacker carries out, from reconnaissance of the target host to damaging it, and generally consists of several different attack stages. For example, the attack chain may consist of six attack stages, namely a reconnaissance stage, an intrusion stage, a command control stage, a lateral penetration stage, a data leakage stage and a trace cleanup stage, i.e. M has the value 6. Correspondingly, the M attack chain tags are a reconnaissance tag, an intrusion tag, a command control tag, a lateral penetration tag, a data leakage tag and a trace cleanup tag. Of course, the division of the attack chain is not limited to this manner and may be set flexibly according to the actual situation.
As mentioned above, alarm information with different alarm content corresponds to different attack stages, and each attack chain tag corresponds to one attack stage, so the association between alarm information of different alarm content and the different attack chain tags can be established in advance from published network attack events. According to the alarm content, the attack chain tag corresponding to the first or second alarm information can then be determined from the pre-established tag library. Taking as an example the case where the attack type in the first or second alarm information is a PHP code execution attack, which belongs to the command control stage of the attack chain, the attack chain tag added to the first or second alarm information is the command control tag. Further, the attack chain tag may be added as an attribute of the first or second alarm information.
After corresponding attack chain tags have been added to all alarm information of an attack event, the total number of network attacks in each attack stage of the attack event can be obtained by counting how many of the attack chain tags are the same. For example, counting the reconnaissance tags gives the total number of network attacks in the reconnaissance stage of the attack event, and counting the intrusion tags gives the total number in the intrusion stage. Counting the same attack chain tags among only those attached to the first alarm information gives the number of successful network attacks in each attack stage of the attack event. Combining this with the attack actions recorded in the first alarm information gives the attack actions of the successful network attacks in each attack stage.
Take as an example an attack event in which the target host suffers 10 network attacks, for which 4 pieces of first alarm information and 6 pieces of second alarm information are generated. The attack chain tags corresponding to the 4 pieces of first alarm information are, respectively, an intrusion tag, an intrusion tag, a command control tag and a command control tag, and those corresponding to the 6 pieces of second alarm information are, respectively, a reconnaissance tag, a reconnaissance tag, a reconnaissance tag, an intrusion tag, an intrusion tag and a command control tag. Counting all 10 attack chain tags shows that the target host was attacked 3 times in the reconnaissance stage, 4 times in the intrusion stage and 3 times in the command control stage; counting the attack chain tags of the 4 pieces of first alarm information shows that it was successfully attacked 2 times in the intrusion stage and 2 times in the command control stage.
The attack route information is generated after the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event are obtained. Further, the attack route information may also include the start and end times of each attack stage, and after it is generated it may be displayed in order of the start times of the attack stages. The start time of an attack stage is the time of the first network attack in that stage, and its end time is the time of the last network attack in that stage. Again taking the example in which the target host suffers 10 network attacks: if the start and end times of the reconnaissance stage are 2018-3-15 03:20 to 2018-3-19 15:12, those of the intrusion stage are 2018-3-17 07:38 to 2018-3-21 05:21, and those of the command control stage are 2018-3-20 14:47 to 2018-3-20 18:21, the network attack route information generated from the statistics can be displayed as "2018-3-15 03:20 - 2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38 - 2018-3-21 05:21, intrusion stage: 4 times; 2018-3-20 14:47 - 2018-3-20 18:21, command control stage: 4 times". Of course, the attack route information may also include information such as the IP address of the target host and the duration of the entire attack event, as shown in fig. 7, which this embodiment does not limit.
Further, since each attack stage in the attack chain may itself be divided into several smaller attack stages, each smaller attack stage is also represented by an attack chain tag. Correspondingly, the attack chain tags may have more than two levels, and adding the corresponding attack chain tag to the first or second alarm information according to the alarm content then includes: determining the tag of each level corresponding to the alarm information from a pre-established tag library according to the alarm content, where M attack chain tags are stored in the tag library, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Fig. 8 is a schematic diagram of a tag library provided in this embodiment, in which the attack chain tags are divided into three levels. The first-level tags are a reconnaissance tag, an intrusion tag, a command control tag, a lateral penetration tag, a data leakage tag and a trace cleanup tag. The second-level tags under the reconnaissance tag are a port scanning tag, an information leakage tag, an IP scanning tag and a sub-domain name collection tag; under the intrusion tag, a vulnerability detection tag, a vulnerability exploitation tag, a denial of service tag, a brute force cracking tag and a high-risk operation tag; under the command control tag, a host controlled tag, a hacker tool upload tag, a server transfer behavior tag, a privilege escalation tag, an antivirus software closing tag and a host information acquisition tag; under the lateral penetration tag, an intranet investigation tag, a sniffing attack tag, an intranet vulnerability detection tag and an intranet vulnerability exploitation tag; under the data leakage tag, a file downloading tag and a database dumping behavior tag; and under the trace cleanup tag, a backdoor deletion tag, an attack service shutdown tag and a log clearing tag. The third-level tags under the high-risk operation tag are a database operation tag and a weak password successful login tag.
Setting the attack chain tags to multiple levels allows the attack stages in the attack chain to be described in more detail and therefore presents the entire process of the attack event to the network administrator in more detail. It should be noted that the tag library may be created by the target host or by another host, in which case the target host directly invokes the tag library from that host when it needs to add the corresponding attack chain tag. Further, the corresponding attack chain tag may also be added directly to the first or second alarm information without creating the tag library.
After the attack route information is generated, it can be sent to the network manager by one or a combination of e-mail, short message, dialog box and instant messaging. By adding the corresponding attack chain tag to the first or second alarm information and counting, according to the attack chain tags, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the attack event is re-divided according to its attack chain, the whole process of the attack event can be presented to network management personnel stage by stage from the perspective of big data analysis, and a chaotic attack timeline is avoided.
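The tagging, counting and route generation of this embodiment, as one added example that is not the patent's own code, serving both the single-level counting of the 10-alarm example and the multi-level tag library of fig. 8: a three-level tag library holds the tag names from the fig. 8 description, each alarm gets the tag of every level as attributes, the first-level tags are counted per stage (total, successful, actions, start and end time), and the route is rendered in the page's timestamp style. The association from alarm content to the most specific tag is constructed (only "PHP code execution belongs to command control" comes from the page), and the ten alarms and their timestamps are constructed to reproduce the per-stage totals counted above (3, 4 and 3) and the successes (2 and 2).

```python
"""Attack chain tags, per-stage statistics and attack route (added example)."""
from datetime import datetime

# Tag names from the page's fig. 8 description: level 1 -> level 2 -> [level 3].
TAG_LIBRARY = {
    "reconnaissance": {"port scanning": [], "information leakage": [], "IP scanning": [],
                       "sub-domain name collection": []},
    "intrusion": {"vulnerability detection": [], "vulnerability exploitation": [],
                  "denial of service": [], "brute force cracking": [],
                  "high-risk operation": ["database operation", "weak password successful login"]},
    "command control": {"host controlled": [], "hacker tool upload": [], "server transfer behavior": [],
                        "privilege escalation": [], "antivirus software closing": [],
                        "host information acquisition": []},
    "lateral penetration": {"intranet investigation": [], "sniffing attack": [],
                            "intranet vulnerability detection": [], "intranet vulnerability exploitation": []},
    "data leakage": {"file downloading": [], "database dumping behavior": []},
    "trace cleanup": {"backdoor deletion": [], "attack service shutdown": [], "log clearing": []},
}

# Constructed association: attack type in the alarm content -> most specific tag.
CONTENT_TO_TAG = {"port scanning": "port scanning", "SQL injection": "vulnerability exploitation",
                  "PHP code execution": "host controlled",
                  "weak password login": "weak password successful login"}


def count_tags(library=TAG_LIBRARY):
    """M: total number of tags over all levels (must be > 4 for a multi-level library)."""
    return sum(1 + sum(1 + len(l3) for l3 in l2.values()) for l2 in library.values())


def tag_path(tag, library=TAG_LIBRARY):
    """(level-1, level-2[, level-3]) path of a tag, or None if it is not in the library."""
    for l1, level2 in library.items():
        if tag == l1:
            return (l1,)
        for l2, level3 in level2.items():
            if tag == l2:
                return (l1, l2)
            if tag in level3:
                return (l1, l2, tag)
    return None


def add_attack_chain_tags(alarm):
    """Add the tag of every level as attributes of the alarm information."""
    for level, tag in enumerate(tag_path(CONTENT_TO_TAG[alarm["attack_type"]]), start=1):
        alarm[f"level{level}_tag"] = tag
    return alarm


def build_attack_route(alarms):
    """Per first-level stage: total, successful count, actions, start/end; sorted by start."""
    stages = {}
    for alarm in alarms:
        tag = add_attack_chain_tags(alarm)["level1_tag"]
        stage = stages.setdefault(tag, {"stage": tag, "total": 0, "successful": 0, "actions": [],
                                        "start": alarm["time"], "end": alarm["time"]})
        stage["total"] += 1
        if "attack_action" in alarm:            # first alarm information = successful attack
            stage["successful"] += 1
            stage["actions"].append(alarm["attack_action"])
        stage["start"] = min(stage["start"], alarm["time"])
        stage["end"] = max(stage["end"], alarm["time"])
    return sorted(stages.values(), key=lambda s: s["start"])


def fmt(t):
    """Page-style timestamp, e.g. 2018-3-15 03:20."""
    return f"{t.year}-{t.month}-{t.day} {t:%H:%M}"


def render_attack_route(route):
    return "; ".join(f"{fmt(s['start'])} - {fmt(s['end'])}, {s['stage']} stage: "
                     f"{s['total']} times, {s['successful']} successful" for s in route)


def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Ten constructed alarms: 4 first alarms (with attack action) and 6 second alarms.
ALARMS = [
    {"time": T("2018-03-15 03:20"), "attack_type": "port scanning"},
    {"time": T("2018-03-16 11:05"), "attack_type": "port scanning"},
    {"time": T("2018-03-19 15:12"), "attack_type": "port scanning"},
    {"time": T("2018-03-17 07:38"), "attack_type": "SQL injection"},
    {"time": T("2018-03-18 09:10"), "attack_type": "SQL injection",
     "attack_action": "floor() function error-based injection"},
    {"time": T("2018-03-20 12:00"), "attack_type": "SQL injection",
     "attack_action": "floor() function error-based injection"},
    {"time": T("2018-03-21 05:21"), "attack_type": "SQL injection"},
    {"time": T("2018-03-20 14:47"), "attack_type": "PHP code execution"},
    {"time": T("2018-03-20 16:30"), "attack_type": "PHP code execution",
     "attack_action": "command execution (constructed action)"},
    {"time": T("2018-03-20 18:21"), "attack_type": "PHP code execution",
     "attack_action": "command execution (constructed action)"},
]
```

`build_attack_route(ALARMS)` returns the reconnaissance, intrusion and command control stages in order of their start times with totals 3, 4, 3 and successes 0, 2, 2, and `render_attack_route` prints them in the "2018-3-15 03:20 - 2018-3-19 15:12, reconnaissance stage: 3 times, 0 successful" style; `count_tags()` gives M = 32 for the fig. 8 library, and `tag_path("weak password successful login")` resolves to the full three-level path through the intrusion and high-risk operation tags.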
Example 3
The present embodiment provides a network attack warning system, which includes: a first detection module for detecting whether a target host is under network attack and determining the attack type of the network attack; a second detection module for detecting, when the target host is under network attack, whether the network attack is successful and determining the attack action of the successful network attack; and an alarm information generation module for generating, when the network attack is successful, first alarm information including the attack type and the attack action of the network attack, and otherwise generating second alarm information including the attack type of the network attack.
Further, the first detection module comprises: the acquisition module is used for acquiring the network data of the target host; the first extraction module is used for extracting the features to be detected from the network data; and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Further, the first extraction module comprises: a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host; and the second extraction unit is used for extracting the features to be detected from the request data.
Further, the network attack warning system further includes a model creation module for establishing the artificial intelligence model before the features to be detected are imported into the pre-established artificial intelligence model. Specifically, the model creation module includes: a collection module for collecting model training data; a second extraction module for extracting the characteristics of known network attacks from the model training data to obtain attack characteristic data; a classification module for classifying the attack characteristic data to obtain training samples; and a training module for performing model training according to the training samples to obtain the artificial intelligence model.
Further, the second detection module includes: the third extraction module is used for extracting the features to be compared from the network data corresponding to the network attack; the comparison module is used for comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host; the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule; and the attack action determining module is used for determining the attack action of the successful network attack.
Further, the third extraction module comprises: a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service; and the fourth extraction unit is used for extracting the features to be compared from the second response data.
Further, the third extraction module comprises: a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service; a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
Further, the network attack warning system further includes: and the feature library creating module is used for creating a feature library containing more than one attack response rule before the features to be compared are compared with the more than one attack response rule. Specifically, the feature library creation module may include: the database creating module is used for creating a database; the fourth extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data; the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule; and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
The feature library may include N sub-feature libraries, where N is an integer not less than 2, and based on this, the feature library creating module may also include: the database creating module is used for creating N databases; the fourth extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data; the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules; and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
Further, the network attack warning system further includes: the incidence relation establishing module is used for establishing the incidence relation between each attack response rule and the attack action before the characteristics to be compared are compared with more than one attack response rule; and the attack action determining module is used for determining the attack action corresponding to the attack response rule matched with the feature to be compared as the attack action of the successful network attack according to the incidence relation between each attack response rule and the attack action.
Further, the network attack warning system further includes: and the sending module is used for sending the first alarm information or the second alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging after the first alarm information or the second alarm information is generated.
The specific working principle of the network attack warning system may refer to the description of each step in embodiment 1, and this embodiment is not described herein again.
Example 4
In this embodiment, another network attack warning system is provided, and compared with the network attack warning system provided in embodiment 3, the network attack warning system further includes: a tag adding module, configured to add, after the first alarm information or the second alarm information is generated, a corresponding attack chain tag to the first alarm information or the second alarm information according to alarm content, where the attack chain tag is used to represent an attack stage of the network attack in an attack chain; the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event; and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
Further, the attack chain tags include more than two levels, the tag adding module is used for determining each level of tags corresponding to the alarm information from a pre-established tag library according to the alarm content, wherein the tag library stores more than M attack chain tags, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Further, the attack route information further includes start and stop times of each attack stage, and the artificial intelligence based network attack detection system further includes: and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
The specific working principle of the network attack warning system may refer to the description of each step in embodiment 2, and this embodiment is not described herein again.
Example 5
This embodiment provides a computer-readable storage medium on which a computer program is stored. Any of the network attack warning methods provided in embodiment 1 or embodiment 2 of the present invention may, if implemented in the form of a software functional unit and sold or used as an independent product, be stored in a computer-readable storage medium. Based on this understanding, the present invention may implement all or part of the processes of any network attack warning method provided in embodiment 1 or embodiment 2 by instructing related hardware through a computer program. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, may implement the steps of the method embodiments described above.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunications signal, a software distribution medium, and so on. It should be noted that the content of the computer-readable medium may be appropriately increased or decreased as required by legislation and patent practice in the relevant jurisdiction; for example, in some jurisdictions, computer-readable media do not include electrical carrier signals and telecommunications signals.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
The invention discloses A1, a network attack warning method, comprising:
detecting whether a target host is attacked by a network or not and determining the attack type of the network attack;
if the target host is attacked by the network, detecting whether the network attack is successful and determining attack action of the successful network attack;
and if the network attack is successful, generating first alarm information comprising the attack type of the network attack and the attack action of the network attack, otherwise, generating second alarm information comprising the attack type of the network attack.
A2, the method for alarming network attack according to A1, wherein the detecting whether the target host is under the network attack and determining the attack type of the network attack comprises:
collecting network data of the target host;
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
A3, the method for alarming network attack according to A2, wherein the extracting the features to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
A4, the method for alarming network attack according to A2, wherein before the feature to be detected is imported into a pre-established artificial intelligence model, the method further comprises:
and establishing the artificial intelligence model.
A5, the method for alarming network attack according to A4, wherein the establishing the artificial intelligence model comprises:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
A6, the method for alarming network attack according to A5, wherein the collecting model training data includes:
and collecting one or more combinations of the attack data disclosed by the Internet, the vulnerability data disclosed by the Internet, the attack data collected by the target host and the vulnerability data collected by the target host.
A7, the method for alarming network attack according to A5, wherein the training model according to the training samples comprises:
and performing model training by adopting a naive Bayes algorithm according to the training sample.
A8, the method for alarming network attack according to A1, wherein the detecting whether the network attack is successful comprises:
extracting features to be compared from the network data corresponding to the network attack;
comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
and if the features to be compared are matched with the attack response rule, judging that the network attack is successful.
A9, the method for alarming network attack according to A8, wherein the extracting the features to be compared from the network data corresponding to the network attack comprises:
extracting second response data from the network data, wherein the second response data is used for the target host to answer the request service;
and extracting the features to be compared from the second response data.
A10, the method for alarming network attack according to A8, wherein the extracting the features to be compared from the network data corresponding to the network attack comprises:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
A11, the method for alarming network attack according to A8, further comprising, before comparing the features to be compared with one or more attack response rules:
a feature library is established that includes the one or more attack response rules.
A12, the method for alarming network attack according to A11, wherein the establishing a feature library containing the one or more attack response rules comprises:
creating a database;
correspondingly extracting more than one attack response characteristic from more than one first response data;
each attack response characteristic is described in a deterministic manner to form more than one attack response rule;
and storing the more than one attack response rule into the database to obtain the feature library.
A13, the method for alarming network attack according to A11, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the establishing the feature library containing the more than one attack response rules comprises:
creating N databases;
correspondingly extracting more than two attack response characteristics from more than two first response data;
each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
A14, the method for alarming network attack according to A13, wherein the comparing the characteristics to be compared with more than one attack response rule comprises:
and comparing the characteristics to be compared with more than one attack response rule in a sub-characteristic library corresponding to the attack type of the network attack.
A15, the network attack warning method according to A12 or A13, wherein the deterministically describing each attack response characteristic comprises:
and performing deterministic description on each attack response characteristic by adopting a regular expression.
A16, the method for alarming network attack according to A12 or A13, before the comparing the features to be compared with more than one attack response rule, further comprising:
establishing an association relation between each attack response rule and an attack action;
the attack action of determining a successful network attack comprises:
and determining, according to the association relation between each attack response rule and the attack action, the attack action corresponding to the attack response rule matched with the features to be compared as the attack action of the successful network attack.
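As an added illustration, not code from the patent, the following Python sketch implements the success-detection path of A8 to A16 together with the alarm generation of A1: a constructed feature library of regular-expression attack response rules split into sub-feature libraries by attack type, each rule associated with an attack action, applied to constructed HTTP responses. The attack types, patterns, action names and HTTP framing are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample feature library (A12/A13): one sub-feature library per
# attack type, each holding attack response rules written as regular
# expressions (A15) and the attack action associated with each rule (A16).
# Attack types, patterns and action names are illustrative placeholders.
@dataclass(frozen=True)
class AttackResponseRule:
    name: str
    pattern: re.Pattern
    action: str  # attack action associated with the rule (A16)


FEATURE_LIBRARY = {
    "sql_injection": [
        AttackResponseRule(
            "mysql_syntax_error",
            re.compile(r"You have an error in your SQL syntax", re.I),
            "database error message disclosed",
        ),
    ],
    "path_traversal": [
        AttackResponseRule(
            "passwd_contents",
            re.compile(r"^root:x:0:0:", re.M),
            "/etc/passwd contents disclosed",
        ),
    ],
}


def extract_second_response_data(raw_response: str) -> str:
    """A9: the second response data is the body the target host sent back;
    the constructed responses use HTTP framing, so strip status and headers."""
    _, _, body = raw_response.partition("\r\n\r\n")
    return body


def detect_attack_success(attack_type: str, raw_response: str):
    """A8/A14: compare the features to be compared only against the rules in
    the sub-feature library of the detected attack type. Returns the attack
    action of the first matching rule, or None when no rule matches."""
    features = extract_second_response_data(raw_response)
    for rule in FEATURE_LIBRARY.get(attack_type, []):
        if rule.pattern.search(features):
            return rule.action  # A16: rule -> attack action association
    return None


def generate_alarm(attack_type: str, raw_response: str) -> dict:
    """A1: first alarm (type + action) on success, second alarm (type) otherwise."""
    action = detect_attack_success(attack_type, raw_response)
    if action is not None:
        return {"alarm": "first", "attack_type": attack_type, "attack_action": action}
    return {"alarm": "second", "attack_type": attack_type}


# Constructed sample responses, each paired with the attack type the first
# detection step (A2) is assumed to have assigned to the matching request.
SAMPLE_EXCHANGES = [
    ("sql_injection",
     "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
     "<h1>Error</h1>You have an error in your SQL syntax; check the manual"),
    ("sql_injection",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Welcome</h1>"),
    ("path_traversal",
     "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
     "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"),
]

if __name__ == "__main__":
    for attack_type, response in SAMPLE_EXCHANGES:
        print(generate_alarm(attack_type, response))
```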
A17, the network attack warning method according to A1, further comprising, after generating the first warning information or the second warning information:
and sending the first alarm information or the second alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging.
A18, the network attack warning method according to A1, further comprising, after generating the first warning information or the second warning information:
adding a corresponding attack chain tag to the first alarm information or the second alarm information according to the alarm content, wherein the attack chain tag is used for representing an attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
A19, the method for alarming network attack according to A18, wherein the adding of the corresponding attack chain label to the first alarm information or the second alarm information according to the alarm content includes:
and determining an attack chain label corresponding to the first alarm information or the second alarm information from a pre-established label library according to the alarm content.
A20, the method for alarming network attack according to A18, wherein the attack chain label includes more than two levels, and the adding the corresponding attack chain label to the first alarm information or the second alarm information according to the alarm content includes:
and determining each level of label corresponding to the first alarm information or the second alarm information from a pre-established label library according to the alarm content, wherein M attack chain labels are stored in the label library, the M attack chain labels are divided into more than two levels, and M is an integer greater than 4.
A21, the method for alarming network attack according to A18, wherein the attack route information further includes start and stop times of each attack stage, and after the attack route information is generated according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the method further includes:
and displaying the attack route information according to the sequence of the starting time of each attack stage.
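As an added illustration, not code from the patent, the following Python sketch carries A18 to A21 through on constructed alarm records: a two-level tag library (stage and technique) assigns attack chain tags from the alarm content, the tagged alarms of one attack event are counted per stage, and the resulting attack route information, including each stage's start and stop times, is ordered by start time. The stage names, attack types and alarm records are assumptions.

```python
from datetime import datetime

# Constructed two-level tag library (A20): the level-1 tag is the attack stage
# in the attack chain, the level-2 tag is the technique within that stage.
# Seven distinct tags (three stages plus four techniques) satisfy M > 4.
# Attack types, stage names and tags are illustrative, not the patent's.
TAG_LIBRARY = {
    "port_scan": ("reconnaissance", "scanning"),
    "sql_injection": ("exploitation", "web_injection"),
    "path_traversal": ("exploitation", "file_access"),
    "webshell_upload": ("installation", "webshell"),
}


def add_attack_chain_tag(alarm: dict) -> dict:
    """A18/A19: look up each level of tag for the alarm from the tag library
    according to the alarm content (here, its attack type)."""
    stage, technique = TAG_LIBRARY[alarm["attack_type"]]
    return {**alarm, "stage": stage, "technique": technique}


def build_attack_route(alarms: list, event_id: str) -> list:
    """A18/A21: count the tagged alarms of one attack event per stage and
    return the attack route information ordered by each stage's start time."""
    stages = {}
    for alarm in alarms:
        if alarm["event_id"] != event_id:
            continue
        tagged = add_attack_chain_tag(alarm)
        entry = stages.setdefault(tagged["stage"], {
            "stage": tagged["stage"], "total_attacks": 0,
            "successful_attacks": 0, "successful_actions": [],
            "start": tagged["time"], "stop": tagged["time"],
        })
        entry["total_attacks"] += 1
        if tagged["alarm"] == "first":  # a first alarm records a successful attack
            entry["successful_attacks"] += 1
            entry["successful_actions"].append(tagged["attack_action"])
        entry["start"] = min(entry["start"], tagged["time"])
        entry["stop"] = max(entry["stop"], tagged["time"])
    return sorted(stages.values(), key=lambda s: s["start"])


def at_time(hhmm: str) -> datetime:
    """Helper for the constructed timestamps (all on one assumed day)."""
    return datetime.fromisoformat(f"2024-01-01T{hhmm}:00")


# Constructed alarm records: "first" alarms carry an attack action (A1).
# They are deliberately not in time order, so the stage start/stop logic is used.
SAMPLE_ALARMS = [
    {"event_id": "evt-1", "time": at_time("09:05"), "attack_type": "port_scan", "alarm": "second"},
    {"event_id": "evt-1", "time": at_time("09:00"), "attack_type": "port_scan", "alarm": "second"},
    {"event_id": "evt-1", "time": at_time("09:20"), "attack_type": "sql_injection", "alarm": "second"},
    {"event_id": "evt-1", "time": at_time("09:25"), "attack_type": "sql_injection", "alarm": "first",
     "attack_action": "database error message disclosed"},
    {"event_id": "evt-1", "time": at_time("09:40"), "attack_type": "path_traversal", "alarm": "second"},
    {"event_id": "evt-1", "time": at_time("10:10"), "attack_type": "webshell_upload", "alarm": "first",
     "attack_action": "webshell written to web root"},
    {"event_id": "evt-2", "time": at_time("09:30"), "attack_type": "sql_injection", "alarm": "second"},
]

if __name__ == "__main__":
    for stage in build_attack_route(SAMPLE_ALARMS, "evt-1"):
        print(f'{stage["start"]:%H:%M}-{stage["stop"]:%H:%M} {stage["stage"]}: '
              f'{stage["total_attacks"]} attacks, {stage["successful_attacks"]} successful, '
              f'actions={stage["successful_actions"]}')
```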
The invention also discloses B22, a network attack warning system, comprising:
a first detection module, used for detecting whether a target host is attacked by a network and determining the attack type of the network attack;
a second detection module, used for detecting, when the target host is under network attack, whether the network attack is successful and determining the attack action of the successful network attack;
and the alarm information generation module is used for generating first alarm information comprising the attack type of the network attack and the attack action of the network attack when the network attack is successful, and otherwise, generating second alarm information comprising the attack type of the network attack.
B23, the network attack warning system according to B22, the first detection module includes:
the acquisition module is used for acquiring the network data of the target host;
the first extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
B24, the network attack warning system according to B23, the first extraction module includes:
a first extraction unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the second extraction unit is used for extracting the features to be detected from the request data.
B25, the network attack warning system according to B23, further comprising:
and the model creating module is used for building the artificial intelligence model before the features to be detected are led into the artificial intelligence model built in advance.
B26, the network attack warning system according to B25, the model creating module includes:
the collection module is used for collecting model training data;
the second extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
B27, the network attack warning system according to B26, wherein the model training data comprises one or more combinations of Internet published attack data, Internet published vulnerability data, attack data collected by the target host and vulnerability data collected by the target host.
B28, the network attack warning system according to B26, wherein the training module is a naive Bayes algorithm module.
B29, the network attack warning system according to B22, the second detection module includes:
the third extraction module is used for extracting the features to be compared from the network data corresponding to the network attack;
the comparison module is used for comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
the judging module is used for judging that the network attack is successful when the features to be compared are matched with the attack response rule;
and the attack action determining module is used for determining the attack action of the successful network attack.
B30, the network attack warning system according to B29, the third extraction module includes:
a third extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer the request service;
and the fourth extraction unit is used for extracting the features to be compared from the second response data.
B31, the network attack warning system according to B29, the third extraction module includes:
a fifth extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a sixth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
B32, the network attack warning system according to B29, further comprising:
and the feature library creating module is used for creating a feature library containing more than one attack response rule before the features to be compared are compared with the more than one attack response rule.
B33, the system for alarming network attack according to B32, wherein the feature library creating module comprises:
the database creating module is used for creating a database;
the fourth extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule;
and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
B34, the system for alarming network attack according to B32, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the feature library creating module comprises:
the database creating module is used for creating N databases;
the fourth extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules;
and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
B35, the network attack warning system according to B34, wherein the comparison module is used for comparing the features to be compared with more than one attack response rule in the sub-feature library corresponding to the attack type of the network attack.
B36, the network attack warning system according to B33 or B34, wherein the rule forming module is a regular expression writing module.
B37, the network attack warning system according to B33 or B34, further comprising:
an association relation establishing module, used for establishing the association relation between each attack response rule and an attack action before the features to be compared are compared with the more than one attack response rule;
and the attack action determining module is used for determining, according to the association relation between each attack response rule and the attack action, the attack action corresponding to the attack response rule matched with the features to be compared as the attack action of the successful network attack.
B38, the network attack warning system according to B22, further comprising:
and the sending module is used for sending the first alarm information or the second alarm information to a network manager through one or more combinations of mails, short messages, dialog boxes and instant messaging after the first alarm information or the second alarm information is generated.
B39, the network attack warning system according to B22, further comprising:
a tag adding module, configured to add, after the first alarm information or the second alarm information is generated, a corresponding attack chain tag to the first alarm information or the second alarm information according to alarm content, where the attack chain tag is used to represent an attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
B40, the network attack warning system according to B39, wherein the tag adding module is configured to determine an attack chain tag corresponding to the first warning information or the second warning information from a pre-established tag library according to the warning content.
B41, the network attack warning system according to B39, wherein the attack chain labels include more than two levels, the label adding module is configured to determine, according to the warning content, each level of labels corresponding to the first warning information or the second warning information from a pre-established label library, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer greater than 4.
B42, the network attack warning system according to B39, wherein the attack route information further includes start and stop times of each attack stage, the system further comprising:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage after the attack route information is generated according to the total times of network attacks, the successful times of network attacks and the successful attack actions of the network attacks in each attack stage of the attack event.
The invention also discloses C43, a computer readable storage medium, on which a computer program is stored, characterized in that the program, when executed by a processor, implements a network attack warning method as set forth in any one of A1 to A21.
The invention also discloses D44, a computer device, comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, characterized in that the processor implements the network attack warning method of any one of A1 to A21 when executing the program.