CN109995750B - Network attack defense method and electronic equipment - Google Patents
- Publication number: CN109995750B (application CN201910046009.9A)
- Authority: CN (China)
- Prior art keywords: request, attack, model, log, response information
- Legal status: Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1433—Vulnerability analysis
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Abstract
The application discloses a network attack defense method and electronic equipment, applied in the technical field of network security. The method comprises: acquiring a first request of an attack side for a protection target, the first request being an attack request; extracting attack features in the first request; determining the response confusion model corresponding to the attack features in the first request according to the pre-established corresponding relation between various attack features and response confusion models and the attack features in the first request; constructing and generating partial response information using the determined response confusion model; acquiring the pre-identified dynamic area information of the protection target, the dynamic area information indicating the position at which the partial response information is added; and adding the partial response information at the position indicated by the dynamic area information to obtain the response information of the first request, which is fed back to the attack side, so that the defense effect is improved.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method for defending against network attacks and an electronic device.
Background
With the progress of science and technology, computer network technology has developed rapidly; while it brings convenience to people's lives, it also carries certain security risks and faces various network attacks.
When a user accesses a website, data is sent to the website; this sending of data is called a request. After receiving the request, the website returns the data requested by the user; this returning of data is called a response. When an attacker attacks a website, attack code is added to a request in an attempt to trigger a website vulnerability, so that data the attacker should not be able to obtain, such as sensitive information or information that enables further attacks, is obtained through the response information.
In the related art, a relatively common defense against network attacks is to directly intercept the attack request and return fixed data to the attacker as the response information. Although this directly interrupts the attacker's current access behavior, it also clearly informs the attacker that the attack has been detected and that the current attack mode cannot succeed, so the attacker can immediately try a new attack point or change attack means. If the attacker uses an automatic scanner to scan for vulnerabilities, neither its operating efficiency nor its scanning results are effectively interfered with, and the defense effect is poor.
Disclosure of Invention
The application aims to provide a network attack defense method and electronic equipment to solve the problem that the defense effect of a defense mode for directly intercepting an attack request in the related art is poor.
The purpose of the application is realized by the following technical scheme:
a method for defending against cyber attacks, comprising:
acquiring a first request of an attack side for a protection target; the first request is an attack request;
extracting attack features in the first request;
determining a response confusion model corresponding to the attack features in the first request according to the pre-established corresponding relation between various attack features and response confusion models and the attack features in the first request; the response confusion model is a model, constructed from a first log and a second log collected in advance, for generating partial response information matched with the attack features in the first request; the first log comprises second requests and corresponding response information, the second requests being attack requests aimed at an unprotected target drone; the second log comprises third requests and corresponding response information, the third requests being normal requests for the target drone;
constructing and generating the partial response information using the determined response confusion model;
acquiring the pre-identified dynamic area information of the protection target; the dynamic area information indicates the position at which the partial response information is added and is obtained according to a third log, the third log comprising fourth requests and corresponding response information, the fourth requests being daily normal requests for the protection target;
and adding the partial response information at the position indicated by the dynamic area information to obtain the response information of the first request, and feeding back the response information to the attack side.
Optionally, the response confusion model comprises a first model and a second model;
the defense method further comprises the following steps:
acquiring a first log collected in advance;
acquiring part or all of the logs from the first log as a fourth log;
acquiring the second log collected in advance;
acquiring part or all of the logs from the second log as a fifth log;
comparing the fourth log with the fifth log to obtain the difference content between the response information corresponding to the second request and the response information corresponding to the third request;
adopting a first algorithm to divide the difference content into a plurality of phrases for storage;
extracting attack characteristics in the second request, and storing the attack characteristics in association with each corresponding word group;
classifying attack characteristics in the second request;
and in each type of attack characteristics, obtaining each word group associated with the attack characteristics in each second request as a first model, and processing each word group by adopting a second algorithm to obtain a second model corresponding to the attack characteristics of the type.
Optionally, the second algorithm is a hidden Markov model algorithm, and the second model comprises a state transition matrix, an observation matrix and an initial probability matrix;
the constructing and generating the partial response information using the determined response confusion model comprises:
selecting a phrase from the first model by adopting the initial probability matrix;
and generating the partial response information by adopting the state transition matrix and the observation matrix and taking the selected phrase as an initial phrase structure based on each phrase in the first model.
Optionally, the first request, the second request, and the third request each include information of a server or an application; the defense method further comprises the following steps: taking the information of the server or the application as a mark of each phrase in the first model;
the second algorithm is a hidden Markov model algorithm, and the second model comprises a state transition matrix, an observation matrix and an initial probability matrix; the constructing and generating the partial response information using the determined response confusion model comprises:
acquiring information of a server or an application in the first request;
acquiring marks of all the phrases in the first model;
assigning a weight value to the phrase which is marked in the first model and is consistent with the information of the server or the application in the first request according to a preset algorithm;
superimposing the weight values on the basis of the initial probability matrix;
selecting an initial phrase from the first model according to the initial probability matrix superposed with the weight value;
and generating the partial response information by adopting the state transition matrix and the observation matrix and taking the selected phrase as an initial phrase structure based on each phrase in the first model.
Optionally, the method further includes:
processing the attack characteristics in the second request by adopting a Gaussian distribution model to obtain Gaussian distribution parameters;
after the extracting of the attack features in the first request and before the determining of the response confusion model corresponding to the attack features of the first request, the defense method further includes:
and carrying out normalization processing on the attack characteristics in the first request according to the Gaussian distribution parameters.
Optionally, the classifying the attack features in the second request includes:
classifying the attack characteristics in the second request by adopting a clustering algorithm;
or classifying the attack characteristics in the second request in the form of a mapping table according to a preset rule.
Optionally, the method further includes:
acquiring the third log collected in advance; the third log comprises a fourth request and corresponding response information, wherein the fourth request is a daily normal request for the protection target;
acquiring part or all of the third log as a sixth log;
dividing the response information in the sixth log into a plurality of phrases by adopting a first algorithm;
and comparing phrases of each response message aiming at the same protection target, and determining the part with the matching degree smaller than the preset matching degree as the dynamic area message and storing the dynamic area message.
Optionally, the first algorithm is an n-gram algorithm or a character edit distance recognition algorithm.
Optionally, the method further includes:
performing attack scanning on the unprotected target drone with various vulnerability scanners and collecting the first log;
and/or
normally accessing the target drone with a web crawler and collecting the second log.
An electronic device, comprising:
a processor, and a memory coupled to the processor;
the memory is used for storing a computer program;
the processor is configured to call and execute the computer program in the memory to execute the method for defending against a network attack as described in any one of the above.
By adopting the above technical scheme, this application has the following beneficial effects:
A first log comprising attack requests against an unprotected target drone and the corresponding response information, and a second log comprising normal requests to the target drone and the corresponding response information, are collected in advance. Supported by the real data of the first log and the second log, response confusion models corresponding to the various attack features are constructed for generating the response information of attack requests. When a first request with aggressiveness toward the protection target arrives, the attack features in the first request are extracted, the category to which they belong is determined, the corresponding response confusion model is determined from the pre-established corresponding relation, and that model is used to construct partial response information matching the attack features of the first request. Then, according to the dynamic area information of the protection target identified in advance, which is obtained from a third log comprising normal requests for the protection target, the partial response information is added at the position indicated by the dynamic area information, so that it is accurately placed at a proper position; the resulting response information of the first request is fed back to the attack side.
Compared with the related art, the scheme of this embodiment does not directly intercept the attack request but constructs false response information through the response confusion model and feeds it back. Because the constructed response information is based on the real data of the first, second and third logs, it can be distinguished from the response information of a normal request and confused with the response information of an actual attack request. False information suggesting a vulnerability is provided, the attacker is confused and cannot immediately discover that the attack has failed. Even if the attacker notices an abnormality, a large number of attack requests are answered with a large volume of structured response information, and the attacker cannot verify the authenticity of each response one by one; the attacker's line of attack is disturbed and the attack is abandoned, so the defense effect is improved. If the attacker scans for vulnerabilities with a scanner and the fed-back response information indicates a vulnerability, the scanner keeps probing the supposed existing vulnerability instead of continuing to scan for the next one, which reduces the vulnerability scanning efficiency and detection accuracy of the attack side and improves the defense effect.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for defending against a network attack according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for generating a response confusion model according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail below. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without making any creative effort, shall fall within the protection scope of the present application.
Examples
Referring to fig. 1, fig. 1 is a flowchart of a method for defending against a network attack according to an embodiment of the present application.
As shown in fig. 1, the method for defending against a network attack provided by this embodiment at least includes the following steps:
Step 11, acquiring a first request of an attack side for a protection target, the first request being an attack request.
Wherein the protection target may be a website.
Step 12, extracting attack features in the first request.
Step 13, determining the response confusion model corresponding to the attack features in the first request according to the pre-established corresponding relation between various attack features and response confusion models.
Wherein the partial response information is response information having the characteristics of a successful-attack response.
Step 14, constructing and generating the partial response information using the determined response confusion model.
Step 15, acquiring the pre-identified dynamic area information of the protection target.
Step 16, adding the partial response information at the position indicated by the dynamic area information to obtain the response information of the first request, and feeding back the response information to the attack side.
The first log, the second log, and the third log may include requested content and response information, and may further include information of a server and an application of a website, a development language used, a response mode, and the like.
In practice, there are many specific structures of the response confusion model. The structure of the response confusion model is different, and correspondingly, the method for obtaining the response confusion model is also different. The following examples are given.
In some embodiments, the response confusion model comprises a first model and a second model; correspondingly, referring to fig. 2, the defense method of the present embodiment may further include:
and step 21, acquiring a first log collected in advance.
Specifically, attack scanning is carried out on the unprotected drone by adopting various vulnerability scanners, and a first log is collected. The target drone is scanned in advance through various website vulnerability scanners and logs are collected, so that each protected target does not need to be collected independently, and the collection effect is more comprehensive and efficient.
And step 22, acquiring a part of or all logs from the first logs as fourth logs.
In this step, the part of the log that needs to be processed may be obtained from the first log. Taking the Uniform Resource Locator (URL) in the access log as an example: assume that website 1 is www.a.com/api/1 and website 2 is www.a.com/api/2, where www.a.com is the host part and /api/1 is the path part. In this embodiment, the relevant information may be extracted based on the path part of the URL, and variable extraction may be performed; for example, variable extraction on website 1 and website 2 yields www.a.com/api/id, where id is a variable whose value may be 1 or 2.
And step 23, acquiring a second log collected in advance.
Specifically, normal access is carried out on the target drone by adopting a common web crawler, and a second log is collected.
And 24, acquiring a part of or all the logs from the second logs as fifth logs.
In this step, the same portion as the fourth log is acquired from the second log, and for example, the relevant information is extracted based on the path portion of the URL, and the variable extraction is performed.
And step 25, comparing the fourth log with the fifth log to obtain the difference content between the response information corresponding to the second request and the response information corresponding to the third request.
And 26, segmenting the difference content into a plurality of phrases by adopting a first algorithm for storage.
The first algorithm is an n-gram algorithm or a character edit distance recognition algorithm; for the specific implementation, reference may be made to the related art, which is not described here again. If the difference content is segmented with an n-gram algorithm, a word vector comprising a plurality of phrases is obtained. For example, if the difference content is "private a b c" and every two words are grouped, it is segmented into the phrases "private a", "a b" and "b c", giving the word vector { "private a", "a b", "b c" }.
And 27, extracting the attack characteristics in the second request, and storing the attack characteristics in association with corresponding phrases.
Specifically, the features extracted from the attack request include: the request verb type (the various HTTP request verbs such as POST, GET, PATCH and the like), the recognized attack type (the various attack categories such as SQL injection, XSS, remote command injection and the like), the characteristic characters carrying the threat, the position of the threat content in the HTTP packet, the attack data length, whether the attack data contains functional characteristics, whether the attack data contains phase data, and the like. The extracted features are combined into a feature vector, which is stored in association with the corresponding word vector.
And step 28, classifying the attack characteristics in the second request.
Specifically, the attack characteristics in the second request can be classified by adopting a clustering algorithm, so that the classification is simpler and more accurate; or classifying the attack characteristics in the second request in the form of a mapping table according to a preset rule. Of course, other classification schemes may be used.
And step 29, in each type of attack characteristics, obtaining each phrase associated with the attack characteristics in each second request as a first model, and processing each phrase by adopting a second algorithm to obtain a second model corresponding to the attack characteristics of the class.
Wherein the second algorithm may be a hidden Markov model (HMM) algorithm, in which case the second model comprises a state transition matrix, an observation matrix and an initial probability matrix. Correspondingly, constructing and generating the partial response information with the determined response confusion model may be implemented as follows: selecting a phrase from the first model using the initial probability matrix; and, based on the phrases in the first model, generating the partial response information using the state transition matrix and the observation matrix with the selected phrase as the initial phrase. For the specific implementation of the HMM algorithm, reference may be made to the related art, which is not described here again.
In order to improve the accuracy of the selected initial phrase, the information of the server or the application on which the protection target runs may be taken into account. Optionally, the first request, the second request and the third request each include information of the server or the application, and the defense method of this embodiment further comprises taking the information of the server or the application as a mark of each phrase in the first model. If the second algorithm is an HMM algorithm, the second model comprises a state transition matrix, an observation matrix and an initial probability matrix, and constructing and generating the partial response information with the determined response confusion model may be implemented as follows: acquiring the information of the server or the application in the first request; acquiring the marks of all phrases in the first model; assigning, according to a preset algorithm, a weight value to each phrase whose mark in the first model is consistent with the information of the server or the application in the first request; superimposing the weight values on the initial probability matrix; selecting the initial phrase from the first model according to the initial probability matrix with the weight values superimposed; and, based on the phrases in the first model, generating the partial response information using the state transition matrix and the observation matrix with the selected phrase as the initial phrase.
Wherein the weight values allocated to the phrases sum to 1.
Assume the first model comprises phrases A, B and C whose initial probabilities have the proportions 1, 1 and 1, and that only B is a matched phrase as described above. A weight value of 1 is assigned to B, so the proportions after superposition are 1, 2 and 1, and the probability of B becomes 1/2.
The second algorithm may also be naive Bayes, or the like.
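The following is an added example, not code from the patent: it builds the first model (phrases tagged with server marks) and a second model from difference content as in steps 26 to 29, then applies the server-mark weighting to the initial probabilities and generates partial response information. The HMM is simplified to a first-order Markov chain over phrases; the difference content and server marks in the demo are constructed.

```python
from collections import defaultdict
import random


def ngram_phrases(text, n=2):
    """First algorithm (n-gram): split difference content into overlapping n-word phrases."""
    words = text.split()
    return [" ".join(words[i:i + n]) for i in range(max(len(words) - n + 1, 0))]


def reassemble(phrases):
    """Rejoin overlapping n-gram phrases into running text:
    ['private a', 'a b', 'b c'] -> 'private a b c'."""
    if not phrases:
        return ""
    words = phrases[0].split()
    for phrase in phrases[1:]:
        pw = phrase.split()
        if len(pw) > 1 and words[-(len(pw) - 1):] == pw[:-1]:
            words.append(pw[-1])      # overlap: only the new trailing word is appended
        else:
            words.extend(pw)
    return " ".join(words)


class ConfusionModel:
    """Response confusion model for one class of attack features.

    first model : the phrases, each tagged with the server/application marks it was seen with
    second model: initial phrase counts and phrase-to-phrase transition counts
    (assumption: a first-order Markov chain over phrases stands in for the patent's HMM
    with separate state-transition and observation matrices)."""

    def __init__(self):
        self.phrases = []                                   # first model, insertion order
        self.marks = {}                                     # phrase -> set of server marks
        self.initial = defaultdict(float)                   # how often a phrase opened a diff
        self.transitions = defaultdict(lambda: defaultdict(float))

    def add_difference(self, diff_text, server_mark, n=2):
        """Steps 26/27: segment one difference content and store it with its server mark."""
        seq = ngram_phrases(diff_text, n)
        for phrase in seq:
            if phrase not in self.marks:
                self.phrases.append(phrase)
                self.marks[phrase] = set()
            self.marks[phrase].add(server_mark)
        if seq:
            self.initial[seq[0]] += 1
        for a, b in zip(seq, seq[1:]):
            self.transitions[a][b] += 1

    def weighted_initial(self, server_mark, base=None, total_weight=1.0):
        """Superimpose a weight (summing to total_weight, split evenly) on the phrases whose
        mark matches the first request's server/application, then renormalise.
        base defaults to the uniform proportions 1, 1, 1, ... of the patent's A/B/C example."""
        gravity = dict(base) if base else {p: 1.0 for p in self.phrases}
        matched = [p for p in self.phrases if server_mark in self.marks[p]]
        for p in matched:
            gravity[p] += total_weight / len(matched)
        total = sum(gravity.values())
        return {p: gravity[p] / total for p in self.phrases}

    def generate(self, server_mark, max_phrases=4, rng=None):
        """Pick the initial phrase from the weighted initial probabilities, then walk the
        transition counts to build the partial response information."""
        if not self.phrases:
            return ""
        rng = rng or random.Random(0)
        probs = self.weighted_initial(server_mark)
        current = rng.choices(self.phrases, weights=[probs[p] for p in self.phrases])[0]
        out = [current]
        while len(out) < max_phrases and self.transitions.get(current):
            nxt = self.transitions[current]
            current = rng.choices(list(nxt), weights=list(nxt.values()))[0]
            out.append(current)
        return reassemble(out)


if __name__ == "__main__":
    # Constructed difference content: text present in the target drone's response to an
    # attack request but absent from its response to a normal request.
    model = ConfusionModel()
    model.add_difference("You have an error in your SQL syntax near id", "nginx")
    model.add_difference("Warning mysql fetch expects parameter", "apache")
    print(model.weighted_initial("nginx"))
    print(model.generate("nginx", max_phrases=5))
```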
Considering that there are some variants in the attack characteristics when an attacker is actually attacking, in order to solve the problem, the inventor proposes the following scheme: processing the attack characteristics in the second request by adopting a Gaussian distribution model to obtain Gaussian distribution parameters; after extracting the attack features in the first request and before determining the response confusion model corresponding to the attack features of the first request, the defense method of this embodiment may further include: and carrying out normalization processing on the attack characteristics in the first request according to the Gaussian distribution parameters. Wherein, the Gaussian distribution parameters comprise a mean value and a standard deviation. Because the characteristics of the gaussian distribution model are similar to the two-eight rule, a large amount of data can be concentrated, and only a small amount of data can deviate from the concentrated part, in the embodiment, the extracted attack characteristics of the first request are normalized through the gaussian distribution model, and even though the attack characteristics are subjected to variation means, the attack characteristics can still be accurately classified after normalization. For example, the number of words of an offensive request is often large, and the feature of the number of words can be normalized.
In some embodiments, optionally, the defense method of this embodiment may further include: acquiring a third log collected in advance; the third log comprises a fourth request and corresponding response information, wherein the fourth request is a daily normal request aiming at the protection target; acquiring part or all of the logs from the third log as a sixth log; dividing the response information in the sixth log into a plurality of phrases by adopting a first algorithm; and comparing phrases of each response message aiming at the same protection target, and determining the part with the matching degree smaller than the preset matching degree as the dynamic area message and storing the dynamic area message. In this embodiment, if the matching degree is small, it is described that this part is a part that differs depending on the access user, and is a dynamic area, and it is necessary to construct response information.
Specifically, the part of the third log corresponding to the fourth log is acquired; for example, the relevant information is extracted based on the path part of the URL, and variable extraction is performed.
Here, the first algorithm employed is an n-gram algorithm or a character edit distance recognition algorithm.
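The dynamic-area identification just described, using the n-gram variant of the first algorithm, as an added example (not code from the patent or its applicant). It assumes a constructed "sixth log" of three response bodies for the same protection target, word-level bigrams as the phrases, and a matching degree defined as the share of responses containing a given n-gram; a token covered by no n-gram whose matching degree reaches the preset threshold is treated as dynamic. The splice function at the end illustrates the final step of the method, adding generated partial response information at the positions the dynamic area information indicates; the character edit distance variant is not shown.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed "sixth log": response bodies returned for the same protection
# target (say, an account page) to three different normal users. Only the
# user name, last-login time and session id differ between them.
RESPONSES = [
    "Account page . Welcome back alice . Last login 2019-01-17 09:12 . Your session a1b2c3 . Contact support .",
    "Account page . Welcome back bob . Last login 2019-01-17 10:03 . Your session d4e5f6 . Contact support .",
    "Account page . Welcome back carol . Last login 2019-01-16 22:45 . Your session 789abc . Contact support .",
]

Region = Tuple[int, int, str]  # (start offset, end offset, text)


def tokenize(text: str) -> List[Tuple[int, int, str]]:
    """Whitespace-delimited tokens with character offsets, so regions map back to positions."""
    return [(m.start(), m.end(), m.group()) for m in re.finditer(r"\S+", text)]


def word_ngrams(tokens: List[Tuple[int, int, str]], n: int):
    """(n-gram key, first token index, last token index) for every window of n tokens."""
    return [(tuple(t[2] for t in tokens[i:i + n]), i, i + n - 1)
            for i in range(len(tokens) - n + 1)]


def find_dynamic_areas(responses: List[str], n: int = 2, min_match: float = 0.8) -> List[List[Region]]:
    """For each response, return the dynamic regions: runs of tokens that no
    n-gram with matching degree >= min_match covers. Matching degree of an
    n-gram = number of responses containing it / number of responses."""
    toks = [tokenize(r) for r in responses]
    grams = [word_ngrams(t, n) for t in toks]
    presence: Counter = Counter()
    for g in grams:
        presence.update({key for key, _, _ in g})  # count each n-gram once per response
    total = len(responses)
    result: List[List[Region]] = []
    for text, tokens, g in zip(responses, toks, grams):
        static = [False] * len(tokens)
        for key, i, j in g:
            if presence[key] / total >= min_match:
                for k in range(i, j + 1):
                    static[k] = True
        regions: List[Region] = []
        k = 0
        while k < len(tokens):
            if static[k]:
                k += 1
                continue
            start = k
            while k < len(tokens) and not static[k]:
                k += 1
            s, e = tokens[start][0], tokens[k - 1][1]
            regions.append((s, e, text[s:e]))
        result.append(regions)
    return result


def insert_partial_response(text: str, regions: List[Region], parts: List[str]) -> str:
    """Splice generated partial response information into the dynamic areas of a
    stored response. Splices from the end so earlier offsets stay valid."""
    if len(parts) != len(regions):
        raise ValueError("one replacement part per dynamic area is required")
    out = text
    for (s, e, _), part in sorted(zip(regions, parts), key=lambda x: x[0][0], reverse=True):
        out = out[:s] + part + out[e:]
    return out


if __name__ == "__main__":
    for regions in find_dynamic_areas(RESPONSES):
        print([r[2] for r in regions])
```

With the 0.8 threshold the date token is flagged as dynamic even though two of the three responses share it (the bigram "login 2019-01-17" reaches only 2/3); lowering the threshold to 0.5 would make the same date static in two responses and dynamic in the third, so the preset matching degree should be chosen with the number of logged responses in mind.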
Fig. 3 is a schematic structural diagram of an electronic device according to another embodiment of the present application.
The present embodiment provides an electronic device, as shown in fig. 3, including:
a processor 301, and a memory 302 connected to the processor 301;
the memory 302 is used to store computer programs;
the processor 301 is configured to call and execute a computer program in the memory to execute the method for defending against a network attack according to any of the above embodiments.
The specific implementation of the electronic device provided in this embodiment may refer to the implementation of the network attack defense method in any of the above examples, and details are not described here.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that, in the description of the present application, the terms "first", "second", etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present application, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.
Claims (9)
1. A method for defending against network attacks is characterized by comprising the following steps:
acquiring a first request of an attack side for a protection target; the first request is an attack request;
extracting attack features in the first request;
determining, according to the pre-established correspondence between various attack features and response confusion models and according to the attack features in the first request, the response confusion model corresponding to the attack features in the first request; the response confusion model is a model, constructed from a first log and a second log collected in advance, for generating partial response information matching the attack features in the first request; the first log comprises second requests and their corresponding response information, the second requests being attack requests aimed at an unprotected drone aircraft (target machine); the second log comprises third requests and their corresponding response information, the third requests being normal requests to the drone aircraft;
constructing and generating the partial response information using the determined response confusion model;
acquiring a third log collected in advance;
acquiring part or all of the third log as a sixth log; dividing the response information in the sixth log into a plurality of phrases by adopting a first algorithm; comparing phrases of each response message aiming at the same protection target, determining a part with the matching degree smaller than the preset matching degree as dynamic area information and storing the dynamic area information;
acquiring the dynamic area information of the pre-identified protection target; the dynamic area information is information indicating the adding position of the partial response information, the third log comprises a fourth request and corresponding response information, and the fourth request is a daily normal request for the protection target;
and adding the partial response information to the position indicated by the dynamic area information to obtain the response information of the first request, and feeding back the response information to the attack side.
2. The defense method of claim 1, wherein the response confusion model comprises a first model and a second model;
the defense method further comprises the following steps:
acquiring a first log collected in advance;
acquiring part or all of the logs from the first log as a fourth log;
acquiring the second log collected in advance;
acquiring part or all of the logs from the second log as a fifth log;
comparing the fourth log with the fifth log to obtain the difference content between the response information corresponding to the second request and the response information corresponding to the third request;
adopting a first algorithm to divide the difference content into a plurality of phrases for storage;
extracting attack characteristics in the second request, and storing the attack characteristics in association with each corresponding word group;
classifying attack characteristics in the second request;
and in each type of attack characteristics, obtaining each word group associated with the attack characteristics in each second request as a first model, and processing each word group by adopting a second algorithm to obtain a second model corresponding to the attack characteristics of the type.
3. The defense method of claim 2, wherein the second algorithm is a hidden Markov model algorithm, and the second model comprises a state transition matrix, an observation matrix and an initial probability matrix;
the constructing and generating the partial response information using the determined response confusion model comprises:
selecting a phrase from the first model using the initial probability matrix;
and, taking the selected phrase as the initial phrase, constructing and generating the partial response information from the phrases in the first model using the state transition matrix and the observation matrix.
4. The defense method according to claim 2, wherein the first, second and third requests each include information of a server or an application; the defense method further comprises the following steps: taking the information of the server or the application as a mark of each phrase in the first model;
the second algorithm is a hidden Markov model algorithm; the second model comprises a state transition matrix, an observation matrix and an initial probability matrix; the constructing and generating the partial response information using the determined response confusion model comprises: acquiring the information of the server or application in the first request; acquiring the marks of all the phrases in the first model;
assigning a weight value to the phrase which is marked in the first model and is consistent with the information of the server or the application in the first request according to a preset algorithm;
superimposing the weight values on the basis of the initial probability matrix;
selecting an initial phrase from the first model according to the initial probability matrix with the weight values superimposed; and, taking the selected phrase as the initial phrase, constructing and generating the partial response information from the phrases in the first model using the state transition matrix and the observation matrix.
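Claims 2 to 4 together describe one procedure: build the first model (tagged phrases) and the second model (the HMM matrices) from the logged phrase sequences, then generate partial response information by choosing an initial phrase and walking the state transition matrix. The following is an added example of that procedure and is not code from the patent or its applicant. It assumes a constructed first model of six tagged phrases and five constructed phrase sequences, estimates the matrices by simple counting, treats the observation matrix as the identity (each state emits its own phrase), and uses an additive weight of 0.5 for phrases whose mark matches the request's server; the preset weighting algorithm, the size of the weight, and the identity observation matrix are the example's own choices.

```python
from typing import Callable, Dict, List, Tuple

# Constructed "first model" (claim 2): phrases cut from the difference between
# attack responses and normal responses on the target machine, each marked
# with the server or application named in the originating request (claim 4).
PHRASES: List[Tuple[str, str]] = [
    ("HTTP/1.1 500 Internal Server Error", "nginx"),                 # 0
    ("Server: nginx", "nginx"),                                       # 1
    ("<center>nginx</center>", "nginx"),                              # 2
    ("Server: Apache", "apache"),                                     # 3
    ("<p>The server encountered an internal error.</p>", "apache"),   # 4
    ("<address>Apache Server</address>", "apache"),                   # 5
]

# Constructed phrase sequences, one per second request of the same attack
# class, in the order the phrases occurred in the difference content.
SEQUENCES: List[List[int]] = [[0, 1, 2], [0, 2], [1, 2], [3, 4, 5], [3, 5]]


def _normalize(row: List[float]) -> List[float]:
    total = sum(row)
    return [x / total for x in row] if total else row  # all-zero row = terminal state


def build_second_model(n_states: int, sequences: List[List[int]]) -> Dict[str, List]:
    """Estimate the second model (claim 3) by counting: initial probabilities
    from first phrases, transitions from adjacent phrase pairs. States are
    phrase ids; the observation matrix is the identity (assumption)."""
    initial = [0.0] * n_states
    transition = [[0.0] * n_states for _ in range(n_states)]
    for seq in sequences:
        initial[seq[0]] += 1
        for a, b in zip(seq, seq[1:]):
            transition[a][b] += 1
    observation = [[1.0 if i == j else 0.0 for j in range(n_states)] for i in range(n_states)]
    return {"initial": _normalize(initial),
            "transition": [_normalize(r) for r in transition],
            "observation": observation}


def weighted_initial(model: Dict[str, List], phrases: List[Tuple[str, str]],
                     server: str, weight: float = 0.5) -> List[float]:
    """Claim 4: superimpose a weight on the initial probability of every phrase
    whose mark matches the server/application in the first request, then renormalize."""
    boosted = [p + (weight if tag == server else 0.0)
               for p, (_, tag) in zip(model["initial"], phrases)]
    return _normalize(boosted)


def sample(probs: List[float], u: float) -> int:
    """Inverse-CDF draw from a probability row; u is uniform in [0, 1)."""
    cum, last = 0.0, -1
    for i, p in enumerate(probs):
        if p <= 0.0:
            continue
        cum += p
        last = i
        if u < cum:
            return i
    return last  # guards against round-off at the top of the cumulative sum


def generate(model: Dict[str, List], phrases: List[Tuple[str, str]], server: str,
             draw: Callable[[], float], max_len: int = 8) -> List[int]:
    """Select the initial phrase from the weighted initial matrix, then follow
    the state transition matrix until a terminal state or max_len states."""
    state = sample(weighted_initial(model, phrases, server), draw())
    path = [state]
    while len(path) < max_len and sum(model["transition"][state]) > 0:
        state = sample(model["transition"][state], draw())
        path.append(state)
    return path


def render(model: Dict[str, List], path: List[int], phrases: List[Tuple[str, str]]) -> str:
    """Emit one phrase per state through the observation matrix (most likely observation)."""
    n = len(phrases)
    emitted = [max(range(n), key=lambda j: model["observation"][i][j]) for i in path]
    return "\n".join(phrases[j][0] for j in emitted)


if __name__ == "__main__":
    import random
    rng = random.Random(7)
    model = build_second_model(len(PHRASES), SEQUENCES)
    print(render(model, generate(model, PHRASES, "apache", rng.random), PHRASES))
```

Because transitions are learned only from observed pairs (no smoothing), a walk that starts at an Apache-tagged phrase never crosses into nginx-tagged phrases, so the weighting of the initial matrix is what makes the generated fragment consistent with the server the attacker believes it is talking to. The `draw` parameter takes any zero-argument function returning a number in [0, 1), which keeps the generation reproducible for testing.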
5. The defense method of claim 2, further comprising:
processing the attack characteristics in the second request by adopting a Gaussian distribution model to obtain Gaussian distribution parameters; after the extracting of the attack features in the first request and before the determining of the response confusion model corresponding to the attack features of the first request, the defense method further includes:
and carrying out normalization processing on the attack characteristics in the first request according to the Gaussian distribution parameters.
6. The defense method of claim 2, wherein the classifying of the attack characteristics in the second request comprises:
classifying the attack characteristics in the second request with a clustering algorithm; or classifying the attack characteristics in the second request in the form of a mapping table according to a preset rule.
7. The defense method according to claim 1 or 2, characterized in that the first algorithm is an n-gram algorithm or a character edit distance recognition algorithm.
8. The defense method of claim 1, further comprising:
performing attack scanning on the unprotected drone aircraft with various vulnerability scanners and collecting the first log;
and/or
accessing the drone aircraft normally with a web crawler and collecting the second log.
9. An electronic device, comprising: a processor, and a memory coupled to the processor;
the memory is used for storing a computer program;
the processor is used for calling and executing the computer program in the memory to execute the network attack defense method according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910046009.9A CN109995750B (en) | 2019-01-17 | 2019-01-17 | Network attack defense method and electronic equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910046009.9A CN109995750B (en) | 2019-01-17 | 2019-01-17 | Network attack defense method and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109995750A CN109995750A (en) | 2019-07-09 |
CN109995750B true CN109995750B (en) | 2021-07-23 |
Family
ID=67129225
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910046009.9A Active CN109995750B (en) | 2019-01-17 | 2019-01-17 | Network attack defense method and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109995750B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110535703A (en) * | 2019-08-30 | 2019-12-03 | 艾西威汽车科技(北京)有限公司 | A kind of car networking communication check method, apparatus and platform and computer readable storage medium |
CN112637205A (en) * | 2020-12-22 | 2021-04-09 | 北京天融信网络安全技术有限公司 | Web attack recognition method and device |
CN113141347B (en) * | 2021-03-16 | 2022-06-10 | 中国科学院信息工程研究所 | Social work information protection method and device, electronic equipment and storage medium |
CN113783848B (en) * | 2021-08-25 | 2023-04-07 | 湖南省金盾信息安全等级保护评估中心有限公司 | Network active defense method and device based on deceptive artificial intelligence |
CN114567472B (en) * | 2022-02-22 | 2024-07-09 | 深信服科技股份有限公司 | Data processing method and device, electronic equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103227798A (en) * | 2013-04-23 | 2013-07-31 | 西安电子科技大学 | Immunological network system |
CN105721442A (en) * | 2016-01-22 | 2016-06-29 | 耿童童 | Spurious response system and method based on dynamic variation and network security system and method |
CN107070852A (en) * | 2016-12-07 | 2017-08-18 | 东软集团股份有限公司 | Network attack detecting method and device |
WO2017189593A1 (en) * | 2016-04-26 | 2017-11-02 | Acalvio Technologies, Inc. | Responsive deception mechanisms |
CN107332823A (en) * | 2017-06-06 | 2017-11-07 | 北京明朝万达科技股份有限公司 | A kind of server camouflage method and system based on machine learning |
Non-Patent Citations (1)
Title |
---|
Research on website protection technology based on network deception; Lin Jianbao; China Master's Theses Full-text Database, Information Science and Technology series; 20181115; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN109995750A (en) | 2019-07-09 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
Denomination of invention: Defense methods and electronic equipment of network attack; Effective date of registration: 20230220; Granted publication date: 20210723; Pledgee: Shanghai Pudong Development Bank Co.,Ltd. Songjiang Sub branch; Pledgor: Shanghai Mule Network Technology Co.,Ltd.; Registration number: Y2023310000033 |