CN108881263B - Network attack result detection method and system - Google Patents

Info

Publication number: CN108881263B
Application number: CN201810713254.6A
Authority: CN (China)
Other versions: CN108881263A (en)
Other languages: Chinese (zh)
Prior art keywords: attack, network, data, response, module
Inventors: 蒋劭捷, 张鑫
Original assignee: Beijing Qihoo Technology Co Ltd
Current assignee: Beijing Hongxiang Technical Service Co Ltd
Legal status: Active (application filed by Beijing Qihoo Technology Co Ltd; CN108881263A published; application granted and CN108881263B published)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis

Abstract

The invention discloses a network attack result detection method and system. The method comprises the following steps: extracting features to be compared from the network data of a target host; comparing the features to be compared with one or more attack response rules, where each attack response rule is formed from first response data, the first response data being the response an attacked host returned to an attack request that succeeded; and, if the features to be compared match an attack response rule, judging that the target host has been successfully attacked. The method and system can accurately identify successful network attacks and provide network administrators with effective attack information.

Description

Network attack result detection method and system
Technical Field
The invention relates to the technical field of network security, in particular to a network attack result detection method and system.
Background
With the continuous development of computer technology and the spread of the internet, network attacks take ever more forms, network security problems are increasingly prominent, and the social impact and economic loss they cause keep growing, which places new demands on network threat detection and defence. Abnormal network traffic is one of the main network security threats today and a key object of security monitoring. Finding abnormal traffic quickly and accurately, and capturing, analysing, tracking and monitoring malicious code in time, provides knowledge support for evaluating the network security situation and for response decisions, and so improves the overall response capability of a security emergency organisation.
Traditional network attack detection usually only detects whether an attack exists; it does not identify whether the attack succeeded. It therefore generates a large volume of imprecise alarms from which the useful ones cannot be effectively screened, and the operation and maintenance cost of handling them is very high.
Disclosure of Invention
The invention aims to solve the problem that traditional network attack detection imposes a high operation and maintenance cost.
The invention is realised by the following technical scheme.
A network attack result detection method comprises the following steps:
extracting features to be compared from the network data of a target host;
comparing the features to be compared with one or more attack response rules, where each attack response rule is formed from first response data, the first response data being the response an attacked host returned to an attack request that succeeded;
and if the features to be compared match an attack response rule, judging that the target host has been successfully attacked.
Optionally, extracting the features to be compared from the network data of the target host comprises:
extracting second response data from the network data, the second response data being the target host's reply to a requested service;
and extracting the features to be compared from the second response data.
Optionally, extracting the features to be compared from the network data of the target host comprises:
extracting request data and second response data from the network data, the request data being a request for a service sent to the target host and the second response data being the target host's reply to that request;
and extracting the features to be compared from the request data and the second response data together.
Optionally, before comparing the features to be compared with the one or more attack response rules, the method further comprises:
establishing a feature library that contains the one or more attack response rules.
Optionally, establishing the feature library comprises:
creating a database;
extracting one or more attack response characteristics, one from each piece of first response data;
describing each attack response characteristic deterministically to form one or more attack response rules;
and storing the one or more attack response rules in the database to obtain the feature library.
Optionally, the feature library comprises N sub-feature libraries, N being an integer not less than 2, and establishing the feature library comprises:
creating N databases;
extracting two or more attack response characteristics, one from each piece of first response data;
describing each attack response characteristic deterministically to form two or more attack response rules;
and storing the attack response rules that belong to the same attack type in the same database, each database thus forming one sub-feature library.
Optionally, describing each attack response characteristic deterministically comprises:
describing each attack response characteristic as a regular expression.
Optionally, before comparing the features to be compared with the one or more attack response rules, the method further comprises:
establishing an association between each attack response rule and an attack action;
and after judging that the target host has been successfully attacked, the method further comprises:
determining, from the association between attack response rules and attack actions, the attack action associated with the matched attack response rule as the attack action of the successful attack.
Optionally, before extracting the features to be compared from the network data of the target host, the method further comprises:
detecting from the network data whether the target host is under network attack;
and only if the target host is under network attack, extracting the features to be compared from its network data.
Optionally, detecting from the network data whether the target host is under network attack comprises:
extracting features to be detected from the network data;
and feeding the features to be detected into a pre-established artificial intelligence model, classifying them with that model, and determining from the classification result whether the target host is under network attack and, if so, the attack type.
Optionally, extracting the features to be detected from the network data comprises:
extracting request data from the network data, the request data being a request for a service sent to the target host;
and extracting the features to be detected from the request data.
Optionally, before feeding the features to be detected into the pre-established artificial intelligence model, the method further comprises:
establishing the artificial intelligence model.
Optionally, establishing the artificial intelligence model comprises:
collecting model training data;
extracting the characteristics of known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain training samples;
and training the model on the training samples to obtain the artificial intelligence model.
Optionally, collecting the model training data comprises:
collecting one or more of: attack data published on the internet, vulnerability data published on the internet, attack data collected on the target host, and vulnerability data collected on the target host.
Optionally, training the model on the training samples comprises:
training the model with a naive Bayes algorithm on the training samples.
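As an added example that is not part of the patent, the following Python block trains the naive Bayes classifier the preceding steps describe on a handful of constructed request lines labelled benign, sql-injection or path-traversal, and then classifies new request lines into an attack type (or benign, meaning no attack detected). It tokenises the percent-decoded request line and collapses digit runs so that parameter values do not become features of their own. The training set, the labels and the class names are assumptions made for illustration; a real model would be trained on the collected attack and vulnerability data the text refers to.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote


def request_features(request_line: str) -> list:
    """Turn a raw request line into the features the classifier sees:
    percent-decode, lower-case, collapse digit runs (so id=7 and id=42 look
    alike) and split into word-like tokens and single punctuation characters."""
    text = re.sub(r"\d+", "0", unquote(request_line).lower())
    return re.findall(r"[a-z0-9_.]+|[^\sa-z0-9_.]", text)


class NaiveBayesRequestClassifier:
    """Multinomial naive Bayes over request-line tokens with Laplace smoothing.
    Classes are attack types; 'benign' means no attack was detected."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts = Counter()             # training samples per class
        self.token_counts = defaultdict(Counter)  # class -> token -> count
        self.vocabulary = set()

    def fit(self, samples):
        for request_line, label in samples:
            self.class_counts[label] += 1
            for token in request_features(request_line):
                self.token_counts[label][token] += 1
                self.vocabulary.add(token)

    def log_posteriors(self, request_line: str) -> dict:
        """Unnormalised log P(class | tokens) for every class."""
        tokens = request_features(request_line)
        total_samples = sum(self.class_counts.values())
        scores = {}
        for label, n_samples in self.class_counts.items():
            score = math.log(n_samples / total_samples)  # class prior
            denominator = (sum(self.token_counts[label].values())
                           + self.alpha * len(self.vocabulary))
            for token in tokens:  # smoothed per-token likelihoods
                score += math.log((self.token_counts[label][token] + self.alpha) / denominator)
            scores[label] = score
        return scores

    def classify(self, request_line: str) -> str:
        scores = self.log_posteriors(request_line)
        return max(scores, key=scores.get)


# Constructed, labelled training samples (assumption: stand-ins for the
# collected attack and vulnerability data; not real traffic).
TRAINING_SAMPLES = [
    ("GET /index.html HTTP/1.1", "benign"),
    ("GET /item?id=42 HTTP/1.1", "benign"),
    ("POST /login HTTP/1.1", "benign"),
    ("GET /search?q=shoes HTTP/1.1", "benign"),
    ("GET /item?id=1'%20OR%20'1'='1 HTTP/1.1", "sql-injection"),
    ("GET /item?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1", "sql-injection"),
    ("GET /item?id=1;%20DROP%20TABLE%20users-- HTTP/1.1", "sql-injection"),
    ("GET /download?file=../../../../etc/passwd HTTP/1.1", "path-traversal"),
    ("GET /static/..%2f..%2f..%2fetc%2fshadow HTTP/1.1", "path-traversal"),
    ("GET /view?page=....//....//windows/win.ini HTTP/1.1", "path-traversal"),
]


def train_default_classifier() -> NaiveBayesRequestClassifier:
    """Model creation step: collect samples, extract features, train."""
    classifier = NaiveBayesRequestClassifier()
    classifier.fit(TRAINING_SAMPLES)
    return classifier


if __name__ == "__main__":
    clf = train_default_classifier()
    for line in ["GET /item?id=5%20OR%201=1-- HTTP/1.1",
                 "GET /search?q=boots HTTP/1.1",
                 "GET /img?name=../../../../etc/hosts HTTP/1.1"]:
        print(line, "->", clf.classify(line))
```

With ten training samples the class priors and the smoothing dominate, so the point is the mechanics (per-class token counts, smoothed log-likelihoods, argmax) rather than accuracy; note that a token never seen in training contributes the same smoothed mass to every class and therefore does not move the decision.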
Optionally, after comparing the features to be compared with the one or more attack response rules, the method further comprises:
generating alarm information, the alarm information comprising the attack type of the network attack, whether the attack succeeded, and the attack action of a successful attack.
Optionally, after generating the alarm information, the method further comprises:
sending the alarm information to a network administrator by one or more of e-mail, SMS, a dialog box and instant messaging.
Optionally, after generating the alarm information, the method further comprises:
adding to the alarm information, according to its content, a corresponding attack chain tag, the attack chain tag denoting the stage of the attack chain that the network attack belongs to;
counting the attack chain tags of all alarms of the same attack event to obtain, for each attack stage of that event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
and generating attack route information from those figures, the attack route information comprising, for each attack stage of the attack event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, adding the corresponding attack chain tag to the alarm information according to its content comprises:
determining the attack chain tag corresponding to the alarm information from a pre-established tag library according to the content of the alarm.
Optionally, the attack chain tags have two or more levels, and adding the corresponding attack chain tag comprises:
determining each level of tag corresponding to the alarm information from a pre-established tag library according to the content of the alarm, the tag library storing M attack chain tags divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further comprises the start and end time of each attack stage;
and after generating the attack route information, the method further comprises:
displaying the attack route information in the order of the start time of each attack stage.
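As an added example, not from the patent, the following Python block implements the tagging and aggregation just described: a two-level tag library keyed on the alarm's attack type (level 1 is the attack-chain stage, level 2 a finer tag), a per-event aggregation that counts total and successful attacks and collects the attack actions per stage, records each stage's start and end time, and orders the stages by start time for display. The tag library, the stage names and the alarms are constructed for illustration; that the stages come out in kill-chain order here is a property of the sample data, not something the code enforces.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed two-level tag library (assumption): level 1 is the attack-chain
# stage, level 2 a finer tag. Keyed by the attack type carried in the alarm.
TAG_LIBRARY = {
    "port-scan":            ("reconnaissance", "network-scan"),
    "directory-bruteforce": ("reconnaissance", "web-enumeration"),
    "sql-injection":        ("exploitation", "web-injection"),
    "command-injection":    ("exploitation", "web-injection"),
    "webshell":             ("installation", "webshell-upload"),
    "reverse-shell":        ("command-and-control", "reverse-connection"),
}


@dataclass(frozen=True)
class Alarm:
    event_id: str                        # alarms of one attack event share this
    time: str                            # ISO 8601 timestamp
    attack_type: str
    success: bool
    attack_action: Optional[str] = None  # only set when the attack succeeded


def tag_alarm(alarm: Alarm) -> tuple:
    """Look up both tag levels; unknown types fall into an 'unclassified' stage."""
    return TAG_LIBRARY.get(alarm.attack_type, ("unclassified", alarm.attack_type))


def attack_route(alarms, event_id: str) -> list:
    """Aggregate one event's alarms per attack-chain stage and order the
    stages by their start time, which is the order the route is displayed in."""
    stages = {}
    for alarm in alarms:
        if alarm.event_id != event_id:
            continue
        stage, subtag = tag_alarm(alarm)
        entry = stages.setdefault(stage, {
            "stage": stage, "tags": set(), "total": 0, "successful": 0,
            "actions": [], "start": alarm.time, "end": alarm.time,
        })
        entry["tags"].add(subtag)
        entry["total"] += 1
        if alarm.success:
            entry["successful"] += 1
            entry["actions"].append(alarm.attack_action)
        entry["start"] = min(entry["start"], alarm.time, key=datetime.fromisoformat)
        entry["end"] = max(entry["end"], alarm.time, key=datetime.fromisoformat)
    route = sorted(stages.values(), key=lambda e: datetime.fromisoformat(e["start"]))
    for entry in route:
        entry["tags"] = sorted(entry["tags"])  # stable, printable form
    return route


# Constructed alarms for two events (assumption: not from any real incident).
ALARMS = [
    Alarm("evt-1", "2024-05-01T09:00:00", "port-scan", False),
    Alarm("evt-1", "2024-05-01T09:02:00", "directory-bruteforce", False),
    Alarm("evt-1", "2024-05-01T09:10:00", "sql-injection", False),
    Alarm("evt-1", "2024-05-01T09:12:00", "sql-injection", True, "dumped users table"),
    Alarm("evt-1", "2024-05-01T09:30:00", "webshell", True, "uploaded shell.php"),
    Alarm("evt-1", "2024-05-01T09:31:00", "reverse-shell", True, "outbound shell to 198.51.100.7"),
    Alarm("evt-2", "2024-05-01T11:00:00", "port-scan", False),
]

if __name__ == "__main__":
    for entry in attack_route(ALARMS, "evt-1"):
        print(f"{entry['start']}..{entry['end']} {entry['stage']:<20} "
              f"{entry['successful']}/{entry['total']} successful {entry['actions']}")
```

Each route entry carries exactly the fields the text lists (total attacks, successful attacks, attack actions, start and end time per stage); a display layer only has to walk the returned list in order.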
Based on the same inventive concept, the invention also provides a network attack result detection system, which comprises:
the first extraction module is used for extracting the features to be compared from the network data of the target host;
the comparison module, used to compare the features to be compared with one or more attack response rules, where each attack response rule is formed from first response data, the first response data being the response an attacked host returned to an attack request that succeeded;
and the judging module, used to judge that the target host has been successfully attacked when the features to be compared match an attack response rule.
Optionally, the first extraction module comprises:
a first extraction unit, configured to extract second response data from the network data, the second response data being the target host's reply to a requested service;
and a second extraction unit, configured to extract the features to be compared from the second response data.
Optionally, the first extraction module comprises:
a third extraction unit, configured to extract request data and second response data from the network data, the request data being a request for a service sent to the target host and the second response data being the target host's reply to that request;
and a fourth extraction unit, configured to extract the features to be compared from the request data and the second response data.
Optionally, the system for detecting a network attack result further includes:
a feature library creation module, used to create a feature library containing the one or more attack response rules before the features to be compared are compared with them.
Optionally, the feature library creation module comprises:
a database creation module, used to create a database;
a second extraction module, used to extract one or more attack response characteristics, one from each piece of first response data;
a rule forming module, used to describe each attack response characteristic deterministically to form one or more attack response rules;
and a storage module, used to store the one or more attack response rules in the database to obtain the feature library.
Optionally, the feature library comprises N sub-feature libraries, N being an integer not less than 2, and the feature library creation module comprises:
a database creation module, used to create N databases;
a second extraction module, used to extract two or more attack response characteristics, one from each piece of first response data;
a rule forming module, used to describe each attack response characteristic deterministically to form two or more attack response rules;
and a storage module, used to store the attack response rules that belong to the same attack type in the same database, each database forming one sub-feature library.
Optionally, the rule forming module is a regular expression writing module.
Optionally, the system for detecting a network attack result further includes:
an association establishing module, used to establish an association between each attack response rule and an attack action before the features to be compared are compared with the one or more attack response rules;
and an attack action determining module, used, after the target host has been judged to be successfully attacked, to determine from that association the attack action associated with the matched attack response rule as the attack action of the successful attack.
Optionally, the system for detecting a network attack result further includes:
the detection module is used for detecting whether the target host computer is under network attack or not according to the network data before the features to be compared are extracted from the network data of the target host computer;
and if the target host is attacked by the network, the first extraction module is used for extracting the features to be compared from the network data of the target host.
Optionally, the detection module includes:
the third extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Optionally, the third extraction module includes:
a fifth extracting unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the sixth extraction unit is used for extracting the features to be detected from the request data.
Optionally, the system for detecting a network attack result further includes:
and the model creating module is used for building the artificial intelligence model before the features to be detected are led into the artificial intelligence model built in advance.
Optionally, the model creating module includes:
the collection module is used for collecting model training data;
the fourth extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
Optionally, the model training data includes one or more combinations of attack data published by the internet, vulnerability data published by the internet, attack data collected by the target host, and vulnerability data collected by the target host.
Optionally, the training module is a naive Bayes algorithm module.
Optionally, the system for detecting a network attack result further includes:
an alarm information generating module, used to generate alarm information after the features to be compared are compared with the one or more attack response rules, the alarm information comprising the attack type of the network attack, whether the attack succeeded, and the attack action of a successful attack.
Optionally, the system for detecting a network attack result further includes:
a sending module, used to send the alarm information, once generated, to a network administrator by one or more of e-mail, SMS, a dialog box and instant messaging.
Optionally, the system for detecting a network attack result further includes:
a tag adding module, used to add to the alarm information, according to its content, a corresponding attack chain tag, the attack chain tag denoting the stage of the attack chain that the network attack belongs to;
a statistics module, used to count the attack chain tags of all alarms of the same attack event and obtain, for each attack stage of that event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks;
and a route information generating module, used to generate attack route information from those figures, the attack route information comprising, for each attack stage of the attack event, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks.
Optionally, the tag adding module is configured to determine the attack chain tag corresponding to the alarm information from a pre-established tag library according to the content of the alarm.
Optionally, the attack chain tags have two or more levels, and the tag adding module is configured to determine each level of tag corresponding to the alarm information from a pre-established tag library according to the content of the alarm, the tag library storing M attack chain tags divided into two or more levels, M being an integer greater than 4.
Optionally, the attack route information further includes start and end times of each attack stage, and the network attack result detection system further includes:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the network attack result detection method described above.
Based on the same inventive concept, the invention further provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the network attack result detection method.
Compared with the prior art, the invention has the following advantages and beneficial effects:
Traditional network attack detection only detects whether an attack exists and does not identify whether it succeeded, so it produces a large volume of imprecise alarms and a very high operation and maintenance cost. The network attack result detection method and system provided by the invention extract features to be compared from the network data of the target host, compare them with one or more attack response rules, and judge whether the target host has been successfully attacked according to whether the features match a rule. Each attack response rule is formed from first response data, the response an attacked host returned to an attack request that succeeded; if the features to be compared match such a rule, the network data exhibits the characteristics of a known successful attack, that is, the target host has been successfully attacked. By detecting attack responses with refined rules, the method and system discriminate between attack responses, accurately identify successful attacks and give network administrators effective attack information, which improves operation and maintenance efficiency and helps find real vulnerabilities.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
fig. 1 is a schematic flow chart of a network attack result detection method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of creating a feature library according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of creating a feature library according to another embodiment of the present invention;
FIG. 4 is a flowchart illustrating detecting whether a target host is attacked by a network according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of establishing an artificial intelligence model according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of attack route information according to an embodiment of the invention;
FIG. 7 is a schematic diagram of a tag library of an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
The present embodiment provides a network attack result detection method, and fig. 1 is a schematic flow diagram of the network attack result detection method, where the network attack result detection method includes:
step S11, extracting the feature to be compared from the network data of the target host;
step S12, comparing the feature to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is used for responding to a successful attack request by an attacked host;
step S13, if the feature to be compared matches the attack response rule, determining that the target host is successfully attacked by the network.
Specifically, the target host may be a server providing various services, a personal computer capable of implementing specific functions, or other network devices capable of providing network services. The target host may receive request data for requesting a service to the target host, which is sent by a terminal device, perform corresponding data processing according to the request data to obtain second response data, that is, the second response data is used for the target host to respond to the request service, and feed back the second response data to the terminal device. The terminal device may be various electronic devices having a display function and supporting an interactive function, including but not limited to a smart phone, a tablet computer, a personal computer, a desktop computer, and the like. In a specific application scenario of the present invention for detecting a network attack, an attacker who initiates the network attack is usually a user who maliciously sends a large amount of data requests. The terminal device utilized by the attacker may be an electronic device with powerful computing functions, and may even be a server.
For the acquisition of the network data of the target host, the network data can be acquired by adopting a network sniffing mode or a network port mirroring mode. The network sniffing mode is to set the network card of the target host computer to be in a hybrid mode and capture the network data of the target host computer by calling a network packet intercepting tool. The network port mirroring mode is to map the acquisition port of the target host to another port and copy data in real time, so as to obtain the network data of the target host. Of course, the specific implementation manner of collecting the network data of the target host is not limited to the above two manners, and this embodiment does not limit this.
And after the network data are collected, extracting the features to be compared from the network data. The network data includes the request data and the second response data, and as mentioned above, the request data is used for requesting a service from the target host and is data sent to the target host by a terminal device; the second response data is used for the target host to answer the request service, and is data sent by the target host to the terminal device. Each successful network attack is unique, which is manifested primarily by the attacked host's response to a successful attack request. Therefore, the extraction of the features to be compared is to extract the features of the second response data. The extracting of the feature to be compared may be directly extracting the feature of the second response data from the network data, or may be extracting the second response data from the network data first and then extracting the feature to be compared from the second response data, which is not limited in this embodiment.
According to the difference of the transmission protocols adopted between the target host and the terminal device, for example, but not limited to, hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), the structure of the second response data is also different. Taking an HTTP-type network response as an example, the second response data includes the following three parts: a status line consisting of three parts, a protocol version (e.g., HTTP 1.1), a status code, and a status code description; a response header including, but not limited to, the name of the application, the version of the application, the response body type, the response body length, and the encoding used for the response body; a response body. After the network data is collected, analyzing each field in the HTTP response head, searching the field content needing to be compared, and extracting the features to be compared.
Further, whether a network attack is successful or not can be judged, reverse derivation can be carried out from the perspective of an attacker, and the accuracy of identifying whether the network attack is successful or not is improved by responding to the characteristics of the content reverse-derivation attack request. Therefore, the feature to be compared may also be extracted from the second response data and the request data together. Specifically, the request data and the second response data may be extracted from the network data, and then the features to be compared may be extracted from the request data and the second response data.
Still taking an HTTP network request as an example, the request data consist of three parts: a request line, made up of a method (e.g. POST), a Uniform Resource Identifier (URI) and a protocol version (e.g. HTTP 1.1); a request header, which tells the target host about the request made by the terminal device, including but not limited to the browser type that issued the request, the list of content types the terminal device can handle, and the name of the requested host; and a request body. After the network data are collected, each field in the HTTP request header and the HTTP response header is parsed, the field contents that need to be compared are located, and the features to be compared are extracted.
After the features to be compared are obtained, they are compared with the more than one attack response rule. Still taking HTTP as the transmission protocol, if the features to be compared match a certain attack response rule, the target host is judged to have been successfully attacked; if the features to be compared match no attack response rule, the target host is judged not to have been successfully attacked.
Further, a feature library may be established in advance for storing the more than one attack response rule. The attack response rules stored in the feature library are formed according to the first response data, which is the attacked host's response to a successful attack request; that is, each attack response rule is generated in advance from the response characteristics of the response to an existing successful attack request. Fig. 2 is a schematic flowchart of the process of creating the feature library provided in this embodiment, which includes:
step S21, creating a database;
step S22, correspondingly extracting more than one attack response characteristic from more than one first response data;
step S23, each attack response characteristic is described in a deterministic manner to form more than one attack response rule;
step S24, storing the one or more attack response rules in the database, and obtaining the feature library.
Specifically, the database is created as a blank storage space. The first response data are the attacked host's responses to successful attack requests and can be collected from attack data published on the internet and/or attack data collected by the target host. For example, if an attacker sends a floor() function error injection attack request to the attacked host and the request succeeds, the attacked host's response to that request is a piece of first response data. Network attacks of the same attack type can be further divided by specific attack action; for SQL injection attacks, for example, the attack actions include count() function error injection, rand() function error injection, floor() function error injection, and so on. For the network attack of each attack action one piece of first response data can be collected, so that from more than one piece of first response data more than one attack response characteristic can be extracted, one per piece of first response data. Similar to the attack characteristic data, an attack response characteristic may include one or more of a request time, IP information, port information, protocol type, packet sending frequency, mail address, file name and target URL address, in combination. It should be noted that the attack response characteristics may also be set flexibly according to the actual situation, which this embodiment does not limit.
And after the attack response characteristics are obtained, performing deterministic description on each attack response characteristic, wherein the deterministic description is described according to a preset rule. In this embodiment, each attack response feature may be described deterministically by using a conventional regular expression, or complex logics such as an operation logic and a matching logic may be added to the regular expression, so as to improve the accuracy of the matching result. After the attack response rules are obtained, all the attack response rules are stored in the database, namely corresponding data are written in the blank storage space, and then the feature library is obtained.
Further, the feature library may further include N sub-feature libraries, each sub-feature library correspondingly stores all attack response rules of the same attack type, where N is an integer not less than 2. Based on this, fig. 3 is another schematic flow chart of establishing the feature library provided in this embodiment, where the establishing the feature library includes:
step S31, creating N databases;
step S32, correspondingly extracting more than two attack response characteristics from more than two first response data;
step S33, each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and step S34, storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
Specifically, steps S31 to S33 may refer to the descriptions of steps S21 to S23 and are not repeated here. After more than two attack response rules are obtained, the attack response rules belonging to the same attack type are stored in the same database according to the attack type of each rule, giving the sub-feature libraries. In this embodiment, the sub-feature libraries may be a basic feature library, an SQL injection feature library, an XSS dynamic feature library and a tool fingerprint library, where the basic feature library stores command features and file features, the SQL injection feature library stores features of SQL injection attacks, the XSS dynamic feature library stores features of XSS dynamic attacks, and the tool fingerprint library stores a mare connection fingerprint and a kitchen knife fingerprint. It should be noted that the sub-feature libraries can be set flexibly according to the actual situation, which this embodiment does not limit.
Further, since one attack response rule is obtained for the network attack of each attack action, an association relationship between each attack response rule and its attack action can be established; then, according to that association relationship, the attack action corresponding to the attack response rule matched by the features to be compared is determined as the attack action of the successful network attack. For example, if the attack action corresponding to the matched attack response rule is floor() function error injection, the attack action of the successful network attack is floor() function error injection.
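The procedure above (parsing the HTTP response, extracting the features to be compared, matching them against deterministic regex rules stored in per-attack-type sub-feature libraries, and mapping the matched rule to its attack action) as an added Python example; it is not code from the patent, and the rule patterns, sample responses, header field names and the AND combination of conditions are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackResponseRule:
    """Deterministic description of one attack response characteristic plus its
    association with an attack type and a concrete attack action. `conditions`
    is a tuple of (field, regex) pairs that must ALL match, i.e. plain regular
    expressions combined with an AND operation logic."""
    attack_type: str
    attack_action: str
    conditions: tuple


def parse_http_response(raw: str) -> dict:
    """Split raw HTTP response data into status line, header fields and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)  # protocol version, status code, description
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": parts[0],
            "status_code": parts[1] if len(parts) > 1 else "",
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}


def extract_features(response: dict) -> dict:
    """Features to be compared: status code, the header fields that carry
    application name/version and body type, and the response body."""
    features = {"status": response["status_code"], "body": response["body"]}
    for name in ("server", "x-powered-by", "content-type"):
        if name in response["headers"]:
            features["header:" + name] = response["headers"][name]
    return features


class FeatureLibrary:
    """Feature library made of N sub-feature libraries, one per attack type."""

    def __init__(self):
        self.sub_libraries = {}  # attack_type -> [AttackResponseRule, ...]

    def add_rule(self, rule: AttackResponseRule) -> None:
        self.sub_libraries.setdefault(rule.attack_type, []).append(rule)

    def match(self, features: dict, attack_type: str = None):
        """Compare the features with one sub-feature library (when attack_type
        is known) or with the whole library; the first matching rule wins."""
        if attack_type is None:
            candidates = [r for rules in self.sub_libraries.values() for r in rules]
        else:
            candidates = self.sub_libraries.get(attack_type, [])
        for rule in candidates:
            if all(features.get(field) is not None and regex.search(features[field])
                   for field, regex in rule.conditions):
                return rule
        return None


def detect_attack_result(raw_response: str, library: FeatureLibrary,
                         attack_type: str = None) -> dict:
    """Judge from the second response data whether the network attack succeeded;
    the result also names the attack action associated with the matched rule."""
    rule = library.match(extract_features(parse_http_response(raw_response)), attack_type)
    if rule is None:
        return {"success": False, "attack_type": attack_type, "attack_action": None}
    return {"success": True, "attack_type": rule.attack_type,
            "attack_action": rule.attack_action}


# Constructed sample library (illustrative rules, not the patent's own). The MySQL
# "Duplicate entry ... for key 'group_key'" message is what an attacked host
# echoes after a successful floor() error injection; "uid=...gid=..." is the
# output of the id command echoed after a successful command execution.
LIBRARY = FeatureLibrary()
LIBRARY.add_rule(AttackResponseRule(
    "SQL injection", "floor() function error injection",
    (("body", re.compile(r"Duplicate entry '[^']*' for key 'group_key'")),)))
LIBRARY.add_rule(AttackResponseRule(
    "command execution", "command output echoed in response",
    (("status", re.compile(r"^200$")),
     ("body", re.compile(r"uid=\d+\([^)]*\) gid=\d+")))))

# Constructed second response data as captured from the target host.
SUCCESSFUL_SQLI_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\n"
                            "Server: Apache/2.4.29\r\n"
                            "Content-Type: text/html; charset=utf-8\r\n\r\n"
                            "Error: Duplicate entry '5.7.22:1' for key 'group_key'")
BENIGN_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.29\r\n"
                   "Content-Type: text/html\r\n\r\n<html><body>Welcome</body></html>")
```

Passing the attack type found in Example 2 restricts the comparison to that sub-feature library; without it the whole library is searched.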
In this embodiment, attack response detection is performed with fine-grained rules, so the attack response is judged, successful network attacks are accurately identified, and network management personnel are given effective network attack information, which improves operation and maintenance efficiency and allows real vulnerabilities to be found.
Example 2
Compared with the network attack result detection method provided in embodiment 1, the method for detecting a network attack result further includes, before extracting features to be compared from the network data: detecting whether the target host is under network attack according to the network data; and if the target host is attacked by the network, extracting the features to be compared from the network data.
And detecting whether the target host is under network attack or not, wherein a traditional network attack detection method can be adopted. In consideration of the defects of high false negative rate and poor flexibility of the conventional network attack detection method, the embodiment provides a specific method for detecting whether the target host is attacked by the network attack. Fig. 4 is a schematic flowchart of a process for detecting whether the target host is under a network attack, where the detecting whether the target host is under a network attack includes:
step S41, extracting the features to be detected from the network data;
step S42, the features to be detected are imported into a pre-established artificial intelligence model, the features to be detected are classified through the artificial intelligence model, and whether the target host is attacked by the network and the attack type of the network attack are determined according to the classification result.
As previously mentioned, the network data comprises the request data and the second response data. The feature to be detected may be obtained by directly extracting the feature of the request data from the network data, or may be obtained by extracting the request data from the network data first and then extracting the feature to be detected from the request data, which is not limited in this embodiment. The extraction of the features to be detected is similar to that of the features to be compared in the embodiment, and will not be described herein.
After the characteristics to be detected are obtained, the characteristics to be detected are led into a pre-established artificial intelligence model, and classification is carried out on the characteristics to be detected through the artificial intelligence model to obtain a classification result. The artificial intelligence model can be a machine learning classification model, such as a naive Bayes classification model, and can also be a deep learning classification model. If the classification result is that the to-be-detected features do not belong to any network attack of a known attack type and do not belong to a network attack of an unknown attack type, determining that the target host is not attacked by the network attack; if the classification result is that the to-be-detected feature belongs to a network attack of a certain known attack type, determining that the target host is subjected to the network attack of the attack type; and if the classification result is that the to-be-detected feature belongs to a network attack of an unknown attack type, determining that the target host is subjected to the network attack of the unknown attack type.
In this method for detecting whether the target host is under network attack, the artificial intelligence model is a classification model built with artificial intelligence techniques and has capabilities such as self-learning, self-organization and self-adaptation. It can therefore effectively discover novel or variant network attacks, which overcomes the inability of conventional network attack detection methods to detect unknown network attacks, improves the overall network attack detection capability and reduces the false negative rate; in addition, the attack type of the network attack can be determined from the classification result.
Further, before the features to be detected are imported into a pre-established artificial intelligence model, the artificial intelligence model also needs to be established. FIG. 5 is a schematic flow chart of the process of building the artificial intelligence model, which includes:
step S51, collecting model training data;
step S52, extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
step S53, classifying the attack characteristic data to obtain a training sample;
and step S54, performing model training according to the training samples to obtain the artificial intelligence model.
Specifically, the model training data includes one or more combinations of internet published attack data, internet published vulnerability data, attack data collected by the target host, and vulnerability data collected by the target host. The attack data is extracted from the existing network attack case, and the vulnerability data is extracted from the existing vulnerability case. The attack data and the vulnerability data can be disclosed by the Internet, or can be analyzed and refined by the target host according to the network attack events suffered in the past.
After the model training data are obtained, extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data. Further, the extracted attack characteristic data may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name, and target URL address. It should be noted that the attack characteristic data can be flexibly set according to actual situations, and this embodiment does not limit this. After the attack characteristic data is obtained, classifying according to the attack type of the network attack to which the attack characteristic data belongs to form a training sample, wherein the attack type of the network attack comprises but is not limited to SQL injection attack and XSS attack.
Model training according to the training samples means calculating the frequency of network attacks of each attack type in the training samples and estimating the conditional probability of each attack characteristic value given the network attacks of each attack type, and recording the results to obtain the artificial intelligence model. In this embodiment the algorithm used for model training is the naive Bayes algorithm, which performs well on small-scale data, suits multi-class tasks and supports incremental training. Of course, other machine learning classification algorithms or deep learning classification algorithms may also be used for model training; for example, a decision tree algorithm may be used, which this embodiment does not limit.
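Steps S51 to S54 and the classification of step S42 as an added Python example, not code from the patent: the model records per-type frequencies and Laplace-smoothed conditional probabilities of categorical attack characteristic values, and because only counts are stored, further calls to train() are incremental training. The feature names, the constructed training samples and the novelty rule used to report an unknown attack type are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict


class NaiveBayesAttackClassifier:
    """Naive Bayes over categorical attack characteristic data.

    The model is nothing but recorded counts: how often each attack type occurs
    in the training samples (the prior) and how often each feature value occurs
    under each attack type (the conditional probabilities, Laplace-smoothed).
    Since only counts are stored, calling train() again later with new samples
    is incremental training."""

    def __init__(self, alpha: float = 1.0, novelty_threshold: float = 0.5):
        self.alpha = alpha
        self.novelty_threshold = novelty_threshold
        self.type_counts = Counter()              # attack_type -> number of samples
        self.value_counts = defaultdict(Counter)  # (attack_type, feature) -> Counter
        self.known_values = defaultdict(set)      # feature -> values seen in training

    def train(self, samples) -> None:
        """samples: iterable of (features, attack_type); the class 'benign'
        holds request data that is not an attack."""
        for features, attack_type in samples:
            self.type_counts[attack_type] += 1
            for name, value in features.items():
                self.value_counts[(attack_type, name)][value] += 1
                self.known_values[name].add(value)

    def log_posteriors(self, features: dict) -> dict:
        """Unnormalised log P(type) + sum of log P(value | type), per attack type."""
        total = sum(self.type_counts.values())
        scores = {}
        for attack_type, n in self.type_counts.items():
            score = math.log(n / total)
            for name, value in features.items():
                # +1 in the vocabulary size reserves probability mass for values
                # never seen in training, so an unseen value cannot zero a class out
                vocab = len(self.known_values[name]) + 1
                count = self.value_counts[(attack_type, name)][value]
                score += math.log((count + self.alpha) / (n + self.alpha * vocab))
            scores[attack_type] = score
        return scores

    def classify(self, features: dict) -> dict:
        """Return the classification result: not attacked, a known attack type,
        or an unknown attack type. Assumption (the patent does not say how the
        unknown case is decided): a sample whose feature values were mostly never
        seen for any class is reported as an unknown attack type."""
        unseen = sum(1 for name, value in features.items()
                     if value not in self.known_values[name])
        if features and unseen / len(features) > self.novelty_threshold:
            return {"attacked": True, "attack_type": "unknown"}
        scores = self.log_posteriors(features)
        best = max(scores, key=scores.get)
        if best == "benign":
            return {"attacked": False, "attack_type": None}
        return {"attacked": True, "attack_type": best}


def sample(protocol: str, port: str, file_name: str, url_token: str) -> dict:
    """Attack characteristic data as a request-side extractor would emit it:
    protocol type, port, requested file extension and a URL content class."""
    return {"protocol": protocol, "port": port,
            "file_name": file_name, "url_token": url_token}


# Constructed training samples, already classified by attack type (step S53).
TRAINING_SAMPLES = [
    (sample("HTTP", "80", "php", "sql_keyword"), "SQL injection"),
    (sample("HTTP", "8080", "php", "sql_keyword"), "SQL injection"),
    (sample("HTTP", "80", "asp", "sql_keyword"), "SQL injection"),
    (sample("HTTP", "80", "php", "script_tag"), "XSS"),
    (sample("HTTP", "443", "html", "script_tag"), "XSS"),
    (sample("HTTP", "80", "jsp", "script_tag"), "XSS"),
    (sample("HTTP", "443", "html", "none"), "benign"),
    (sample("HTTP", "80", "css", "none"), "benign"),
    (sample("HTTP", "443", "js", "none"), "benign"),
    (sample("HTTP", "443", "html", "none"), "benign"),
]


def build_model() -> NaiveBayesAttackClassifier:
    """Step S54: model training is just recording the counts."""
    model = NaiveBayesAttackClassifier()
    model.train(TRAINING_SAMPLES)
    return model
```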
The method for detecting whether the target host is under the network attack provided by the embodiment can not only detect whether the target host is under the network attack, but also obtain the attack type of the network attack. With reference to the feature library created according to the flow shown in fig. 3 in embodiment 1, the comparing the feature to be compared with more than one attack response rule specifically includes: and comparing the characteristics to be compared with more than one attack response rule in the sub-characteristic library corresponding to the attack type of the network attack. For example, if the attack type of the network attack is SQL injection attack, the feature to be compared is compared with more than one attack response rule in the SQL injection feature library; and if the attack type of the network attack is XSS dynamic attack, comparing the characteristics to be compared with more than one attack response rule in an XSS dynamic characteristic library. By setting the feature library into a plurality of sub-feature libraries, the number of attack response rules for comparing with the features to be compared can be reduced, and the comparison efficiency between the features to be compared and the attack response rules can be improved only by matching with the attack response rules in a certain sub-feature library.
In this embodiment, after the target host is detected to be attacked by the network, the to-be-compared feature is extracted and matched with the attack response rule, and it is not necessary to extract the to-be-compared feature and match with the attack response rule for all network data, so that the identification efficiency of successfully identifying the network attack is improved.
Example 3
Compared with the network attack result detection method provided in embodiment 2, the present embodiment provides another network attack result detection method in which, after the features to be compared are compared with the more than one attack response rule, alarm information may further be generated. The alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack. For example, when the target host is under SQL injection attack but the attack is unsuccessful, the alarm information may be "under SQL injection attack, attack invalid"; when the target host is under SQL injection attack, the attack succeeds and the specific attack action is floor() function error injection, the alarm information may be "under SQL injection attack, attack successful, floor() function error injection".
Further, after the alarm information is generated, it can be sent to a network manager. For example, the alarm information may be sent by mail to a designated mailbox address, by short message to a designated mobile terminal, displayed directly in a dialog box on the target host, or sent to the network manager by instant messaging. Of course, the alarm information may be sent to the network manager in any one of the above ways or in any combination of several of them.
By generating the alarm information and sending the alarm information to a network manager, the network manager can intuitively master the network attack condition of the target host.
Example 4
Embodiment 3 adopts an alarm mode in which one network attack corresponds to one alarm message, that is, when one network attack is detected, one alarm message is generated. However, isolated alarm information does not accurately reflect the security status of the target host, and presenting attacks this way gives no overall picture of the attack process. Therefore, this embodiment provides another network attack result detection method. Compared with the network attack result detection method provided in embodiment 3, this embodiment further includes, after generating the alarm information:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
The alarm content of the alarm information differs with the attack stage of the network attack suffered by the target host; that is, the alarm content reveals the attack purpose that the corresponding network attack is trying to achieve, and alarm information with different alarm contents corresponds to different attack stages. Therefore, the attack stage can be determined from the alarm content of the alarm information corresponding to the network attack suffered by the target host. Specifically, according to the alarm content of the alarm information, the attack chain tag corresponding to the alarm information is determined from a pre-established tag library. M attack chain tags are stored in the tag library, and each attack chain tag represents one attack stage in an attack chain. The attack chain is the series of steps an attacker cycles through, from reconnaissance of a target host to damaging it, and generally consists of several different attack stages. For example, the attack chain may consist of six attack stages, namely a reconnaissance stage, an intrusion stage, a command control stage, a lateral penetration stage, a data leakage stage and a trace cleanup stage, i.e. M has a value of 6. Correspondingly, the M attack chain tags are a reconnaissance tag, an intrusion tag, a command control tag, a lateral penetration tag, a data leakage tag and a trace cleanup tag. Of course, the division of the attack chain is not limited to this manner and may be set flexibly according to the actual situation.
As mentioned above, alarm information with different alarm contents corresponds to different attack stages, and each attack chain tag corresponds to one attack stage, so the association relationship between alarm information of different alarm contents and the different attack chain tags can be pre-established from published network attack events. According to the alarm content of the alarm information, the attack chain tag corresponding to the alarm information can then be determined from the pre-established tag library. Taking alarm information whose attack type is a PHP code execution attack as an example, the PHP code execution attack belongs to the command control stage of the attack chain, so the attack chain tag added to the alarm information is the "command control" tag. Further, the attack chain tag may be added as an attribute of the alarm information.
After adding corresponding attack chain tags to all the alarm information of an attack event, the total times of network attacks in each attack stage of the attack event can be obtained by counting the number of the same attack chain tags. For example, by counting the number of the reconnaissance labels, the total number of network attacks in the reconnaissance phase of the attack event can be obtained; and counting the number of the intrusion labels to obtain the total times of the network attacks in the intrusion stage of the attack event. Taking the example that the target host is attacked by the network for 10 times in the attack event, 10 pieces of alarm information are correspondingly generated, and the attack chain labels corresponding to the 10 pieces of alarm information are respectively: a scout tag, an intrusion tag, a scout tag, an intrusion tag, a command control tag, and a command control tag. By counting 10 attack chain labels, the target host is known to be attacked 3 times by the network in the reconnaissance phase, 4 times by the network in the intrusion phase and 3 times by the network in the command control phase.
For obtaining the successful network attack times in each attack stage of the attack event, the alarm information corresponding to the successful network attack can be screened out, and then the number of the same attack chain labels in the attack chain labels corresponding to the screened out alarm information is respectively counted, so that the successful network attack times in each attack stage of the attack event can be obtained. And combining the screened alarm information content to obtain the successful attack action of the network attack in each attack stage of the attack event.
The attack route information is generated after the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event have been obtained. Further, the attack route information may also include the start and end times of each attack stage, and after the attack route information is generated, it may be displayed in the order of the start times of the attack stages. The start time of each attack stage is the time of the first network attack of that stage, and the end time is the time of the last network attack of that stage. Taking again the example above in which the target host is attacked 10 times, if the start and end times of the reconnaissance stage are 2018-3-15 03:20 to 2018-3-19 15:12, those of the intrusion stage are 2018-3-17 07:38 to 2018-3-21 05:21, and those of the command control stage are 2018-3-20 14:47 to 2018-3-20 18:21, the network attack route information generated from the statistical result can be displayed as "2018-3-15 03:20-2018-3-19 15:12, reconnaissance stage: 3 times; 2018-3-17 07:38-2018-3-21 05:21, intrusion stage, 4 times; 2018-3-20 14:47-2018-3-20 18:21, command control stage, 4 times". Of course, the attack route information may also include information such as the IP address of the target host and the duration of the entire attack event, as shown in fig. 6, which this embodiment does not limit.
Further, since each attack stage in the attack chain may also be divided into several smaller attack stages, each smaller attack stage is also characterized by an attack chain tag. Correspondingly, the attack chain tag may include more than two levels, and adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information includes: and determining each level of label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer larger than 4.
Fig. 7 is a schematic diagram of a tag library provided in this embodiment, where attack chain tags in the tag library are divided into three levels. The first-level labels comprise a reconnaissance label, an intrusion label, a command control label, a transverse permeation label, a data leakage label and a trace cleaning label. The secondary labels corresponding to the reconnaissance labels comprise port scanning labels, information leakage labels, IP scanning labels and sub-domain name collection labels; the secondary labels corresponding to the intrusion labels comprise a vulnerability detection label, a vulnerability utilization label, a service denial label, a brute force cracking label and a high-risk operation label; the secondary labels corresponding to the command control labels comprise a host controlled label, a hacker tool uploading label, a server transfer behavior label, a right-lifting label, a virus killing software closing label and a host information acquisition label; the transverse penetration label comprises an intranet investigation label, a sniffing attack label, an intranet vulnerability detection label and an intranet vulnerability utilization label; the secondary labels corresponding to the data leakage labels comprise file downloading labels and library dragging behavior labels; and the secondary labels corresponding to the trace clearing labels comprise a backdoor deleting label, a closing attack service label and a clearing log label. And the third-level label corresponding to the high-risk operation label comprises a database operation label and a weak password successful login label.
By setting the attack chain tags to multiple levels, the attack phases in the attack chain can be described in more detail, thereby presenting the network administrator with the entire process of the attack event in more detail. It should be noted that the tag library may be created by the target host, or may be created by another host, and the target host may directly invoke the tag library from another host when needing to add the corresponding attack chain tag. Furthermore, the corresponding attack chain label can be directly added to the alarm information without creating the label library.
After the attack route information is generated, it can be sent to a network manager by one or a combination of mail, short message, dialog box and instant messaging. By adding the corresponding attack chain tag to the alarm information and counting, according to the attack chain tags, the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the attack event is re-divided along its attack chain, the whole process of the attack event is presented to network management personnel by attack stage from the perspective of big data analysis, and a confused attack timeline is avoided.
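The tagging and counting of Example 4 as an added Python example, not the patent's code: alarm records get a first- and second-level attack chain tag from a tag library, the tags of one attack event are counted per stage, and the route is rendered in start-time order. The tag library contents, the alarm records and the event id are constructed so that they reproduce the 3/4/3 stage counts and the stage times of the example above.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Alarm:
    """One alarm message (Example 3) with the attack chain tags added to it
    as an attribute (Example 4)."""
    time: datetime
    event_id: str
    attack_type: str
    success: bool
    attack_action: str = ""
    chain_tags: tuple = ()   # (first-level tag, second-level tag, ...)


# Constructed tag library (an assumption, not the patent's): the attack type
# named in the alarm content -> its first- and second-level attack chain tags.
TAG_LIBRARY = {
    "port scan": ("reconnaissance", "port scanning"),
    "IP scan": ("reconnaissance", "IP scanning"),
    "SQL injection": ("intrusion", "vulnerability exploitation"),
    "brute force": ("intrusion", "brute force cracking"),
    "PHP code execution": ("command control", "host controlled"),
    "hacker tool upload": ("command control", "hacker tool uploading"),
}


def add_chain_tags(alarm: Alarm, tag_library=TAG_LIBRARY) -> Alarm:
    """Determine each level of tag for the alarm from its alarm content."""
    alarm.chain_tags = tag_library.get(alarm.attack_type, ("unclassified",))
    return alarm


def attack_route(alarms, event_id: str) -> list:
    """Count the attack chain tags of one attack event per attack stage and
    return the attack route information ordered by the start time of each stage."""
    stages = {}
    for alarm in alarms:
        if alarm.event_id != event_id or not alarm.chain_tags:
            continue
        stage = alarm.chain_tags[0]
        info = stages.setdefault(stage, {
            "stage": stage, "total": 0, "successful": 0,
            "successful_actions": [], "sub_stages": Counter(),
            "start": alarm.time, "end": alarm.time})
        info["total"] += 1
        info["start"] = min(info["start"], alarm.time)   # first attack of the stage
        info["end"] = max(info["end"], alarm.time)       # last attack of the stage
        if len(alarm.chain_tags) > 1:
            info["sub_stages"][alarm.chain_tags[1]] += 1
        if alarm.success:
            info["successful"] += 1
            info["successful_actions"].append(alarm.attack_action)
    return sorted(stages.values(), key=lambda s: s["start"])


def fmt(t: datetime) -> str:
    """Render a time the way the patent's example does, e.g. 2018-3-15 03:20."""
    return f"{t.year}-{t.month}-{t.day} {t:%H:%M}"


def format_route(route) -> str:
    """Render the attack route information as one display string."""
    return "; ".join(
        f"{fmt(s['start'])}-{fmt(s['end'])}, {s['stage']} stage: {s['total']} times"
        + (f", {s['successful']} successful ({', '.join(s['successful_actions'])})"
           if s["successful"] else "")
        for s in route)


def _alarm(ts: str, attack_type: str, success: bool = False, action: str = "") -> Alarm:
    return Alarm(datetime.strptime(ts, "%Y-%m-%d %H:%M"), "event-1",
                 attack_type, success, action)


# Constructed alarm information for one attack event: 10 network attacks with
# the per-stage counts and start/end times of the example in the text.
ALARMS = [add_chain_tags(a) for a in [
    _alarm("2018-03-15 03:20", "port scan"),
    _alarm("2018-03-17 07:38", "brute force"),
    _alarm("2018-03-18 10:05", "IP scan"),
    _alarm("2018-03-18 22:40", "SQL injection"),
    _alarm("2018-03-19 15:12", "port scan"),
    _alarm("2018-03-20 01:30", "SQL injection", True, "floor() function error injection"),
    _alarm("2018-03-20 14:47", "PHP code execution", True, "PHP code execution"),
    _alarm("2018-03-20 16:10", "hacker tool upload"),
    _alarm("2018-03-20 18:21", "PHP code execution", True, "PHP code execution"),
    _alarm("2018-03-21 05:21", "brute force"),
]]

if __name__ == "__main__":
    print(format_route(attack_route(ALARMS, "event-1")))
```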
Example 5
This embodiment provides a network attack result detection system, which includes: a first extraction module for extracting the features to be compared from the network data of the target host; a comparison module for comparing the features to be compared with more than one attack response rule, where the attack response rule is formed according to first response data, and the first response data is the attacked host's response to a successful attack request; and a judging module for judging that the target host has been successfully attacked by the network attack when the features to be compared match an attack response rule.
Further, the first extraction module may include: a first extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer a request service; and the second extraction unit is used for extracting the features to be compared from the second response data.
Further, the first extraction module may also include: a third extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service; a fourth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
Further, the network attack result detection system further includes a feature library creating module, which creates a feature library containing one or more attack response rules before the features to be compared are compared with the one or more attack response rules. Specifically, the feature library creating module may include: a database creating module for creating a database; a second extraction module for extracting one attack response feature from each of one or more pieces of first response data; a rule forming module for deterministically describing each attack response feature to form one or more attack response rules; and a storage module for storing the one or more attack response rules in the database to obtain the feature library.
The feature library may include N sub-feature libraries, where N is an integer not less than 2. In that case the feature library creating module may instead include: a database creating module for creating N databases; a second extraction module for extracting one attack response feature from each of two or more pieces of first response data; a rule forming module for deterministically describing each attack response feature to form two or more attack response rules; and a storage module for storing those of the two or more attack response rules that belong to the same attack type in the same database, each database thus becoming one sub-feature library.
Further, the network attack result detection system further includes: an association relation establishing module for establishing an association relation between each attack response rule and an attack action before the features to be compared are compared with the one or more attack response rules; and an attack action determining module for determining, after the target host is judged to have been successfully attacked, the attack action associated with the attack response rule that matched the features to be compared as the attack action of the successful network attack, according to the association relation between each attack response rule and its attack action.
For a specific working principle of the network attack result detection system, reference may be made to the description of step S11 to step S13 in embodiment 1, and this embodiment is not described herein again.
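The feature library, the regular-expression rule forming step (A7, B28) and the association between a matched rule and its attack action, as embodiment 5 describes them above and as items A1 to A8, B22 to B29 and claims 1 to 6 restate them, written out as an added Python example. This is illustration code, not the patent's own implementation: the HTTP samples, the rule that a feature is the first body line of a first response, and the digit-generalising heuristic in `describe_feature` are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AttackResponseRule:
    rule_id: str
    attack_type: str      # selects the sub-feature library ("database") the rule is stored in
    pattern: str          # deterministic description of the attack response feature (a regex)
    attack_action: str    # association relation: rule -> attack action


def http_body(raw_message: str) -> str:
    """Return the body of a raw HTTP message (the text after the first blank line)."""
    _head, sep, body = raw_message.partition("\n\n")
    return body if sep else ""


def extract_attack_response_feature(first_response: str) -> str:
    """Second extraction module: take the indicative first body line of a response the
    attacked host sent to a successful attack request (constructed simplification)."""
    return http_body(first_response).strip().split("\n", 1)[0]


def describe_feature(feature: str) -> str:
    """Rule forming module: deterministic description of a feature as a regular
    expression. Literal text is escaped and every run of digits is generalised to a
    digit-run pattern, so the rule matches the same response shape with other numbers
    (an assumed heuristic; the patent only says a regular expression is used)."""
    return re.sub(r"\d+", r"\\d+", re.escape(feature))


class FeatureLibrary:
    """Feature library made of N sub-feature libraries, one per attack type, together
    with the association relation from each rule to its attack action."""

    def __init__(self) -> None:
        self.sub_libraries: Dict[str, List[AttackResponseRule]] = {}
        self.actions: Dict[str, str] = {}

    def store(self, rule: AttackResponseRule) -> None:
        """Storage module: rules of the same attack type go into the same database."""
        self.sub_libraries.setdefault(rule.attack_type, []).append(rule)
        self.actions[rule.rule_id] = rule.attack_action

    def match(self, feature_to_compare: str) -> Optional[AttackResponseRule]:
        """Comparison module: first rule whose pattern is found in the feature."""
        for rules in self.sub_libraries.values():
            for rule in rules:
                if re.search(rule.pattern, feature_to_compare):
                    return rule
        return None


def build_feature_library(first_response_data: List[Tuple[str, str, str]]) -> FeatureLibrary:
    """Feature library creating module: each (attack_type, attack_action, first_response)
    sample becomes one regex rule stored in the sub-library of its attack type."""
    library = FeatureLibrary()
    for index, (attack_type, attack_action, first_response) in enumerate(first_response_data, 1):
        feature = extract_attack_response_feature(first_response)
        library.store(AttackResponseRule(f"R{index}", attack_type, describe_feature(feature), attack_action))
    return library


def extract_features_to_compare(request_data: str, second_response_data: str) -> str:
    """First extraction module (A3 variant): the request line together with the body of
    the target host's answer, so a rule may constrain both sides of the exchange."""
    request_line = request_data.split("\n", 1)[0]
    return request_line + "\n" + http_body(second_response_data)


def detect_attack_result(library: FeatureLibrary, request_data: str, second_response_data: str) -> dict:
    """Judging module plus attack action determining module: a match means the attack
    succeeded, and the association relation yields the attack action."""
    rule = library.match(extract_features_to_compare(request_data, second_response_data))
    if rule is None:
        return {"success": False, "attack_type": None, "attack_action": None}
    return {"success": True, "attack_type": rule.attack_type,
            "attack_action": library.actions[rule.rule_id]}


# Constructed first response data: answers an attacked host returned to attack requests
# that did succeed. Sample values are invented for this example.
FIRST_RESPONSE_DATA = [
    ("command_execution", "remote command execution",
     "HTTP/1.1 200 OK\nContent-Type: text/plain\n\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n"),
    ("file_disclosure", "sensitive file read",
     "HTTP/1.1 200 OK\nContent-Type: text/plain\n\nroot:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
]
LIBRARY = build_feature_library(FIRST_RESPONSE_DATA)

# Constructed network data of a monitored target host: one exchange whose answer carries
# command output with a different uid than the training sample, and one ordinary page.
SUSPECT_REQUEST = "POST /cgi-bin/status HTTP/1.1\nHost: target.example\n\n"
SUSPECT_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/plain\n\nuid=48(www-data) gid=48(www-data) groups=48(www-data)\n"
BENIGN_REQUEST = "GET /index.html HTTP/1.1\nHost: target.example\n\n"
BENIGN_RESPONSE = "HTTP/1.1 200 OK\nContent-Type: text/html\n\n<html><body>Welcome</body></html>\n"

if __name__ == "__main__":
    print(detect_attack_result(LIBRARY, SUSPECT_REQUEST, SUSPECT_RESPONSE))
    print(detect_attack_result(LIBRARY, BENIGN_REQUEST, BENIGN_RESPONSE))
```

The rules are keyed by attack type so that a library for a given service can be searched one sub-library at a time; the association dictionary is kept separate from the rule body, as embodiment 5 keeps the association relation establishing module separate from the rule forming module.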
Example 6
This embodiment provides another network attack result detection system which, compared with the network attack result detection system provided in embodiment 5, further includes a detection module for detecting, according to the network data, whether the target host is under network attack before the features to be compared are extracted from the network data of the target host; if the target host is under network attack, the first extraction module extracts the features to be compared from the network data of the target host.
Further, the detection module includes: the third extraction module is used for extracting the features to be detected from the network data; and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
Further, the third extraction module comprises: a fifth extracting unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host; and the sixth extraction unit is used for extracting the features to be detected from the request data.
Further, the network attack result detection system further includes a model creating module for building the artificial intelligence model before the features to be detected are imported into the pre-established artificial intelligence model. Specifically, the model creating module includes: a collection module for collecting model training data; a fourth extraction module for extracting the features of known network attacks from the model training data to obtain attack feature data; a classification module for classifying the attack feature data to obtain training samples; and a training module for carrying out model training on the training samples to obtain the artificial intelligence model.
The specific working principle of the network attack result detection system may refer to the description of each step in embodiment 2, and this embodiment is not described herein again.
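The detection module of embodiment 6, with the model creating module behind it, as an added Python example; items A9 to A15 and B30 to B36 restate the same pipeline, and A15/B36 name the naive Bayes algorithm. The code is not the patent's implementation: the tokenisation of the request target, the multinomial naive Bayes with Laplace smoothing written in plain Python, and the labelled training request lines are all assumptions of the example (the request lines are constructed, not collected from any host).

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import unquote

# lowercase word tokens and single punctuation characters; whitespace is dropped
TOKEN_RE = re.compile(r"[a-z0-9_]+|[^a-z0-9_\s]")


def extract_features_to_detect(request_data: str) -> List[str]:
    """Third extraction module (fifth and sixth units): the features to be detected are
    the tokens of the request target (path and query) found on the request line."""
    request_line = request_data.splitlines()[0]
    parts = request_line.split(" ")
    # the request target sits between the method and the HTTP version
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else request_line
    return TOKEN_RE.findall(unquote(target).lower())


class NaiveBayesAttackModel:
    """Multinomial naive Bayes with Laplace smoothing; the pre-established artificial
    intelligence model of the importing module (pure-Python version, an assumption)."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.class_counts: Counter = Counter()
        self.token_counts: Dict[str, Counter] = defaultdict(Counter)
        self.vocabulary: set = set()

    def train(self, training_samples: List[Tuple[List[str], str]]) -> None:
        """Training module: count classes and per-class token frequencies."""
        for tokens, label in training_samples:
            self.class_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocabulary.update(tokens)

    def log_posterior(self, tokens: List[str], label: str) -> float:
        total_samples = sum(self.class_counts.values())
        log_p = math.log(self.class_counts[label] / total_samples)
        denominator = sum(self.token_counts[label].values()) + self.alpha * len(self.vocabulary)
        for token in tokens:  # unseen tokens get the smoothed count alpha
            log_p += math.log((self.token_counts[label][token] + self.alpha) / denominator)
        return log_p

    def classify(self, tokens: List[str]) -> str:
        return max(self.class_counts, key=lambda label: self.log_posterior(tokens, label))


def build_training_samples(model_training_data: List[Tuple[str, str]]) -> List[Tuple[List[str], str]]:
    """Fourth extraction module plus classification module: extract the features of each
    known request and pair them with its attack type (or "benign") as a training sample."""
    return [(extract_features_to_detect(request), label) for request, label in model_training_data]


def detect_attack(model: NaiveBayesAttackModel, request_data: str) -> Tuple[bool, str]:
    """Importing module: classify the features to be detected; the target host is judged
    under attack when the class is anything other than benign, and the class is the type."""
    attack_type = model.classify(extract_features_to_detect(request_data))
    return attack_type != "benign", attack_type


# Constructed model training data (collection module): request lines labelled with the
# attack type they are known to carry. Invented for this example.
MODEL_TRAINING_DATA = [
    ("GET /index.html HTTP/1.1", "benign"),
    ("GET /products?id=42 HTTP/1.1", "benign"),
    ("GET /search?q=winter+jackets HTTP/1.1", "benign"),
    ("POST /login HTTP/1.1", "benign"),
    ("GET /products?id=42'%20OR%20'1'='1 HTTP/1.1", "sql_injection"),
    ("GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1", "sql_injection"),
    ("GET /news?id=7%20OR%201=1-- HTTP/1.1", "sql_injection"),
    ("GET /download?file=../../../../etc/passwd HTTP/1.1", "path_traversal"),
    ("GET /static?path=..%2F..%2Fetc%2Fshadow HTTP/1.1", "path_traversal"),
    ("GET /view?page=../../windows/win.ini HTTP/1.1", "path_traversal"),
]

MODEL = NaiveBayesAttackModel()
MODEL.train(build_training_samples(MODEL_TRAINING_DATA))

if __name__ == "__main__":
    for request in ("GET /search?q=red+shoes HTTP/1.1", "GET /download?file=../../etc/passwd HTTP/1.1"):
        print(request, "->", detect_attack(MODEL, request))
```

With ten training lines the class priors and the Laplace term dominate, so the model is only a shape of the pipeline; a deployed model creating module would collect far more request data per attack type, and the benign class needs to be represented at least as richly as the attack classes or ordinary query parameters start to look suspicious.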
Example 7
This embodiment provides another network attack result detection system which, compared with the network attack result detection system provided in embodiment 6, further includes an alarm information generating module for generating alarm information, where the alarm information includes the attack type of the network attack, whether the network attack succeeded, and the attack action of the successful network attack. Further, the network attack result detection system further includes a sending module for sending the alarm information to a network manager through one or more of e-mail, SMS messages, dialog boxes and instant messaging.
The specific working principle of the network attack result detection system may refer to the description of each step in embodiment 3, which is not described herein again.
Example 8
This embodiment provides another network attack result detection system, and compared with the network attack result detection system provided in embodiment 7, the network attack result detection system further includes: the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain; the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event; and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
Further, the attack chain tags include more than two levels, and the tag adding module is configured to determine, according to the alarm content of the alarm information, each level of tags corresponding to the alarm information from a pre-established tag library, where the tag library stores M attack chain tags, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
Further, the attack route information further includes the start and stop times of each attack stage, and the network attack result detection system further includes a display module for displaying the attack route information in the order of the start time of each attack stage.
The specific working principle of the network attack result detection system may refer to the description of each step in embodiment 4, which is not described herein again.
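Embodiments 7 and 8 together (alarm information, attack chain tags from a two-level tag library, per-stage statistics and the attack route ordered by start time), as one added Python example; items A16 to A21, B37 to B42 and claim 1 restate the same steps. The code is not the patent's implementation: the stage names in the tag library, the rule that the level-2 tag is the attack type and the level-1 tag its stage, and the detection results fed in are assumptions constructed for this example (the patent only requires M > 4 tags in more than two levels).

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class AlarmInformation:
    event_id: str
    time: datetime
    attack_type: str
    success: bool                      # whether the network attack succeeded
    attack_action: Optional[str]       # attack action of a successful attack, else None
    tags: Dict[int, str] = field(default_factory=dict)   # tag level -> attack chain tag


def generate_alarm(event_id: str, time: datetime, detection: dict) -> AlarmInformation:
    """Alarm information generating module: attack type, success flag and attack action."""
    return AlarmInformation(event_id, time, detection["attack_type"],
                            detection["success"], detection.get("attack_action"))


def format_alarm(alarm: AlarmInformation) -> str:
    """Text the sending module would hand to e-mail, SMS or instant messaging."""
    outcome = f"successful ({alarm.attack_action})" if alarm.success else "unsuccessful"
    return f"[{alarm.event_id}] {alarm.time:%Y-%m-%d %H:%M} {alarm.attack_type}: {outcome}"


# Pre-established tag library with M = 10 tags in two levels: level-1 tags are attack chain
# stages, level-2 tags are attack types whose parent is the stage they belong to. The stage
# names and the mapping are assumptions of this example.
TAG_LIBRARY: List[Tuple[int, str, Optional[str]]] = [
    (1, "reconnaissance", None), (1, "exploitation", None),
    (1, "installation", None), (1, "actions_on_objectives", None),
    (2, "port_scan", "reconnaissance"), (2, "sql_injection", "exploitation"),
    (2, "path_traversal", "exploitation"), (2, "command_execution", "exploitation"),
    (2, "webshell_upload", "installation"), (2, "data_exfiltration", "actions_on_objectives"),
]


def add_attack_chain_tags(alarm: AlarmInformation) -> AlarmInformation:
    """Tag adding module: determine each level of tag from the alarm content (here the
    attack type); an attack type missing from the library gets an 'unclassified' stage."""
    for level, tag, parent in TAG_LIBRARY:
        if level == 2 and tag == alarm.attack_type:
            alarm.tags = {1: parent, 2: tag}
            return alarm
    alarm.tags = {1: "unclassified", 2: alarm.attack_type}
    return alarm


@dataclass
class StageStatistics:
    stage: str
    total_attacks: int = 0
    successful_attacks: int = 0
    successful_actions: List[str] = field(default_factory=list)
    start_time: Optional[datetime] = None
    stop_time: Optional[datetime] = None


def count_attack_chain_tags(alarms: List[AlarmInformation], event_id: str) -> Dict[str, StageStatistics]:
    """Statistical module: per attack stage of one attack event, the total number of attacks,
    the successful ones, their attack actions, and the stage's start and stop times."""
    stats: Dict[str, StageStatistics] = {}
    for alarm in alarms:
        if alarm.event_id != event_id:
            continue
        stage = stats.setdefault(alarm.tags[1], StageStatistics(alarm.tags[1]))
        stage.total_attacks += 1
        if alarm.success:
            stage.successful_attacks += 1
            stage.successful_actions.append(alarm.attack_action)
        stage.start_time = alarm.time if stage.start_time is None else min(stage.start_time, alarm.time)
        stage.stop_time = alarm.time if stage.stop_time is None else max(stage.stop_time, alarm.time)
    return stats


def generate_attack_route(alarms: List[AlarmInformation], event_id: str) -> List[StageStatistics]:
    """Route information generating module and display order: stages sorted by start time."""
    return sorted(count_attack_chain_tags(alarms, event_id).values(), key=lambda s: s.start_time)


# Constructed detection results of two attack events, as the judging module would emit them.
CONSTRUCTED_DETECTIONS = [
    ("event-1", datetime(2018, 6, 1, 9, 55), {"attack_type": "port_scan", "success": False}),
    ("event-1", datetime(2018, 6, 1, 10, 5), {"attack_type": "sql_injection", "success": False}),
    ("event-1", datetime(2018, 6, 1, 10, 7),
     {"attack_type": "sql_injection", "success": True, "attack_action": "database content read"}),
    ("event-1", datetime(2018, 6, 1, 10, 20),
     {"attack_type": "webshell_upload", "success": True, "attack_action": "webshell written to web root"}),
    ("event-2", datetime(2018, 6, 1, 10, 30),
     {"attack_type": "path_traversal", "success": True, "attack_action": "sensitive file read"}),
]
SAMPLE_ALARMS = [add_attack_chain_tags(generate_alarm(e, t, d)) for e, t, d in CONSTRUCTED_DETECTIONS]

if __name__ == "__main__":
    for stage in generate_attack_route(SAMPLE_ALARMS, "event-1"):
        print(stage.stage, stage.start_time.time(), stage.total_attacks,
              stage.successful_attacks, stage.successful_actions)
```

Grouping by the level-1 tag is what turns a stream of per-request alarms into the attack route: the unsuccessful SQL injection attempt and the successful one fall into the same exploitation stage, so the route reports two attacks and one success there rather than two unrelated alarms.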
Example 9
This embodiment provides a computer-readable storage medium on which a computer program is stored. When the network attack result detection method provided in embodiments 1 to 4 of the present invention is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, all or part of the processes of the network attack result detection methods provided in embodiments 1 to 4 may also be implemented by a computer program instructing the related hardware. The computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above.
The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, such as a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal or a software distribution medium. It should be noted that the content a computer-readable medium may contain is subject to appropriate increase or decrease as required by legislation and patent practice in each jurisdiction; for example, in some jurisdictions the legislation and patent practice exclude electrical carrier signals and telecommunications signals from computer-readable media.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
The invention discloses A1, a network attack result detection method, comprising:
extracting features to be compared from network data of a target host;
comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is the data with which an attacked host answers a successful attack request;
and if the features to be compared are matched with the attack response rule, judging that the target host is successfully attacked by the network.
A2, the method for detecting network attack result according to A1, wherein the extracting the features to be compared from the network data of the target host comprises:
extracting second response data from the network data, wherein the second response data is used for the target host to answer a request service;
and extracting the features to be compared from the second response data.
A3, the method for detecting network attack result according to A1, wherein the extracting the features to be compared from the network data of the target host comprises:
extracting request data and second response data from the network data, wherein the request data is used for initiating a request service to the target host, and the second response data is used for responding the request service by the target host;
and extracting the features to be compared from the request data and the second response data.
A4, the method for detecting network attack result according to A1, further comprising, before comparing the features to be compared with one or more attack response rules:
a feature library is established that includes the one or more attack response rules.
A5, the method for detecting network attack result according to A4, wherein the establishing a feature library containing the one or more attack response rules comprises:
creating a database;
correspondingly extracting more than one attack response characteristic from more than one first response data;
each attack response characteristic is described in a deterministic manner to form more than one attack response rule;
and storing the more than one attack response rule into the database to obtain the feature library.
A6, the method for detecting network attack result according to A4, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the establishing the feature library containing the more than one attack response rules comprises:
creating N databases;
correspondingly extracting more than two attack response characteristics from more than two first response data;
each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
A7, the method for detecting network attack result according to A5 or A6, wherein the deterministically describing each attack response feature comprises:
and performing deterministic description on each attack response characteristic by adopting a regular expression.
A8, the method for detecting network attack result according to A1, further comprising, before comparing the features to be compared with one or more attack response rules:
establishing an association relation between each attack response rule and an attack action;
and after the determining that the target host is successfully attacked by the network, the method further includes:
determining the attack action corresponding to the attack response rule matched with the features to be compared as the attack action of the successful network attack, according to the association relation between each attack response rule and the attack action.
A9, the method for detecting network attack result according to A8, before the extracting features to be compared from the network data of the target host, further comprising:
detecting whether the target host is under network attack according to the network data;
and if the target host is attacked by the network, extracting the features to be compared from the network data of the target host.
A10, the method for detecting result of network attack according to A9, wherein the detecting whether the target host is under network attack according to the network data includes:
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
A11, the method for detecting network attack result according to A10, wherein the extracting the features to be detected from the network data includes:
extracting request data from the network data, wherein the request data is used for initiating a request service to the target host;
and extracting the features to be detected from the request data.
A12, the method for detecting network attack results according to A10, wherein before the step of importing the features to be detected into a pre-established artificial intelligence model, the method further comprises:
and establishing the artificial intelligence model.
A13, the method for detecting network attack result according to A12, wherein the establishing the artificial intelligence model comprises:
collecting model training data;
extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data;
classifying the attack characteristic data to obtain a training sample;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
A14, the method for detecting network attack result according to A13, wherein the collecting model training data includes:
and collecting one or more combinations of the attack data disclosed by the Internet, the vulnerability data disclosed by the Internet, the attack data collected by the target host and the vulnerability data collected by the target host.
A15, the method for detecting the result of cyber attack according to A13, wherein the training of the model according to the training samples includes:
and performing model training by adopting a naive Bayes algorithm according to the training sample.
A16, the method for detecting network attack result according to A10, further comprising, after comparing the features to be compared with one or more attack response rules:
and generating alarm information, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful or not and the attack action of the successful network attack.
A17, the method for detecting network attack result according to A16, further comprising, after the generating the alarm information:
and sending the alarm information to a network manager through one or more of e-mail, SMS messages, dialog boxes and instant messaging.
A18, the method for detecting network attack result according to A16, further comprising, after the generating the alarm information:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event.
A19, the method for detecting network attack result according to A18, wherein the adding of the corresponding attack chain label to the alarm information according to the alarm content of the alarm information includes:
and determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
A20, the method for detecting network attack result according to A18, wherein the attack chain label includes more than two levels, and the adding of the corresponding attack chain label to the alarm information according to the alarm content of the alarm information includes:
determining a first-level label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information;
and determining each level of label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information, wherein the label library stores M attack chain labels, the M attack chain labels are divided into more than two levels, and M is an integer larger than 4.
A21, the method for detecting network attack result according to A18, wherein the attack route information further includes the start and stop times of each attack stage;
after generating attack route information according to the total number of network attacks in each attack phase of the attack event, the number of successful network attacks, and the attack action of the successful network attacks, the method further includes:
and displaying the attack route information according to the sequence of the starting time of each attack stage.
The invention also discloses B22, a network attack result detecting system, comprising:
the first extraction module is used for extracting the features to be compared from the network data of the target host;
the comparison module is used for comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is the data with which an attacked host answers a successful attack request;
and the judging module is used for judging that the target host is successfully attacked by the network when the features to be compared are matched with the attack response rules.
B23, the system for detecting network attack result according to B22, the first extraction module comprising:
a first extracting unit, configured to extract second response data from the network data, where the second response data is used for the target host to answer a request service;
and the second extraction unit is used for extracting the features to be compared from the second response data.
B24, the system for detecting network attack result according to B22, the first extraction module comprising:
a third extracting unit, configured to extract request data and second response data from the network data, where the request data is used to initiate a request service to the target host, and the second response data is used for the target host to answer the request service;
a fourth extracting unit, configured to extract the feature to be compared from the request data and the second response data.
B25, the system for detecting network attack result according to B22, further comprising:
and the feature library creating module is used for creating a feature library containing more than one attack response rule before the features to be compared are compared with the more than one attack response rule.
B26, the system for detecting network attack result according to B25, wherein the feature library creating module comprises:
the database creating module is used for creating a database;
the second extraction module is used for correspondingly extracting more than one attack response characteristic from more than one first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than one attack response rule;
and the storage module is used for storing the more than one attack response rule into the database to obtain the feature library.
B27, the system for detecting the result of network attack according to B25, wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the feature library creating module comprises:
the database creating module is used for creating N databases;
the second extraction module is used for correspondingly extracting more than two attack response characteristics from more than two pieces of first response data;
the rule forming module is used for performing deterministic description on each attack response characteristic to form more than two attack response rules;
and the storage module is used for storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
B28, the system for detecting network attack result according to B26 or B27, wherein the rule forming module is a regular expression writing module.
B29, the system for detecting network attack result according to B22, further comprising:
the association relation establishing module is used for establishing the association relation between each attack response rule and the attack action before the features to be compared are compared with more than one attack response rule;
and the attack action determining module is used for determining, after the target host is judged to be successfully attacked by the network attack, the attack action corresponding to the attack response rule matched with the features to be compared as the attack action of the successful network attack, according to the association relation between each attack response rule and the attack action.
B30, the system for detecting network attack result according to B29, further comprising:
the detection module is used for detecting, according to the network data, whether the target host is under network attack before the features to be compared are extracted from the network data of the target host;
and if the target host is attacked by the network, the first extraction module is used for extracting the features to be compared from the network data of the target host.
B31, the system for detecting the result of network attack according to B30, wherein the detection module comprises:
the third extraction module is used for extracting the features to be detected from the network data;
and the importing module is used for importing the characteristics to be detected into a pre-established artificial intelligence model, classifying the characteristics to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
B32, the system for detecting network attack result according to B31, the third extraction module includes:
a fifth extracting unit, configured to extract request data from the network data, where the request data is used to initiate a request service to the target host;
and the sixth extraction unit is used for extracting the features to be detected from the request data.
B33, the system for detecting network attack result according to B31, further comprising:
and the model creating module is used for building the artificial intelligence model before the features to be detected are imported into the pre-established artificial intelligence model.
B34, the system for detecting network attack result according to B33, the model creating module includes:
the collection module is used for collecting model training data;
the fourth extraction module is used for extracting the characteristics of the known network attack from the model training data to obtain attack characteristic data;
the classification module is used for classifying the attack characteristic data to obtain a training sample;
and the training module is used for carrying out model training according to the training samples to obtain the artificial intelligence model.
B35, the system for detecting the network attack result according to B34, wherein the model training data comprises one or more combinations of Internet published attack data, Internet published vulnerability data, attack data collected by the target host and vulnerability data collected by the target host.
B36, the system for detecting the result of network attack according to B34, wherein the training module is a naive Bayes algorithm module.
B37, the system for detecting network attack result according to B31, further comprising:
and the warning information generating module is used for generating warning information after comparing the characteristics to be compared with more than one attack response rule, wherein the warning information comprises the attack type of the network attack, whether the network attack is successful and the attack action of the successful network attack.
B38, the system for detecting network attack result according to B37, further comprising:
and the sending module is used for sending the alarm information to a network manager through one or more of e-mail, SMS messages, dialog boxes and instant messaging after the alarm information is generated.
B39, the system for detecting network attack result according to B37, further comprising:
the label adding module is used for adding a corresponding attack chain label to the alarm information according to the alarm content of the alarm information, wherein the attack chain label is used for representing the attack stage of the network attack in an attack chain;
the statistical module is used for counting each attack chain label of the same attack event and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
and the route information generating module is used for generating attack route information according to the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event, wherein the attack route information comprises the total network attack times, the successful network attack times and the successful attack actions of the network attack in each attack stage of the attack event.
B40, the system for detecting network attack result according to B39, wherein the label adding module is used for determining an attack chain label corresponding to the alarm information from a pre-established label library according to the alarm content of the alarm information.
B41, the system for detecting network attack result according to B39, wherein the attack chain tags include more than two levels, and the tag adding module is used for determining each level of tag corresponding to the alarm information from a pre-established tag library according to the alarm content of the alarm information, wherein M attack chain tags are stored in the tag library, the M attack chain tags are divided into more than two levels, and M is an integer greater than 4.
B42, the system for detecting network attack result according to B39, wherein the attack route information further includes the start and stop times of each attack stage, the system further comprising:
and the display module is used for displaying the attack route information according to the sequence of the starting time of each attack stage.
The invention also discloses C43, a computer readable storage medium, having a computer program stored thereon, which when executed by a processor, implements a network attack result detection method as described in any one of A1 to A21.
The invention also discloses D44, a computer device, comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to implement the network attack result detection method of any one of A1 to A21.

Claims (36)

1. A network attack result detection method is characterized by comprising the following steps:
extracting features to be compared from network data of a target host;
comparing the features to be compared with more than one attack response rule, wherein the attack response rule is formed according to first response data, and the first response data is the data with which an attacked host answers a successful attack request;
if the features to be compared are matched with the attack response rule, judging that the target host is successfully attacked by the network;
before comparing the features to be compared with more than one attack response rule, the method further comprises the following steps:
establishing a feature library containing the one or more attack response rules;
after comparing the features to be compared with more than one attack response rule, the method further comprises the following steps:
generating alarm information, wherein the alarm information comprises an attack type of the network attack, whether the network attack is successful or not and an attack action of the successful network attack;
wherein, after the generating the alarm information, the method further comprises:
adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
counting each attack chain label of the same attack event, and obtaining the total times of network attacks, the times of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
generating attack route information according to the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total times of network attacks, the successful times of network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
wherein the feature library comprises N sub-feature libraries, N is an integer not less than 2, and the establishing the feature library including the one or more attack response rules comprises:
creating N databases;
correspondingly extracting more than two attack response characteristics from more than two first response data;
each attack response characteristic is described in a deterministic manner to form more than two attack response rules;
and storing the attack response rules belonging to the same attack type in the more than two attack response rules into the same database to obtain the sub-feature library.
2. The method according to claim 1, wherein the extracting the features to be compared from the network data of the target host comprises:
extracting second response data from the network data, wherein the second response data is the data with which the target host answers a service request;
and extracting the features to be compared from the second response data.
3. The method according to claim 1, wherein the extracting the features to be compared from the network data of the target host comprises:
extracting request data and second response data from the network data, wherein the request data is used for initiating a service request to the target host, and the second response data is the data with which the target host answers the service request;
and extracting the features to be compared from the request data and the second response data.
4. The method according to claim 1, wherein the establishing a feature library containing the one or more attack response rules comprises:
creating a database;
extracting one or more attack response features from one or more pieces of first response data, respectively;
describing each attack response feature deterministically to form one or more attack response rules;
and storing the one or more attack response rules in the database to obtain the feature library.
5. The method according to claim 4, wherein the describing each attack response feature deterministically comprises:
describing each attack response feature deterministically by means of a regular expression.
6. The method according to claim 1, further comprising, before comparing the features to be compared with the one or more attack response rules:
establishing an association between each attack response rule and an attack action;
and after the determining that the target host is successfully attacked by the network attack, the method further comprises:
determining the attack action corresponding to the attack response rule matched by the features to be compared as the attack action of the successful network attack, according to the association between each attack response rule and the attack action.
7. The method according to claim 6, further comprising, before extracting the features to be compared from the network data of the target host:
detecting whether the target host is under network attack according to the network data;
and if the target host is under network attack, extracting the features to be compared from the network data of the target host.
8. The method according to claim 7, wherein the detecting whether the target host is under a network attack according to the network data comprises:
extracting features to be detected from the network data;
and importing the features to be detected into a pre-established artificial intelligence model, classifying the features to be detected through the artificial intelligence model, and determining whether the target host is under network attack and the attack type of the network attack according to the classification result.
9. The method according to claim 8, wherein the extracting features to be detected from the network data comprises:
extracting request data from the network data, wherein the request data is used for initiating a service request to the target host;
and extracting the features to be detected from the request data.
10. The method according to claim 8, further comprising, before importing the features to be detected into a pre-established artificial intelligence model:
and establishing the artificial intelligence model.
11. The method according to claim 10, wherein the establishing the artificial intelligence model comprises:
collecting model training data;
extracting the features of known network attacks from the model training data to obtain attack feature data;
classifying the attack feature data to obtain training samples;
and carrying out model training according to the training samples to obtain the artificial intelligence model.
12. The method according to claim 11, wherein the collecting model training data comprises:
collecting one or more of attack data published on the Internet, vulnerability data published on the Internet, attack data collected by the target host and vulnerability data collected by the target host, in any combination.
13. The method according to claim 11, wherein the performing model training according to the training samples comprises:
performing model training according to the training samples by means of a naive Bayes algorithm.
14. The method according to claim 1, further comprising, after the generating the alarm information:
sending the alarm information to a network administrator through one or more of e-mail, SMS message, dialog box and instant messaging, in any combination.
15. The method according to claim 1, wherein the adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information comprises:
determining the attack chain tag corresponding to the alarm information from a pre-established tag library according to the alarm content of the alarm information.
16. The method according to claim 1, wherein the attack chain tag comprises two or more levels, and the adding a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information comprises:
determining the first-level tag corresponding to the alarm information from a pre-established tag library according to the alarm content of the alarm information;
and determining the tag of each level corresponding to the alarm information from the pre-established tag library according to the alarm content of the alarm information, wherein the tag library stores M attack chain tags, the M attack chain tags are divided into two or more levels, and M is an integer greater than 4.
17. The method according to claim 1, wherein the attack route information further comprises the start and stop times of each attack stage;
and after generating the attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, the method further comprises:
displaying the attack route information in the order of the start time of each attack stage.
18. A system for detecting a network attack result, comprising:
a first extraction module, configured to extract features to be compared from network data of a target host;
a comparison module, configured to compare the features to be compared with one or more attack response rules, wherein the attack response rules are formed according to first response data, and the first response data is the data with which an attacked host responds to a successful attack request;
a judging module, configured to judge that the target host is successfully attacked by a network attack when the features to be compared match an attack response rule;
an alarm information generating module, configured to generate alarm information after the features to be compared are compared with the one or more attack response rules, wherein the alarm information comprises the attack type of the network attack, whether the network attack is successful and the attack action of the successful network attack;
a tag adding module, configured to add a corresponding attack chain tag to the alarm information according to the alarm content of the alarm information, wherein the attack chain tag is used for representing the attack stage of the network attack in an attack chain;
a statistical module, configured to count the attack chain tags of the same attack event and obtain the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
a route information generating module, configured to generate attack route information according to the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event, wherein the attack route information comprises the total number of network attacks, the number of successful network attacks and the attack actions of the successful network attacks in each attack stage of the attack event;
a feature library creating module, configured to create a feature library containing the one or more attack response rules before the features to be compared are compared with the one or more attack response rules;
wherein the feature library comprises N sub-feature libraries, N being an integer not less than 2, and the feature library creating module comprises:
a database creating module, configured to create N databases;
a second extraction module, configured to extract two or more attack response features from two or more pieces of first response data, respectively;
a rule forming module, configured to describe each attack response feature deterministically to form two or more attack response rules;
and a storage module, configured to store the attack response rules belonging to the same attack type among the two or more attack response rules in the same database to obtain a sub-feature library.
19. The system of claim 18, wherein the first extraction module comprises:
a first extracting unit, configured to extract second response data from the network data, wherein the second response data is the data with which the target host answers a service request;
and a second extracting unit, configured to extract the features to be compared from the second response data.
20. The system of claim 18, wherein the first extraction module comprises:
a third extracting unit, configured to extract request data and second response data from the network data, wherein the request data is used for initiating a service request to the target host, and the second response data is the data with which the target host answers the service request;
and a fourth extracting unit, configured to extract the features to be compared from the request data and the second response data.
21. The system of claim 18, wherein the feature library creating module comprises:
a database creating module, configured to create a database;
a second extraction module, configured to extract one or more attack response features from one or more pieces of first response data, respectively;
a rule forming module, configured to describe each attack response feature deterministically to form one or more attack response rules;
and a storage module, configured to store the one or more attack response rules in the database to obtain the feature library.
22. The system according to claim 18, wherein the rule forming module is a regular expression writing module.
23. The system of claim 18, further comprising:
an association establishing module, configured to establish an association between each attack response rule and an attack action before the features to be compared are compared with the one or more attack response rules;
and an attack action determining module, configured to determine, after the target host is judged to be successfully attacked by the network attack, the attack action corresponding to the attack response rule matched by the features to be compared as the attack action of the successful network attack, according to the association between each attack response rule and the attack action.
24. The system of claim 23, further comprising:
a detection module, configured to detect, before the features to be compared are extracted from the network data of the target host, whether the target host is under network attack according to the network data;
and wherein, if the target host is under network attack, the first extraction module extracts the features to be compared from the network data of the target host.
25. The system of claim 24, wherein the detection module comprises:
a third extraction module, configured to extract features to be detected from the network data;
and an importing module, configured to import the features to be detected into a pre-established artificial intelligence model, classify the features to be detected through the artificial intelligence model, and determine whether the target host is under network attack and the attack type of the network attack according to the classification result.
26. The system according to claim 25, wherein the third extraction module comprises:
a fifth extracting unit, configured to extract request data from the network data, wherein the request data is used for initiating a service request to the target host;
and a sixth extracting unit, configured to extract the features to be detected from the request data.
27. The system of claim 25, further comprising:
a model creating module, configured to establish the artificial intelligence model before the features to be detected are imported into the pre-established artificial intelligence model.
28. The system of claim 27, wherein the model creating module comprises:
a collection module, configured to collect model training data;
a fourth extraction module, configured to extract the features of known network attacks from the model training data to obtain attack feature data;
a classification module, configured to classify the attack feature data to obtain training samples;
and a training module, configured to carry out model training according to the training samples to obtain the artificial intelligence model.
29. The system of claim 28, wherein the model training data comprises one or more of attack data published on the Internet, vulnerability data published on the Internet, attack data collected by the target host and vulnerability data collected by the target host, in any combination.
30. The system of claim 28, wherein the training module is a naive Bayes algorithm module.
31. The system of claim 18, further comprising:
a sending module, configured to send the alarm information, after it is generated, to a network administrator through one or more of e-mail, SMS message, dialog box and instant messaging, in any combination.
32. The system of claim 18, wherein the tag adding module is configured to determine the attack chain tag corresponding to the alarm information from a pre-established tag library according to the alarm content of the alarm information.
33. The system according to claim 18, wherein the attack chain tag comprises two or more levels, and the tag adding module is configured to determine, according to the alarm content of the alarm information, the tag of each level corresponding to the alarm information from a pre-established tag library, wherein the tag library stores M attack chain tags, the M attack chain tags are divided into two or more levels, and M is an integer greater than 4.
34. The system according to claim 18, wherein the attack route information further comprises the start and stop times of each attack stage, the system further comprising:
a display module, configured to display the attack route information in the order of the start time of each attack stage.
35. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing a network attack result detection method according to any one of claims 1 to 17.
36. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements a network attack result detection method according to any one of claims 1 to 17 when executing the program.
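The following Python is an added example, not the patent's own code: it puts the response-rule matching, alarm generation, attack chain tagging and attack route steps of claims 1, 5, 6, 16 and 17 (and the corresponding modules of claims 18 to 34) together on constructed traffic. The attack types, regular expressions, attack actions, tag library, sample responses and the grouping of alarms into one attack event are all assumptions made for illustration, and each request's attack type is assumed to have been labelled already by the classifier of claim 8.

```python
import re

# Sub-feature libraries, one per attack type (claim 1). Each rule pairs a regular
# expression over the host's response data (claim 5) with the attack action it is
# associated with (claim 6). Types, patterns and actions are constructed here.
RULE_LIBRARY = {
    "command_injection": [(re.compile(r"uid=\d+\([^)]+\) gid=\d+"), "remote command executed")],
    "path_traversal": [(re.compile(r"^root:x:0:0:", re.M), "system file read")],
    "sql_injection": [(re.compile(r"SQL syntax.*MySQL server version", re.S), "database error disclosed")],
}

# Tag library (claim 16): first level is the attack chain stage, second level
# refines it; M = 6 tags. Keyed by (attack type, attack succeeded). Constructed.
TAG_LIBRARY = {
    ("sql_injection", False): ("reconnaissance", "injection probe"),
    ("sql_injection", True): ("exploitation", "data access"),
    ("path_traversal", False): ("reconnaissance", "file probe"),
    ("path_traversal", True): ("exploitation", "file disclosure"),
    ("command_injection", False): ("exploitation", "command attempt"),
    ("command_injection", True): ("installation", "command execution"),
}

def check_response(attack_type, response_data):
    """Compare the feature to be compared (the response body) with the rules of
    one sub-library; a match means the attack succeeded. Returns (success, action)."""
    for pattern, action in RULE_LIBRARY.get(attack_type, ()):
        if pattern.search(response_data):
            return True, action
    return False, None

def make_alarm(event_id, ts, attack_type, response_data):
    """Generate the alarm information (type, success, action) and add its tag."""
    success, action = check_response(attack_type, response_data)
    return {"event": event_id, "time": ts, "type": attack_type, "success": success,
            "action": action, "tag": TAG_LIBRARY[(attack_type, success)]}

def attack_route(alarms, event_id):
    """Count the attack chain tags of one event per stage (first-level tag) and
    build the attack route: totals, successes, successful actions and start/stop
    times per stage, ordered by stage start time (claim 17)."""
    stages = {}
    for a in alarms:
        if a["event"] != event_id:
            continue
        stage = a["tag"][0]
        s = stages.setdefault(stage, {"stage": stage, "total": 0, "successful": 0,
                                      "actions": [], "start": a["time"], "stop": a["time"]})
        s["total"] += 1
        if a["success"]:
            s["successful"] += 1
            s["actions"].append(a["action"])
        s["start"], s["stop"] = min(s["start"], a["time"]), max(s["stop"], a["time"])
    return sorted(stages.values(), key=lambda s: s["start"])

# Constructed sample: (event id, timestamp, attack type as labelled by the upstream
# classifier of claim 8, target host's response body). Grouping alarms into an
# event by attacker/target pair is an assumption; the claims leave it unspecified.
SAMPLE = [
    ("evt-1", 100, "sql_injection", "<html>Welcome</html>"),
    ("evt-1", 105, "sql_injection", "You have an error in your SQL syntax; check the "
                                    "manual that corresponds to your MySQL server version"),
    ("evt-1", 130, "path_traversal", "root:x:0:0:root:/root:/bin/bash\n"),
    ("evt-1", 160, "command_injection", "uid=33(www-data) gid=33(www-data)"),
    ("evt-2", 110, "path_traversal", "404 Not Found"),
]

def run(sample=SAMPLE):
    """Alarms for every observed request, plus the attack route of event evt-1."""
    alarms = [make_alarm(*row) for row in sample]
    return alarms, attack_route(alarms, "evt-1")
```

Calling `run()` yields three stages for evt-1 in start-time order: reconnaissance (one failed probe), exploitation (two successful attacks with their actions, 105 to 130) and installation (one successful command execution).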
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810713254.6A CN108881263B (en) 2018-06-29 2018-06-29 Network attack result detection method and system

Publications (2)

Publication Number Publication Date
CN108881263A CN108881263A (en) 2018-11-23
CN108881263B true CN108881263B (en) 2022-01-25

Family

ID=64296728

Country Status (1)

Country Link
CN (1) CN108881263B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220722
Address after: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee after: 3600 Technology Group Co.,Ltd.
Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20230711
Address after: 1765, floor 17, floor 15, building 3, No. 10 Jiuxianqiao Road, Chaoyang District, Beijing 100015
Patentee after: Beijing Hongxiang Technical Service Co.,Ltd.
Address before: 300450 No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science Park, Binhai New Area, Tianjin
Patentee before: 3600 Technology Group Co.,Ltd.