CN109361701A - Network security detection method, device and server - Google Patents


Info

Publication number: CN109361701A
Application number: CN201811498125.6A
Authority: CN (China)
Prior art keywords: field; detected; regular expression; rule; testing result
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 赵晨晖, 王小虎, 王春鹏, 石涵, 熊杰, 郭秀莲, 徐晓林
Current assignee: Beijing Knownsec Information Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Knownsec Information Technology Co Ltd
Priority date / Filing date / Publication date: (not given) (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Timeline: application filed by Beijing Knownsec Information Technology Co Ltd; priority to CN201811498125.6A; publication of CN109361701A; current legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention provides a network security detection method, device and server, and relates to the field of computer data processing technology. The method obtains the fields to be detected in a request message and all rules corresponding to each field to be detected, where a rule includes at least one regular expression for performing regex matching against the field to be detected; it then deduplicates the regular expressions included in all of the rules; and it performs parallel regex matching according to the content of each field to be detected and the regular expressions corresponding to that field, so as to determine a detection result. Because the regular expressions have been deduplicated, fewer regular expressions are evaluated when the fields to be detected are matched, which reduces the amount of data processing and thereby helps to improve its efficiency. In addition, because the regular expressions for the same field to be detected are matched in parallel, the efficiency of data processing is improved further.

Description

Network security detection method, device and server
Technical field
The present invention relates to the field of computer data detection technology, and in particular to a network security detection method, device and server.
Background art
HTTP/HTTPS uses the browser/server service model: the browser formats the visitor's request and transfers it to the server over a TCP connection; the server accesses local resources, performs some processing, and returns a response to the browser, which then presents it to the visitor.
A major drawback of the browser/server service model is that the performance and stability of the server become the bottleneck of the whole system: once the server is attacked, every visitor is affected, service may even be interrupted, and the losses can be enormous. Network protection mechanisms arose in response to this, and the WAF is one of them. A WAF is aimed mainly at attacks at the HTTP/HTTPS layer; it inspects the access content sent by the client, identifies and intercepts attack requests, and so ensures that the server can continue to provide a secure service. In the prior art, when a request message is inspected, part of its content is usually computed repeatedly, which makes detection inefficient.
Summary of the invention
To overcome the above deficiencies of the prior art, the present invention provides a network security detection method, device and server.
To achieve the above object, the technical solution provided by the embodiments of the present invention is as follows:
In a first aspect, an embodiment of the present invention provides a network security detection method, the method comprising:
obtaining the fields to be detected in a request message and all rules corresponding to each field to be detected, wherein a rule includes at least one regular expression for performing regex matching against the field to be detected;
deduplicating the regular expressions included in all of the rules according to a preset deduplication rule; and
performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, so as to determine a detection result.
Optionally, performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to it, so as to determine a detection result, comprises:
determining a first detection result of the field to be detected according to whether its content matches (hits) a regular expression corresponding to the field; and
determining the detection result corresponding to the request message according to the first detection result of the field to be detected.
Optionally, determining the first detection result of the field to be detected according to whether its content matches a regular expression corresponding to the field comprises:
for each rule corresponding to the field to be detected, when the multiple regular expressions included in a first rule corresponding to the field are in an OR relationship and one of those regular expressions is determined to match the field, ending the detection of the field with the first rule and obtaining a second detection result indicating that the regular expression matched the field.
Optionally, before determining the first detection result of the field to be detected according to whether its content matches a regular expression corresponding to the field, the method further comprises:
judging whether this is the first time the field to be detected is matched with the regular expression;
if it is, determining the first detection result of the field according to whether its content matches the regular expression corresponding to the field; and
if it is not, obtaining the first detection result corresponding to the field from an array in which previously determined detection results are stored.
Optionally, the method further comprises:
storing the field to be detected in a first array, and storing the detection result corresponding to the field and the regular expression in a second array.
In a second aspect, an embodiment of the present invention further provides a network security detection device, the device comprising:
an acquiring unit, for obtaining the fields to be detected in a request message and all rules corresponding to each field to be detected, wherein a rule includes at least one regular expression for performing regex matching against the field to be detected;
a deduplication unit, for deduplicating the regular expressions included in all of the rules according to a preset deduplication rule; and
a result determination unit, for performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field, so as to determine a detection result.
Optionally, the result determination unit is further configured to:
determine a first detection result of the field to be detected according to whether its content matches a regular expression corresponding to the field; and
determine the detection result corresponding to the request message according to the first detection result of the field to be detected.
Optionally, the result determination unit is further configured to:
for each rule corresponding to the field to be detected, when the multiple regular expressions included in a first rule corresponding to the field are in an OR relationship and one of those regular expressions is determined to match the field, end the detection of the field with the first rule and obtain a second detection result indicating that the regular expression matched the field.
In a third aspect, an embodiment of the present invention further provides a server, the server comprising:
a memory module;
a processing module; and
a network security detection device including one or more software function modules stored in the memory module and executed by the processing module, the network security detection device comprising:
an acquiring unit, for obtaining the fields to be detected in a request message and all rules corresponding to each field to be detected, wherein a rule includes at least one regular expression for performing regex matching against the field to be detected;
a deduplication unit, for deduplicating the regular expressions included in all of the rules according to a preset deduplication rule; and
a result determination unit, for performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field, so as to determine a detection result.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when the computer program is run by a processor, the method described above is executed.
Compared with the prior art, the network security detection method, device and server provided by the invention have at least the following beneficial effects. The method obtains the fields to be detected in a request message and all rules corresponding to each field, where a rule includes at least one regular expression for regex matching against the field; it then deduplicates the regular expressions included in all of the rules; and it performs parallel regex matching according to the content of each field and the regular expressions corresponding to that field, so as to determine a detection result. Because the regular expressions have been deduplicated, fewer regular expressions are evaluated when the fields are matched, which reduces the amount of data processing and thereby helps to improve its efficiency. In addition, because the regular expressions for the same field are matched in parallel, the efficiency of data processing is improved further.
To make the above objects, features and advantages of the present invention clearer and easier to understand, embodiments of the invention are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the embodiments are briefly described below. It should be understood that the following drawings illustrate only certain embodiments of the invention and are therefore not to be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of the interaction between a requesting terminal and a server provided in an embodiment of the present invention.
Fig. 2 is a block diagram of the server provided in an embodiment of the present invention.
Fig. 3 is a flow diagram of the network security detection method provided in an embodiment of the present invention.
Fig. 4 is a block diagram of the network security detection device provided in an embodiment of the present invention.
Reference numerals: 10 - server; 11 - processing module; 12 - communication module; 13 - memory module; 20 - requesting terminal; 100 - network security detection device; 110 - acquiring unit; 120 - deduplication unit; 130 - result determination unit.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in those embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. The components of the embodiments of the invention, as generally described and illustrated in the drawings here, can be arranged and designed in a variety of different configurations.
Therefore, the following detailed description of the embodiments of the invention provided in the drawings is not intended to limit the claimed scope of the invention, but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative work fall within the protection scope of the invention.
It should also be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item has been defined in one drawing, it need not be defined and explained further in subsequent drawings. In addition, the terms "first", "second" and so on are used only to distinguish one description from another and are not to be understood as indicating or implying relative importance.
Some embodiments of the present invention are described in detail below with reference to the drawings. In the absence of conflict, the following embodiments and the features in them can be combined with one another.
A web application firewall (WAF) is aimed mainly at defending against attacks at the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) layer; it inspects the access content sent by the client, identifies and intercepts attack requests, and so ensures that the server can provide a secure service. In the prior art, request messages are usually inspected by serial regex matching, that is, the regular expressions in the rules are executed one by one. The request header and request body of an HTTP message can contain many items, such as the user agent (UA), the uniform resource locator (URL) and the method attribute (METHOD); each such kind of content can be called a field. The rules checked by a WAF are usually composed of regular expressions for these fields combined according to some logic. In the prior art, each regular expression is evaluated one by one and a logical operation decides whether the rule matches. A request message generally contains multiple fields, each field usually corresponds to multiple rules for regex matching, and each rule contains multiple regular expressions; the rules for the same field usually contain duplicate regular expressions, which means that part of the message content is generally computed repeatedly, making detection inefficient.
For example, in the prior art each regular expression is usually evaluated one by one and a logical operation decides whether there is a match. Consider the following rules:
Rule A: match(UA, "python") or match(URL, "=")
Rule B: match(UA, "python") and match(URL, "select")
The prior-art scheme executes match(UA, "python") and match(URL, "=") and then ORs the two results; if the result is true (the check is hit), the request is considered to trigger rule A. If not, it goes on to execute the two regular expressions match(UA, "python") and match(URL, "select") in rule B and ANDs their results to decide whether rule B is triggered. In this example match(UA, "python") is evaluated twice, i.e. the same regular expression in the rules is computed repeatedly, which increases the amount of computation.
In view of the above problem, the inventors propose the following embodiments, arrived at through long study and exploration, to solve it. The embodiments of the present invention are described in detail below with reference to the drawings; in the absence of conflict, the following embodiments and the features in them can be combined with one another.
Referring to Fig. 1, the server 10 provided in an embodiment of the present invention can establish a communication connection with at least one requesting terminal 20 over a network in order to exchange data. For example, the server 10 can receive an HTTP/HTTPS request message initiated by the requesting terminal 20 and perform a security check on it, which improves the security and reliability of the server 10's network.
Further, there may be one or more requesting terminals 20 connected to the server 10; their number is not particularly limited here. The requesting terminal 20 may be, but is not limited to, a smartphone, a personal computer (PC), a tablet computer, a personal digital assistant (PDA), a mobile Internet device (MID), etc. The network may be, but is not limited to, a wired network or a wireless network.
Referring to Fig. 2, in this embodiment the server 10 may include a processing module 11, a communication module 12, a memory module 13 and a network security detection device 100, and these elements are electrically connected to one another directly or indirectly for the transmission or exchange of data. For example, the elements may be electrically connected to one another by one or more communication buses or signal lines.
The processing module 11 may be an integrated circuit chip with signal processing capability, and may be a general-purpose processor. For example, the processor may be a central processing unit (CPU), a graphics processing unit (GPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It can implement or execute the methods, steps and logic diagrams disclosed in the embodiments of the present invention.
The communication module 12 is used to establish the communication connection between the server 10 and the requesting terminal 20 over the network, and to send and receive data over the network.
The memory module 13 may be, but is not limited to, random-access memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, etc. In this embodiment the memory module 13 can be used to store a rule file containing multiple rules, the deduplication rule, and so on. Of course, the memory module 13 can also be used to store programs, which the processing module 11 executes after receiving an execution instruction.
Further, the network security detection device 100 includes at least one software function module that can be stored in the memory module 13 in the form of software or firmware, or built into the operating system (OS) of the server 10. The processing module 11 is used to execute the executable modules stored in the memory module 13, such as the software function modules and computer programs included in the network security detection device 100.
It can be understood that the structure shown in Fig. 2 is only one schematic structure of the server 10; the server 10 may include more or fewer components than shown in Fig. 2, and each component shown in Fig. 2 may be implemented in hardware, in software, or in a combination of the two.
Referring to Fig. 3, the network security detection method provided in an embodiment of the present invention can be applied to the server 10 described above. Each step of the method is executed or implemented by the server 10, and the method can improve on the technical problem of inefficient network security detection in the prior art.
Each step of the network security detection method shown in Fig. 3 is described in detail below:
Step S210: obtain the fields to be detected in the request message and all rules corresponding to each field to be detected, where a rule includes at least one regular expression for regex matching against the field to be detected.
In this embodiment, the server 10 obtains the request message from the requesting terminal 20 and parses it to obtain the corresponding fields to be detected; for example, fields such as UA, URL and METHOD are extracted from the request message as the fields to be detected. The rules are rules in a rule file pre-stored by the server 10 for performing security checks on the fields to be detected; the rule file may also include other rules.
For example, a rule may be match(UA, "python") or match(URL, "="), where the rule consists of a first regular expression match(UA, "python") and a second regular expression match(URL, "=") combined in an OR relationship. The first regular expression matches "python" against the UA field of the request message, and the second matches "=" against the URL field. When this rule is used to match a request message, if either the first or the second regular expression is detected to match successfully, the request message is considered to match the rule.
Generally, regex matching is preset so that only suspicious messages or attack messages match successfully. That is, a field on which a regex match succeeds is a suspicious field or an attack field, so the message to which the field belongs may be an attack message; the detection of that message then fails and the message needs to be intercepted.
It should be noted that the rules can be set in advance according to the actual situation and stored in the server 10; their specific content is not limited here.
Step S220: deduplicate the regular expressions included in all of the rules according to a preset deduplication rule.
In this embodiment, because the multiple rules corresponding to a request message generally include identical regular expressions, identical regular expressions need to be deduplicated to reduce the number of regular expressions. The preset deduplication rule can be configured according to the actual situation; for example, count all the distinct regular expressions and their number of occurrences, or keep only one copy of each duplicated regular expression and delete the rest.
Step S230: perform parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, so as to determine the detection result.
In this embodiment, a regular expression computes its matching result on the field it needs to compute, i.e. the field the regular expression acts on. The result generally comprises a first result indicating a successful match and a second result indicating a failed match; for example, the first result can be represented by true and the second by false. After the result of each regular expression has been computed, these results can be substituted into the rules and combined by logical operations with the results of the other regular expressions in each rule, so that no repeated computation is needed for identical regular expressions acting on the same field. This improves on the prior-art problem of low computational efficiency caused by repeatedly computing the same regular expression in different rules.
Specifically, within each rule, when the logical operation is applied to the results of the rule's regular expressions, the evaluation rule can be: first perform the AND operations, then the OR operations. For example:
true and true = true
false and false = false
true and false = false
true or true = true
false or false = false
true or false = true
Specifically, assume rule A is match(UA, "python") or match(URL, "="), the computed result of the first regular expression match(UA, "python") is true and the computed result of the second regular expression match(URL, "=") is true; then the result of rule A is true or true = true, i.e. rule A is hit, the message is a suspicious or attack message, i.e. an unsafe message, and the check result obtained indicates that the message is unsafe.
In this embodiment, the check result for the request message can be determined from the computed result of each rule. For example, if at least one of the rules corresponding to the message is hit, i.e. at least one rule's result is true, the message is confirmed to be a suspicious message or an attack message and needs to be intercepted; the check result then indicates that the message is a dangerous message (an attack message or a suspicious message). If none of the rules corresponding to the message is hit, i.e. every rule's result is false, the message is identified as a safe message and the check result indicates that the message is safe.
When the content of each field to be detected is checked for security, regex matching is usually performed against part of the characters in the field. For example, suppose the rules corresponding to the UA field are detected to be:
Rule A: match(UA, "python") or match(URL, "=")
Rule B: match(UA, "python") and match(URL, "select")
Rule C: match(UA, "curl") and match(URL, "select")
When the above three rules are used for checking, the regex matching for the same field can be performed in parallel. For example, match(UA, "python") in rule A and match(UA, "curl") in rule C are both regular expressions acting on the UA field. These two regular expressions can be matched in parallel, which is equivalent to merging match(UA, "python") and match(UA, "curl") into a single regular expression match(UA, ["python", "curl"]); this realises parallel regex matching of the same field, i.e. the results of all regular expressions for the same field can be computed at once, improving on the inefficiency of serial regex matching in the prior art.
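As an added illustration of steps S220 and S230 and of the prior-art example above (this is example code written for this page, not code from the patent or from Beijing Knownsec), the following Python evaluates rules A, B and C in two ways: the prior-art way, running every regular expression each time it appears in a rule, and the deduplicated, per-field way, merging the distinct patterns for each field into one alternation and scanning the field once. The rule representation, the sample requests and the function names are assumptions of the example.

```python
import re

# Rules from the page's example. rule = (operator, [(field, pattern), ...]); all terms of
# a rule are joined by that one operator, as in match(UA,"python") or match(URL,"=").
RULES = {
    "A": ("or",  [("UA", "python"), ("URL", "=")]),
    "B": ("and", [("UA", "python"), ("URL", "select")]),
    "C": ("and", [("UA", "curl"),   ("URL", "select")]),
}

def serial_check(request, rules):
    """Prior-art evaluation: run every regex each time it appears in a rule.
    Returns ({rule name: hit}, number of regex executions)."""
    runs = 0
    hits = {}
    for name, (op, terms) in rules.items():
        values = []
        for field, pattern in terms:
            runs += 1
            values.append(re.search(pattern, request.get(field, "")) is not None)
        hits[name] = any(values) if op == "or" else all(values)
    return hits, runs

def merge_per_field(rules):
    """Step S220 plus the merge described for step S230: deduplicate the patterns of each
    field and merge the distinct ones into a single alternation, one named group per
    original pattern, so that one scan reports which patterns occurred."""
    per_field = {}
    for _, terms in rules.values():
        for field, pattern in terms:
            bucket = per_field.setdefault(field, [])
            if pattern not in bucket:          # deduplication: keep one copy only
                bucket.append(pattern)
    merged = {}
    for field, patterns in per_field.items():
        alternation = "|".join(f"(?P<g{i}>(?:{p}))" for i, p in enumerate(patterns))
        merged[field] = (re.compile(alternation), patterns)
    return merged

def parallel_check(request, rules):
    """One scan per field with the merged regex; the per-pattern results are then
    substituted into each rule's logic. Returns ({rule name: hit}, regex executions)."""
    merged = merge_per_field(rules)
    results = {}
    runs = 0
    for field, (regex, patterns) in merged.items():
        runs += 1
        seen = set()
        for m in regex.finditer(request.get(field, "")):
            seen.update(p for i, p in enumerate(patterns) if m.group(f"g{i}") is not None)
        for p in patterns:
            results[(field, p)] = p in seen
    hits = {}
    for name, (op, terms) in rules.items():
        values = [results[(f, p)] for f, p in terms]
        hits[name] = any(values) if op == "or" else all(values)
    return hits, runs

# Constructed sample requests (not from the page).
SUSPICIOUS = {"UA": "python-requests/2.25", "URL": "/item?id=1", "METHOD": "GET"}
BENIGN = {"UA": "Mozilla/5.0", "URL": "/index.html", "METHOD": "GET"}

if __name__ == "__main__":
    for req in (SUSPICIOUS, BENIGN):
        print("serial:", serial_check(req, RULES), "parallel:", parallel_check(req, RULES))
```

With the three sample rules the serial path executes six regular expressions per request and the merged path two (one scan of UA, one of URL), with identical verdicts. One caveat worth knowing before merging signatures this way: finditer yields non-overlapping matches, so if two patterns for the same field can match the same characters (say "select" and "elect"), the alternation may consume that text with one of them and never report the other at that position; such overlapping patterns should be kept as separate scans or wrapped in lookaheads.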
In this embodiment, for the check of the first regular expression match(UA, "python"): if the characters "python" are found in the UA field, the UA field is considered hit by this check of the first regular expression, and the other regular expressions in rule A are then used to check their respective fields. For example, the second regular expression match(URL, "=") checks the URL field of the message, and the result of rule A is then determined from the results of the first and second regular expressions. When at least one of the three rules above (rules A, B and C) indicates that its field is unsafe (for example, the result of one of the rules is true, indicating that the field is unsafe), the check result of the message indicates that the message is unsafe. Otherwise, when the results of all three rules indicate safety (for example, the result of every rule is false, indicating safety), the check result of the message indicates that the message is safe.
It should be noted that the result of checking a rule can be determined from the hit results of the field to be detected against the regular expressions, and the specific logical relationship can be configured according to the actual situation. For example, it can be preset that when the field to be detected matches the regular expression successfully, the detection result obtained from that check indicates that the request message is safe; alternatively, it can be set that when the field to be detected does not match the regular expression, the detection result obtained from that check indicates that the request message is safe.
Optionally, step S230 may include: according to the content of field to be detected whether match hit to glyphomancy to be checked The corresponding regular expression of section, determines the first testing result of field to be detected;According to the first of field to be detected the detection knot Fruit determines the corresponding testing result of request message.
Understandably, the first testing result may include indicate the first result that field to be detected verification passes through or indicate to Detection field verifies unacceptable second result.When request message is without hitting any one rule, then the request message Usually just it is considered the request message for safety, the first testing result determined just is the first result;Otherwise it is assumed that the request Message is unsafe request message, and the first testing result determined is the second result.Such as the verification of any one rule Do not pass through, then the request message is just considered as unsafe request message, the first check results determined just are One as a result, server 10 can intercept the request message at this time, be attacked to avoid server 10 by the suspicious requests message It hits, to improve the safety of server 10.
Optionally, step S230 may include: each rule corresponding for field to be detected, corresponding in field to be detected The first rule in include the relationships of multiple regular expressions be or relationship and to determine one of regular expression When arriving field to be detected with hit, end is treated detection field using the first rule and is detected, and obtains indicating regular expressions Second testing result of the formula match hit to field to be detected.Generally, hitting the regular expression then indicates that the field is Attack field or suspicious field.
Understandably, the second testing result indicates that field to be detected verifies unacceptable detection in a rule wherein and ties Fruit, that is, there is a situation where hit rule.In the above example, the first canonical table for regular A, in regular A Just it is or relationship up to formula match (UA, " python ") and the second regular expression match (URL, "="), two in regular B are just Then expression formula is and relationship.When being verified to UA, URL in request message, for example, when being verified to UA field, If this verification is hit to the first regular expression match (UA, " python "), then being just not necessarily to url field and second Regular expression is verified, and can be directly determined outgoing packet and not passed through to the verification of regular A.Alternatively, UA field to second just Then expression formula match (URL, "=") verification does not pass through, that is to say, that by the way that url field and the second regular expression are carried out school It tests and is hit, then just outgoing packet can be directly determined it is not necessary that UA field and the first regular expression are carried out matching verification The verification of regular A is not passed through.Based on this, scheme provided in this embodiment can save calculation amount, so that computational efficiency is improved, It namely can be improved the efficiency of network security detection.
Certainly, as an alternative embodiment, if regular expression all in rule is and relationship, then just needing Field to be verified and all regular expressions are verified, and when all regular expressions are not matched hit, Just confirm that the verification of the rule passes through.
Optionally, method can also include: by field to be detected storage into the first array, and by field to be detected with The corresponding testing result storage of regular expression is into the second array.
Understandably, server 10 can will acquire field to be detected and the field to be detected and regular expression Check results are stored into array, during subsequent check, check results are directly extracted from array, without again It is verified.Based on this, help to reduce data calculation amount, to improve the efficiency of data processing.
Before step S230, method can also include: to judge whether it is for the first time using regular expression to word to be detected Duan Jinhang matching;When to be, according to the content of field to be detected, whether match hit is to canonical corresponding with field to be detected Expression formula determines the first testing result of field to be detected;When to be no, the testing result is predefined from being stored with First testing result corresponding with field to be detected is obtained in array.
Understandably, the mapping relations between regular expression and field to be detected can be pre-established, if glyphomancy to be checked Section and the regular expression are completed to detect, and can treat mark of the detection field setting for indicating to have completed to detect, together When will test result be stored in the second array in.Server 10 can be determined whether according to mapping relations and mark to use for the first time The regular expression, if using for the first time, then step S230 is just executed, if not using for the first time, before also meaning that The verification of the field to be detected and the regular expression is completed, and will test result and be deposited into the second array, at this time may be used Directly to obtain its testing result from the second array, without computing repeatedly, so as to reduce calculation amount, promoted at data The efficiency of reason.
Optionally, in the present embodiment, check results can also be calculated by short circuit calculation machine Delay computing. Wherein, short circuit calculation refers to that computation rule, one rule of hit just are not continuing to calculate one by one according to regular priority.Delay meter Calculation refers to that a field only just obtains when needing to use, and a regular expression is only just counted when needing to use It calculates.Based on this, the treating capacity to data can be reduced, to facilitate the efficiency of promotion data processing.
The overall flow of the network security detection method is illustrated below with an example:
Before server 10 performs safety detection on request messages, i.e. before the system starts, the rules need to be preprocessed: the fields to be detected and the regular expressions contained in the rules for request messages are tallied, and the regular expressions corresponding to each field are collected so that they can be computed in parallel. The specific steps are as follows:
Step 1: read all rules that apply to the acquired request message, tally all the distinct fields appearing in the rules and number them. Each rule contains at least one regular expression; for example, a rule can be match(UA, "python") or match(URL, "="), composed of the first regular expression match(UA, "python") and the second regular expression match(URL, "=") joined by an or relationship;
Step 2: from the rules read, tally all distinct regular expressions and number them;
Step 3: convert each rule into an expression composed of regular expression numbers and logical operators, for example:
Rule A: match(UA, "python") or match(URL, "=")
Rule B: match(UA, "python") and match(URL, "select")
Rule C: match(UA, "curl") and match(URL, "select")
After tallying there are two fields, UA and URL, which can be numbered a and b respectively. There are four regular expressions, match(UA, "python"), match(URL, "="), match(URL, "select") and match(UA, "curl"), which can be numbered 0, 1, 2 and 3; the rules above are then expressed as:
Rule A: 0 or 1
Rule B: 0 and 2
Rule C: 3 and 2
Step 4: sort the rules by priority. Priority can be configured as required, for example according to the field type or the logical relationship between the regular expressions in a rule; for instance, a rule formed from two regular expressions in an or relationship can be given higher priority than one formed from two in an and relationship, and the higher-priority rule is used first for checking;
Step 5: for every field, collect the regular expressions corresponding to that field into a set. For example, based on the rules above:
Rule A: 0 or 1
Rule B: 0 and 2
Rule C: 3 and 2
the regular expressions are tallied per field:
the set of regular expressions for field a (i.e. UA) is {0, 3} (regular expressions 0 and 3 act on the same field and can be computed at the same time, i.e. parallel regex matching);
the set of regular expressions for field b (i.e. URL) is {1, 2} (regular expressions 1 and 2 act on the same field and can likewise be computed at the same time).
When server 10 performs safety detection on a request message:
Step 6: when each request arrives, initialize two arrays to hold the extracted fields and the detection results corresponding to the regular expressions;
Step 7: check the rules one by one in priority order for a hit; exit early as soon as a rule is hit;
Step 8: when evaluating whether a rule is hit, before a field is extracted and matched, first look up the two arrays to see whether the corresponding detection result already exists; if it does, take it from the array directly, with no repeated matching;
Step 9: for the logical operation in a rule, do not compute values that are not needed once the result can already be inferred. For example, when computing "rule A: 0 or 1", if "0" is already known to fail the check (i.e. to be hit), "1" is not computed, which reduces computation;
Step 10: when the array holding the regular expression results does not yet contain the value for a regular expression, evaluate all regular expressions acting on that field in parallel and record the results of all of them in the array.
Based on this design, the scheme provided by the embodiment computes all regular expressions acting on a field in parallel, which raises computation speed and thereby the efficiency of safety detection. In addition, duplicate regular expressions are deduplicated, which reduces the amount of computation and further raises computation speed.
Referring to Figure 4, the network security detection device 100 provided by an embodiment of the present invention can be applied to the above server 10 as the software function module that executes or implements the network security detection method. The network security detection device 100 may include an acquiring unit 110, a deduplication unit 120 and a result determination unit 130.
The acquiring unit 110 is used to acquire the field to be detected in the request message and all rules corresponding to that field, where a rule contains at least one regular expression for regex matching of the field to be detected.
The deduplication unit 120 is used to deduplicate the regular expressions contained in all the rules according to a preset deduplication rule.
The result determination unit 130 is used to perform parallel regex matching of the content of the field to be detected against the regular expressions corresponding to that field, to determine the detection result.
Optionally, the result determination unit 130 is also used to: determine the first detection result of the field to be detected according to whether its content is hit by the regular expression(s) corresponding to the field; and determine the detection result of the request message from the first detection result of the field.
Optionally, the result determination unit 130 is also used to: for each rule corresponding to the field to be detected, when the regular expressions contained in a first rule for that field are in an or relationship and one of them is determined to hit the field, stop detecting the field with the first rule and obtain a second detection result indicating that the regular expression hit the field.
Optionally, the network security detection device 100 may also include a judging unit which, before the result determination unit 130 executes step S230, judges whether this is the first time the regular expression is used to match the field to be detected; if so, the first detection result of the field is determined according to whether its content is hit by the corresponding regular expression; if not, the first detection result for the field is obtained from the array in which the predetermined detection result is stored.
Optionally, the network security detection device 100 may also include a storage unit for storing the field to be detected in a first array and the detection result of the field against the regular expression in a second array.
Those skilled in the art will understand that, for brevity of description, the specific working process of the network security detection device 100 described above corresponds to the steps of the method described earlier and is not repeated here.
An embodiment of the present invention also provides a computer-readable storage medium storing a computer program which, when run on a computer, causes the computer to execute the network security detection method described in the above embodiments.
From the description of the embodiments, those skilled in the art will understand that the present invention can be implemented in hardware, or in software plus the necessary general-purpose hardware platform. On this basis, the technical solution can be embodied as a software product stored in a non-volatile storage medium (CD-ROM, USB flash drive, portable hard disk, etc.) that includes instructions causing a computer device (a personal computer, a network device, etc.) to execute the method described in the implementation scenarios of the present invention.
In summary, the present invention provides a network security detection method, device and server. The method acquires the field to be detected in a request message and all rules corresponding to that field, where a rule contains at least one regular expression for regex matching of the field; deduplicates the regular expressions contained in all the rules; and then performs parallel regex matching of the field content against the regular expressions corresponding to the field to determine the detection result. Because the regular expressions have been deduplicated, fewer regular expressions are computed when the field is matched, which reduces the amount of data processing and improves its efficiency. In addition, because the regular expressions for the same field are matched in parallel, data-processing efficiency is further improved.
In the embodiments provided by the present invention, it should be understood that the disclosed devices, systems and methods can also be implemented in other ways. The device, system and method embodiments described above are only illustrative. For example, the flowcharts and block diagrams in the drawings show possible architectures, functions and operations of systems, methods and computer program products according to embodiments of the invention; each box may represent a module, a program segment or a part of code that contains one or more executable instructions implementing the specified logical function. In some alternative implementations the functions noted in the boxes may occur in an order different from that shown in the drawings: two consecutive boxes may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. Each box of the block diagrams and/or flowcharts, and combinations of boxes, can be implemented by a dedicated hardware-based system that performs the specified function or action, or by a combination of dedicated hardware and computer instructions. The functional modules of the embodiments may be integrated into one independent part, may exist separately, or two or more of them may be integrated into one independent part.
Alternatively, the invention may be implemented wholly or partly in software, hardware, firmware or any combination of them. When implemented in software, it may be implemented wholly or partly as a computer program product comprising one or more computer instructions which, when loaded and executed on a computer, produce wholly or partly the processes or functions described in the embodiments of the invention. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another by wired (coaxial cable, optical fibre, digital subscriber line (DSL)) or wireless (infrared, radio, microwave, etc.) means. The computer-readable storage medium can be any usable medium a computer can access, or a data storage device such as a server or data center that contains one or more usable media; the usable medium may be magnetic (floppy disk, hard disk, tape), optical (DVD) or semiconductor (for example a solid state disk (SSD)).
The above are only preferred embodiments of the present invention and are not intended to limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention falls within its scope of protection.

Claims (10)

1. A network security detection method, characterized in that the method comprises:
acquiring the field to be detected in a request message and all rules corresponding to the field to be detected, wherein a rule comprises at least one regular expression used for regex matching of the field to be detected;
deduplicating the regular expressions contained in all the rules according to a preset deduplication rule;
performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, to determine a detection result.
2. The method according to claim 1, characterized in that performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, to determine a detection result, comprises:
determining a first detection result of the field to be detected according to whether its content is hit by a regular expression corresponding to the field to be detected;
determining the detection result corresponding to the request message according to the first detection result of the field to be detected.
3. The method according to claim 2, characterized in that determining the first detection result of the field to be detected according to whether its content is hit by a regular expression corresponding to the field to be detected comprises:
for each rule corresponding to the field to be detected, when the relationship between the multiple regular expressions contained in a first rule corresponding to the field to be detected is an or relationship and one of the regular expressions is determined to hit the field to be detected, ending the detection of the field to be detected with the first rule and obtaining a second detection result indicating that the regular expression hit the field to be detected.
4. The method according to claim 2, characterized in that, before determining the first detection result of the field to be detected according to whether its content is hit by a regular expression corresponding to the field to be detected, the method further comprises:
judging whether this is the first time a regular expression is used to match the field to be detected;
if so, determining the first detection result of the field to be detected according to whether its content is hit by the regular expression corresponding to the field to be detected;
if not, obtaining the first detection result corresponding to the field to be detected from an array in which the predetermined detection result is stored.
5. The method according to any one of claims 2 to 4, characterized in that the method further comprises:
storing the field to be detected in a first array, and storing the detection result corresponding to the field to be detected and the regular expression in a second array.
6. A network security detection device, characterized in that the device comprises:
an acquiring unit for acquiring the field to be detected in a request message and all rules corresponding to the field to be detected, wherein a rule comprises at least one regular expression used for regex matching of the field to be detected;
a deduplication unit for deduplicating the regular expressions contained in all the rules according to a preset deduplication rule;
a result determination unit for performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, to determine a detection result.
7. The device according to claim 6, characterized in that the result determination unit is further used to:
determine a first detection result of the field to be detected according to whether its content is hit by a regular expression corresponding to the field to be detected;
determine the detection result corresponding to the request message according to the first detection result of the field to be detected.
8. The device according to claim 7, characterized in that the result determination unit is further used to:
for each rule corresponding to the field to be detected, when the relationship between the multiple regular expressions contained in a first rule corresponding to the field to be detected is an or relationship and one of the regular expressions is determined to hit the field to be detected, end the detection of the field to be detected with the first rule and obtain a second detection result indicating that the regular expression hit the field to be detected.
9. A server, characterized in that the server comprises:
a memory module;
a processing module; and
a network security detection device comprising one or more software function modules stored in the memory module and executed by the processing module, the network security detection device comprising:
an acquiring unit for acquiring the field to be detected in a request message and all rules corresponding to the field to be detected, wherein a rule comprises at least one regular expression used for regex matching of the field to be detected;
a deduplication unit for deduplicating the regular expressions contained in all the rules according to a preset deduplication rule;
a result determination unit for performing parallel regex matching according to the content of the field to be detected and the regular expressions corresponding to the field to be detected, to determine a detection result.
10. A computer-readable storage medium, characterized in that a computer program is stored on it which, when run by a processor, executes the method according to any one of claims 1 to 5.
Application and publication data

Application number: CN201811498125.6A, priority date 2018-12-07, filing date 2018-12-07
Title: Network security detection method, device and server
Publication: CN109361701A, published 2019-02-19
Family ID: 65331797 (one family application: CN201811498125.6A)
Country status: CN, CN109361701A


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing
Applicant after: Beijing Zhichuangyu Information Technology Co., Ltd.
Address before: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing
Applicant before: Beijing Knows Chuangyu Information Technology Co.,Ltd.
RJ01 Rejection of invention patent application after publication

Application publication date: 20190219