Network attack result detection method and system
Technical field
The present invention relates to the technical field of network security, and in particular to a network attack result detection method and system.
Background technique
With the continuous development of computer technology and the continuing spread of the internet, new forms of network attack emerge one after another, network security problems become ever more pressing, and the social impact and economic losses they cause keep growing, which places new demands and challenges on the detection of, and defence against, network threats. Abnormal network traffic is one of the main current network security threats and a key object of network security monitoring. Finding abnormal network traffic quickly and accurately, and promptly capturing, analysing, tracking and monitoring malicious code, provides knowledge support for network security situation assessment and response decisions, and so improves the overall response capability of network security emergency organizations.
Traditional network attack detection methods usually only detect whether a network attack has occurred, without identifying which network attacks succeeded. They therefore generate a large amount of inaccurate alarm information from which the useful information cannot be effectively filtered out, and the cost of operation and maintenance (O&M) processing is very high.
Summary of the invention
The problem solved by the present invention is the high O&M processing cost of traditional network attack detection methods.
The present invention is achieved through the following technical solutions:
A network attack result detection method, including:
extracting a feature to be compared from the network data of a destination host;
comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
if the feature to be compared matches an attack-response rule, determining that the destination host has suffered a successful network attack.
Optionally, extracting the feature to be compared from the network data of the destination host includes:
extracting second response data from the network data, wherein the second response data is the response of the destination host to a requested service;
extracting the feature to be compared from the second response data.
Optionally, extracting the feature to be compared from the network data of the destination host includes:
extracting request data and second response data from the network data, wherein the request data is a request for service addressed to the destination host, and the second response data is the response of the destination host to the requested service;
extracting the feature to be compared from the request data and the second response data.
Optionally, before comparing the feature to be compared with the one or more attack-response rules, the method further includes:
establishing a feature database containing the one or more attack-response rules.
Optionally, establishing the feature database containing the one or more attack-response rules includes:
creating a database;
extracting one or more attack-response features, one from each of one or more items of first response data;
describing each attack-response feature deterministically to form one or more attack-response rules;
storing the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database containing the one or more attack-response rules includes:
creating N databases;
extracting two or more attack-response features, one from each of two or more items of first response data;
describing each attack-response feature deterministically to form two or more attack-response rules;
storing those of the two or more attack-response rules that belong to the same attack type in the same database, to obtain the sub-feature databases.
Optionally, describing each attack-response feature deterministically includes:
describing each attack-response feature deterministically by means of a regular expression.
Optionally, before comparing the feature to be compared with the one or more attack-response rules, the method further includes:
establishing an association between each attack-response rule and an attack action;
and after determining that the destination host has suffered a successful network attack, the method further includes:
according to the association between each attack-response rule and an attack action, determining the attack action associated with the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
Optionally, before extracting the feature to be compared from the network data of the destination host, the method further includes:
detecting, according to the network data, whether the destination host has been subjected to a network attack;
if the destination host has been subjected to a network attack, performing the step of extracting the feature to be compared from the network data of the destination host.
Optionally, detecting according to the network data whether the destination host has been subjected to a network attack includes:
extracting a feature to be detected from the network data;
importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by means of the artificial intelligence model, and determining from the classification result whether the destination host has been subjected to a network attack and the attack type of that network attack.
Optionally, extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is a request for service addressed to the destination host;
extracting the feature to be detected from the request data.
Optionally, before importing the feature to be detected into the pre-established artificial intelligence model, the method further includes:
establishing the artificial intelligence model.
Optionally, establishing the artificial intelligence model includes:
collecting model training data;
extracting the features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, collecting the model training data includes:
collecting one or more of attack data published on the internet, vulnerability data published on the internet, attack data already acquired by the destination host, and vulnerability data already acquired by the destination host.
Optionally, carrying out model training according to the training samples includes:
carrying out model training according to the training samples using a naive Bayes algorithm.
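As an added illustration of the optional detection steps above (example code, not part of the patent), the following Python sketch extracts a feature to be detected from HTTP request data, trains a multinomial naive Bayes classifier on it, and returns whether a request is an attack and of which type. Everything specific here is an assumption of the example: the choice to use only the decoded query string and body as the feature, the tokenisation, the class names "benign", "sqli" and "xss", and the constructed training requests; the patent names none of them.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, unquote_plus

# Tokens: identifiers, digit runs, the SQL comment marker "--" and single punctuation
# characters (quotes, brackets, angle brackets), which carry most of the attack signal.
TOKEN_RE = re.compile(r"[a-z_][a-z0-9_]*|\d+|--|[^\sa-z0-9_]")


def extract_payload(raw_request: str) -> str:
    """Feature to be detected: the URL-decoded query string and body of an HTTP request.
    Method, path and protocol version are dropped on purpose (assumption of this example)
    so that tokens shared by every request do not dilute the class-specific evidence."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n")[0]
    _method, uri, _version = request_line.split(" ", 2)
    return unquote_plus(urlsplit(uri).query + " " + body).lower()


def tokenize(payload: str) -> list:
    return TOKEN_RE.findall(payload)


class NaiveBayesRequestClassifier:
    """Multinomial naive Bayes with Laplace (add-one) smoothing over request tokens."""

    def __init__(self):
        self.docs_per_class = Counter()
        self.tokens_per_class = Counter()
        self.token_counts = defaultdict(Counter)
        self.vocabulary = set()

    def fit(self, samples):
        for raw_request, label in samples:
            tokens = tokenize(extract_payload(raw_request))
            self.docs_per_class[label] += 1
            self.tokens_per_class[label] += len(tokens)
            self.token_counts[label].update(tokens)
            self.vocabulary.update(tokens)

    def predict(self, raw_request: str) -> str:
        tokens = tokenize(extract_payload(raw_request))
        total_docs = sum(self.docs_per_class.values())
        vocab_size = len(self.vocabulary)
        best_label, best_score = None, -math.inf
        for label, n_docs in self.docs_per_class.items():
            # log prior plus the sum of smoothed log likelihoods of each token
            score = math.log(n_docs / total_docs)
            denominator = self.tokens_per_class[label] + vocab_size
            for token in tokens:
                score += math.log((self.token_counts[label][token] + 1) / denominator)
            if score > best_score:
                best_label, best_score = label, score
        return best_label


def make_request(request_line: str, body: str = "") -> str:
    return f"{request_line}\r\nHost: shop.example\r\n\r\n{body}"


# Constructed training data (hypothetical requests, not captured traffic).
TRAINING_SAMPLES = [
    (make_request("GET /index.php?id=1 HTTP/1.1"), "benign"),
    (make_request("GET /item.php?id=42&sort=price HTTP/1.1"), "benign"),
    (make_request("GET /news.php?id=7&page=2 HTTP/1.1"), "benign"),
    (make_request("GET /search.php?q=laptop+charger HTTP/1.1"), "benign"),
    (make_request("GET /static/app.js?v=3 HTTP/1.1"), "benign"),
    (make_request("POST /login.php HTTP/1.1", "user=alice&password=s3cret"), "benign"),
    (make_request("GET /index.php?id=1'%20and%201=1-- HTTP/1.1"), "sqli"),
    (make_request("GET /item.php?id=1%20union%20select%201,2,3-- HTTP/1.1"), "sqli"),
    (make_request("GET /index.php?id=1'%20and%20(select%201%20from%20(select%20count(*),concat(version(),"
                  "floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)-- HTTP/1.1"), "sqli"),
    (make_request("GET /news.php?id=-1%20or%201=1 HTTP/1.1"), "sqli"),
    (make_request("GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"), "xss"),
    (make_request("GET /comment.php?text=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1"), "xss"),
    (make_request("GET /profile.php?name=%22%3E%3Csvg%20onload=alert(document.cookie)%3E HTTP/1.1"), "xss"),
]

MODEL = NaiveBayesRequestClassifier()
MODEL.fit(TRAINING_SAMPLES)


def detect_attack(raw_request: str):
    """Return (attacked, attack_type) for one request, as the detection step requires."""
    label = MODEL.predict(raw_request)
    return label != "benign", label
```

Only requests the classifier flags as attacks would then be passed on to the attack-response comparison; the classifier decides that an attack was attempted, not that it succeeded. A corpus this small is for illustration only; the margins between classes grow with the published and locally acquired attack data the claims list as training sources.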
Optionally, after comparing the feature to be compared with the one or more attack-response rules, the method further includes:
generating alarm information, wherein the alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of a successful network attack.
Optionally, after generating the alarm information, the method further includes:
sending the alarm information to network management personnel by one or more of mail, short message, dialog box and instant messaging.
Optionally, after generating the alarm information, the method further includes:
adding a corresponding attack chain label to the alarm information according to its alarm content, wherein the attack chain label characterizes the attack stage of the network attack in the attack chain;
counting the attack chain labels of the same attack, to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, adding the corresponding attack chain label to the alarm information according to its alarm content includes:
determining, from a pre-established tag library and according to the alarm content of the alarm information, the attack chain label corresponding to the alarm information.
Optionally, the attack chain label has two or more levels, and adding the corresponding attack chain label to the alarm information according to its alarm content includes:
determining, from the pre-established tag library and according to the alarm content of the alarm information, the label of each level corresponding to the alarm information, wherein the tag library stores M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage; and after generating the attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, the method further includes:
displaying the attack route information in the order of the start times of the attack stages.
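An added worked example (not from the patent) of the attack chain labelling and attack route statistics described in the optional steps above. Each alert carries the fields the claims list (attack type, whether the attack succeeded, the attack action) plus two assumptions of this example: a timestamp and a correlation key `attack_id` that ties the alerts of one attack together. The two-level tag library, its stage names and the constructed alerts are hypothetical stand-ins; the tag library of Fig. 7 is not reproduced here.

```python
from datetime import datetime
from typing import Dict, List

# Assumed two-level tag library (hypothetical stand-in for the library of Fig. 7):
# attack type -> (first-level label: attack-chain stage, second-level label: technique).
TAG_LIBRARY = {
    "port_scan":       ("reconnaissance", "port scan"),
    "dir_enum":        ("reconnaissance", "directory enumeration"),
    "sqli":            ("exploitation", "SQL injection"),
    "xss":             ("exploitation", "cross-site scripting"),
    "webshell_upload": ("installation", "webshell upload"),
    "c2_beacon":       ("command_and_control", "beacon"),
}


def add_attack_chain_labels(alert: dict) -> dict:
    """Attach the stage and technique labels selected by the alert's attack type."""
    stage, technique = TAG_LIBRARY[alert["attack_type"]]
    return {**alert, "stage": stage, "technique": technique}


def build_attack_route(alerts: List[dict], attack_id: str) -> List[dict]:
    """Attack route information for one attack: per stage, the total number of attacks,
    the number of successful ones, the successful attack actions and the start/end time,
    ordered by each stage's start time."""
    stages: Dict[str, dict] = {}
    for alert in alerts:
        if alert["attack_id"] != attack_id:
            continue
        labelled = add_attack_chain_labels(alert)
        ts = datetime.fromisoformat(labelled["time"])
        stage = stages.setdefault(labelled["stage"], {
            "stage": labelled["stage"], "total": 0, "successful": 0,
            "successful_actions": [], "start": ts, "end": ts,
        })
        stage["total"] += 1
        if labelled["success"]:
            stage["successful"] += 1
            stage["successful_actions"].append(labelled["action"])
        stage["start"] = min(stage["start"], ts)
        stage["end"] = max(stage["end"], ts)
    return sorted(stages.values(), key=lambda s: s["start"])


def render_attack_route(route: List[dict]) -> List[str]:
    """One display line per stage, in chronological order of stage start time."""
    return [
        f"{s['start']:%H:%M}-{s['end']:%H:%M} {s['stage']}: {s['total']} attacks, "
        f"{s['successful']} successful"
        + (f" ({', '.join(s['successful_actions'])})" if s["successful_actions"] else "")
        for s in route
    ]


def make_alert(attack_id, time, attack_type, success, action):
    return {"attack_id": attack_id, "time": time, "attack_type": attack_type,
            "success": success, "action": action}


# Constructed alerts (not real telemetry). attack_id is an assumed correlation key
# for one attacker/target pair; a second attacker's alert is included to show it is excluded.
ATTACK_A = "203.0.113.7->10.0.0.5"
ALERTS = [
    make_alert(ATTACK_A, "2023-05-01T09:00:00", "port_scan", False, "TCP SYN scan"),
    make_alert(ATTACK_A, "2023-05-01T09:01:30", "port_scan", False, "TCP SYN scan"),
    make_alert(ATTACK_A, "2023-05-01T09:05:00", "dir_enum", False, "directory brute force"),
    make_alert(ATTACK_A, "2023-05-01T09:20:00", "sqli", False, "boolean-based injection"),
    make_alert(ATTACK_A, "2023-05-01T09:25:00", "sqli", True, "floor() error-based injection"),
    make_alert(ATTACK_A, "2023-05-01T09:40:00", "webshell_upload", True, "webshell upload"),
    make_alert("198.51.100.9->10.0.0.5", "2023-05-01T09:30:00", "xss", False, "reflected XSS"),
]
```

The route for `ATTACK_A` has three stages: reconnaissance (3 attacks, none successful), exploitation (2 attacks, 1 successful) and installation (1 attack, successful), in that order of start time. Sorting by observed start time rather than by a fixed stage order matters in practice: an attacker who returns to reconnaissance after exploiting a host produces a route whose stage order differs from the canonical chain.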
Based on the same inventive concept, the present invention also provides a network attack result detection system, including:
a first extraction module, for extracting a feature to be compared from the network data of a destination host;
a comparison module, for comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
a determination module, for determining that the destination host has suffered a successful network attack when the feature to be compared matches an attack-response rule.
Optionally, the first extraction module includes:
a first extraction unit, for extracting second response data from the network data, wherein the second response data is the response of the destination host to a requested service;
a second extraction unit, for extracting the feature to be compared from the second response data.
Optionally, the first extraction module includes:
a third extraction unit, for extracting request data and second response data from the network data, wherein the request data is a request for service addressed to the destination host, and the second response data is the response of the destination host to the requested service;
a fourth extraction unit, for extracting the feature to be compared from the request data and the second response data.
Optionally, the network attack result detection system further includes:
a feature database creation module, for establishing a feature database containing the one or more attack-response rules before the feature to be compared is compared with the one or more attack-response rules.
Optionally, the feature database creation module includes:
a database creation module, for creating a database;
a second extraction module, for extracting one or more attack-response features, one from each of one or more items of first response data;
a rule formation module, for describing each attack-response feature deterministically to form one or more attack-response rules;
a storage module, for storing the one or more attack-response rules in the database to obtain the feature database.
Optionally, the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module, for creating N databases;
a second extraction module, for extracting two or more attack-response features, one from each of two or more items of first response data;
a rule formation module, for describing each attack-response feature deterministically to form two or more attack-response rules;
a storage module, for storing those of the two or more attack-response rules that belong to the same attack type in the same database, to obtain the sub-feature databases.
Optionally, the rule formation module is a regular expression writing module.
Optionally, the network attack result detection system further includes:
an association creation module, for establishing an association between each attack-response rule and an attack action before the feature to be compared is compared with the one or more attack-response rules;
an attack action determination module, for determining, after it has been determined that the destination host has suffered a successful network attack and according to the association between each attack-response rule and an attack action, the attack action associated with the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
Optionally, the network attack result detection system further includes:
a detection module, for detecting according to the network data whether the destination host has been subjected to a network attack, before the feature to be compared is extracted from the network data of the destination host;
wherein, if the destination host has been subjected to a network attack, the first extraction module extracts the feature to be compared from the network data of the destination host.
Optionally, the detection module includes:
a third extraction module, for extracting a feature to be detected from the network data;
an import module, for importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by means of the artificial intelligence model, and determining from the classification result whether the destination host has been subjected to a network attack and the attack type of that network attack.
Optionally, the third extraction module includes:
a fifth extraction unit, for extracting request data from the network data, wherein the request data is a request for service addressed to the destination host;
a sixth extraction unit, for extracting the feature to be detected from the request data.
Optionally, the network attack result detection system further includes:
a model creation module, for establishing the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model.
Optionally, the model creation module includes:
a collection module, for collecting model training data;
a fourth extraction module, for extracting the features of known network attacks from the model training data to obtain attack feature data;
a classification module, for classifying the attack feature data to obtain training samples;
a training module, for carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data include one or more of attack data published on the internet, vulnerability data published on the internet, attack data already acquired by the destination host, and vulnerability data already acquired by the destination host.
Optionally, the training module is a naive Bayes algorithm module.
Optionally, the network attack result detection system further includes:
an alarm information generation module, for generating alarm information after the feature to be compared is compared with the one or more attack-response rules, wherein the alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of a successful network attack.
Optionally, the network attack result detection system further includes:
a sending module, for sending the alarm information to network management personnel by one or more of mail, short message, dialog box and instant messaging after the alarm information is generated.
Optionally, the network attack result detection system further includes:
a label adding module, for adding a corresponding attack chain label to the alarm information according to its alarm content, wherein the attack chain label characterizes the attack stage of the network attack in the attack chain;
a statistics module, for counting the attack chain labels of the same attack, to obtain, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
a route information generation module, for generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack, wherein the attack route information includes, for each attack stage of the attack, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, the label adding module is used to determine, from a pre-established tag library and according to the alarm content of the alarm information, the attack chain label corresponding to the alarm information.
Optionally, the attack chain label has two or more levels, and the label adding module is used to determine, from the pre-established tag library and according to the alarm content of the alarm information, the label of each level corresponding to the alarm information, wherein the tag library stores M attack chain labels divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes the start and end time of each attack stage, and the network attack result detection system further includes:
a display module, for displaying the attack route information in the order of the start times of the attack stages.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium on which a computer program is stored, the program implementing the above network attack result detection method when executed by a processor.
Based on the same inventive concept, the present invention also provides a computer device, including a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the above network attack result detection method when executing the program.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
Traditional network attack detection methods only detect whether a network attack has occurred, without identifying which network attacks succeeded; they therefore generate a large amount of inaccurate alarm information, and the cost of O&M processing is very high. The network attack result detection method and system provided by the present invention extract a feature to be compared from the network data of a destination host, compare the feature to be compared with one or more attack-response rules, and determine from whether the feature to be compared matches an attack-response rule whether the destination host has suffered a successful network attack. Since each attack-response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request, a match between the feature to be compared and an attack-response rule shows that the network data carries the features of a successful network attack, that is, that the destination host has suffered a successful network attack. The network attack result detection method and system provided by the present invention thus use fine-grained rules to detect attack responses and so distinguish between attack responses, can accurately identify successful network attacks, and provide network management personnel with effective network attack information, thereby improving O&M efficiency and finding real vulnerabilities.
Description of the drawings
The drawings described herein are provided for a further understanding of the embodiments of the present invention and form part of this application; they do not constitute a limitation of the embodiments of the present invention. In the drawings:
Fig. 1 is a flow diagram of the network attack result detection method of an embodiment of the present invention;
Fig. 2 is a flow diagram of establishing the feature database in one embodiment of the present invention;
Fig. 3 is a flow diagram of establishing the feature database in another embodiment of the present invention;
Fig. 4 is a flow diagram of detecting whether the destination host has been subjected to a network attack in an embodiment of the present invention;
Fig. 5 is a flow diagram of establishing the artificial intelligence model in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the attack route information of an embodiment of the present invention;
Fig. 7 is a schematic diagram of the tag library of an embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to embodiments and the drawings. The exemplary embodiments of the present invention and their explanation serve only to explain the present invention and do not limit it.
Embodiment 1
This embodiment provides a network attack result detection method. Fig. 1 is a flow diagram of the method, which includes:
Step S11: extracting a feature to be compared from the network data of a destination host;
Step S12: comparing the feature to be compared with one or more attack-response rules, wherein each attack-response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
Step S13: if the feature to be compared matches an attack-response rule, determining that the destination host has suffered a successful network attack.
Specifically, the destination host may be a server providing various services, a personal computer able to realize specific functions, or any other network device capable of providing network services. The destination host receives request data sent by a terminal device to request a service from it, carries out the corresponding data processing according to the request data to obtain second response data (that is, the second response data is the destination host's response to the requested service), and returns the second response data to the terminal device. The terminal device may be any of various electronic devices with a display and support for interaction, including but not limited to smart phones, tablet computers, personal computers and desktop computers. In the specific application scenario of the present invention, detecting network attacks, the attacker initiating a network attack is usually a user who maliciously sends large volumes of request data; the terminal device the attacker uses may be an electronic device with powerful computing capability, and may even be a server.
The network data of the destination host may be acquired by network sniffing or by network port mirroring. Network sniffing means setting the network card of the destination host to promiscuous mode and capturing the network data of the destination host by invoking a network packet capture tool. Network port mirroring means mapping the acquisition port of the destination host to another port and copying the data in real time, so as to obtain the network data of the destination host. Of course, the specific implementation of acquiring the network data of the destination host is not limited to these two modes, and this embodiment does not restrict it.
After the network data has been collected, the feature to be compared is extracted from it. The network data includes the request data and the second response data; as stated above, the request data is used to request a service from the destination host and is sent by a terminal device to the destination host, and the second response data is the destination host's response to the requested service and is sent by the destination host to the terminal device. Every successful network attack has its own uniqueness, and that uniqueness is mainly embodied in the attacked host's response to the successful attack request. Extracting the feature to be compared therefore means extracting a feature of the second response data. The feature of the second response data may be extracted directly from the network data, or the second response data may first be extracted from the network data and the feature to be compared then extracted from it; this embodiment does not restrict this.
The structure of the second response data differs with the protocol used between the destination host and the terminal device, which includes but is not limited to the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) and the Simple Mail Transfer Protocol (SMTP). Taking an HTTP response as an example, the second response data consists of three parts: a status line, made up of the protocol version (for example HTTP/1.1), a status code and a description of the status code; the response headers, including but not limited to the name and version of the server application program and the type, length and encoding of the response body; and the response body. After the network data has been collected, each field of the HTTP response headers is parsed and the field contents that need to be compared are picked out, that is, the feature to be compared is extracted.
Further, to judge whether a network attack succeeded, one can also reason in reverse from the attacker's point of view, inferring from the response content the features the attack request must have had, so as to improve the accuracy of identifying whether a network attack succeeded. The feature to be compared may therefore also be extracted jointly from the second response data and the request data: the request data and the second response data are extracted from the network data, and the feature to be compared is then extracted from both.
Still taking an HTTP request as an example, the request data consists of three parts: a request line, made up of the method (for example POST), a Uniform Resource Identifier (URI) and the protocol version (for example HTTP/1.1); the request headers, which inform the destination host about the terminal device's request and include but are not limited to the type of browser generating the request, the content types the terminal device can accept and the host name being requested; and the request body. After the network data has been collected, each field of the HTTP request headers and HTTP response headers is parsed and the field contents that need to be compared are picked out, that is, the feature to be compared is extracted.
After the feature to be compared has been obtained, it is compared with the one or more attack-response rules. Still taking HTTP as an example: if the feature to be compared matches some attack-response rule, it is determined that the destination host has suffered a successful network attack; if the feature to be compared matches none of the attack-response rules, it is determined that the destination host has not suffered a successful network attack.
Further, a feature database may be pre-established to store the one or more attack-response rules. The attack-response rules stored in the feature database are formed according to the first response data, and the first response data is the response of an attacked host to a successful attack request; that is, the attack-response rules are pre-generated from the response features of the attack responses corresponding to already known successful attack requests. Fig. 2 is a flow diagram of one way of establishing the feature database provided by this embodiment, which includes:
Step S21: creating a database;
Step S22: extracting one or more attack-response features, one from each of one or more items of first response data;
Step S23: describing each attack-response feature deterministically to form one or more attack-response rules;
Step S24: storing the one or more attack-response rules in the database to obtain the feature database.
Specifically, creating the database means creating a blank storage space. The first response data is the response of an attacked host to a successful attack request and can be collected from attack data published on the internet and/or attack data already acquired by the destination host. For example, an attacker sends a floor() error-based injection attack request to an attacked host, and the floor() error-based injection attack request succeeds; the response of the attacked host to that floor() error-based injection attack request is an item of first response data. Network attacks of the same attack type can be further divided according to the specific attack action; for example, SQL injection attacks include count() error-based injection, rand() error-based injection and floor() error-based injection, among others. First response data can be collected for the network attack of every attack action, so one or more attack-response features can be extracted from one or more items of first response data, each item of first response data yielding one attack-response feature. Like the attack feature data, an attack-response feature may include one or more of the request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address. It should be noted that the attack-response feature can also be set flexibly according to the actual situation, and this embodiment places no restriction on it.
After the attack-response features have been obtained, each attack-response feature is described deterministically, that is, according to a preset rule. In this embodiment, each attack-response feature may be described deterministically with a conventional regular expression, and more complex logic such as arithmetic logic and matching logic may also be added to the regular expression to improve the accuracy of the matching result. After the attack-response rules have been obtained, all attack-response rules are stored in the database, that is, the corresponding data are written into the blank storage space, and the feature database is obtained.
Further, the feature database may also include N sub-feature databases, each sub-feature database storing all attack-response rules of the same attack type, where N is an integer not less than 2. Based on this, Fig. 3 is a flow diagram of another way of establishing the feature database provided in this embodiment; establishing the feature database includes:
Step S31: create N databases;
Step S32: extract more than two attack-response features correspondingly from more than two first response data;
Step S33: describe each attack-response feature deterministically, forming more than two attack-response rules;
Step S34: store the attack-response rules of the same attack type among the more than two attack-response rules in the same database, obtaining the sub-feature databases.
Specifically, step S51 to step S53 can refer to the foregoing description of step S41 to step S43 and are not repeated here. After the more than two attack-response rules are obtained, the attack-response rules of the same attack type are stored in the same database according to the attack type to which each attack-response rule belongs, obtaining the sub-feature databases. In the present embodiment, the sub-feature databases may be a basic feature database, an SQL injection feature database, an XSS dynamic feature database and a tool fingerprint database, where the basic feature database stores command features and file features, the SQL injection feature database stores features of SQL injection attacks, the XSS dynamic feature database stores features of XSS dynamic attacks, and the tool fingerprint database stores "big horse" connection fingerprints and "kitchen knife" fingerprints, i.e. fingerprints of web shell tools. It should be noted that the sub-feature databases can be set flexibly according to the actual situation, and the present embodiment does not limit this.
Further, for the network attack of each attack action, one corresponding attack-response rule is obtained, so an association relationship between each attack-response rule and an attack action can be established. According to the association relationship between each attack-response rule and the attack action, the attack action corresponding to the attack-response rule matched by the feature to be compared is determined as the attack action of the successful network attack. For example, if the attack action corresponding to the attack-response rule that matches the feature to be compared is floor()-function error-based injection, then the attack action of the successful network attack is floor()-function error-based injection.
The present embodiment performs attack-response detection using refined rules, so that attack responses are distinguished and successful network attacks are identified accurately, providing network management personnel with effective network attack information; this improves operation and maintenance efficiency and helps find real vulnerabilities.
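As an added example (not code from the patent), the following Python sketches embodiment 1's feature database: attack-response rules as regular expressions with extra matching logic, grouped into sub-feature databases by attack type and associated with an attack action, and the comparison of a response's feature against one or all sub-feature databases. The rules, the minimal HTTP parsing and the sample responses are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackResponseRule:
    """One attack-response rule: a deterministic description (regular expression plus
    extra matching logic) of the response an attacked host returns to a successful
    attack request, together with the attack action the rule is associated with."""
    name: str
    attack_type: str                     # sub-feature database the rule belongs to
    attack_action: str                   # association relationship: rule -> attack action
    body_pattern: str                    # regular expression over the response body
    status_codes: Tuple[int, ...] = ()   # extra matching logic: allowed HTTP status codes

    def matches(self, status: int, body: str) -> bool:
        if self.status_codes and status not in self.status_codes:
            return False
        return re.search(self.body_pattern, body, re.IGNORECASE | re.DOTALL) is not None


# Feature database split into sub-feature databases keyed by attack type.
# These rules are illustrative, written for this example; they are not the patent's rules.
FEATURE_DATABASE: Dict[str, List[AttackResponseRule]] = {
    "sql_injection": [
        AttackResponseRule(
            name="mysql_floor_duplicate_entry",
            attack_type="sql_injection",
            attack_action="floor() function error-based injection",
            # MySQL's "Duplicate entry ... for key 'group_key'" error is the response
            # signature of a successful floor()-based error injection: the duplicated
            # value echoed in the error text is the data the attacker extracted.
            body_pattern=r"Duplicate entry '[^']*' for key '<?group_key>?'",
            status_codes=(200, 500),
        ),
        AttackResponseRule(
            name="mysql_syntax_error_echoed",
            attack_type="sql_injection",
            attack_action="error-based injection (SQL syntax error disclosed)",
            body_pattern=r"You have an error in your SQL syntax",
        ),
    ],
    "xss_dynamic": [
        AttackResponseRule(
            name="reflected_script_tag",
            attack_type="xss_dynamic",
            attack_action="reflected script injection (payload echoed unescaped)",
            # A production rule would compare the echoed tag with the request parameter;
            # here an unescaped script tag inside the search-result line suffices.
            body_pattern=r"Results for: <script[^>]*>.*?</script>",
            status_codes=(200,),
        ),
    ],
}


def extract_feature(raw_response: str) -> Tuple[int, str]:
    """Extract the feature to be compared (status code and body) from second response
    data, here the text of a minimal HTTP/1.x response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, body


def detect_successful_attack(raw_response: str, attack_type: Optional[str] = None) -> Optional[dict]:
    """Compare the feature to be compared with the attack-response rules. When the attack
    type is already known (embodiment 2), only that sub-feature database is searched;
    otherwise all sub-feature databases are. Returns the matched rule's attack type and
    attack action, or None when no rule matches (no successful attack recognised)."""
    status, body = extract_feature(raw_response)
    libraries = [attack_type] if attack_type else list(FEATURE_DATABASE)
    for library in libraries:
        for rule in FEATURE_DATABASE.get(library, []):
            if rule.matches(status, body):
                return {"attack_type": rule.attack_type,
                        "attack_action": rule.attack_action, "rule": rule.name}
    return None


# Constructed sample responses (not captured from any real host).
RESP_FLOOR_SUCCESS = (
    "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Query failed: Duplicate entry '5.7.26-log1' for key 'group_key'</body></html>"
)
RESP_XSS_REFLECTED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Results for: <script>alert(1)</script></body></html>"
)
RESP_NORMAL = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Results for: shoes (12 items)</body></html>"
)
```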
Embodiment 2
The present embodiment provides another network attack result detection method. Compared with the network attack result detection method provided in embodiment 1, before the feature to be compared is extracted from the network data, the method further includes: detecting, according to the network data, whether the destination host is under network attack; and if the destination host is under network attack, performing the step of extracting the feature to be compared from the network data.
Whether the destination host is under network attack may be detected using a conventional network attack detection method. Considering that conventional network attack detection methods have a high false-negative rate and poor flexibility, the present embodiment provides a specific method for detecting whether the destination host is under network attack. Fig. 4 is a flow diagram of detecting whether the destination host is under network attack, which includes:
Step S41: extract a feature to be detected from the network data;
Step S42: import the feature to be detected into a pre-established artificial intelligence model, classify the feature to be detected by the artificial intelligence model, and determine, according to the classification result, whether the destination host is under network attack and the attack type of the network attack.
As described above, the network data includes request data and second response data. Extracting the feature to be detected may mean extracting the feature of the request data directly from the network data to obtain the feature to be detected, or first extracting the request data from the network data and then extracting the feature to be detected from the request data; the present embodiment does not limit this. Extracting the feature to be detected is similar to extracting the feature to be compared described in embodiment 1 and is not elaborated here.
After the feature to be detected is obtained, it is imported into the pre-established artificial intelligence model, which classifies it to obtain a classification result. The artificial intelligence model may be a machine learning classification model, such as a naive Bayes classification model, or a deep learning classification model. If the classification result is that the feature to be detected belongs neither to a network attack of any known attack type nor to a network attack of an unknown attack type, it is determined that the destination host is not under network attack; if the classification result is that the feature to be detected belongs to a network attack of a certain known attack type, it is determined that the destination host is under a network attack of that attack type; if the classification result is that the feature to be detected belongs to a network attack of an unknown attack type, it is determined that the destination host is under a network attack of unknown attack type.
In the method for detecting whether the destination host is under network attack provided in this embodiment, the artificial intelligence model is a classification model built with artificial intelligence technology, with capabilities such as self-learning, self-organization and adaptation, so it can effectively discover novel or mutated network attacks and make up for the shortcoming that conventional network attack detection methods cannot detect unknown network attacks. Overall network attack detection capability is improved, the false-negative rate can be reduced, and the attack type of the network attack can be determined according to the classification result.
Further, before the feature to be detected is imported into the pre-established artificial intelligence model, the artificial intelligence model also needs to be established. Fig. 5 is a flow diagram of establishing the artificial intelligence model, which includes:
Step S51: collect model training data;
Step S52: extract features of known network attacks from the model training data to obtain attack feature data;
Step S53: classify the attack feature data to obtain training samples;
Step S54: perform model training according to the training samples to obtain the artificial intelligence model.
Specifically, the model training data includes one or more combinations of attack data published on the internet, vulnerability data published on the internet, attack data collected by the destination host and vulnerability data collected by the destination host. The attack data is data extracted from existing network attack cases, and the vulnerability data is data extracted from existing vulnerability cases. The attack data and the vulnerability data may be published on the internet, or may be analysed and refined by the destination host from attack events it has suffered in the past.
After the model training data is obtained, features of known network attacks are extracted from it to obtain attack feature data. Further, the extracted attack feature data may include one or more combinations of request time, IP information, port information, protocol type, packet-sending frequency, mail address, file name and target URL address. It should be noted that the attack feature data can be set flexibly according to the actual situation, and the present embodiment does not limit this. After the attack feature data is obtained, it is classified according to the attack type of the network attack it belongs to, forming training samples; the attack types of the network attack include but are not limited to SQL injection attacks and XSS attacks.
Performing model training according to the training samples means calculating the frequency of occurrence of the network attack of each attack type in the training samples and estimating the conditional probability of each attack feature datum given the network attack of each attack type, and recording the calculation results to obtain the artificial intelligence model. In the present embodiment, the algorithm used for model training is the naive Bayes algorithm. The naive Bayes algorithm performs well on small-scale data, suits multi-class tasks and suits incremental training. Of course, other machine learning classification algorithms or deep learning classification algorithms may also be used for model training; for example, a decision tree algorithm may be used, and the present embodiment does not limit this.
The method for detecting whether the destination host is under network attack provided in this embodiment can not only detect whether the destination host is under network attack but also obtain the attack type of the network attack. With the feature database created according to the flow shown in Fig. 3 in embodiment 1, comparing the feature to be compared with more than one attack-response rule specifically includes: comparing the feature to be compared with more than one attack-response rule in the sub-feature database corresponding to the attack type of the network attack. For example, if the attack type of the network attack is SQL injection attack, the feature to be compared is compared with more than one attack-response rule in the SQL injection feature database; if the attack type of the network attack is XSS dynamic attack, the feature to be compared is compared with more than one attack-response rule in the XSS dynamic feature database. By setting the feature database as multiple sub-feature databases, the number of attack-response rules compared with the feature to be compared can be reduced, since matching need only be performed against the attack-response rules in a certain sub-feature database, thereby improving the efficiency of comparing the feature to be compared with the attack-response rules.
The present embodiment extracts the feature to be compared and matches it against the attack-response rules only after detecting that the destination host is under network attack, so there is no need to extract the feature to be compared from all network data and match it against the attack-response rules, thereby improving the efficiency of identifying successful network attacks.
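The naive Bayes training and classification described above, as an added example not taken from the patent: the model is nothing but the recorded class frequencies and Laplace-smoothed conditional probabilities of each categorical feature value, it is updated incrementally, and the resulting attack type selects which sub-feature database the attack-response rules are drawn from. The derived feature set, the class names and the training requests are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Tuple

Features = Dict[str, str]   # attack feature data: categorical feature name -> value

# Lexical markers used to derive request features (constructed for this example).
SQL_KEYWORDS = re.compile(r"\b(union|select|or|and|sleep|floor|rand|count)\b")
JS_MARKERS = re.compile(r"\bon[a-z]+\s*=|alert\(|script")


def request_features(method: str, url: str, port: int) -> Features:
    """Extract the feature to be detected from request data: protocol details (method,
    port) plus simple lexical properties of the URL query string."""
    query = url.split("?", 1)[1].lower() if "?" in url else ""
    return {
        "method": method.upper(),
        "port": str(port),
        "quote": "yes" if "'" in query or '"' in query else "no",
        "tag": "yes" if re.search(r"<[a-z]", query) else "no",
        "sql_kw": "yes" if SQL_KEYWORDS.search(query) else "no",
        "js_marker": "yes" if JS_MARKERS.search(query) else "no",
    }


class NaiveBayesAttackClassifier:
    """Categorical naive Bayes. The 'model' is the recorded counts: how often each
    attack type occurs and how often each feature value occurs per attack type.
    New training samples simply add to the counts (incremental training)."""

    def __init__(self) -> None:
        self.class_counts: Counter = Counter()
        self.value_counts: Dict[str, Dict[str, Counter]] = defaultdict(lambda: defaultdict(Counter))
        self.value_sets: Dict[str, set] = defaultdict(set)

    def update(self, samples: Iterable[Tuple[Features, str]]) -> None:
        for feats, label in samples:
            self.class_counts[label] += 1
            for name, value in feats.items():
                self.value_counts[label][name][value] += 1
                self.value_sets[name].add(value)

    def posterior(self, feats: Features) -> Dict[str, float]:
        """P(attack type | features): log prior plus the sum of log Laplace-smoothed
        conditional probabilities, normalised over the known attack types."""
        total = sum(self.class_counts.values())
        log_scores = {}
        for label, n_c in self.class_counts.items():
            score = math.log(n_c / total)                    # frequency of the attack type
            for name, value in feats.items():
                k = len(self.value_sets[name]) or 1           # values seen for this feature
                count = self.value_counts[label][name][value]
                score += math.log((count + 1) / (n_c + k))   # conditional probability
            log_scores[label] = score
        top = max(log_scores.values())
        unnormalised = {label: math.exp(s - top) for label, s in log_scores.items()}
        z = sum(unnormalised.values())
        return {label: v / z for label, v in unnormalised.items()}

    def classify(self, feats: Features, threshold: float = 0.5) -> str:
        """Most probable attack type, or 'unknown' when no known type is convincing
        (the page's unknown-attack-type outcome; the threshold is an assumption)."""
        label, p = max(self.posterior(feats).items(), key=lambda kv: kv[1])
        return label if p >= threshold else "unknown"


# Constructed training requests: (method, url, port, attack type); "normal" = no attack.
TRAINING_REQUESTS = [
    ("GET", "/item?id=1' or '1'='1", 80, "sql_injection"),
    ("GET", "/item?id=1 union select 1,2,3", 80, "sql_injection"),
    ("GET", "/search?q=x' and 1=1--", 443, "sql_injection"),
    ("POST", "/login?user=admin'--", 443, "sql_injection"),
    ("GET", "/search?q=<script>alert(1)</script>", 80, "xss_dynamic"),
    ("GET", "/search?q=<img src=x onerror=alert(1)>", 80, "xss_dynamic"),
    ("GET", "/item?id=<svg onload=alert(1)>", 80, "xss_dynamic"),
    ("POST", "/login?user=<script>document.cookie</script>", 443, "xss_dynamic"),
    ("GET", "/item?id=42", 80, "normal"),
    ("GET", "/search?q=shoes", 80, "normal"),
    ("POST", "/login?user=alice", 443, "normal"),
    ("GET", "/search?q=red and blue", 80, "normal"),
    ("GET", "/index.html", 443, "normal"),
    ("POST", "/login?user=bob", 443, "normal"),
]

# Which sub-feature database (embodiment 1, Fig. 3) the detected attack type selects.
SUB_FEATURE_DATABASE = {"sql_injection": "sql_injection_feature_db",
                        "xss_dynamic": "xss_dynamic_feature_db"}


def build_model() -> NaiveBayesAttackClassifier:
    clf = NaiveBayesAttackClassifier()
    clf.update((request_features(m, u, p), label) for m, u, p, label in TRAINING_REQUESTS)
    return clf


def sub_feature_database_for(attack_type: str) -> Optional[str]:
    """No sub-feature database for 'normal' or 'unknown': nothing to compare against."""
    return SUB_FEATURE_DATABASE.get(attack_type)
```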
Embodiment 3
The present embodiment provides another network attack result detection method. Compared with the network attack result detection method provided in embodiment 2, after the feature to be compared is compared with more than one attack-response rule, warning information may also be generated, where the warning information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack. For example, when the destination host is under an SQL injection attack but the attack is unsuccessful, the warning information may be "SQL injection attack, attack invalid"; when the destination host is under an SQL injection attack and the attack succeeds, the specific attack action being error-based injection using the floor() function, the warning information may be "SQL injection attack, attack succeeded, floor() function error-based injection".
Further, after the warning information is generated, it may also be sent to network management personnel. For example, the warning information may be sent by mail to a specified email address, sent by short message to a specified mobile terminal, displayed directly on the destination host in a dialog box, or sent to network management personnel by instant messaging. Of course, the warning information may be sent to network management personnel using any one of the above methods, or using a combination of several of them.
By generating the warning information and sending it to network management personnel, network management personnel can intuitively grasp the network attack situation the destination host is subject to.
Embodiment 4
Embodiment 3 adopts an alarm mode in which each network attack corresponds to one piece of warning information, i.e. each time a network attack is detected, one piece of warning information is generated. However, isolated warning information cannot accurately reflect the security state of the destination host; such an attack display cannot grasp the attack process as a whole. Therefore, the present embodiment provides another network attack result detection method. Compared with the network attack result detection method provided in embodiment 3, after the warning information is generated, the present embodiment further includes:
adding a corresponding attack chain label to the warning information according to the warning content of the warning information, where the attack chain label characterizes the attack stage of the network attack in the attack chain;
counting each attack chain label of the same attack event, obtaining the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, where the attack route information includes the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
The warning content of the warning information differs with the attack stage of the network attack the destination host is subject to, i.e. the warning content reveals the attack purpose that the network attack corresponding to the warning information seeks to achieve, and warning information with different warning content corresponds to different attack stages. Therefore, the attack stage can be determined according to the warning content of the warning information corresponding to the network attack the destination host is subject to. Specifically, according to the warning content of the warning information, the attack chain label corresponding to the warning information is determined from a pre-established tag library. The tag library stores M attack chain labels, each attack chain label characterizing one attack stage in the attack chain. The attack chain refers to the series of cyclic processing procedures by which an attacker goes from reconnaissance of the destination host to destruction, and is usually made up of several different attack stages. For example, the attack chain may consist of six attack stages: a reconnaissance stage, an intrusion stage, a command and control stage, a lateral movement stage, a data leakage stage and a trace cleaning stage, i.e. the value of M is 6. Correspondingly, the M attack chain labels are a reconnaissance label, an intrusion label, a command and control label, a lateral movement label, a data leakage label and a trace cleaning label. Of course, the division of the attack chain is not limited to this, and can be set flexibly according to the actual situation.
As described above, warning information with different warning content corresponds to different attack stages, and each attack chain label characterizes one attack stage, so the association relationship between warning information with different warning content and different attack chain labels can be pre-established according to published attack events. According to the warning content of the warning information, the attack chain label corresponding to the warning information can then be determined from the pre-established tag library. Taking as an example warning information whose network attack type is a PHP code execution attack: a PHP code execution attack lies in the command and control stage of the attack chain, so the attack chain label added to the warning information is the "command and control" label. Further, the attack chain label may be added as an attribute of the warning information.
After corresponding attack chain labels are added to all warning information of one attack event, the total number of network attacks in each attack stage of the attack event can be obtained by counting the number of identical attack chain labels. For example, counting the number of reconnaissance labels gives the total number of network attacks in the reconnaissance stage of the attack event; counting the number of intrusion labels gives the total number of network attacks in the intrusion stage of the attack event. Taking as an example an attack event in which the destination host is subject to 10 network attacks, 10 pieces of warning information are generated correspondingly, and the attack chain labels corresponding to the 10 pieces of warning information are: reconnaissance label, reconnaissance label, intrusion label, intrusion label, intrusion label, reconnaissance label, intrusion label, command and control label, command and control label and command and control label. By counting the 10 attack chain labels, it is known that the destination host is subject to 3 network attacks in the reconnaissance stage, 4 network attacks in the intrusion stage and 3 network attacks in the command and control stage.
To obtain the number of successful network attacks in each attack stage of the attack event, the warning information corresponding to successful network attacks may be screened out, and then the number of identical attack chain labels among the attack chain labels corresponding to the screened warning information is counted, giving the number of successful network attacks in each attack stage of the attack event. Combined with the content of the screened warning information, the attack actions of the successful network attacks in each attack stage of the attack event can be obtained.
The attack route information is generated after the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event are obtained. Further, the attack route information may also include the start and end time of each attack stage, and after the attack route information is generated it may be displayed in the order of the start time of each attack stage. The start time of each attack stage is the time of the first network attack in that attack stage, and the end time of each attack stage is the time of the last network attack in that attack stage. Taking again the example in which the destination host is subject to 10 network attacks, if the start and end time of the reconnaissance stage is 2018-3-15 03:20~2018-3-19 15:12, the start and end time of the intrusion stage is 2018-3-17 07:38~2018-3-21 05:21, and the start and end time of the command and control stage is 2018-3-20 14:47~2018-3-20 18:21, then the network attack route information generated according to the statistical results can be displayed as "2018-3-15 03:20~2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38~2018-3-21 05:21, intrusion stage, 4 times; 2018-3-20 14:47~2018-3-20 18:21, command and control stage, 4 times". Of course, the attack route information may also include information such as the IP address of the destination host and the duration of the entire attack event, as shown in Fig. 6, and the present embodiment does not limit this.
Further, since each attack stage in the attack chain can itself be divided into several smaller attack stages, each smaller attack stage is also characterized by an attack chain label. Correspondingly, the attack chain labels may include two or more levels, and adding the corresponding attack chain label to the warning information according to the warning content of the warning information includes: determining, according to the warning content of the warning information, the labels at each level corresponding to the warning information from the pre-established tag library, where the tag library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
Fig. 7 is a schematic diagram of a tag library provided in this embodiment, in which the attack chain labels are divided into three levels. The level-1 labels include a reconnaissance label, an intrusion label, a command and control label, a lateral movement label, a data leakage label and a trace cleaning label. The level-2 labels under the reconnaissance label include a port scan label, an information leakage label, an IP scan label and a subdomain collection label; the level-2 labels under the intrusion label include a vulnerability detection label, a vulnerability exploitation label, a denial of service label, a brute force label and a high-risk operation label; the level-2 labels under the command and control label include a host controlled label, a hacking tool upload label, a relay server behaviour label, a privilege escalation label, an antivirus software disabled label and a host information acquisition label; the level-2 labels under the lateral movement label include an intranet reconnaissance label, a sniffing attack label, an intranet vulnerability detection label and an intranet vulnerability exploitation label; the level-2 labels under the data leakage label include a file download label and a database dumping label; the level-2 labels under the trace cleaning label include a backdoor deletion label, an attack service shutdown label and a log clearing label. The level-3 labels under the high-risk operation label include a database operation label and a weak password successful login label.
By setting the attack chain labels at multiple levels, the attack stages in the attack chain can be described more fully, so that the whole process of the attack event is shown to network management personnel in more detail. It should be noted that the tag library may be created by the destination host or by another host; in the latter case the destination host calls the tag library on the other host directly when it needs to add a corresponding attack chain label. Further, the corresponding attack chain label may also be added to the warning information directly, without creating the tag library.
After the attack route information is generated, it may be sent to network management personnel by one or more of mail, short message, dialog box and instant messaging. By adding corresponding attack chain labels to the warning information and counting, according to the attack chain labels, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the attack chain of the attack event can be divided again, and the whole process of the attack can be shown to network management personnel stage by stage from the perspective of big data analysis, avoiding a chaotic attack route.
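As an added example (not the patent's code), the following Python covers both the attack chain labelling with per-stage statistics and route information of this embodiment and the multi-level tag library of Fig. 7: a label is resolved from the warning content up to its level-1 stage, and per stage the total attacks, successful attacks, their attack actions and the first/last attack time are gathered. The tag library subset, the warning-content-to-label association and the ten constructed warnings (following the page's 3/4/3 example) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Tag library: label -> parent label (None for the six level-1 attack chain stages).
# A constructed subset of the three-level library of Fig. 7.
TAG_LIBRARY: Dict[str, Optional[str]] = {
    "reconnaissance": None, "intrusion": None, "command_and_control": None,
    "lateral_movement": None, "data_leakage": None, "trace_cleaning": None,
    # level 2
    "port_scan": "reconnaissance", "subdomain_collection": "reconnaissance",
    "vulnerability_exploitation": "intrusion", "brute_force": "intrusion",
    "high_risk_operation": "intrusion",
    "host_controlled": "command_and_control", "hacking_tool_upload": "command_and_control",
    "file_download": "data_leakage", "log_clearing": "trace_cleaning",
    # level 3
    "database_operation": "high_risk_operation", "weak_password_login": "high_risk_operation",
}

# Association between warning content and the most specific attack chain label.
# Constructed here; the page builds this association from published attack events.
CONTENT_TO_LABEL = {
    "port scan": "port_scan",
    "subdomain collection": "subdomain_collection",
    "sql injection attack": "vulnerability_exploitation",
    "weak password successful login": "weak_password_login",
    "php code execution attack": "host_controlled",
    "hacking tool upload": "hacking_tool_upload",
}


@dataclass
class WarningInfo:
    time: datetime
    content: str                  # warning content, as generated in embodiment 3
    success: bool                 # whether the network attack succeeded
    action: Optional[str] = None  # attack action of a successful network attack


def label_chain(content: str) -> List[str]:
    """Labels at each level for one piece of warning information, most specific first,
    e.g. ['weak_password_login', 'high_risk_operation', 'intrusion']; [] if unknown."""
    text = content.lower()
    label = next((lbl for key, lbl in CONTENT_TO_LABEL.items() if key in text), None)
    if label is None:
        return []
    chain = [label]
    while TAG_LIBRARY[chain[-1]] is not None:
        chain.append(TAG_LIBRARY[chain[-1]])
    return chain


def attack_route(warnings: List[WarningInfo]) -> List[dict]:
    """Statistics per level-1 attack stage: total attacks, successful attacks, their
    attack actions and the stage's start/end time (first/last attack in the stage),
    ordered by start time as the page displays them."""
    stages: Dict[str, dict] = {}
    for w in warnings:
        chain = label_chain(w.content)
        if not chain:
            continue   # no label: the warning cannot be placed in the attack chain
        rec = stages.setdefault(chain[-1], {"stage": chain[-1], "total": 0, "success": 0,
                                            "actions": [], "start": w.time, "end": w.time})
        rec["total"] += 1
        rec["start"], rec["end"] = min(rec["start"], w.time), max(rec["end"], w.time)
        if w.success:
            rec["success"] += 1
            if w.action:
                rec["actions"].append(w.action)
    return sorted(stages.values(), key=lambda r: r["start"])


def format_route(route: List[dict]) -> str:
    """Render the route information in the page's 'start~end, stage, count' style."""
    return "; ".join(
        f"{r['start']:%Y-%m-%d %H:%M}~{r['end']:%Y-%m-%d %H:%M}, {r['stage']} stage: "
        f"{r['total']} times, {r['success']} successful" for r in route)


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Ten constructed warnings for one attack event, following the page's 3/4/3 example.
SAMPLE_WARNINGS = [
    WarningInfo(_t("2018-03-15 03:20"), "port scan", False),
    WarningInfo(_t("2018-03-16 10:05"), "subdomain collection", False),
    WarningInfo(_t("2018-03-17 07:38"), "SQL injection attack, attack invalid", False),
    WarningInfo(_t("2018-03-18 01:12"), "SQL injection attack, attack succeeded, "
                "floor() function error-based injection", True, "floor() function error-based injection"),
    WarningInfo(_t("2018-03-19 09:40"), "weak password successful login", True, "weak password login"),
    WarningInfo(_t("2018-03-19 15:12"), "port scan", False),
    WarningInfo(_t("2018-03-21 05:21"), "SQL injection attack, attack invalid", False),
    WarningInfo(_t("2018-03-20 14:47"), "PHP code execution attack, attack succeeded", True, "PHP code execution"),
    WarningInfo(_t("2018-03-20 16:00"), "hacking tool upload", True, "hacking tool upload"),
    WarningInfo(_t("2018-03-20 18:21"), "PHP code execution attack, attack invalid", False),
]
```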
Embodiment 5
The present embodiment provides a network attack result detection system, which includes: a first extraction module for extracting a feature to be compared from the network data of a destination host; a comparison module for comparing the feature to be compared with more than one attack-response rule, where the attack-response rule is formed according to first response data, and the first response data is the response of an attacked host to a successful attack request; and a determination module for determining that the destination host is under a successful network attack when the feature to be compared matches the attack-response rule.
Further, the first extraction module may include: a first extraction unit for extracting second response data from the network data, where the second response data is the response of the destination host to a service request; and a second extraction unit for extracting the feature to be compared from the second response data.
Further, the first extraction module may also include: a third extraction unit for extracting request data and second response data from the network data, where the request data is used to initiate a service request to the destination host and the second response data is the response of the destination host to the service request; and a fourth extraction unit for extracting the feature to be compared from the request data and the second response data.
Further, the network attack result detection system further includes: a feature database creation module for establishing a feature database containing the more than one attack-response rule before the feature to be compared is compared with more than one attack-response rule. Specifically, the feature database creation module may include: a database creation module for creating a database; a second extraction module for correspondingly extracting more than one attack-response feature from more than one first response data; a rule forming module for describing each attack-response feature deterministically to form more than one attack-response rule; and a storage module for storing the more than one attack-response rule into the database to obtain the feature database.
The feature database may include N sub-feature databases, N being an integer not less than 2. Based on this, the feature database creation module may also include: a database creation module for creating N databases; a second extraction module for correspondingly extracting more than two attack-response features from more than two first response data; a rule forming module for describing each attack-response feature deterministically to form more than two attack-response rules; and a storage module for storing the attack-response rules of the same attack type among the more than two attack-response rules into the same database to obtain the sub-feature databases.
Further, the network attack result detection system further includes: an association relationship creation module for establishing an association relationship between each attack-response rule and an attack action before the feature to be compared is compared with more than one attack-response rule; and an attack action determining module for determining, after the destination host is determined to be under a successful network attack and according to the association relationship between each attack-response rule and the attack action, the attack action corresponding to the attack-response rule matched by the feature to be compared as the attack action of the successful network attack.
The specific operating principle of the network attack result detection system can refer to the description of step S11 to step S13 in embodiment 1 and is not described again in the present embodiment.
Embodiment 6
The present embodiment provides another network attack result detection system. Compared with the network attack result detection system provided in embodiment 5, the network attack result detection system further includes: a detection module for detecting, according to the network data, whether the destination host is under network attack before the feature to be compared is extracted from the network data of the destination host; if the destination host is under network attack, the first extraction module is used to extract the feature to be compared from the network data of the destination host.
Further, the detection module includes: a third extraction module for extracting a feature to be detected from the network data; and an import module for importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host is under network attack and the attack type of the network attack.
Further, the third extraction module includes: a fifth extraction unit for extracting request data from the network data, where the request data is used to initiate a service request to the destination host; and a sixth extraction unit for extracting the feature to be detected from the request data.
Further, the network attack result detection system further includes: a model creation module for establishing the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model. Specifically, the model creation module includes: a collection module for collecting model training data; a fourth extraction module for extracting features of known network attacks from the model training data to obtain attack feature data; a classification module for classifying the attack feature data to obtain training samples; and a training module for performing model training according to the training samples to obtain the artificial intelligence model.
The specific operating principle of the network attack result detection system can refer to the description of each step in embodiment 2 and is not described again in the present embodiment.
Embodiment 7
The present embodiment provides another network attack result detection system. Compared with the network attack result detection system provided by embodiment 6, the network attack result detection system further includes: an alert information generation module for generating alert information, wherein the alert information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack. Further, the network attack identification system further includes: a sending module for sending the alert information to network management personnel through one or a combination of mail, SMS, dialog box and instant messaging.
For the specific operating principle of the network attack result detection system, reference may be made to the description of each step in embodiment 3, which is not repeated in the present embodiment.
Embodiment 8
The present embodiment provides another network attack result detection system. Compared with the network attack result detection system provided by embodiment 7, the network attack result detection system further includes: a label adding module for adding a corresponding attack chain label to the alert information according to the alert content of the alert information, wherein the attack chain label is used to characterize the attack stage at which the network attack is located in the attack chain; a statistics module for counting each attack chain label of the same attack action to obtain the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action; and a route information generation module for generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action.
Further, the attack chain label includes two or more levels, and the label adding module is used to determine, from a pre-established label library and according to the alert content of the alert information, the labels at each level corresponding to the alert information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
Further, the attack route information further includes the start and end time of each attack stage, and the artificial-intelligence-based network attack detection system further includes: a display module for displaying the attack route information in the order of the start time of each attack stage.
For the specific operating principle of the network attack result detection system, reference may be made to the description of each step in embodiment 4, which is not repeated in the present embodiment.
Embodiment 9
The present embodiment provides a computer readable storage medium on which a computer program is stored. If the network attack result detection method provided by embodiment 1 to embodiment 4 of the present invention is implemented in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer readable storage medium. Based on this understanding, all or part of the process of the network attack result detection method provided by embodiment 1 to embodiment 4 of the present invention may also be completed by a computer program instructing the relevant hardware. The computer program may be stored in a computer readable storage medium, and when the computer program is executed by a processor, the steps of each of the above method embodiments can be realized.
The computer program includes computer program code, and the computer program code may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like. It should be noted that the content included in the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunication signals.
The above specific embodiments further describe in detail the purpose, technical solutions and beneficial effects of the present invention. It should be understood that the above is merely a specific embodiment of the present invention and is not intended to limit the protection scope of the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
The present invention discloses A1, a network attack result detection method, including:
extracting a feature to be compared from network data of a destination host;
comparing the feature to be compared with one or more attack-response rules, wherein the attack-response rules are formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
if the feature to be compared matches the attack-response rule, determining that the destination host has been subjected to a successful network attack.
A2, the network attack result detection method according to A1, wherein extracting the feature to be compared from the network data of the destination host includes:
extracting second response data from the network data, wherein the second response data is used by the destination host to respond to a request for service;
extracting the feature to be compared from the second response data.
A3, the network attack result detection method according to A1, wherein extracting the feature to be compared from the network data of the destination host includes:
extracting request data and second response data from the network data, wherein the request data is used to initiate a request for service to the destination host, and the second response data is used by the destination host to respond to the request for service;
extracting the feature to be compared from the request data and the second response data.
A4, the network attack result detection method according to A1, before comparing the feature to be compared with the one or more attack-response rules, further including:
establishing a feature database containing the one or more attack-response rules.
A5, the network attack result detection method according to A4, wherein establishing the feature database containing the one or more attack-response rules includes:
creating a database;
extracting one or more attack-response features correspondingly from one or more first response data;
describing each attack-response feature deterministically to form one or more attack-response rules;
storing the one or more attack-response rules into the database to obtain the feature database.
A6, the network attack result detection method according to A4, wherein the feature database includes N sub-feature databases, N being an integer not less than 2, and establishing the feature database containing the one or more attack-response rules includes:
creating N databases;
extracting two or more attack-response features correspondingly from two or more first response data;
describing each attack-response feature deterministically to form two or more attack-response rules;
storing the attack-response rules that belong to the same attack type among the two or more attack-response rules into the same database to obtain the sub-feature databases.
A7, the network attack result detection method according to A5 or A6, wherein describing each attack-response feature deterministically includes:
describing each attack-response feature deterministically using a regular expression.
A8, the network attack result detection method according to A1, before comparing the feature to be compared with the one or more attack-response rules, further including:
establishing an association relationship between each attack-response rule and an attack action;
and after determining that the destination host has been subjected to a successful network attack, further including:
according to the association relationship between each attack-response rule and the attack action, determining the attack action corresponding to the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
A9, the network attack result detection method according to A8, before extracting the feature to be compared from the network data of the destination host, further including:
detecting, according to the network data, whether the destination host has been subjected to a network attack;
if the destination host has been subjected to the network attack, executing the step of extracting the feature to be compared from the network data of the destination host.
A10, the network attack result detection method according to A9, wherein detecting according to the network data whether the destination host has been subjected to a network attack includes:
extracting a feature to be detected from the network data;
importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host has been subjected to a network attack and the attack type of the network attack.
A11, the network attack result detection method according to A10, wherein extracting the feature to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used to initiate a request for service to the destination host;
extracting the feature to be detected from the request data.
A12, the network attack result detection method according to A10, before importing the feature to be detected into the pre-established artificial intelligence model, further including:
establishing the artificial intelligence model.
A13, the network attack result detection method according to A12, wherein establishing the artificial intelligence model includes:
collecting model training data;
extracting the features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
performing model training according to the training samples to obtain the artificial intelligence model.
A14, the network attack result detection method according to A13, wherein collecting the model training data includes:
collecting one or a combination of attack data published on the internet, vulnerability data published on the internet, attack data already acquired by the destination host, and vulnerability data already acquired by the destination host.
A15, the network attack result detection method according to A13, wherein performing model training according to the training samples includes:
performing model training with a naive Bayes algorithm according to the training samples.
A16, the network attack result detection method according to A10, after comparing the feature to be compared with the one or more attack-response rules, further including:
generating alert information, wherein the alert information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack.
A17, the network attack result detection method according to A16, after generating the alert information, further including:
sending the alert information to network management personnel through one or a combination of mail, SMS, dialog box and instant messaging.
A18, the network attack result detection method according to A16, after generating the alert information, further including:
adding a corresponding attack chain label to the alert information according to the alert content of the alert information, wherein the attack chain label is used to characterize the attack stage at which the network attack is located in the attack chain;
counting each attack chain label of the same attack action to obtain the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action;
generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action.
A19, the network attack result detection method according to A18, wherein adding the corresponding attack chain label to the alert information according to the alert content of the alert information includes:
determining, from a pre-established label library and according to the alert content of the alert information, the attack chain label corresponding to the alert information.
A20, the network attack result detection method according to A18, wherein the attack chain label includes two or more levels, and adding the corresponding attack chain label to the alert information according to the alert content of the alert information includes:
determining, from a pre-established label library and according to the alert content of the alert information, the first-level label corresponding to the alert information;
determining, from the pre-established label library and according to the alert content of the alert information, the labels at each level corresponding to the alert information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
A21, the network attack result detection method according to A18, wherein the attack route information further includes the start and end time of each attack stage;
and after generating the attack route information according to the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action, further including:
displaying the attack route information in the order of the start time of each attack stage.
The invention also discloses B22, a network attack result detection system, including:
a first extraction module for extracting a feature to be compared from network data of a destination host;
a comparison module for comparing the feature to be compared with one or more attack-response rules, wherein the attack-response rules are formed according to first response data, and the first response data is the response of an attacked host to a successful attack request;
a determination module for determining that the destination host has been subjected to a successful network attack when the feature to be compared matches the attack-response rule.
B23, the network attack result detection system according to B22, wherein the first extraction module includes:
a first extraction unit for extracting second response data from the network data, wherein the second response data is used by the destination host to respond to a request for service;
a second extraction unit for extracting the feature to be compared from the second response data.
B24, the network attack result detection system according to B22, wherein the first extraction module includes:
a third extraction unit for extracting request data and second response data from the network data, wherein the request data is used to initiate a request for service to the destination host, and the second response data is used by the destination host to respond to the request for service;
a fourth extraction unit for extracting the feature to be compared from the request data and the second response data.
B25, the network attack result detection system according to B22, further including:
a feature database creation module for establishing a feature database containing the one or more attack-response rules before the feature to be compared is compared with the one or more attack-response rules.
B26, the network attack result detection system according to B25, wherein the feature database creation module includes:
a database creation module for creating a database;
a second extraction module for extracting one or more attack-response features correspondingly from one or more first response data;
a rule forming module for describing each attack-response feature deterministically to form one or more attack-response rules;
a storage module for storing the one or more attack-response rules into the database to obtain the feature database.
B27, the network attack result detection system according to B25, wherein the feature database includes N sub-feature databases, N being an integer not less than 2, and the feature database creation module includes:
a database creation module for creating N databases;
a second extraction module for extracting two or more attack-response features correspondingly from two or more first response data;
a rule forming module for describing each attack-response feature deterministically to form two or more attack-response rules;
a storage module for storing the attack-response rules that belong to the same attack type among the two or more attack-response rules into the same database to obtain the sub-feature databases.
B28, the network attack result detection system according to B26 or B27, wherein the rule forming module is a regular expression writing module.
B29, the network attack result detection system according to B22, further including:
an association relationship creation module for establishing an association relationship between each attack-response rule and an attack action before the feature to be compared is compared with the one or more attack-response rules;
an attack action determination module for determining, after it has been determined that the destination host has been subjected to a successful network attack and according to the association relationship between each attack-response rule and the attack action, the attack action corresponding to the attack-response rule that matches the feature to be compared as the attack action of the successful network attack.
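The rule-matching path of A1 to A8 and B22 to B29 (and the corresponding modules of embodiment 6), as an added Python example that is not the patent's own code: attack-response rules are regular expressions over response content, stored in sub-feature databases keyed by attack type, each associated with an attack action; the feature to be compared is taken from request data and the host's second response data. The rule texts, the sample traffic and all names are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AttackResponseRule:
    """One attack-response rule: a deterministic (regular-expression) description of a
    feature taken from first response data, i.e. the response an attacked host gives to
    a successful attack request, plus the attack action associated with the rule."""
    name: str
    attack_type: str
    pattern: re.Pattern
    attack_action: str


@dataclass
class FeatureDatabase:
    """Feature database made of N sub-feature databases keyed by attack type:
    rules of the same attack type are stored in the same sub-database."""
    sub_databases: dict = field(default_factory=dict)

    def add_rule(self, rule: AttackResponseRule) -> None:
        self.sub_databases.setdefault(rule.attack_type, []).append(rule)

    def rules(self, attack_type=None) -> list:
        if attack_type is None:
            return [r for rules in self.sub_databases.values() for r in rules]
        return list(self.sub_databases.get(attack_type, []))


def build_feature_database() -> FeatureDatabase:
    # Constructed rules (the page gives no rule text). Each pattern describes response
    # content that is only present when the corresponding attack request succeeded.
    db = FeatureDatabase()
    db.add_rule(AttackResponseRule(
        "sqli_syntax_error", "sql_injection",
        re.compile(r"You have an error in your SQL syntax", re.I),
        "database error disclosure"))
    db.add_rule(AttackResponseRule(
        "traversal_passwd_content", "path_traversal",
        re.compile(r"^root:x:0:0:", re.M), "system file read"))
    db.add_rule(AttackResponseRule(
        "cmdi_id_output", "command_injection",
        re.compile(r"\buid=\d+\([a-z_][a-z0-9_-]*\)", re.I), "command execution"))
    return db


def extract_feature_to_compare(request_data: str, response_data: str) -> dict:
    """Feature to be compared, taken from the request data and the second response data
    (the destination host's response): request line, response status line, body."""
    request_line = request_data.split("\r\n", 1)[0]
    head, _, body = response_data.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    return {"request_line": request_line, "status_line": status_line, "body": body}


def detect_attack_result(feature: dict, db: FeatureDatabase, attack_type=None) -> dict:
    """Compare the feature with the attack-response rules: only the sub-database of
    attack_type when the detection stage supplied one, otherwise every sub-database.
    A match means the destination host suffered a successful network attack, and the
    attack action associated with the matching rule is reported."""
    for rule in db.rules(attack_type):
        if rule.pattern.search(feature["body"]):
            return {"success": True, "attack_type": rule.attack_type,
                    "attack_action": rule.attack_action, "rule": rule.name}
    return {"success": False, "attack_type": attack_type,
            "attack_action": None, "rule": None}


# Constructed sample traffic.
SAMPLE_REQUEST = "GET /products?id=7 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SAMPLE_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
                   "<html>You have an error in your SQL syntax; check the manual</html>")
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Product 7</html>"

if __name__ == "__main__":
    db = build_feature_database()
    feature = extract_feature_to_compare(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(detect_attack_result(feature, db))
```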
B30, the network attack result detection system according to B29, further including:
a detection module for detecting, according to the network data and before the feature to be compared is extracted from the network data of the destination host, whether the destination host has been subjected to a network attack;
wherein, if the destination host has been subjected to the network attack, the first extraction module is used to extract the feature to be compared from the network data of the destination host.
B31, the network attack result detection system according to B30, wherein the detection module includes:
a third extraction module for extracting a feature to be detected from the network data;
an import module for importing the feature to be detected into a pre-established artificial intelligence model, classifying the feature to be detected by the artificial intelligence model, and determining, according to the classification result, whether the destination host has been subjected to a network attack and the attack type of the network attack.
B32, the network attack result detection system according to B31, wherein the third extraction module includes:
a fifth extraction unit for extracting request data from the network data, wherein the request data is used to initiate a request for service to the destination host;
a sixth extraction unit for extracting the feature to be detected from the request data.
B33, the network attack result detection system according to B31, further including:
a model creation module for establishing the artificial intelligence model before the feature to be detected is imported into the pre-established artificial intelligence model.
B34, the network attack result detection system according to B33, wherein the model creation module includes:
a collection module for collecting model training data;
a fourth extraction module for extracting the features of known network attacks from the model training data to obtain attack feature data;
a classification module for classifying the attack feature data to obtain training samples;
a training module for performing model training according to the training samples to obtain the artificial intelligence model.
B35, the network attack result detection system according to B34, wherein the model training data include one or a combination of attack data published on the internet, vulnerability data published on the internet, attack data already acquired by the destination host, and vulnerability data already acquired by the destination host.
B36, the network attack result detection system according to B34, wherein the training module is a naive Bayes algorithm module.
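The detection stage of A9 to A15 and B30 to B36 (and the detection and model creation modules of embodiment 6), as an added Python example that is not the patent's own code: features to be detected are tokens of the request target, training samples are built from labelled known-attack and benign requests, and a multinomial naive Bayes model with Laplace smoothing classifies each request into an attack type or "benign". The tokenisation, the training records and all names are constructed assumptions of the example.

```python
import math
import re
from collections import Counter, defaultdict


def extract_feature_to_detect(request_data: str) -> list:
    """Feature to be detected, taken from the request data: lower-case alphanumeric
    tokens of the request target (path and query) on the request line."""
    request_line = request_data.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    return re.findall(r"[a-z0-9_]+", target.lower())


class NaiveBayesAttackModel:
    """Multinomial naive Bayes with Laplace smoothing. Classes are the attack types
    plus 'benign', so one classification gives both whether the destination host
    is under attack and the attack type."""

    def __init__(self):
        self.class_counts = Counter()
        self.token_counts = defaultdict(Counter)
        self.vocabulary = set()

    def train(self, training_samples) -> None:
        for tokens, label in training_samples:
            self.class_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocabulary.update(tokens)

    def classify(self, tokens) -> str:
        total = sum(self.class_counts.values())
        best_label, best_score = None, -math.inf
        for label, count in self.class_counts.items():
            score = math.log(count / total)  # log prior
            denominator = sum(self.token_counts[label].values()) + len(self.vocabulary)
            for token in tokens:  # smoothed log likelihood of each token
                score += math.log((self.token_counts[label][token] + 1) / denominator)
            if score > best_score:
                best_label, best_score = label, score
        return best_label


# Constructed model training data: request lines of known attacks (as collected
# from public sources or the host's own history) and benign requests, with labels.
MODEL_TRAINING_DATA = [
    ("GET /index.html HTTP/1.1", "benign"),
    ("GET /products?id=42 HTTP/1.1", "benign"),
    ("POST /login HTTP/1.1", "benign"),
    ("GET /images/logo.png HTTP/1.1", "benign"),
    ("GET /cart?item=9 HTTP/1.1", "benign"),
    ("GET /css/site.css HTTP/1.1", "benign"),
    ("GET /products?id=1+UNION+SELECT+1,2,3 HTTP/1.1", "sql_injection"),
    ("GET /search?q=1+UNION+SELECT+null HTTP/1.1", "sql_injection"),
    ("GET /items?cat=2+UNION+SELECT+1,2 HTTP/1.1", "sql_injection"),
    ("GET /ping?host=1.1.1.1;whoami HTTP/1.1", "command_injection"),
    ("GET /ping?host=1.1.1.1|uname HTTP/1.1", "command_injection"),
]


def build_training_samples(training_data) -> list:
    """Extract the attack features of each known record and classify them by
    attack type: this yields the training samples."""
    return [(extract_feature_to_detect(request), label) for request, label in training_data]


def build_model() -> NaiveBayesAttackModel:
    model = NaiveBayesAttackModel()
    model.train(build_training_samples(MODEL_TRAINING_DATA))
    return model


def detect_attack(request_data: str, model: NaiveBayesAttackModel) -> tuple:
    """Return (attacked, attack_type); attack_type is None for benign traffic."""
    label = model.classify(extract_feature_to_detect(request_data))
    return (label != "benign", None if label == "benign" else label)


if __name__ == "__main__":
    model = build_model()
    print(detect_attack("GET /products?id=7+UNION+SELECT+4,5 HTTP/1.1", model))
```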
B37, the network attack result detection system according to B31, further including:
an alert information generation module for generating alert information after the feature to be compared is compared with the one or more attack-response rules, wherein the alert information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack.
B38, the network attack result detection system according to B37, further including:
a sending module for sending the alert information to network management personnel through one or a combination of mail, SMS, dialog box and instant messaging after the alert information is generated.
B39, the network attack result detection system according to B37, further including:
a label adding module for adding a corresponding attack chain label to the alert information according to the alert content of the alert information, wherein the attack chain label is used to characterize the attack stage at which the network attack is located in the attack chain;
a statistics module for counting each attack chain label of the same attack action to obtain the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action;
a route information generation module for generating attack route information according to the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action, wherein the attack route information includes the total number of network attacks, the number of successful network attacks and the attack action of the successful network attack at each attack stage of the attack action.
B40, the network attack result detection system according to B39, wherein the label adding module is used to determine, from a pre-established label library and according to the alert content of the alert information, the attack chain label corresponding to the alert information.
B41, the network attack result detection system according to B39, wherein the attack chain label includes two or more levels, and the label adding module is used to determine, from the pre-established label library and according to the alert content of the alert information, the labels at each level corresponding to the alert information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into two or more levels, and M is an integer greater than 4.
B42, the network attack result detection system according to B39, wherein the attack route information further includes the start and end time of each attack stage, and the system further includes:
a display module for displaying the attack route information in the order of the start time of each attack stage.
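The alert post-processing of A16 to A21 and B37 to B42 (and the modules of embodiments 7 and 8), as an added Python example that is not the patent's own code: alerts carrying attack type, success flag and attack action receive a two-level attack chain label from a label library of M = 6 labels, the labels of one attack action are counted per stage with start and end times, and the resulting attack route is ordered and rendered by stage start time. Keyword matching on alert content, the label names, the grouping of alerts by a shared attack action, and the sample alerts are constructed assumptions of the example.

```python
# Constructed two-level label library: level 1 is the attack-chain stage, level 2
# the specific label. M = 6 labels, i.e. more than 4 as the claims require.
LABEL_LIBRARY = [
    {"level1": "reconnaissance", "level2": "port scan", "keywords": ("port scan",)},
    {"level1": "reconnaissance", "level2": "web probe", "keywords": ("directory probe", "crawler")},
    {"level1": "exploitation", "level2": "sql injection", "keywords": ("sql injection",)},
    {"level1": "exploitation", "level2": "command injection", "keywords": ("command injection",)},
    {"level1": "installation", "level2": "webshell", "keywords": ("webshell",)},
    {"level1": "actions on objectives", "level2": "data exfiltration", "keywords": ("exfiltration",)},
]


def add_attack_chain_label(alert: dict) -> dict:
    """Determine the level-1 and level-2 labels of an alert from the label library
    according to its alert content (keyword match) and attach them as alert['labels']."""
    content = alert["content"].lower()
    for entry in LABEL_LIBRARY:
        if any(keyword in content for keyword in entry["keywords"]):
            alert["labels"] = (entry["level1"], entry["level2"])
            return alert
    alert["labels"] = ("unclassified", "unclassified")
    return alert


def count_attack_stages(alerts, attack_action: str) -> dict:
    """Count the labelled alerts of one attack action per attack-chain stage: total
    attacks, successful attacks, the attack action, and the stage's start and end
    time (earliest and latest alert time at that stage)."""
    stats = {}
    for alert in alerts:
        if alert["attack_action"] != attack_action:
            continue
        stage = alert["labels"][0]
        entry = stats.setdefault(stage, {
            "stage": stage, "total": 0, "successful": 0, "attack_action": attack_action,
            "start_time": alert["time"], "end_time": alert["time"]})
        entry["total"] += 1
        entry["successful"] += 1 if alert["success"] else 0
        entry["start_time"] = min(entry["start_time"], alert["time"])
        entry["end_time"] = max(entry["end_time"], alert["time"])
    return stats


def generate_attack_route(alerts, attack_action: str) -> list:
    """Attack route information: the per-stage statistics ordered by stage start time."""
    return sorted(count_attack_stages(alerts, attack_action).values(),
                  key=lambda entry: entry["start_time"])


def render_attack_route(route) -> str:
    """Display form of the route: one stage per line, in start-time order."""
    return "\n".join(
        f"{e['start_time']} .. {e['end_time']}  {e['stage']}: {e['total']} attacks, "
        f"{e['successful']} successful, action={e['attack_action']}" for e in route)


# Constructed alert information (ISO-8601 times, which sort lexicographically).
_ACTION = "customer database theft"
SAMPLE_ALERTS = [add_attack_chain_label(a) for a in [
    {"time": "2024-03-01T09:50:00", "attack_type": "recon", "success": False,
     "attack_action": _ACTION, "content": "Directory probe by web crawler"},
    {"time": "2024-03-01T10:00:00", "attack_type": "recon", "success": False,
     "attack_action": _ACTION, "content": "TCP port scan against host"},
    {"time": "2024-03-01T10:05:00", "attack_type": "recon", "success": False,
     "attack_action": _ACTION, "content": "TCP port scan against host"},
    {"time": "2024-03-01T10:30:00", "attack_type": "sql_injection", "success": True,
     "attack_action": _ACTION, "content": "SQL injection matched attack-response rule"},
    {"time": "2024-03-01T10:31:00", "attack_type": "sql_injection", "success": True,
     "attack_action": _ACTION, "content": "SQL injection matched attack-response rule"},
    {"time": "2024-03-01T10:32:00", "attack_type": "sql_injection", "success": False,
     "attack_action": _ACTION, "content": "SQL injection attempt, no rule matched"},
    {"time": "2024-03-01T11:00:00", "attack_type": "file_upload", "success": True,
     "attack_action": _ACTION, "content": "Webshell upload detected"},
    {"time": "2024-03-01T10:40:00", "attack_type": "exfil", "success": False,
     "attack_action": "other action", "content": "Data exfiltration attempt"},
]]

if __name__ == "__main__":
    print(render_attack_route(generate_attack_route(SAMPLE_ALERTS, _ACTION)))
```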
The invention also discloses C43, a computer readable storage medium on which a computer program is stored, the program implementing the network attack result detection method according to any one of A1 to A21 when executed by a processor.
The invention also discloses D44, a computer device including a memory, a processor and a computer program stored on the memory and runnable on the processor, the processor implementing the network attack result detection method according to any one of A1 to A21 when executing the program.