CN109995750A - The defence method and electronic equipment of network attack - Google Patents


Info

Publication number: CN109995750A
Authority: CN (China)
Prior art keywords: request, model, attack, log, response message
Legal status: Granted
Application number: CN201910046009.9A
Other languages: Chinese (zh)
Other versions: CN109995750B (en)
Inventor: 尚侠
Current assignee: Shanghai Mule Network Technology Co Ltd
Original assignee: Shanghai Mule Network Technology Co Ltd

Events
Application filed by Shanghai Mule Network Technology Co Ltd
Priority to CN201910046009.9A
Publication of CN109995750A
Application granted
Publication of CN109995750B
Current legal status: Active


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1433: Vulnerability analysis
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

This application discloses a defence method against network attacks, and an electronic device, in the field of network security. A first request from an attacker to the defended target is obtained, the first request being an attack request. The attack signature in the first request is extracted. Using a pre-established correspondence between classes of attack signatures and response obfuscation models, the response obfuscation model corresponding to the attack signature in the first request is determined. A partial response message is constructed with the determined response obfuscation model. Dynamic area information of the defended target, identified in advance, is obtained; this information indicates the position at which the partial response message is to be added. The partial response message is added at the position indicated by the dynamic area information to obtain the response message for the first request, which is fed back to the attacker. This improves the protective effect.

Description

The defence method and electronic equipment of network attack
Technical field
This application relates to the field of network security, and in particular to a defence method against network attacks and an electronic device.
Background
With the rapid development of science and technology, computer network technology has advanced quickly. While it brings convenience to people's lives, it also carries security risks and faces a variety of network attacks.
When a user visits a website, data is sent to the website; this process of sending data is called a request. After receiving the request, the website returns the data the user asked for; this process of returning data is called a response. When an attacker launches an attack on a website, attack code is added to the request with the intention of triggering a website vulnerability, so that data the attacker should not be able to obtain, such as sensitive information or information that enables further attacks, is acquired through the response.
In the related art, the more common defence mechanism against network attacks is to intercept the attack request directly and return fixed information to the attacker as the response data. Although this directly interrupts the attacker's access, it also clearly informs the attacker that the attack has been discovered and that the current attack pattern cannot take effect, so the attacker can immediately try a new attack point or change attack means. If the attacker performs vulnerability scanning with an automated scanner, this mechanism cannot effectively interfere with the scanner's efficiency or results, so the protective effect is poor.
Summary of the invention
The purpose of this application is to provide a defence method against network attacks and an electronic device, so as to solve the problem in the related art that the protective effect of the defence mechanism of directly intercepting attack requests is poor.
The purpose of this application is achieved through the following technical solutions:
A defence method against network attacks, comprising:
obtaining a first request from an attacker to the defended target, the first request being an attack request;
extracting the attack signature in the first request;
determining, according to a pre-established correspondence between classes of attack signatures and response obfuscation models and the attack signature in the first request, the response obfuscation model corresponding to the attack signature in the first request; the response obfuscation model is obtained from a first log and a second log gathered in advance and is a model for constructing a partial response message matched to the attack signature in the first request; the first log includes each second request and its corresponding response message, each second request being an attack request against an unprotected target machine; the second log includes each third request and its corresponding response message, each third request being a normal request to the target machine;
constructing the partial response message with the determined response obfuscation model;
obtaining dynamic area information of the defended target identified in advance; the dynamic area information indicates the position at which the partial response message is to be added and is obtained from a third log, the third log including fourth requests and their corresponding response messages, the fourth requests being the everyday normal requests to the defended target;
adding the partial response message at the position indicated by the dynamic area information to obtain the response message for the first request, and feeding it back to the attacker.
Optionally, the response obfuscation model includes a first model and a second model;
the defence method further includes:
obtaining the first log gathered in advance;
taking part or all of the records from the first log as a fourth log;
obtaining the second log gathered in advance;
taking part or all of the records from the second log as a fifth log;
comparing the fourth log with the fifth log to obtain the difference content between the response messages corresponding to the second requests and the response messages corresponding to the third requests;
dividing the difference content into several phrases with a first algorithm and storing them;
extracting the attack signature in each second request and storing it in association with the corresponding phrases;
classifying the attack signatures in the second requests;
for each class of attack signature, obtaining the phrases associated with the attack signature of each second request as the first model, and processing those phrases with a second algorithm to obtain the second model corresponding to that class of attack signature.
Optionally, the second algorithm is a hidden Markov model algorithm, and the second model comprises a state transition matrix, an observation matrix and a probability matrix;
constructing the partial response message with the determined response obfuscation model comprises:
selecting one phrase from the first model using the probability matrix;
based on the phrases in the first model, using the state transition matrix and the observation matrix to construct the partial response message with the selected phrase as the initial phrase.
Optionally, the first request, the second requests and the third requests include information about the server or application; the defence method further includes: using the server or application information as a label for each phrase in the first model;
the second algorithm is a hidden Markov model algorithm; the second model comprises a state transition matrix, an observation matrix and a probability matrix; and constructing the partial response message with the determined response obfuscation model comprises:
obtaining the server or application information in the first request;
obtaining the label of each phrase in the first model;
assigning, according to a preset algorithm, a weight to each phrase in the first model whose label is consistent with the server or application information in the first request;
superimposing the weight on the probability matrix;
selecting an initial phrase from the first model according to the probability matrix after the weight has been superimposed;
based on the phrases in the first model, using the state transition matrix and the observation matrix to construct the partial response message with the selected phrase as the initial phrase.
Optionally, the method further includes:
processing the attack signatures in the second requests with a Gaussian distribution model to obtain Gaussian distribution parameters;
after extracting the attack signature in the first request and before determining the response obfuscation model corresponding to the attack signature of the first request, the defence method further includes:
normalising the attack signature in the first request according to the Gaussian distribution parameters.
Optionally, classifying the attack signatures in the second requests comprises:
classifying the attack signatures in the second requests with a clustering algorithm;
or classifying the attack signatures in the second requests according to preset rules in the form of a mapping table.
Optionally, the method further includes:
obtaining the third log gathered in advance, the third log including fourth requests and their corresponding response messages, the fourth requests being the everyday normal requests to the defended target;
taking part or all of the records from the third log as a sixth log;
dividing the response messages in the sixth log into several phrases with the first algorithm;
comparing the phrases of the response messages for the same defended target, and determining the parts whose matching degree is below a preset matching degree as the dynamic area information and storing it.
Optionally, the first algorithm is an n-gram algorithm or a character edit distance recognition algorithm.
Optionally, the method further includes:
performing attack scanning of the unprotected target machine with various vulnerability scanners to collect the first log;
and/or
accessing the target machine normally with a web crawler to collect the second log.
An electronic device, comprising:
a processor, and a memory connected to the processor;
the memory is for storing a computer program;
the processor is for calling and executing the computer program in the memory to perform the defence method against network attacks according to any of the above.
By adopting the above technical solution, this application has the following beneficial effects:
A first log, containing each attack request against an unprotected target machine and its corresponding response message, and a second log, containing each normal request to the target machine and its corresponding response message, are collected in advance. With the real data of the first and second logs as support, a response obfuscation model is constructed for each class of attack signature, and the correspondence between attack signature classes and response obfuscation models is established in advance so that the response message for an attack request can be constructed. When an aggressive first request against the defended target arrives, the attack signature in the first request is extracted, the class to which it belongs is determined, the corresponding response obfuscation model is found through that correspondence, and a partial response message matched to the attack signature of the first request is constructed with that model. Then, according to the dynamic area information of the defended target identified in advance, the partial response message is added at the position the dynamic area information indicates. Because the dynamic area information is obtained beforehand from a third log containing normal requests to the defended target, the partial response message can be placed accurately at a suitable position. The response message for the first request is thereby obtained and fed back to the attacker. Compared with the related art, the scheme of this embodiment does not directly intercept attack requests but constructs a false response message with the response obfuscation model and feeds it back. Since the constructed response message is derived from the real data of the first, second and third logs, the response message constructed for the first request differs from the response to a normal request while being confusable with the response to a real attack request, presenting false information that a vulnerability exists. This misleads the attacker so that the failure of the attack is not discovered immediately; even if the attacker notices an anomaly, a large number of attack requests receive a large number of constructed response messages, and the attacker cannot verify the authenticity of each one, which disrupts the attacker's line of attack and encourages the attacker to give up, improving the protective effect. If the attacker performs vulnerability scanning with a scanner and the fed-back response message indicates that a vulnerability exists, the scanner keeps probing that vulnerability instead of moving on to scan the next one, which reduces the attacker's scanning efficiency and detection accuracy and improves the protective effect.
Description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of this application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a defence method against network attacks provided by one embodiment of this application;
Fig. 2 is a flowchart of a method for generating a response obfuscation model provided by one embodiment of this application;
Fig. 3 is a schematic structural diagram of an electronic device provided by one embodiment of this application.
Detailed description of the embodiments
To make the purposes, technical solutions and advantages of this application clearer, the technical solutions of this application are described in detail below. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of this application without creative work fall within the scope of protection of this application.
Embodiment
Fig. 1 is a flowchart of a defence method against network attacks provided by an embodiment of this application.
As shown in Fig. 1, the defence method against network attacks provided by this embodiment includes at least the following steps:
Step 11: obtain a first request from the attacker to the defended target; the first request is an attack request.
The defended target may be a website.
Step 12: extract the attack signature in the first request.
Step 13: determine, according to the pre-established correspondence between attack signature classes and response obfuscation models and the attack signature in the first request, the response obfuscation model corresponding to the attack signature in the first request. The response obfuscation model is obtained from a first log and a second log gathered in advance and is a model for constructing a partial response message matched to the attack signature in the first request. The first log includes each second request and its corresponding response message, each second request being an attack request against an unprotected target machine; the second log includes each third request and its corresponding response message, each third request being a normal request to the target machine.
The partial response message is a response message that has the characteristics of the response to a successful attack.
Step 14: construct the partial response message with the determined response obfuscation model.
Step 15: obtain the dynamic area information of the defended target identified in advance. The dynamic area information indicates the position at which the partial response message is to be added and is obtained from a third log; the third log includes fourth requests and their corresponding response messages, the fourth requests being the everyday normal requests to the defended target.
Step 16: add the partial response message at the position indicated by the dynamic area information to obtain the response message for the first request, and feed it back to the attacker.
The first, second and third logs may include the request content and the response message, and may also include information about the website's server and application, the development language used, the response mode, and so on.
In implementation, the response obfuscation model can take many specific structures, and different structures call for different methods of obtaining the model. Examples follow.
In some embodiments, the response obfuscation model includes a first model and a second model. Correspondingly, referring to Fig. 2, the defence method of this embodiment may further include:
Step 21: obtain the first log gathered in advance.
Specifically, various vulnerability scanners are used to perform attack scanning of the unprotected target machine, and the first log is collected. Scanning the target machine in advance with various website vulnerability scanners and collecting the log means the log need not be collected separately for each defended target, so collection is more comprehensive and efficient.
Step 22: take part or all of the records from the first log as a fourth log.
In this step, the part of the log to be processed can be obtained from the first log. Taking the Uniform Resource Locator (URL) in the access log as an example, suppose address 1 is www.a.com/api/1 and address 2 is www.a.com/api/2, where www.a.com is the host part and /api/1 is the path part. In this embodiment, the relevant information can be extracted on the basis of the URL's path part, and variables can be extracted; for example, variable extraction over address 1 and address 2 yields www.a.com/api/id, where id is a variable whose value can be 1 or 2.
Step 23: obtain the second log gathered in advance.
Specifically, a common web crawler is used to access the target machine normally, and the second log is collected.
Step 24: take part or all of the records from the second log as a fifth log.
In this step, the part matching the fourth log is obtained from the second log; for example, the relevant information is likewise extracted on the basis of the URL's path part, and variables are extracted.
Step 25: compare the fourth log with the fifth log to obtain the difference content between the response messages corresponding to the second requests and the response messages corresponding to the third requests.
Step 26: divide the difference content into several phrases with the first algorithm and store them.
The first algorithm is an n-gram algorithm or a character edit distance recognition algorithm; for the specific implementation refer to the related art, which is not repeated here. If the difference content is split with the n-gram algorithm, a word vector containing several phrases is obtained. For example, if the difference content is "private a b c" and every two words form a group, it is divided into the phrases "private a", "a b" and "b c", giving the word vector {"private a", "a b", "b c"}.
Step 27: extract the attack signature in each second request and store it in association with the corresponding phrases.
Specifically, the features extracted from an attack request include: the request verb type (POST, GET, PATCH and the other HTTP request verbs), the identified attack type (SQL injection, XSS, remote command injection and the other attack classes), the threatening characteristic characters, the position of the threatening content in the HTTP packet, the length of the attack data, whether the attack data contains function features, whether the attack data contains phase data, and so on. The extracted features form a feature vector, which is stored in association with the corresponding word vector.
Step 28: classify the attack signatures in the second requests.
Specifically, the attack signatures in the second requests can be classified with a clustering algorithm, which is simpler and more accurate; alternatively, they can be classified according to preset rules in the form of a mapping table. Other classification methods can of course also be used.
Step 29: for each class of attack signature, obtain the phrases associated with the attack signature of each second request as the first model, and process those phrases with the second algorithm to obtain the second model corresponding to that class of attack signature.
The second algorithm can be the hidden Markov model (HMM) algorithm; the second model then comprises a state transition matrix, an observation matrix and a probability matrix. Correspondingly, constructing the partial response message with the determined response obfuscation model can be implemented as follows: select one phrase from the first model using the probability matrix; then, based on the phrases in the first model, use the state transition matrix and the observation matrix to construct the partial response message with the selected phrase as the initial phrase. The specific implementation of the HMM algorithm can refer to the related art and is not repeated here.
To improve the accuracy of the initial phrase selected, the information about the server or application hosting the defended target can be referred to. Optionally, the first request, the second requests and the third requests include server or application information, and the defence method of this embodiment further includes using the server or application information as a label for each phrase in the first model. If the second algorithm is the HMM algorithm and the second model comprises a state transition matrix, an observation matrix and a probability matrix, constructing the partial response message with the determined response obfuscation model can be implemented as follows: obtain the server or application information in the first request; obtain the label of each phrase in the first model; assign a weight according to a preset algorithm to each phrase in the first model whose label is consistent with the server or application information in the first request; superimpose the weight on the probability matrix; select an initial phrase from the first model according to the probability matrix after the weight has been superimposed; and, based on the phrases in the first model, use the state transition matrix and the observation matrix to construct the partial response message with the selected phrase as the initial phrase.
The weights assigned to the phrases sum to 1.
Suppose the first model contains phrases A, B and C with respective probability weights of 1, 1 and 1, and only B is a phrase meeting the above condition. A weight of 1 is then assigned to B, the superimposed weights become 1, 2 and 1, and after superposition the probability of B becomes 1/2.
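The following is an added example, not code from the patent, covering steps 25 to 29 above together with the label-weighted initial phrase selection just described. The fourth and fifth logs, the attack feature fields, the class mapping table and the server labels are all constructed, and the HMM is a simplified one in which each phrase state emits its last word.

```python
import difflib
import random
from collections import defaultdict

# Constructed fourth log (attack requests against the unprotected target machine) and
# fifth log (normal responses). Paths are already in variable form as in step 22.
FOURTH_LOG = [
    {"path": "/api/id", "verb": "GET", "attack_type": "sqli", "server": "nginx",
     "payload": "' OR 1=1--", "response": "Users: alice bob private token 1234 secret key"},
    {"path": "/api/id", "verb": "POST", "attack_type": "sqli", "server": "apache",
     "payload": "1 UNION SELECT user()", "response": "Users: alice bob secret key admin hash"},
]
FIFTH_LOG = {"/api/id": "Users: alice bob"}
CLASS_TABLE = {"sqli": "injection", "cmdi": "injection", "xss": "script"}  # step 28 mapping table


def diff_content(attack_response, normal_response):
    """Step 25: words the attack response carries beyond the normal response."""
    normal, attack = normal_response.split(), attack_response.split()
    extra = []
    for tag, _, _, j1, j2 in difflib.SequenceMatcher(None, normal, attack).get_opcodes():
        if tag in ("insert", "replace"):
            extra.extend(attack[j1:j2])
    return extra


def ngram_phrases(words, n=2):
    """Step 26, first algorithm (n-gram): "private a b c" -> "private a", "a b", "b c"."""
    return [" ".join(words[i:i + n]) for i in range(len(words) - n + 1)]


def attack_features(rec):
    """Step 27: feature vector (verb, attack type, data length, function feature, digits)."""
    p = rec["payload"]
    return (rec["verb"], rec["attack_type"], len(p), "(" in p, any(c.isdigit() for c in p))


class SecondModel:
    """Simplified HMM for one signature class: hidden states are phrases and each state
    emits its last word, so the observation matrix is a state -> word map. Counts
    ("specific gravity") stay raw and are normalised when sampling."""

    def __init__(self):
        self.gravity = defaultdict(float)                          # probability matrix
        self.transition = defaultdict(lambda: defaultdict(float))  # state transition matrix
        self.observation = {}                                      # observation matrix
        self.labels = {}                                           # phrase -> server label

    def train(self, phrases, label):
        self.gravity[phrases[0]] += 1
        for cur, nxt in zip(phrases, phrases[1:]):
            self.transition[cur][nxt] += 1
        for phrase in phrases:
            self.observation[phrase] = phrase.split()[-1]
            self.labels.setdefault(phrase, label)


def initial_distribution(gravity, labels=None, request_label=None, total_weight=1.0):
    """Probability matrix for the initial phrase: a total weight of 1 (the sum the patent
    specifies) is shared by the phrases whose label matches the server or application
    named in the first request and superimposed on their gravity before normalising."""
    boosted = dict(gravity)
    if labels and request_label is not None:
        matches = [p for p in boosted if labels.get(p) == request_label]
        for p in matches:
            boosted[p] += total_weight / len(matches)
    total = sum(boosted.values())
    return {p: v / total for p, v in boosted.items()}


def build_models(fourth_log, fifth_log):
    """Steps 25-29: {class: (first model, second model, [(features, phrases)])}."""
    models = {}
    for rec in fourth_log:
        phrases = ngram_phrases(diff_content(rec["response"], fifth_log[rec["path"]]))
        if not phrases:
            continue
        cls = CLASS_TABLE.get(rec["attack_type"], "other")
        first, second, feats = models.setdefault(cls, (set(), SecondModel(), []))
        first.update(phrases)                  # first model: the class's phrases
        second.train(phrases, rec["server"])   # second model: HMM matrices
        feats.append((attack_features(rec), phrases))
    return models


def generate_partial_response(second, rng, request_label=None, max_words=8):
    """Step 14: pick the initial phrase from the (weighted) probability matrix, then walk
    the transition matrix emitting one observation per step until the chain ends."""
    dist = initial_distribution(second.gravity, second.labels, request_label)
    state = rng.choices(list(dist), weights=list(dist.values()))[0]
    words = state.split()
    while len(words) < max_words:
        nxt = second.transition.get(state)
        if not nxt:
            break
        state = rng.choices(list(nxt), weights=list(nxt.values()))[0]
        words.append(second.observation[state])
    return " ".join(words)


def demo(seed=7, request_label="nginx"):
    # Build the models from the constructed logs and generate one partial response.
    _, second, _ = build_models(FOURTH_LOG, FIFTH_LOG)["injection"]
    return generate_partial_response(second, random.Random(seed), request_label)
```

With the constructed logs every generated phrase chain is one that appeared in a real attack response, which is what makes the fabricated fragment confusable with a genuine one.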
The second algorithm can also be naive Bayes or the like.
Considering that attackers apply some form of mutation to attack signatures in real attacks, the inventor proposes the following to address this problem: process the attack signatures in the second requests with a Gaussian distribution model to obtain Gaussian distribution parameters; and, after extracting the attack signature in the first request and before determining the response obfuscation model corresponding to it, the defence method of this embodiment may further include normalising the attack signature in the first request according to the Gaussian distribution parameters. The Gaussian distribution parameters include a mean and a standard deviation. Because the Gaussian distribution behaves much like the 80/20 rule, with most of the data concentrated and only a small amount deviating from the concentrated part, in this embodiment the extracted attack signature of the first request is normalised with the Gaussian distribution model, so that it can still be classified accurately even after mutation. For example, the number of words in an aggressive request is usually relatively large, so the word count can be normalised by this feature.
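As an added example (not the patent's own code), the normalisation just described with constructed feature vectors (word count, attack data length) for two signature classes: Gaussian parameters are taken from the second requests, the first request's vector is converted to z-scores per class, and, going one step beyond the text, the nearest class in z-score space is chosen so that a request padded with extra words still lands in its class.

```python
import math

# Constructed feature vectors (word count, attack data length) extracted from the
# second requests of two attack signature classes.
TRAINING = {
    "injection": [(6, 18), (7, 22), (8, 25), (6, 20)],
    "script": [(3, 40), (4, 48), (3, 44), (4, 52)],
}


def gaussian_parameters(vectors):
    """Gaussian distribution parameters (mean and standard deviation) per feature."""
    dims = range(len(vectors[0]))
    means = [sum(v[d] for v in vectors) / len(vectors) for d in dims]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vectors) / len(vectors)) for d in dims]
    return means, [s if s > 0 else 1.0 for s in stds]  # a constant feature keeps unit scale


def normalize(vector, params):
    """Normalise a first request's feature vector to z-scores under the given parameters."""
    means, stds = params
    return [(x - m) / s for x, m, s in zip(vector, means, stds)]


def classify(first_request_vector, training=TRAINING):
    """Normalise against every class's parameters and choose the class whose centre is
    closest in z-score space. Because each class's spread is taken into account, a
    mutated request (more words, longer payload) still lands in its own class."""
    distances = {}
    for cls, vectors in training.items():
        z = normalize(first_request_vector, gaussian_parameters(vectors))
        distances[cls] = math.sqrt(sum(c * c for c in z))
    return min(distances, key=distances.get)
```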
In some embodiments, the defence method of this embodiment may optionally further include: obtaining a third log collected in advance, where the third log includes fourth requests and their corresponding response messages and the fourth requests are daily normal requests to the defense target; taking part or all of the third log as a sixth log; dividing the response messages in the sixth log into several phrases using the first algorithm; and comparing the phrases of each response message for the same defense target, determining the parts whose matching degree is lower than a preset matching degree as dynamic area information, and storing it. In this embodiment, a low matching degree indicates that the part differs because the accessing users differ: it is a dynamic area, and the response message needs to be constructed there.
Specifically, the parts identical to the fourth log are obtained from the third log, for example by again using the path part of the URL as the basis for extracting the relevant information and performing variable extraction.
Likewise, the first algorithm used is the n-gram algorithm or a character edit distance recognition algorithm.
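The dynamic-area identification just described, as an added example (not the patent's own code), using the n-gram variant of the first algorithm: responses to the same defense target are split into word bigrams, each phrase's matching degree is the fraction of responses containing it, phrases below the preset matching degree are the dynamic area information, and the token positions covered only by dynamic phrases are the slots where a constructed partial response message would later be inserted. The three responses, the bigram size and the 0.5 threshold are constructed values.

```python
"""Dynamic area identification from daily normal responses (added example)."""
from collections import Counter

# Constructed sample: three daily normal responses to the same page; only the
# user name and the date vary between visitors.
RESPONSES = [
    "Welcome back alice your last login was 2019-01-17",
    "Welcome back bob your last login was 2019-01-16",
    "Welcome back carol your last login was 2019-01-15",
]


def ngrams(tokens, n):
    """Word n-grams of a token list, joined back into phrases."""
    return [" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def phrase_matching_degree(responses, n=2):
    """Fraction of responses (for one defense target) that contain each phrase."""
    per_response = [set(ngrams(r.split(), n)) for r in responses]
    counts = Counter(p for phrases in per_response for p in phrases)
    return {p: c / len(responses) for p, c in counts.items()}


def dynamic_phrases(responses, n=2, threshold=0.5):
    """Phrases whose matching degree is below the preset matching degree."""
    return {p for p, d in phrase_matching_degree(responses, n).items() if d < threshold}


def dynamic_token_positions(reference, dyn, n=2):
    """Token positions in `reference` covered only by dynamic phrases.
    A token that also belongs to a static phrase (e.g. 'back' in
    'Welcome back') stays static; only the per-user slots remain."""
    tokens = reference.split()
    grams = ngrams(tokens, n)
    positions = []
    for i in range(len(tokens)):
        # n-gram j covers tokens j .. j+n-1, so token i is covered by j in [i-n+1, i]
        covering = [grams[j] for j in range(max(0, i - n + 1), min(i, len(grams) - 1) + 1)]
        if covering and all(g in dyn for g in covering):
            positions.append(i)
    return positions


if __name__ == "__main__":
    dyn = dynamic_phrases(RESPONSES)
    print(sorted(dyn))
    print(dynamic_token_positions(RESPONSES[0], dyn))  # user name and date slots
```

On the constructed responses the static skeleton ("Welcome back", "your last login was") gets matching degree 1.0, while the user-name and date bigrams score 1/3 and are flagged as dynamic; the position mapping then isolates exactly the two varying tokens. The character edit distance alternative named in the text would replace the exact bigram match with a distance threshold, which tolerates small spelling variations between responses.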
Fig. 3 is a structural schematic diagram of an electronic device provided by another embodiment of this application.
This embodiment provides an electronic device which, as shown in Fig. 3, comprises:
a processor 301, and a memory 302 connected to the processor 301;
the memory 302 is configured to store a computer program;
the processor 301 is configured to call and execute the computer program in the memory so as to perform the defence method against network attacks of any of the above embodiments.
For the specific implementation of the electronic device provided in this embodiment, reference may be made to the embodiments of the defence method against network attacks in any of the above examples; details are not repeated here.
It is understood that the same or similar parts of the above embodiments may be referred to one another, and content not described in detail in one embodiment may be found in the same or similar content of other embodiments.
It should be noted that in the description of this application the terms "first", "second" and the like are used for descriptive purposes only and are not to be interpreted as indicating or implying relative importance. In addition, in the description of this application, unless otherwise indicated, "multiple" means at least two.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of this application includes other implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the function involved, as should be understood by those skilled in the art to which the embodiments of this application belong.
It should be appreciated that each part of this application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented with software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or a combination of the following techniques well known in the art may be used: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and so on.
Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by instructing relevant hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiment or a combination thereof.
In addition, the functional units in the embodiments of this application may be integrated in one processing module, or each unit may exist physically alone, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and is sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a particular feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of this application have been shown and described above, it is to be understood that the above embodiments are exemplary and should not be construed as limiting this application; those skilled in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of this application.

Claims (10)

1. A defence method against network attacks, characterized by comprising:
obtaining a first request sent by an attacker to a defense target, the first request being an attack request;
extracting the attack signature in the first request;
determining, according to a pre-established correspondence between classes of attack signatures and response obfuscation models and the attack signature in the first request, the response obfuscation model corresponding to the attack signature in the first request; the response obfuscation model is obtained from a first log and a second log collected in advance, and is a model that constructs and generates a partial response message matching the attack signature in the first request; the first log includes second requests and their corresponding response messages, each second request being an attack request against an unprotected target machine; the second log includes third requests and their corresponding response messages, each third request being a normal request to the target machine;
generating the partial response message using the determined response obfuscation model;
obtaining dynamic area information of the defense target identified in advance; the dynamic area information indicates the position at which the partial response message is to be added, and is obtained from a third log, the third log including fourth requests and their corresponding response messages, the fourth requests being daily normal requests to the defense target;
adding the partial response message at the position indicated by the dynamic area information to obtain the response message for the first request, and feeding it back to the attacker.
2. The defence method according to claim 1, characterized in that the response obfuscation model includes a first model and a second model;
the defence method further includes:
obtaining the first log collected in advance;
taking part or all of the first log as a fourth log;
obtaining the second log collected in advance;
taking part or all of the second log as a fifth log;
comparing the fourth log with the fifth log to obtain the difference content between the response messages corresponding to the second requests and the response messages corresponding to the third requests;
dividing the difference content into several phrases using a first algorithm and storing them;
extracting the attack signature in each second request and storing it in association with the corresponding phrases;
classifying the attack signatures in the second requests;
for each class of attack signature, obtaining the phrases associated with the attack signatures in each second request as the first model, and processing the phrases with a second algorithm to obtain the second model corresponding to that class of attack signature.
3. The defence method according to claim 2, characterized in that the second algorithm is the hidden Markov model algorithm, and the second model includes a state-transition matrix, an observation matrix and a probability matrix;
generating the partial response message using the determined response obfuscation model includes:
selecting one phrase from the first model using the probability matrix;
based on each phrase in the first model, using the state-transition matrix and the observation matrix to construct and generate the partial response message with the selected phrase as the initial phrase.
4. The defence method according to claim 2, characterized in that the first request, the second requests and the third requests include information about a server or application; the defence method further includes: using the server or application information as the label of each phrase in the first model;
the second algorithm is the hidden Markov model algorithm; the second model includes a state-transition matrix, an observation matrix and a probability matrix; generating the partial response message using the determined response obfuscation model includes:
obtaining the server or application information in the first request;
obtaining the label of each phrase in the first model;
assigning a weighted value, according to a preset algorithm, to the phrases in the first model whose label is consistent with the server or application information in the first request;
superimposing the weighted value on the probability matrix;
selecting an initial phrase from the first model according to the probability matrix after the weighted value has been superimposed;
based on each phrase in the first model, using the state-transition matrix and the observation matrix to construct and generate the partial response message with the selected phrase as the initial phrase.
5. The defence method according to claim 2, characterized by further including:
processing the attack signatures in the second requests with a Gaussian distribution model to obtain Gaussian distribution parameters;
after extracting the attack signature in the first request and before determining the response obfuscation model corresponding to the attack signature of the first request, the defence method further includes:
normalizing the attack signature in the first request according to the Gaussian distribution parameters.
6. The defence method according to claim 2, characterized in that classifying the attack signatures in the second requests includes:
classifying the attack signatures in the second requests using a clustering algorithm;
or classifying the attack signatures in the second requests according to preset rules in the form of a mapping table.
7. The defence method according to claim 1, characterized by further including:
obtaining the third log collected in advance;
taking part or all of the third log as a sixth log;
dividing the response messages in the sixth log into several phrases using the first algorithm;
comparing the phrases of each response message for the same defense target, determining the parts whose matching degree is lower than a preset matching degree as dynamic area information, and storing it.
8. The defence method according to claim 2 or 7, characterized in that the first algorithm is the n-gram algorithm or a character edit distance recognition algorithm.
9. The defence method according to claim 1, characterized by further including:
performing attack scanning on the unprotected target machine using various vulnerability scanners to collect the first log;
and/or
accessing the target machine normally using a web crawler to collect the second log.
10. An electronic device, characterized by comprising:
a processor, and a memory connected to the processor;
the memory is configured to store a computer program;
the processor is configured to call and execute the computer program in the memory so as to perform the defence method against network attacks according to any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910046009.9A CN109995750B (en) 2019-01-17 2019-01-17 Network attack defense method and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910046009.9A CN109995750B (en) 2019-01-17 2019-01-17 Network attack defense method and electronic equipment

Publications (2)

Publication Number Publication Date
CN109995750A true CN109995750A (en) 2019-07-09
CN109995750B CN109995750B (en) 2021-07-23

Family

ID=67129225

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910046009.9A Active CN109995750B (en) 2019-01-17 2019-01-17 Network attack defense method and electronic equipment

Country Status (1)

Country Link
CN (1) CN109995750B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535703A (en) * 2019-08-30 2019-12-03 艾西威汽车科技(北京)有限公司 A kind of car networking communication check method, apparatus and platform and computer readable storage medium
CN112637205A (en) * 2020-12-22 2021-04-09 北京天融信网络安全技术有限公司 Web attack recognition method and device
CN113141347A (en) * 2021-03-16 2021-07-20 中国科学院信息工程研究所 Social work information protection method and device, electronic equipment and storage medium
CN113783848A (en) * 2021-08-25 2021-12-10 张惠冰 Network active defense method and device based on deceptive artificial intelligence
CN114553529A (en) * 2022-02-22 2022-05-27 深信服科技股份有限公司 Data processing method, device, network equipment and storage medium
CN114567472A (en) * 2022-02-22 2022-05-31 深信服科技股份有限公司 Data processing method and device, electronic equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103227798A (en) * 2013-04-23 2013-07-31 西安电子科技大学 Immunological network system
CN105721442A (en) * 2016-01-22 2016-06-29 耿童童 Spurious response system and method based on dynamic variation and network security system and method
CN107070852A (en) * 2016-12-07 2017-08-18 东软集团股份有限公司 Network attack detecting method and device
WO2017189593A1 (en) * 2016-04-26 2017-11-02 Acalvio Technologies, Inc. Responsive deception mechanisms
CN107332823A (en) * 2017-06-06 2017-11-07 北京明朝万达科技股份有限公司 A kind of server camouflage method and system based on machine learning

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
林建宝: "Research on website protection technology based on network deception", China Master's Theses Full-text Database (Information Science and Technology) *

Also Published As

Publication number Publication date
CN109995750B (en) 2021-07-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right
Denomination of invention: Defense methods and electronic equipment of network attack
Effective date of registration: 20230220
Granted publication date: 20210723
Pledgee: Shanghai Pudong Development Bank Co.,Ltd. Songjiang Sub branch
Pledgor: Shanghai Mule Network Technology Co.,Ltd.
Registration number: Y2023310000033