CN109951500B - Network attack detection method and device - Google Patents


Info

Publication number: CN109951500B
Authority: CN (China)
Prior art keywords: target, detection, access, session, attack
Legal status: Active
Application number: CN201910356354.2A
Other languages: Chinese (zh)
Other versions: CN109951500A (en)
Inventor: 刘铁铮
Current assignee: Puxin Hengye Technology Development Beijing Co ltd; Yiren Hengye Technology Development Beijing Co ltd
Original assignee: Puxin Hengye Technology Development Beijing Co ltd; Yiren Hengye Technology Development Beijing Co ltd

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a network attack detection method and a device, wherein the method comprises the following steps: acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal; determining a detection characteristic item, and determining an access characteristic value of the detection characteristic item according to a plurality of target access requests; obtaining a target detection rule corresponding to the detection feature item; judging the access characteristic value by using a target detection rule to obtain a first attack detection result; the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not. According to the invention, the access characteristic values are extracted by detecting a plurality of target access requests of the same session as a group, and the information carried by the extracted access characteristic values is more comprehensive, so that the attack detection accuracy is higher.

Description

Network attack detection method and device
Technical Field
The invention relates to the technical field of network security, in particular to a network attack detection method and device.
Background
On the internet, the interaction between a terminal and a server may be subject to network attack by hackers or malicious programs. To secure network access, an application firewall is generally deployed on the access path between the terminal and the server, and attack detection and attack handling are performed on the access process according to the protection rules of the application firewall.
Currently there are two main forms of application firewall: one uses a hardware server as the firewall body and joins the network topology as an independent device; the other is a cloud application firewall, which modifies the DNS resolution of access requests so that the cloud firewall is inserted into the network topology.
In either form, the application firewall performs attack detection on the terminal's access requests, but its detection accuracy is low.
Disclosure of Invention
In view of this, the present invention provides a network attack detection method and device, so as to improve the accuracy of network attack detection.
In order to achieve the purpose, the technical scheme provided by the invention is as follows:
in a first aspect, the present invention provides a network attack detection method, including:
acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal; determining a detection characteristic item, and determining an access characteristic value of the detection characteristic item according to a plurality of target access requests; obtaining a target detection rule corresponding to the detection feature item; judging the access characteristic value by using a target detection rule to obtain a first attack detection result; the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not.
In a second aspect, the present invention provides a network attack detecting apparatus, including:
the access request acquisition module is used for acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal;
the characteristic item determining module is used for determining a detection characteristic item and determining an access characteristic value of the detection characteristic item according to the target access requests;
the rule acquisition module is used for acquiring a target detection rule corresponding to the detection feature item;
the first attack detection result acquisition module is used for judging the access characteristic value by using the target detection rule to acquire a first attack detection result; and the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not.
From the above, the present invention provides a network attack detection method and device, and the method includes: acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal; determining a detection characteristic item, and determining an access characteristic value of the detection characteristic item according to a plurality of target access requests; obtaining a target detection rule corresponding to the detection feature item; judging the access characteristic value by using a target detection rule to obtain a first attack detection result; the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not. In the prior art only the traffic of a single access request is detected; here, however, a plurality of target access requests of the same session are treated as a group from which the access characteristic values are extracted, so the information carried by the extracted access characteristic values is more comprehensive and the attack detection accuracy is higher.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a frame structure diagram of a firewall system according to the present invention;
fig. 2 is a schematic flow chart of a network attack detection method provided by the present invention;
fig. 3 is another schematic flow chart of the network attack detection method provided by the present invention;
fig. 4 is a schematic structural diagram of a network attack detection apparatus provided in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to facilitate understanding of the technical solution of the present invention, the following concept is first introduced.
Web Application Firewall (WAF): a system that specifically protects Web applications by enforcing a series of security policies on HTTP/HTTPS to control access to the Web application, intercepting only the HTTP data or requests that match certain rules.
Flink: a stream-processing framework, mainly used as a distributed processing engine for streaming data.
Lua: a lightweight scripting language written in standard C and released as open source; it can be embedded in an application to provide flexible extension and customization. In the invention, Lua scripts are embedded in the Nginx module as the tool for single-event security detection.
The technical means of the present invention will be specifically explained below.
A terminal accesses the server through the network. To prevent hackers or other malicious programs from attacking this access process, a firewall system is placed in advance on the access path between the server and the terminal; it detects attack behavior in the access requests sent by the terminal and processes the requests in which attack behavior is detected, protecting data security during access.
Referring to fig. 1, an embodiment of the present invention provides a firewall system, where the firewall system includes: a WAF basic function module, a data bus (message queue), a WAF extended function module, and a WAF status system.
The firewall system is implemented with Nginx (a high-performance HTTP and reverse proxy Web server) and OpenResty (a high-performance Web platform based on Nginx and Lua). Nginx sits in the service system, and the firewall system relies on its built-in HTTP protocol parsing capability; Nginx also has script extension capability, so a message detection Lua script is embedded in it to realize cooperation among all module systems.
The message detection Lua script comprises a request message detection Lua script and a response message detection Lua script. The former judges whether the HTTP request message carries a threat, using black/white list filtering and regular-expression rule filtering; the latter judges whether the HTTP response message carries user-sensitive data that it should not contain.
The WAF basic function module uses Nginx as the access request acquisition tool, with a Lua script integrated into it; it performs the first attack detection on the access request and dispatches requests that pass the detection to the data bus (message queue).
The WAF expansion function module is a module built by a Flink stream processing framework and is responsible for acquiring a message queue from a data bus, carrying out attack behavior detection on a plurality of access requests in the message queue and outputting a detection result.
The WAF state system is the medium through which the WAF basic function module and the WAF extension function module interact. Specifically, it sends the attack behavior detection result output by the WAF extension function module to the WAF basic function module, so that the basic module can intercept access requests with attack behavior a second time. One example is an IP reputation query interface: through it the WAF basic function module queries the reputation of the IP of the target terminal behind the current access request, judges whether that IP is malicious, intercepts (or forwards) access requests from malicious IPs, and sends the remaining access requests to the target server.
An embodiment of the present invention provides a network attack detection method, which is applied to a firewall system, specifically to a WAF extension function module in the firewall system, and referring to fig. 2, the network attack detection method may specifically include steps S201 to S204.
S201: and acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal.
Specifically, the access of the terminal to the server may be in a session manner, and the embodiment of the present invention obtains session data between a detection object, that is, a target terminal and a target server, specifically obtains multiple access requests belonging to the same session. For convenience of description, the acquired access request is referred to as a target access request.
In one example, the target access request obtained in this step may be all access requests belonging to the same session between the target terminal and the target server.
In another example, the target access request obtained in this step may be an access request belonging to the same time period in access requests of the same session between the target terminal and the target server. The method can be realized by the following steps: obtaining access requests which are sent to a target server by a target terminal and belong to the same session; from the obtained access requests, a plurality of access requests belonging to the same time period are extracted as target access requests.
Whether access requests belong to the same time period can be judged by the identifier SID. Specifically, an access request sent by the target terminal to the target server passes through the firewall system, which forwards it to the target server. The target server generates a response packet for the access request and returns it to the target terminal through the firewall system. Note that the firewall system adds the identifier SID to the response packet returned to the target terminal; once the packet reaches the target terminal, the terminal stores the SID and carries it in the access requests of the same session that it sends to the target server.
Note also that the identifier SID is time-limited: access requests subsequently sent by the target terminal may carry the SID, and access requests in the same time period carry the same SID. For example, if the SID is refreshed every 15 minutes, the period from 12:00 to 12:15 is assigned one SID, and the access requests within those 15 minutes that carry the same SID are determined to belong to the same time period and are taken as the target access requests.
In another example, a specific implementation manner of this step is to obtain, from a message queue, a plurality of target access requests belonging to the same session, which are sent by a target terminal to a target server; the message queue records that the access request which belongs to the same session and is checked to have no network attack behavior through a preset detection rule is sent to the server by the terminal.
Specifically, the WAF basic function module may perform first attack detection on the access request, and schedule the access request detected through the attack into the message queue, where the multiple target access requests may be access requests acquired from the message queue. The message queue is a medium for the interaction between the WAF basic function module and the WAF extended function module, and is responsible for dispatching the access request in the WAF basic function module to the WAF extended function module.
After the WAF basic function module obtains the access request, it performs the first attack detection on the access request, specifically, the WAF basic function module stores the feature record of part of the attack behavior, that is, the internal rule of the WAF basic function module, and the access request with the attack behavior, which can be identified by the module, can be intercepted by the module. And sending the access request without the detected attack behavior to a message queue of the data bus.
Multiple groups of access requests can be recorded in the message queue, and each group of access requests corresponds to one session identifier. The sessions in the message queue can be sorted by their acquisition time, and attack behavior detection within the sessions is carried out according to the sorting result. The access requests belonging to a session may also be obtained in other forms, which are not detailed here.
S202: and determining the detection characteristic item, and determining the access characteristic value of the detection characteristic item according to the plurality of target access requests.
Specifically, the detection feature item is a feature item that can embody the characteristics of the terminal's access behavior toward the server, and may include: the number of occurrences of the target terminal's IP, the number of occurrences of the requested target server address, and other detection feature items.
Note that the value of the detection feature item is an access feature value. For example: the access request is provided with a requested target server address, the target server addresses accessed by a plurality of access requests in the same session and the occurrence times of the accessed target server addresses are recorded, and the occurrence times of the target server addresses are access characteristic values corresponding to the detection characteristic items. The detection feature item may also be other items, which are not specifically described here.
S203: and obtaining a target detection rule corresponding to the detection characteristic item.
Specifically, the target detection rule may be a rule stored in the rule server. According to the detection feature item determined in step S202, a rule related to that feature item is extracted from the rule server; for example, if the detection feature item is the occurrence count of the target server address, the extracted rule may be that the occurrence count of the target server address must not be greater than 100.
The target detection rule may also be a probability threshold used with a pre-trained hidden Markov model. Specifically, the hidden Markov model calculates the probability that the session corresponding to the access requests has network attack behavior, and the method sets a probability threshold and judges whether the probability output by the model meets it; this probability threshold is the target detection rule. The use of the hidden Markov model is described below and is not repeated here.
S204: judging the access characteristic value by using a target detection rule to obtain a first attack detection result; the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not.
Specifically, the access feature value corresponding to the detection feature item is matched against the target detection rule corresponding to that feature item. For example, the detection feature item is the occurrence count of the target server address, and from the target access requests the access feature value is determined to be 120, that is, the target server address occurs 120 times; the obtained target detection rule contains the rule that the occurrence count of the target server address must not be greater than 100. Matching the access feature value against this rule fails, because 120 is greater than 100, so the access feature value is abnormal; it is therefore determined that the session corresponding to this access feature value has attack behavior, and a detection result indicating attack behavior is generated.
In the prior art, the security protection modes of hardware servers and cloud servers are as follows:
Hardware server: in deployment it must be connected in series at the network entry, so when a high-volume network request arrives it hits a traffic bottleneck and efficiency is low; the attack recognition rules are not updated in time; and the maintenance cost is high.
Cloud server: network traffic must undergo security inspection by a third-party organization, the server-side certificate must be deployed with that third party, the protection rules are invisible, and the protection policy cannot be freely customized.
Moreover, both technologies perform attack detection on single network flows and suffer from high false-positive and false-negative rates.
According to the technical scheme, the embodiment of the invention discloses a network attack detection method, which comprises the steps of obtaining a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal; determining a detection characteristic item, and determining an access characteristic value of the detection characteristic item according to the target access requests; obtaining a target detection rule corresponding to the detection feature item; judging the access characteristic value by using the target detection rule to obtain a first attack detection result; and the first attack detection result is used for indicating whether network attack behaviors to the same session exist or not. In the prior art, a hardware server and a cloud server only detect the flow of a single access request, but attack detection is performed from a session dimension, specifically, a plurality of target access requests of the same session are used as a group to extract access characteristic values, and the extracted access characteristic values carry more comprehensive information, so that the attack detection accuracy is higher.
In one example, the specific implementation of step S202 (determining the detection feature item, and determining the access feature value of the detection feature item according to the plurality of target access requests) includes the following steps:
determining the detection characteristic item as the access frequency aiming at the same object; wherein the same object includes: any one or more of the same target server, the same website of the same target server and the same website associated with the same session; determining target access requests corresponding to the same object, and counting the number of the target access requests corresponding to the same object; and taking the counted number as an access characteristic value of the detection characteristic item.
Specifically, in this implementation the detection feature item is the access frequency for the same object, so the determined access feature value is the specific count of accesses. Target access requests in the same session may be directed at the same object or at different objects; for example, if the object is the target server, identical target servers in the target access requests mean the same object, and different target servers mean different objects. The invention counts the number of target access requests for the same object, and that count is the access feature value.
For count-type access feature values, a counting function must be started to obtain them, and the count can in particular be computed with a counting Bloom filter. In this filter the same object is represented by three positions, one per hash function, each holding a counter. When a target access request for a given object arrives, the three counter positions corresponding to that object are each incremented by 1, and finally the count can be determined from the values at those three positions.
It can be seen that the counting Bloom filter accumulates access feature values within the same session by incrementing every position corresponding to the access feature value. It saves resource space and computes quickly, making it convenient for the firewall system to identify attack behavior in access requests.
It should be noted that the above implementation may be specifically applied to the WAF extension function module in the firewall system. This function implemented by the WAF extension function module may be specifically referred to as a "counting service".
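As an added illustration (not code from the patent), the counting service of S202 with a counting Bloom filter in Python: each host seen in a session maps to three counter positions, every request increments them, and the minimum of the three is the access characteristic value matched against the rule "occurrences of the target server address must not exceed 100". The session identifiers, host names and request records are constructed sample data.

```python
import hashlib
from collections import defaultdict


class CountingBloomFilter:
    """Counting Bloom filter: every key maps to k counter slots (three, as in
    the patent text); add() increments all k, count() returns their minimum,
    which can overestimate on hash collisions but never underestimates."""

    def __init__(self, slots=4096, k=3):
        self.slots = slots
        self.k = k
        self.counters = [0] * slots

    def _positions(self, key):
        # Double hashing over one SHA-256 digest yields the k slot indexes.
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step, never zero
        return [(h1 + i * h2) % self.slots for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.counters[p] += 1

    def count(self, key):
        return min(self.counters[p] for p in self._positions(key))


# Target detection rule for the feature item "occurrences of the target
# server address": a value above 100 within one session is abnormal.
MAX_HOST_HITS_PER_SESSION = 100


def count_host_hits(requests):
    """Counting service: one filter per session; the access characteristic
    value of (session, host) is the number of requests that carried it."""
    filters = defaultdict(CountingBloomFilter)
    for req in requests:
        filters[req["sid"]].add(req["host"])
    return filters


def detect_sessions(requests):
    """Return {sid: (host, hits, attack_flag)} for the most-hit host in each
    session, judged against MAX_HOST_HITS_PER_SESSION (S203/S204)."""
    filters = count_host_hits(requests)
    hosts_by_sid = defaultdict(set)
    for req in requests:
        hosts_by_sid[req["sid"]].add(req["host"])
    results = {}
    for sid, hosts in hosts_by_sid.items():
        host, hits = max(((h, filters[sid].count(h)) for h in hosts),
                         key=lambda pair: pair[1])
        results[sid] = (host, hits, hits > MAX_HOST_HITS_PER_SESSION)
    return results


# Constructed sample traffic (hypothetical hosts, not from the patent):
# session "s1" hits one host 120 times, session "s2" spreads 20 requests
# over two hosts.
SAMPLE_REQUESTS = (
    [{"sid": "s1", "host": "app.example.test", "path": f"/item/{i}"}
     for i in range(120)]
    + [{"sid": "s2", "host": "app.example.test", "path": "/"}
       for _ in range(12)]
    + [{"sid": "s2", "host": "static.example.test", "path": "/a.js"}
       for _ in range(8)]
)

if __name__ == "__main__":
    for sid, (host, hits, attack) in detect_sessions(SAMPLE_REQUESTS).items():
        print(sid, host, hits, "ATTACK" if attack else "ok")
```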
Referring to fig. 3, another embodiment of the network attack detection method of the present invention may specifically include the following steps S301-S305, and the method may be specifically applied to a WAF extension function module in a firewall system. The network attack detection method implemented by the WAF extension function module may be specifically referred to as "session analysis service".
S301: and acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal.
Specifically, the step of obtaining multiple target access requests belonging to the same session, which are sent by the target terminal to the target server, is the same as step S201, and is not described herein again. It should be noted that the number of the target access requests may be a preset number, specifically, whether the target access requests in the same session reach the preset number, for example, 32, is detected, and if the preset number is not reached, the target access requests continue to be obtained; if the preset number is reached, the following steps are carried out.
S302: and determining the detection characteristic item as a session-associated website.
In this implementation manner, the detection feature item is specifically a session-related website. The session-associated website refers to an address of a webpage of the accessed target server carried in the access request sent by the target terminal.
S303: respectively determining the website corresponding to each target access request, and distributing different website identifications to different websites corresponding to the target access requests according to the time sequence of the target access requests to obtain a website identification sequence; wherein the website identification sequence is used as an access characteristic value.
After a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal are acquired, a website associated with the session is extracted from the access requests. That is, each access request corresponds to a respective website, and since the access requests have chronological order, each website also corresponds to chronological order, thereby becoming a website sequence. Because the website sequence can not be directly used as the input of the hidden Markov model, the invention carries out generalization treatment on the website sequence, and the sequence after the generalization treatment can be used as the input of the hidden Markov model.
The generalization process assigns the same website identifier to the same website and different website identifiers to different websites, yielding a website identifier sequence for the websites of the same session. For example, if four websites are extracted from the 32 target access requests, the four different websites are given the website identifiers 1, 2, 3 and 4 respectively. Assuming further that the four websites appear in turn throughout the session, the resulting website identifier sequence is (1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4).
S304: and inputting the website identification sequence into a hidden Markov model to obtain the probability value of the network attack behavior existing in the session corresponding to the target access requests.
The hidden Markov model is a data model obtained by training in advance on a large amount of known sample data. It is used to calculate the probability that the session corresponding to the access requests has network attack behavior.
The generalization result is input into the hidden Markov model, which evaluates the sequence to obtain a probability value corresponding to the generalization result; this probability value is an access characteristic value.
S305: if the probability value meets a preset probability threshold, determining that the first attack detection result is that network attack behaviors to the same session exist; and if the probability value does not meet the preset probability threshold, determining that the first attack detection result is that no network attack behavior to the same session exists.
Therefore, the method can judge the websites in the target access requests through the hidden Markov model so as to determine whether the attack behaviors to the target access requests exist.
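Added example (not the patent's own code or trained model) of the session analysis service S302-S305 in Python: the website sequence of a 32-request session is generalized to identifiers by order of first appearance, a scaled forward pass of a two-state hidden Markov model gives the probability that the session is in a scripted-access state after the whole sequence, and the result is compared with a preset threshold. The HMM parameters, the threshold and the page paths are constructed assumptions.

```python
def generalize_sites(urls):
    """Map each distinct website to the identifier 1, 2, 3, ... in order of
    first appearance, preserving request order (the page's generalization)."""
    ids = {}
    seq = []
    for u in urls:
        if u not in ids:
            ids[u] = len(ids) + 1
        seq.append(ids[u])
    return seq


# Constructed two-state HMM (assumption, not the patent's trained model).
# Hidden states: 0 = ordinary browsing, 1 = scripted access.
# Observations: website ids 1..4; any id above 4 folds into symbol 4.
N_SYMBOLS = 4
START = [0.9, 0.1]
TRANS = [[0.95, 0.05],
         [0.10, 0.90]]
EMIT = [[0.70, 0.10, 0.10, 0.10],   # browsing stays mostly on the entry page
        [0.25, 0.25, 0.25, 0.25]]   # scripted access cycles evenly over pages


def attack_probability(id_sequence):
    """Scaled forward algorithm. Returns the filtered posterior
    P(state = scripted | all observations), i.e. the attack probability
    the session analysis service attaches to the sequence."""
    symbol = min(id_sequence[0], N_SYMBOLS) - 1
    alpha = [START[s] * EMIT[s][symbol] for s in range(2)]
    total = sum(alpha)
    alpha = [a / total for a in alpha]
    for site_id in id_sequence[1:]:
        symbol = min(site_id, N_SYMBOLS) - 1
        # Predict the next hidden state, then weight by the emission.
        predicted = [sum(alpha[p] * TRANS[p][s] for p in range(2))
                     for s in range(2)]
        alpha = [predicted[s] * EMIT[s][symbol] for s in range(2)]
        total = sum(alpha)          # renormalize to avoid underflow
        alpha = [a / total for a in alpha]
    return alpha[1]


PROBABILITY_THRESHOLD = 0.8  # constructed preset threshold for S305


def session_analysis(urls, threshold=PROBABILITY_THRESHOLD):
    """S302-S305: generalize the website sequence, score it with the HMM,
    and judge the session against the probability threshold."""
    p = attack_probability(generalize_sites(urls))
    return {"probability": p, "attack": p >= threshold}


# Constructed sessions of 32 requests each (the preset number from S301).
PAGES = ["/login", "/account", "/transfer", "/logout"]
SCRIPTED_SESSION = PAGES * 8                                   # 1,2,3,4 cycling
NORMAL_SESSION = (["/login"] * 4 + ["/account"] + ["/login"] * 3) * 4

if __name__ == "__main__":
    for name, urls in (("scripted", SCRIPTED_SESSION), ("normal", NORMAL_SESSION)):
        print(name, generalize_sites(urls)[:8], session_analysis(urls))
```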
In addition, the invention also provides a network attack detection method, which can also comprise the following steps on the basis of the network attack detection method. It should be noted that the following steps can be specifically applied to the WAF basic function module in the firewall system.
Obtaining a session blacklist; wherein, the session blacklist records the session with the first attack detection result of network attack behavior; judging whether the same session is contained in the session blacklist or not, and obtaining a second attack detection result; and comprehensively judging the first attack detection result and the second attack detection result to obtain a target attack detection result.
Specifically, the WAF state system in the firewall system records the sessions whose first attack detection result indicates network attack behavior and determines the target terminal identifier corresponding to each such session; for example, the identifier may be the user IP, which is recorded in the session blacklist. When the target terminal initiates an access request again, it is identified as a target terminal in the session blacklist by its IP, and the attack detection result is determined to be that network attack behavior exists. To distinguish it from the attack detection result obtained above, the detection result obtained with the session blacklist is referred to as the second attack detection result.
The second attack detection result may agree or disagree with the first. The two results are judged together to obtain the target attack detection result; the combination can be:
if both results indicate an attack, the target attack detection result is that a network attack exists; in all other cases, that no network attack exists.
Or, if at least one of the two results indicates an attack, the target attack detection result is that a network attack exists; otherwise, that no network attack exists.
Or another combination rule.
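As an added illustration, not part of the patent text, the following Python code implements the session blacklist and the two combination rules described above. The terminal identifier is the client IP, as the description suggests; the class and function names, the lookup-before-record ordering, and the sample session sequence are assumptions.

```python
# Added example, not code from the patent: a session blacklist keyed by the
# terminal identifier (the client IP, as the description suggests) and the two
# "comprehensive judgment" policies the description lists. Names are assumed.
from collections import defaultdict


class SessionBlacklist:
    """Records terminal identifiers of sessions whose first attack detection
    result was 'attack present' (the WAF state system of the description)."""

    def __init__(self):
        self._sessions = defaultdict(set)   # terminal ip -> SIDs flagged

    def record(self, ip, sid):
        self._sessions[ip].add(sid)

    def second_result(self, ip):
        """Second attack detection result: True if the terminal is blacklisted."""
        return ip in self._sessions


def combine(first, second, policy):
    """Target attack detection result from the first and second results."""
    if policy == "both":      # attack only when both detectors say attack
        return first and second
    if policy == "either":    # attack when at least one detector says attack
        return first or second
    raise ValueError(f"unknown policy {policy!r}")


def evaluate_session(blacklist, ip, sid, first, policy):
    """Look the terminal up before recording (assumed ordering), so the second
    result reflects earlier sessions of the same terminal."""
    second = blacklist.second_result(ip)
    target = combine(first, second, policy)
    if first:
        blacklist.record(ip, sid)
    return target


def demo():
    # constructed sequence of (terminal ip, SID, first attack detection result)
    events = [("10.0.0.5", "sid-1", True),
              ("10.0.0.5", "sid-2", False),
              ("10.0.0.9", "sid-3", False),
              ("10.0.0.5", "sid-4", True)]
    results = {}
    for policy in ("both", "either"):
        bl = SessionBlacklist()
        results[policy] = [evaluate_session(bl, ip, sid, first, policy)
                           for ip, sid, first in events]
    return results
```

With the "both" rule a terminal is only flagged once an earlier session of the same terminal has already been blacklisted, so a terminal's first flagged session never yields a target result of "attack" under that rule; the "either" rule flags every later session from a blacklisted IP regardless of the session-level result, which a practitioner should weigh against terminals that share an address behind NAT.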
In one example, the step of recording access requests in the message queue includes:
obtaining access requests that a terminal sends to a server and that belong to the same session; obtaining a preset detection rule, which is a detection rule for a field of a single access request; reading from the access request the value of the field that the rule examines; and, if the field value does not trigger the preset detection rule (that is, the single-request check finds no attack), storing the access request associated with that field value in the message queue.
Specifically, a target terminal sends an access request to a target server. The request first passes through the firewall system, which judges whether attack behavior exists, and only requests without attack behavior are forwarded to the target server. The WAF basic function module of the firewall system receives the access request from the target terminal and performs single-request rule detection on it.
A single detection rule examines one access request on its own. The single detection rules are preset as part of the rules with which the WAF basic function module identifies attack behavior, namely conventional rules (regular-expression rules or black/white lists), and in particular they check the identifier of the target terminal. For example: judge whether the identifier of the target terminal matches an entry in the terminal identifier blacklist; if it does, the target terminal is treated as attacking and its access request is intercepted or skipped; if it does not, the next rule is checked; once all rules have been checked, the remaining access requests are sent to the message queue of the data bus.
The conventional rules are as follows:
1. Protocol item checking: whitelist restrictions on element content, element length, element byte range and character set; restriction of protocols and protocol versions; content validation before a request is submitted; checks for irregular encodings (e.g. %uXXYY characters) and for URL-encoded characters; enforcement of the cookie type used.
2. Restrictions on the method, protocol, body, cookies and headers of the request.
3. Inspection and analysis of the response content: headers, body and status code.
4. Data reduction: decoding of URL, Unicode, base64, UTF-8 and hexadecimal encodings and of HTML special-character escapes.
5. Terminal identifier blacklist detection: request inspection based on regular-expression matching; non-conforming requests are intercepted or skipped as the rule prescribes; one request may satisfy several conditions; a safe request specification is defined, and any request format that does not conform to it is uniformly rejected.
6. Session attack limiting: if a network attack is detected in a request sent by the terminal, the request is restricted to protect information during network access. The restriction policy may be to intercept the request outright so that it never reaches the server; or to suspend forwarding, instruct the terminal to resend some information to be verified, and decide from that verification whether the terminal is under attack.
7. Brute-force limiting: checking the state of HTTP accesses, rate limiting, and limiting large numbers of accesses to the same resource that return 401 errors: if that count exceeds a threshold, the single IP or the IP segment is rejected; if the number of accesses within a time period exceeds a threshold, the session is rejected; and if the access frequency is too high, automatic reconnection by the client is limited.
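The following Python code is an added example, not the patent's implementation, of the single-request rule checks described in items 1, 2, 4, 5 and 7 above, with passing requests appended to a queue that stands in for the data-bus message queue. The request format, the limits (allowed methods and versions, element length, 401 count and window), the safe character set and the sample requests are all constructed assumptions.

```python
# Added example, not the patent's code: single-request ("per request") rule
# checks of a WAF basic function module. All limits and names are assumed.
import re
import html
from collections import defaultdict, deque
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "POST", "HEAD"}          # item 2: method restriction
ALLOWED_VERSIONS = {"HTTP/1.1", "HTTP/2"}          # item 1: protocol version restriction
MAX_ELEMENT_LEN = 2048                              # item 1: element length whitelist (assumed)
IRREGULAR_ENC = re.compile(r"%u[0-9a-fA-F]{4}")     # item 1: IIS-style %uXXYY encoding
SAFE_PATH = re.compile(r"^[\w\-./?=&%+~:@]*$")      # item 1: assumed safe character set
MAX_401 = 3                                         # item 7: 401s per IP per window (assumed)
WINDOW = 60                                         # item 7: sliding window in seconds


def reduce_data(value):
    """Item 4: strip layered URL / HTML-entity encodings until the value is stable."""
    for _ in range(4):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


class SingleRequestFilter:
    def __init__(self, ip_blacklist=()):
        self.ip_blacklist = set(ip_blacklist)      # item 5: terminal identifier blacklist
        self.unauth = defaultdict(deque)           # ip -> timestamps of 401 responses
        self.queue = deque()                       # stands in for the data-bus message queue

    def record_response(self, ip, status, ts):
        """Items 3/7: count 401 responses per IP; too many inside the window blacklists the IP."""
        if status != 401:
            return
        q = self.unauth[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_401:
            self.ip_blacklist.add(ip)

    def check(self, req):
        """Return the name of the first rule the request violates, or None if it passes."""
        if req["ip"] in self.ip_blacklist:
            return "terminal-blacklist"
        if req["method"] not in ALLOWED_METHODS:
            return "method"
        if req["version"] not in ALLOWED_VERSIONS:
            return "protocol-version"
        for name, value in req["headers"].items():
            if len(value) > MAX_ELEMENT_LEN:
                return f"element-length:{name}"
        if IRREGULAR_ENC.search(req["path"]):
            return "irregular-encoding"
        if not SAFE_PATH.match(reduce_data(req["path"])):   # decode first, then match
            return "charset"
        return None

    def handle(self, req):
        """Intercept on the first violated rule; otherwise hand the request to the queue."""
        reason = self.check(req)
        if reason is None:
            self.queue.append(req)
        return reason


def demo():
    f = SingleRequestFilter(ip_blacklist={"203.0.113.7"})
    hdr = {"Host": "shop.example"}
    reqs = [  # constructed sample requests
        dict(ts=0, ip="198.51.100.2", method="GET", version="HTTP/1.1", path="/index.html?id=1", headers=hdr),
        dict(ts=1, ip="198.51.100.2", method="GET", version="HTTP/1.1", path="/search?q=%253Cscript%253E", headers=hdr),
        dict(ts=2, ip="198.51.100.2", method="GET", version="HTTP/1.1", path="/a?x=%u0041", headers=hdr),
        dict(ts=3, ip="203.0.113.7", method="GET", version="HTTP/1.1", path="/", headers=hdr),
        dict(ts=4, ip="198.51.100.2", method="TRACE", version="HTTP/1.1", path="/", headers=hdr),
    ]
    verdicts = [f.handle(r) for r in reqs]
    # brute force: four 401 responses from one IP inside the window blacklist it
    for t in range(4):
        f.record_response("198.51.100.9", 401, 10 + t)
    late = f.handle(dict(ts=15, ip="198.51.100.9", method="GET", version="HTTP/1.1", path="/login", headers={}))
    return verdicts, late, len(f.queue)
```

Decoding before matching (item 4) is what makes the second sample request, which carries a double URL-encoded `<script>`, fail the character-set rule; matching the raw path would let it through. The 401 counter of item 7 only works if the response path of item 3 feeds status codes back to the filter, which `record_response` models.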
In summary, the firewall system provided by the invention adopts a three-layer protection scheme (traffic traction and cleaning, traffic analysis and scheduling, attack recognition and analysis service). With this system, HTTP traffic can be filtered at multiple levels and in multiple dimensions, and a series of currently high-risk attack behaviors, such as web attacks and crawler attacks, can be intercepted effectively. Specifically:
Traffic traction and cleaning: NGINX is used as the traffic acquisition tool with embedded Lua scripts; the Lua script performs the first cleaning and filtering of the network traffic and, at the same time, pushes the traffic being processed to the message queue, completing the traffic traction step;
Traffic analysis and scheduling: FLINK is used as the stream-processing framework; it is responsible for the overall scheduling of attack identification, obtains HTTP traffic by consuming the message queue, and identifies anomalies in the current traffic data by calling the data analysis services;
Attack recognition and analysis service: a set of data analysis services built from several microservices, which use a counting service and a session analysis service to judge, in the dimension of a session containing a batch of requests, whether the requests show signs of attack.
An embodiment of the present invention provides a network attack detection apparatus, and referring to fig. 4, the apparatus may specifically include: an access request obtaining module 401, a feature item determining module 402, a rule obtaining module 403, and a first attack detection result obtaining module 404, where:
an access request obtaining module 401, configured to obtain multiple target access requests belonging to the same session, where the target access requests are sent by a target terminal to a target server.
A feature item determining module 402, configured to determine a detection feature item, and determine an access feature value of the detection feature item according to the multiple target access requests.
A rule obtaining module 403, configured to obtain a target detection rule corresponding to the detection feature item.
A first attack detection result obtaining module 404, configured to judge the access feature value with the target detection rule and obtain a first attack detection result; the first attack detection result indicates whether a network attack on the same session exists.
As can be seen from the foregoing technical solutions, an embodiment of the present invention discloses a network attack detection apparatus which may: acquire a plurality of target access requests that belong to the same session and are sent by a target terminal to a target server; determine a detection feature item and determine an access feature value of that item from the target access requests; obtain a target detection rule corresponding to the detection feature item; and judge the access feature value with the target detection rule to obtain a first attack detection result, which indicates whether a network attack on the same session exists. By examining several target access requests of one session together, the apparatus captures the terminal's behavior towards one target server and can therefore detect attack behavior in the terminal's access requests more accurately than a per-request check.
In one example, the access request obtaining module obtains the plurality of target access requests that belong to the same session and are sent by the target terminal to the target server as follows: it obtains the access requests that the target terminal sends to the target server and that belong to the same session, and extracts from them a plurality of access requests belonging to the same time period as the target access requests.
In one example, the feature item determining module determines the detection feature item and its access feature value from the target access requests as follows: it sets the detection feature item to the access frequency for the same object, where the same object is any one or more of the same target server, the same website on the same target server, and the same website associated with the same session; it determines the target access requests corresponding to the same object and counts them; and it takes the count as the access feature value of the detection feature item.
In one example, the feature item determining module determines the detection feature item and its access feature value as follows: it sets the detection feature item to the session-associated website; it determines the website corresponding to each target access request; and it assigns different website identifiers to the different websites, in the time order of the target access requests, to obtain a website identifier sequence, which serves as the access feature value.
In one example, the rule obtaining module obtains the target detection rule corresponding to the detection feature item by selecting a pre-trained hidden Markov model, which computes the probability that the session corresponding to the access requests carries a network attack. The first attack detection result obtaining module then judges the access feature value with that rule as follows: it inputs the website identifier sequence into the hidden Markov model to obtain the probability that the session corresponding to the target access requests carries a network attack; if the probability meets the preset probability threshold, the first attack detection result is that a network attack on the same session exists; otherwise, the first attack detection result is that no network attack on the same session exists.
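The following Python code is an added example, not the patent's implementation, of the two feature items and the hidden Markov model rule described above: the access count for the same object, the website identifier sequence assigned in order of first visit, and the HMM probability compared against a threshold as in step S305. The log format, time window, count and probability thresholds, and the HMM parameters are constructed assumptions; a real deployment would train the model on labelled sessions, whereas here its parameters are set by hand.

```python
# Added example, not the patent's code: session-level feature extraction and
# HMM scoring over constructed log lines. All parameters below are assumed.
from collections import Counter
from urllib.parse import urlsplit

WINDOW = 300          # assumed: "same time period" = 300 s from the session's first request
COUNT_THRESHOLD = 20  # assumed: more hits than this on one object in the window is an attack
PROB_THRESHOLD = 0.8  # assumed preset probability threshold for the HMM result
K = 4                 # website identifiers >= K are collapsed into one observation symbol

# Constructed, hand-set HMM parameters; hidden states 0 = normal, 1 = attack.
PI = [0.95, 0.05]
A = [[0.9, 0.1],
     [0.2, 0.8]]
B = [[0.5, 0.3, 0.15, 0.05],    # normal users mostly revisit their first few pages
     [0.05, 0.1, 0.25, 0.6]]    # scanners/crawlers keep hitting never-seen pages

# Constructed log: "<epoch seconds> <sid> <ip> <url>" per line.
SAMPLE_LOG = """
1000 s1 198.51.100.2 http://shop.example/
1003 s1 198.51.100.2 http://shop.example/login
1010 s1 198.51.100.2 http://shop.example/
1020 s1 198.51.100.2 http://shop.example/account
1025 s1 198.51.100.2 http://shop.example/login
1030 s1 198.51.100.2 http://shop.example/
1000 s2 203.0.113.7 http://shop.example/admin
1001 s2 203.0.113.7 http://shop.example/phpmyadmin
1002 s2 203.0.113.7 http://shop.example/backup.zip
1003 s2 203.0.113.7 http://shop.example/.env
1004 s2 203.0.113.7 http://shop.example/wp-login.php
1005 s2 203.0.113.7 http://shop.example/config.php
1006 s2 203.0.113.7 http://shop.example/.git/HEAD
2000 s2 203.0.113.7 http://shop.example/late
"""
# a flood session (s3): one URL hit 25 times inside the window
SAMPLE_LOG += "".join(f"{1100 + i} s3 192.0.2.9 http://shop.example/api/login\n" for i in range(25))


def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, sid, ip, url = line.split()
        rows.append((int(ts), sid, ip, url))
    return rows


def target_requests(rows, sid):
    """Requests of one session (by SID) that fall in the same time period."""
    own = sorted(r for r in rows if r[1] == sid)
    if not own:
        return []
    start = own[0][0]
    return [r for r in own if r[0] - start <= WINDOW]


def access_counts(reqs):
    """Feature item 'access frequency for the same object': per website and per server."""
    by_url = Counter(r[3] for r in reqs)
    by_server = Counter(urlsplit(r[3]).netloc for r in reqs)
    return by_url, by_server


def website_id_sequence(reqs):
    """Feature item 'session-associated website': identifiers in order of first visit."""
    ids, seq = {}, []
    for r in reqs:
        seq.append(ids.setdefault(r[3], len(ids) + 1))
    return seq


def hmm_attack_probability(seq):
    """Scaled forward algorithm; returns P(last hidden state = attack | sequence)."""
    if not seq:
        return 0.0
    obs = [min(i, K) - 1 for i in seq]
    alpha = [PI[s] * B[s][obs[0]] for s in (0, 1)]
    for o in obs[1:]:
        alpha = [B[s][o] * sum(alpha[p] * A[p][s] for p in (0, 1)) for s in (0, 1)]
        total = sum(alpha)
        alpha = [a / total for a in alpha]   # rescale to avoid underflow on long sessions
    return alpha[1] / sum(alpha)


def first_detection_result(rows, sid):
    """Both detection feature items for one session, each judged by its own rule."""
    reqs = target_requests(rows, sid)
    by_url, by_server = access_counts(reqs)
    prob = hmm_attack_probability(website_id_sequence(reqs))
    busiest = max(list(by_url.values()) + list(by_server.values()), default=0)
    return {"count_attack": busiest > COUNT_THRESHOLD,
            "hmm_prob": round(prob, 3),
            "hmm_attack": prob >= PROB_THRESHOLD}
```

The three constructed sessions show why the description keeps both feature items: the scanning session s2 is caught by the identifier sequence (a never-seen website on nearly every request), while the flood session s3, which repeats one URL, looks entirely normal to the HMM and is only caught by the access count. The s2 request at time 2000 lies outside the window and is not a target request.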
In one example, the network attack detection apparatus may further include a session blacklist obtaining module, configured to obtain a session blacklist that records the sessions whose first attack detection result is that a network attack exists; a second attack detection result obtaining module, configured to judge whether the same session is contained in the session blacklist and obtain a second attack detection result; and a target attack detection result obtaining module, configured to judge the first and second attack detection results together and obtain a target attack detection result.
In one example, the access request obtaining module obtains the plurality of target access requests that belong to the same session and are sent by the target terminal to the target server from a message queue; the message queue records the access requests, sent by the terminal to the server and belonging to the same session, that the preset detection rule has checked and found free of network attack behavior.
In one example, the network attack detection apparatus may further include an access request recording module, configured to: obtain access requests that a terminal sends to a server and that belong to the same session; obtain a preset detection rule, which is a detection rule for a field of a single access request; read from the access request the value of the field that the rule examines; and, if the field value does not trigger the preset detection rule, store the access request associated with that field value in the message queue.
It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the same element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (14)

1. A network attack detection method, characterized by comprising the following steps:
a firewall system is arranged in the access path between a server and a terminal and performs attack behavior detection on the access requests sent by the terminal;
acquiring a plurality of target access requests which belong to the same session and are sent by a target terminal to a target server;
determining a detection feature item, and determining an access feature value of the detection feature item according to the target access requests;
obtaining a target detection rule corresponding to the detection feature item;
judging the access feature value with the target detection rule to obtain a first attack detection result, the first attack detection result indicating whether a network attack on the same session exists;
wherein acquiring the plurality of target access requests which belong to the same session and are sent by the target terminal to the target server comprises:
obtaining access requests which belong to the same session and are sent by the target terminal to the target server;
extracting, from the obtained access requests, a plurality of access requests belonging to the same time period as the target access requests, which includes: obtaining the identifier SID carried in the access requests and, according to the identifier SID, extracting a plurality of access requests belonging to the same time period as the target access requests; the identifier SID is added by the firewall system to the response data packet that the target server generates for the access request, when that response data packet passes back through the firewall system to the target terminal, so that the target terminal stores the identifier SID after receiving the response data packet carrying it and carries the identifier SID in the access requests of the same session that it next sends to the target server; the identifier SID is time-limited.
2. The network attack detection method according to claim 1, wherein the determining a detection feature item and determining an access feature value of the detection feature item according to the target access requests comprises:
determining the detection feature item as the access frequency for the same object, wherein the same object includes any one or more of the same target server, the same website on the same target server, and the same website associated with the same session;
determining target access requests corresponding to the same object, and counting the number of the target access requests corresponding to the same object;
and taking the counted number as the access characteristic value of the detection characteristic item.
3. The network attack detection method according to claim 1, wherein the determining a detection feature item and determining an access feature value of the detection feature item according to the target access requests comprises:
determining the detection characteristic item as a session-associated website;
respectively determining a website corresponding to each target access request;
assigning different website identifiers to the different websites corresponding to the target access requests, in the time order of the target access requests, to obtain a website identifier sequence, which serves as the access feature value.
4. The network attack detection method according to claim 3,
the obtaining of the target detection rule corresponding to the detection feature item includes:
determining a pre-trained hidden Markov model as a target detection rule corresponding to the detection characteristic item; the hidden Markov model is used for calculating the probability value of the network attack behavior of the session corresponding to the access request;
the judging the access characteristic value by using the target detection rule to obtain a first attack detection result includes:
inputting a website identification sequence into the hidden Markov model to obtain a probability value of a network attack behavior existing in a session corresponding to a plurality of target access requests;
if the probability value meets a preset probability threshold value, determining that a first attack detection result is that network attack behaviors to the same session exist;
and if the probability value does not meet a preset probability threshold value, determining that the first attack detection result is that no network attack behavior to the same session exists.
5. The network attack detection method according to claim 1, further comprising:
obtaining a session blacklist; wherein, the session blacklist records the session with the first attack detection result of network attack behavior;
judging whether the same session is contained in the session blacklist or not, and obtaining a second attack detection result;
and comprehensively judging the first attack detection result and the second attack detection result to obtain a target attack detection result.
6. The method according to claim 1, wherein acquiring the plurality of target access requests which belong to the same session and are sent by the target terminal to the target server comprises:
acquiring, from a message queue, a plurality of target access requests which belong to the same session and are sent by the target terminal to the target server; the message queue records the access requests, sent by the terminal to the server and belonging to the same session, that the preset detection rule has checked and found free of network attack behavior.
7. The network attack detection method according to claim 6, wherein the step of recording the access requests in the message queue comprises:
obtaining access requests which are sent to a server by a terminal and belong to the same session;
obtaining a preset detection rule; wherein the preset detection rule is a detection rule for a field of a single access request;
acquiring the field value of the field detected by the preset detection rule from the access request;
and if the field value does not meet the preset detection rule, storing the access request associated with the field value into a message queue.
8. A cyber attack detecting apparatus, comprising:
the access request acquisition module is used for acquiring a plurality of target access requests which belong to the same session and are sent to a target server by a target terminal;
the characteristic item determining module is used for determining a detection characteristic item and determining an access characteristic value of the detection characteristic item according to the target access requests;
the rule acquisition module is used for acquiring a target detection rule corresponding to the detection feature item;
the first attack detection result acquisition module is used for judging the access characteristic value by using the target detection rule to acquire a first attack detection result; the first attack detection result is used for indicating whether a network attack behavior to the same session exists or not;
the access request obtaining module is specifically configured to: obtain access requests which belong to the same session and are sent by the target terminal to the target server; and extract, from the obtained access requests, a plurality of access requests belonging to the same time period as the target access requests, which includes: obtaining the identifier SID carried in the access requests and, according to the identifier SID, extracting a plurality of access requests belonging to the same time period as the target access requests; the identifier SID is added by a firewall system to the response data packet that the target server generates for the access request, when that response data packet passes back through the firewall system to the target terminal, so that the target terminal stores the identifier SID after receiving the response data packet carrying it and carries the identifier SID in the access requests of the same session that it next sends to the target server; the identifier SID is time-limited; the firewall system is arranged in advance in the access path between the server and the terminal and performs attack behavior detection on the access requests sent by the terminal.
9. The network attack detection device according to claim 8, wherein the feature item determination module is specifically configured to:
determining the detection feature item as the access frequency for the same object, wherein the same object includes any one or more of the same target server, the same website on the same target server, and the same website associated with the same session;
determining target access requests corresponding to the same object, and counting the number of the target access requests corresponding to the same object;
and taking the counted number as the access characteristic value of the detection characteristic item.
10. The network attack detection device according to claim 8, wherein the feature item determination module is specifically configured to:
determining the detection characteristic item as a session-associated website;
respectively determining a website corresponding to each target access request;
assigning different website identifiers to the different websites corresponding to the target access requests, in the time order of the target access requests, to obtain a website identifier sequence, which serves as the access feature value.
11. The cyber attack detecting apparatus according to claim 10,
the rule obtaining module is specifically configured to determine a pre-trained hidden markov model as a target detection rule corresponding to the detection feature item; the hidden Markov model is used for calculating the probability value of the network attack behavior of the session corresponding to the access request;
the first attack detection result acquisition module is specifically configured to input a website identification sequence into the hidden markov model to obtain a probability value of a session having a network attack behavior corresponding to a plurality of target access requests; if the probability value meets a preset probability threshold value, determining that a first attack detection result is that network attack behaviors to the same session exist; and if the probability value does not meet a preset probability threshold value, determining that the first attack detection result is that no network attack behavior to the same session exists.
12. The cyber attack detecting apparatus according to claim 8, further comprising:
the session blacklist acquisition module is used for acquiring a session blacklist; wherein, the session blacklist records the session with the first attack detection result of network attack behavior;
the second attack detection result acquisition module is used for judging whether the same session is contained in the session blacklist or not and acquiring a second attack detection result;
and the target attack detection result acquisition module is used for comprehensively judging the first attack detection result and the second attack detection result to obtain a target attack detection result.
13. The network attack detection apparatus according to claim 8, wherein the access request obtaining module is specifically configured to:
acquire, from a message queue, a plurality of target access requests which belong to the same session and are sent by the target terminal to the target server; the message queue records the access requests, sent by the terminal to the server and belonging to the same session, that the preset detection rule has checked and found free of network attack behavior.
14. The cyber attack detecting apparatus according to claim 13, further comprising: a record access request module to:
obtaining access requests which are sent to a server by a terminal and belong to the same session;
obtaining a preset detection rule; wherein the preset detection rule is a detection rule for a field of a single access request;
acquiring the field value of the field detected by the preset detection rule from the access request;
and if the field value does not meet the preset detection rule, storing the access request associated with the field value into a message queue.
CN201910356354.2A 2019-04-29 2019-04-29 Network attack detection method and device Active CN109951500B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910356354.2A CN109951500B (en) 2019-04-29 2019-04-29 Network attack detection method and device

Publications (2)

Publication Number Publication Date
CN109951500A CN109951500A (en) 2019-06-28
CN109951500B true CN109951500B (en) 2021-10-26

Family

ID=67016691

Country Status (1)

Country Link
CN (1) CN109951500B (en)

Families Citing this family (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110602046B (en) * 2019-08-13 2022-04-26 未鲲(上海)科技服务有限公司 Data monitoring processing method and device, computer equipment and storage medium
CN110545269A (en) * 2019-08-22 2019-12-06 西安四叶草信息技术有限公司 Access control method, device and storage medium
CN110430226B (en) * 2019-09-16 2021-08-17 腾讯科技(深圳)有限公司 Network attack detection method and device, computer equipment and storage medium
CN110798385B (en) * 2019-11-07 2023-03-03 中天宽带技术有限公司 Method, device, equipment and medium for testing wide area network access setting function
CN110730195B (en) * 2019-12-18 2020-03-31 腾讯科技(深圳)有限公司 Data processing method and device and computer readable storage medium
CN110798488B (en) * 2020-01-03 2020-04-14 北京东方通科技股份有限公司 Web application attack detection method
CN113158182A (en) * 2020-01-07 2021-07-23 深信服科技股份有限公司 Web attack detection method and device, electronic equipment and storage medium
CN111314291A (en) * 2020-01-15 2020-06-19 北京小米移动软件有限公司 Website security detection method and device and storage medium
CN111585956B (en) * 2020-03-31 2022-09-09 完美世界(北京)软件科技发展有限公司 Website anti-brushing verification method and device
CN111526136A (en) * 2020-04-15 2020-08-11 优刻得科技股份有限公司 Malicious attack detection method, system, device and medium based on cloud WAF
CN111800379A (en) * 2020-05-26 2020-10-20 北京惠而特科技有限公司 Industrial control private protocol detection method and device based on Lua
CN111800409B (en) * 2020-06-30 2023-04-25 杭州数梦工场科技有限公司 Interface attack detection method and device
CN111885011B (en) * 2020-07-02 2022-11-01 安全能力生态聚合(北京)运营科技有限公司 Method and system for analyzing and mining safety of service data network
CN112153033B (en) * 2020-09-16 2023-04-07 杭州安恒信息技术股份有限公司 Method and device for detecting webshell
CN112434304A (en) * 2020-12-02 2021-03-02 网宿科技股份有限公司 Method, server and computer readable storage medium for defending network attack
CN112668007A (en) * 2021-01-05 2021-04-16 浪潮软件股份有限公司 Software system security reinforcing method
CN113114620B (en) * 2021-03-02 2023-03-17 深信服科技股份有限公司 Brute force cracking detection method and device, and storage medium
CN112866292B (en) * 2021-03-04 2022-10-21 安天科技集团股份有限公司 Attack behavior prediction method and device for multi-sample combination attack
CN113032788A (en) * 2021-03-24 2021-06-25 山东英信计算机技术有限公司 Firmware image switching method, device and medium in computer system
CN113452702B (en) * 2021-06-28 2023-02-24 中国光大银行股份有限公司 Micro-service traffic detection system and method
CN113542252A (en) * 2021-07-11 2021-10-22 北京长亭科技有限公司 Detection method, detection model and detection device for Web attack
CN113676473B (en) * 2021-08-19 2023-05-02 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN114389900A (en) * 2022-03-23 2022-04-22 广东睿江云计算股份有限公司 OpenResty-based abnormal traffic capturing and intercepting method and system
CN114666162B (en) * 2022-04-29 2023-05-05 北京火山引擎科技有限公司 Flow detection method, device, equipment and storage medium
CN115150182B (en) * 2022-07-25 2023-07-25 国网湖南省电力有限公司 Information system network attack detection method based on flow analysis

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137111A (en) * 2011-04-20 2011-07-27 Beijing ChinaCache Communication Technology Co., Ltd. Method and device for preventing CC (Challenge Collapsar) attacks, and content delivery network server
CN104065644A (en) * 2014-05-28 2014-09-24 Beijing Knownsec Information Technology Co., Ltd. Method and apparatus for recognizing CC attacks based on log analysis
US9225738B1 (en) * 2014-06-30 2015-12-29 Emc Corporation Markov behavior scoring
CN105391692A (en) * 2015-10-19 2016-03-09 Guangzhou Chexingyi Information Technology Co., Ltd. Detection and identification method and device for batch attacks on APP-to-gateway communication
CN107070852A (en) * 2016-12-07 2017-08-18 Neusoft Corporation Network attack detection method and device
CN107402921A (en) * 2016-05-18 2017-11-28 Alibaba Group Holding Ltd. Method, apparatus and system for processing event-sequence data to identify user behavior
CN108111466A (en) * 2016-11-24 2018-06-01 Beijing Kingsoft Cloud Network Technology Co., Ltd. Attack detection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080115213A1 (en) * 2006-11-14 2008-05-15 Fmr Corp. Detecting Fraudulent Activity on a Network Using Stored Information

Also Published As

Publication number Publication date
CN109951500A (en) 2019-06-28

Similar Documents

Publication Publication Date Title
CN109951500B (en) Network attack detection method and device
CN109600363B (en) Internet of things terminal network portrait and abnormal network access behavior detection method
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
US9369479B2 (en) Detection of malware beaconing activities
Stringhini et al. Shady paths: Leveraging surfing crowds to detect malicious web pages
KR100800370B1 (en) Network attack signature generation
CN103379099B (en) Malicious attack identification method and system
CN107465648B (en) Abnormal equipment identification method and device
US20210258791A1 (en) Method for http-based access point fingerprint and classification using machine learning
KR101391781B1 (en) Apparatus and Method for Detecting HTTP Botnet based on the Density of Web Transaction
EP2953298A1 (en) Log analysis device, information processing method and program
US20090282478A1 (en) Method and apparatus for processing network attack
US10257213B2 (en) Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program
CN103297433A (en) HTTP botnet detection method and system based on net data stream
CN107979581B (en) Method and device for detecting botnet (zombie host) characteristics
CN111641658A (en) Request intercepting method, device, equipment and readable storage medium
US11349866B2 (en) Hardware acceleration device for denial-of-service attack identification and mitigation
CN106302450A (en) Method and device for detecting malicious addresses in DDoS attacks
US20060272019A1 (en) Intelligent database selection for intrusion detection & prevention systems
KR101045330B1 (en) Method for detecting http botnet based on network
CN110061998B (en) Attack defense method and device
KR101210622B1 (en) Method for detecting ip shared router and system thereof
CN109413022B (en) Method and device for detecting HTTP FLOOD attack based on user behavior
KR101398740B1 (en) System, method and computer readable recording medium for detecting a malicious domain
KR102119636B1 (en) Anonymous network analysis system using passive fingerprinting and method thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant