CN110401626B - Hacker attack grading detection method and device - Google Patents

Info

Publication number: CN110401626B
Application number: CN201910193522.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110401626A
Prior art keywords: http, log information, field, behavior, hacking
Inventors: 陈剑, 胡珀, 郭冕, 牛保龙, 洪旭升, 李相垚, 易楠, 周雨阳
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract

The invention discloses a hacking grading detection method and a hacking grading detection device. The method comprises the following steps: acquiring log information; extracting relevant fields from the log information according to an aggregation model, where the aggregation model is obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting the fields that are indicative of a hacking behavior judgment; acquiring the attribute values corresponding to the relevant fields; performing an aggregation calculation on those attribute values to obtain a score for the log information; and grading the behavior corresponding to the log information according to the score and a preset grading judgment rule for hacker behavior. The invention can reduce manual workload, realize graded pre-judgment of the hacking level and fuzzily detect new hacking techniques, so that security personnel can further locate and analyze the technique and prevent related strategies.

Description

Hacker attack grading detection method and device
Technical Field
The invention relates to the field of hacker detection, in particular to a hacking grading detection method and a hacking grading detection device.
Background
Hacking behavior is behavior that harms the interests of users by exploiting a security vulnerability; it includes, but is not limited to, stealing user privacy and virtual property through the vulnerability, intruding into a service system, stealing user data, affecting the normal operation of the service, and maliciously spreading the vulnerability. A feature profile is a tagged user model abstracted from user behavior information such as hacking behaviors, methods and means. The tags are highly refined signatures derived from the analysis of hacker behavior. Tagging lets a hacker be identified by a few highly generalized and easily understood characteristics, makes the hacker's attack actions easier to recognize, and serves the purposes of rapid anomaly alerting and post-incident source tracing.
FIG. 1 is a schematic diagram of feature profile acquisition in the prior art: only request logs are available, and the payload of an attack must be known in advance so that keywords can be extracted and the hacking behavior analyzed to construct the feature profile. This has the following significant disadvantages:
(1) Labor cost is high: a professional must judge and extract the keywords using existing rules before any analysis can take place.
(2) There is no grading, so no graded judgment of hacking behavior is available.
(3) New attack forms cannot be detected, because rules are written from existing attack forms.
Disclosure of Invention
The invention provides a hacking grading detection method and a hacking grading detection device.
In one aspect, the present invention provides a hacking grading detection method, including:
acquiring log information;
extracting relevant fields from the log information according to an aggregation model, where the aggregation model is obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting the fields that are indicative of a hacking behavior judgment;
acquiring the attribute values corresponding to the relevant fields;
performing an aggregation calculation on the attribute values of the relevant fields to obtain a score corresponding to the log information;
and grading the behavior corresponding to the log information according to the score and a preset grading judgment rule for hacker behavior.
Another aspect provides a hacking grading detection apparatus, the apparatus comprising:
a log information acquisition module, used to acquire log information;
an extraction module, used to extract relevant fields from the log information according to an aggregation model, where the aggregation model is obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting the fields that are indicative of a hacking behavior judgment;
an attribute value acquisition module, used to acquire the attribute values corresponding to the relevant fields;
a scoring module, used to perform an aggregation calculation on the attribute values of the relevant fields to obtain a score corresponding to the log information;
and a judging module, used to grade the behavior corresponding to the log information according to the score and a preset grading judgment rule for hacker behavior.
Another aspect provides a computer readable storage medium storing a program which, when executed, implements the hacking grading detection method described above.
In another aspect, a terminal device is provided, where the terminal device includes the hacking grading detection apparatus.
The hacking grading detection method and device can reduce manual workload, realize graded pre-judgment of the hacking level, and further extract the feature profile corresponding to the hacking behavior from the pre-judgment result. Compared with the prior art, which can only raise an alarm and analyze afterwards, the method provided by the embodiments of the invention can fuzzily detect a new hacking technique, so that security personnel can further locate and analyze the technique and prevent related strategies.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions and advantages of the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. The drawings in the following description show only some embodiments of the present invention, and other drawings can be obtained from them by those skilled in the art without creative effort.
FIG. 1 is a schematic diagram of prior art feature profile acquisition, as described in the background of the invention;
FIG. 2 is a schematic diagram of a hacking grading detection system provided by an embodiment of the invention;
FIG. 3 is a flowchart of a hacking grading detection method provided by an embodiment of the invention;
FIG. 4 is a flowchart of the processing of log information according to an embodiment of the present invention;
FIG. 5 is a flowchart of grading the behavior corresponding to log information according to the score and a preset grading judgment rule for hacker behavior, according to an embodiment of the present invention;
FIG. 6 is a block diagram of a hacking grading detection device provided by an embodiment of the invention;
FIG. 7 is a block diagram of a judging module provided by an embodiment of the invention;
FIG. 8 is a hardware structure diagram of an apparatus for implementing the method provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In the prior art, usually only hacking behavior that has already occurred can be alarmed on afterwards, and the basic flow is as follows: first, log-related configuration is enabled on a service server according to actual requirements, and behavior log records for all user requests are printed and written out on the local server; a security researcher then collects the user behavior logs generated by all local servers through a log collection server; keyword detection is then run on the user behavior logs by a detection server to extract data relevant to hacker attack behavior, so that specific hacker attack behaviors can be analyzed and a post-incident alarm raised for the affected services. The detection server can detect keywords on the basis of manually written rules, but such rules can only be written for hacking behavior that has already occurred and cannot detect hacking behavior in advance. Moreover, manually written rules adapt poorly, need frequent manual modification and refinement, and prevent the detection server from achieving fully automatic detection without human involvement.
In view of this, the embodiments of the present invention provide a hacking grading detection scheme, so as to profile the features of hacking behavior more efficiently and comprehensively and thereby discover hacking behavior in a graded manner.
Referring to fig. 2, fig. 2 is a schematic diagram of a hacking grading detection system according to an embodiment of the present invention. As shown in fig. 2, the hacking grading detection system includes at least one service server, a log summarizing server, and a grading identification engine. Specifically, the service server, the log summarizing server and the grading identification engine may each be a server operating independently, a distributed server, or a server cluster composed of a plurality of servers.
The service server provides services to other terminals through the Internet and may be attacked by hackers. The other terminals may be physical devices such as smart phones, desktop computers, tablet computers, notebook computers, vehicle-mounted terminals, digital assistants and smart wearable devices, and may also include software running on those devices, such as application programs.
The log summarizing server is communicatively connected to all service servers and receives and summarizes the logs transmitted by them.
The grading identification engine is bidirectionally connected to the log summarizing server and automatically analyzes hacking behavior from the logs in the log summarizing server and grades that behavior.
As shown in fig. 3, an embodiment of the present invention provides a hacking grading detection method, which may be implemented by the hacking grading detection system described above, and the method includes:
S101, acquiring log information.
Specifically, the log information may be obtained by the log summarizing server summarizing the logs output by each service server, and each piece of log information may be analyzed, that is, information relevant to hacking may be extracted from it.
In a possible embodiment, the log summarizing server may switch log capture and log output on or off on any service server through its communication with that server.
S103, extracting relevant fields from the log information according to an aggregation model, where the aggregation model is obtained by fitting the correspondence between each field in the log information and hacker behavior and selecting the fields that are indicative of the hacker behavior judgment.
Specifically, the aggregation model can be obtained by a machine learning method and iteratively optimized during actual use, so that the model changes with different usage scenarios, different hacking behaviors, and combinations of them. The fields in the aggregation model are all inherent attributes of fields in the log information and do not involve the specific content of those fields; the method therefore does not rely on manual analysis and rule writing for the content of a particular field, nor on manually extracting keywords from that content according to a rule, so that information extraction can be fully automated by relying on the aggregation model, and the feature profile is constructed from the extraction result.
In one possible embodiment, the aggregation model includes an input layer, an intermediate hidden layer, and an output layer. The nodes in the input layer represent the features of the sample; the edges between the input-layer nodes and the hidden-layer nodes represent the connection weights between nodes; the hidden-layer nodes receive signals from the input-layer nodes, produce output values after applying an activation function, and pass those values to the nodes of the next layer. The computed relation between the output layer and the input-layer features is written $f(X, W)$, where $X$ is the input and $W$ the set of connection weights. The learning process of the deep neural network is the solution of the optimization equation
$$\min_{W} \sum_{i=1}^{m} L\big(y_i, f(X_i, W)\big) + R(W)$$
where $L(y_i, f(X_i, W))$ is the loss function, $R(W)$ is a regularization term that avoids overfitting of the model, and $m$ is the number of samples. The purpose of solving the optimization equation is to find the optimal set of weights $W$ such that $f(X, W)$ has minimal loss on the pairs $(X_i, y_i)$.
The embodiments of the invention do not limit the training method of the aggregation model.
In one possible embodiment, the aggregation model may be trained by gradient descent, which requires only the gradient vector. The parameters of the aggregation model are trained by computing the direction of steepest descent and choosing an appropriate learning rate.
In another possible implementation, the aggregation model may be trained by Newton's method, which in the embodiment of the present invention uses the Hessian matrix, i.e. the second partial derivatives of the loss function, to find a better learning direction.
In another possible implementation, the aggregation model may be trained by the conjugate gradient method, which lies between gradient descent and Newton's method: it addresses the slow convergence of ordinary gradient descent while avoiding the computation and storage of the Hessian matrix. The conjugate gradient method searches along conjugate directions, which usually converge faster than the gradient descent direction; these training directions are conjugate with respect to the Hessian matrix.
In another possible implementation, the aggregation model may be trained by a quasi-Newton method. Because Newton's method has to compute the Hessian matrix and its inverse and therefore needs more computing resources, the embodiment of the present invention modifies it into what may be called a quasi-Newton method, which compensates for that large computational cost. The method does not compute the Hessian matrix and its inverse directly; instead it estimates the inverse Hessian at each iteration and needs only the first partial derivatives of the loss function.
In another possible implementation, the aggregation model may be trained by the damped least squares method, in which the loss function takes the form of a sum of squared errors; it does not require exact computation of the Hessian matrix but does use the gradient vector and the Jacobian matrix.
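The training of the aggregation model described in the preceding paragraphs (an input layer, one hidden layer and an output layer; the loss plus a regularization term R(W) minimised by gradient descent, which needs only the gradient vector), as an added worked example that is not code from the patent or from Tencent. It assumes a squared-error loss, L2 regularization, central-difference gradients so the update rule is visible without a backpropagation derivation, and constructed sample features that are inherent attributes of HTTP log fields (field lengths, as the patent describes) rather than field contents; the sample values and labels are invented for the example.

```python
"""Added example: training a small input/hidden/output 'aggregation model'
f(X, W) by gradient descent on  J(W) = (1/m) * sum_i L(y_i, f(X_i, W)) + R(W).
Not from the patent; all data and sizes below are constructed assumptions."""
import math

# Constructed samples (not real traffic): features are inherent attributes of
# HTTP log fields, here [len(client_ip), len(host), len(cgi), len(user_agent)]
# scaled to [0, 1]; label 1 = line marked as hacking behavior, 0 = benign.
SAMPLES = [
    ([0.30, 0.40, 0.10, 0.90], 0),
    ([0.35, 0.45, 0.15, 0.85], 0),
    ([0.30, 0.40, 0.95, 0.10], 1),
    ([0.40, 0.50, 0.90, 0.15], 1),
    ([0.25, 0.35, 0.12, 0.80], 0),
    ([0.35, 0.42, 0.98, 0.05], 1),
]
N_IN, N_HID = 4, 3  # assumed layer sizes


def init_weights():
    """Deterministic small initial weights so a run is reproducible.
    Layout: for each hidden node N_IN input weights + 1 bias, then N_HID
    output weights + 1 output bias, all in one flat list W."""
    n = N_HID * (N_IN + 1) + (N_HID + 1)
    return [0.1 * math.sin(i + 1) for i in range(n)]


def forward(x, w):
    """f(X, W): tanh hidden layer, sigmoid output node (probability of hacking)."""
    hidden = []
    for h in range(N_HID):
        base = h * (N_IN + 1)
        z = sum(w[base + j] * x[j] for j in range(N_IN)) + w[base + N_IN]
        hidden.append(math.tanh(z))
    base = N_HID * (N_IN + 1)
    z = sum(w[base + h] * hidden[h] for h in range(N_HID)) + w[base + N_HID]
    return 1.0 / (1.0 + math.exp(-z))


def objective(w, samples, lam=1e-3):
    """J(W): mean squared-error loss L plus L2 regularization R(W) = lam * ||W||^2."""
    m = len(samples)
    loss = sum((y - forward(x, w)) ** 2 for x, y in samples) / m
    reg = lam * sum(wi * wi for wi in w)
    return loss + reg


def gradient(w, samples, eps=1e-5):
    """Gradient vector of J by central differences; gradient descent needs only this."""
    grad = []
    for i in range(len(w)):
        w_plus, w_minus = w[:], w[:]
        w_plus[i] += eps
        w_minus[i] -= eps
        grad.append((objective(w_plus, samples) - objective(w_minus, samples)) / (2 * eps))
    return grad


def train(samples, steps=500, lr=0.5):
    """Gradient descent: W <- W - lr * grad J(W). Returns the weights and the
    objective value after each step, so convergence can be inspected."""
    w = init_weights()
    history = [objective(w, samples)]
    for _ in range(steps):
        g = gradient(w, samples)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
        history.append(objective(w, samples))
    return w, history


if __name__ == "__main__":
    weights, hist = train(SAMPLES)
    print(f"objective before {hist[0]:.4f}, after {hist[-1]:.4f}")
    for x, y in SAMPLES:
        print(f"label {y}  f(X, W) = {forward(x, weights):.3f}")
```

The finite-difference gradient costs two objective evaluations per weight and is only practical for a model this small; a production aggregation model would use backpropagation or one of the other optimisers the text lists, but the objective being minimised is the same.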
The fields that can be fitted by the aggregation model in the embodiment of the present invention include, but are not limited to, the request time field, client_ip field, HOST field, request header field, CGI field, GET parameter field, POST body field, request method field, user_agent field, referrer field, cookie field, and/or POST body field of HTTP in the HTTP protocol logs within the log information. The inherent attributes of a field include, but are not limited to, the field length and the attribute value corresponding to the field.
In one possible implementation, the fields with a significant indicative effect on hacking are the client_ip field, the HOST field and the CGI field of HTTP.
In this embodiment, user IP address types are classified as proxy, IDC, foreign IP address, gateway IP address, black IP address and special-region IP address. An IP address (Internet Protocol Address) is a numeric label assigned to the Internet Protocol device with which a user accesses the Internet. An IDC provides large-scale, high-quality, secure and reliable services such as specialized server hosting, space rental, wholesale network bandwidth and dynamic server pages (ASP) to Internet content providers, enterprises, media and websites of all kinds. An IDC is a facility that hosts the servers of enterprises, merchants or websites; it is the infrastructure on which electronic commerce of every kind operates securely, and also a platform that supports enterprises and their business alliances (distributors, suppliers, customers and the like) in value chain management.
Acquiring the attribute value of the client_ip field of HTTP yields the attribute of the user IP address, that is, whether the user IP address is a proxy, IDC, foreign IP address, gateway IP address, black IP address or special-region IP address. In the embodiment of the present invention, the attribute obtained from the attribute value of the client_ip field of HTTP is referred to as the K1 attribute.
In the described embodiment, the service attribute is obtained from the HOST field of HTTP. The embodiment of the invention may divide service attributes into common services, key services and core services. The service attribute is obtained from the attribute value of the HOST field of HTTP, and in the embodiment of the present invention the attribute obtained from the attribute value of the HOST field of HTTP is referred to as the K2 attribute.
In the described embodiment, the interface attribute is derived from the CGI field of HTTP. In the embodiment of the invention, interface attributes may be divided into upload interfaces, payment interfaces and login entrances. The interface attribute is obtained from the attribute value of the CGI field of HTTP, and in the embodiment of the present invention the attribute obtained from the attribute value of the CGI field of HTTP is referred to as the K3 attribute.
S105, acquiring the attribute values corresponding to the relevant fields.
S107, performing an aggregation calculation on the attribute values of the relevant fields to obtain the score corresponding to the log information.
Specifically, the aggregation calculation may score the aggregation on the basis of the triple structure using a preset artificial intelligence model.
The artificial intelligence model may be matched to the aggregation model or constructed by a machine learning method, and is iteratively optimized during actual use.
Corresponding to the above embodiment, the process of obtaining the score from the client_ip field, the HOST field and the CGI field of HTTP can be represented by the formula n = K1(w) + K2(w) + K3(w), where w is the log information and n is the score.
In a possible embodiment, as shown in fig. 4, after log information is obtained from the network, its fields are classified and cut according to the HTTP protocol, and the client_ip field, the HOST field and the CGI field of HTTP are analyzed; aggregate statistics may then be computed over the scores of each piece of log information, and a curve obtained from the aggregate statistics may be used for hacker behavior analysis.
S109, grading the behavior corresponding to the log information according to the score and a preset grading judgment rule for hacker behavior.
Specifically, the hacking behavior grading judgment rule includes a score interval corresponding to each grade, and the judgment result for the behavior corresponding to the log information is obtained by comparing the score against the score intervals.
In a possible embodiment, taking three-level grading as an example, grading the behavior corresponding to the log information according to the score and the preset grading judgment rule for hacking behavior is shown in fig. 5 and includes:
S1091, judging whether the score is lower than a first threshold.
S1092, if so, judging that the behavior corresponding to the log information is non-hacking behavior.
S1093, if not, judging whether the score is lower than a second threshold.
S1094, if so, judging that the behavior corresponding to the log information is weak hacking behavior.
S1095, if not, judging that the behavior corresponding to the log information is strong hacking behavior.
Further, the embodiment of the invention may also generate a hacking behavior feature profile from the judgment result.
In a feasible implementation, if the behavior corresponding to the log information is non-hacking behavior, the log information does not need to be processed; if the behavior corresponding to the log information is strong hacking behavior, the log information is placed in a first information base, which is used to subsequently analyze the feature profile corresponding to strong hacking behavior.
Optionally, a second information base may also be established for weak hacking behavior, collecting the log information generated by weak hacking behavior so that the feature profile corresponding to weak hacking behavior can be analyzed subsequently.
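Steps S101 to S109 and S1091 to S1095 above, together with the routing of log information into the first and second information bases, as one added worked example that is not code from the patent or from Tencent. It assumes a constructed key=value log line format (the patent fixes no format), illustrative lookup tables and weights for the K1, K2 and K3 attributes, and illustrative values for the first and second thresholds; the patent names the attribute categories but none of these values. The sample log lines are constructed and use RFC 5737 documentation address ranges.

```python
"""Added example: the S101-S109 pipeline of CN110401626B with three-level grading.
Not from the patent; every table, weight, threshold and log line is an assumption."""
from ipaddress import ip_address, ip_network

# K1: user IP address type (patent categories: proxy, IDC, foreign, gateway,
# black, special-region). Network membership and weights are illustrative.
IP_TYPE_BY_NETWORK = {
    ip_network("10.0.0.0/8"): "gateway",
    ip_network("203.0.113.0/24"): "proxy",
    ip_network("198.51.100.0/24"): "idc",
    ip_network("192.0.2.0/24"): "black",
}
K1_WEIGHT = {"gateway": 1, "proxy": 2, "idc": 3, "foreign": 2,
             "special_region": 2, "black": 5}
# K2: service attribute of the HOST field (common / key / core).
SERVICE_BY_HOST = {"www.example.test": "common", "sso.example.test": "key",
                   "pay.example.test": "core"}
K2_WEIGHT = {"common": 1, "key": 2, "core": 3}
# K3: interface attribute of the CGI field (upload / payment / login entrance).
INTERFACE_BY_CGI = {"/upload": "upload", "/api/pay": "payment", "/login": "login"}
K3_WEIGHT = {"upload": 2, "payment": 3, "login": 2}

FIRST_THRESHOLD = 3   # score below this: non-hacking behavior
SECOND_THRESHOLD = 7  # score below this (but >= first): weak; otherwise strong

# Constructed log lines in an assumed key=value format (S101 input).
SAMPLE_LOGS = [
    "client_ip=10.0.0.5 host=www.example.test cgi=/index.html method=GET",
    "client_ip=203.0.113.9 host=pay.example.test cgi=/api/pay method=POST",
    "client_ip=198.51.100.77 host=www.example.test cgi=/upload method=POST",
    "client_ip=192.0.2.44 host=sso.example.test cgi=/login method=POST",
]


def parse_log(line):
    """S103: cut a log line into the HTTP fields the model uses."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return {k: fields.get(k, "") for k in ("client_ip", "host", "cgi", "method")}


def k1(fields):
    """K1 attribute value from the client_ip field; unknown or malformed IP scores 0."""
    try:
        addr = ip_address(fields["client_ip"])
    except ValueError:
        return 0
    for net, ip_type in IP_TYPE_BY_NETWORK.items():
        if addr in net:
            return K1_WEIGHT[ip_type]
    return 0


def k2(fields):
    """K2 attribute value from the HOST field; unlisted hosts score 0."""
    return K2_WEIGHT.get(SERVICE_BY_HOST.get(fields["host"]), 0)


def k3(fields):
    """K3 attribute value from the CGI field; unlisted interfaces score 0."""
    return K3_WEIGHT.get(INTERFACE_BY_CGI.get(fields["cgi"]), 0)


def score(fields):
    """S107: aggregation over the triple, n = K1(w) + K2(w) + K3(w)."""
    return k1(fields) + k2(fields) + k3(fields)


def grade(n):
    """S1091-S1095: three-level grading against the two thresholds."""
    if n < FIRST_THRESHOLD:
        return "non-hacking"
    if n < SECOND_THRESHOLD:
        return "weak"
    return "strong"


def detect(lines):
    """Whole pipeline. Returns (score, grade) per line plus the two information
    bases: strong behavior goes to the first base, weak to the second, and
    non-hacking lines are not processed further."""
    results, first_base, second_base = [], [], []
    for line in lines:
        n = score(parse_log(line))
        g = grade(n)
        results.append((n, g))
        if g == "strong":
            first_base.append(line)
        elif g == "weak":
            second_base.append(line)
    return results, first_base, second_base


if __name__ == "__main__":
    for line, (n, g) in zip(SAMPLE_LOGS, detect(SAMPLE_LOGS)[0]):
        print(f"n={n} {g:12s} {line}")
```

Because the score depends only on attributes of the fields (address type, service tier, interface class) and never on payload contents, a request using an unseen payload against a core service's payment interface from a black IP is still graded strong, which is the patent's point about detecting new techniques without hand-written keyword rules.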
The embodiment of the invention discloses a hacking grading detection method which can reduce manual workload, realize graded pre-judgment of the hacking level, and further extract the feature profile corresponding to the hacking behavior from the pre-judgment result. Compared with the prior art, which can only raise an alarm and analyze afterwards, the method provided by the embodiment of the invention can fuzzily detect a new hacking technique, so that security personnel can further locate and analyze the technique and prevent related strategies.
The embodiment of the invention also discloses a hacking grading detection device; as shown in fig. 6, the device comprises:
a log information acquisition module 201, configured to acquire log information;
an extraction module 202, configured to extract relevant fields from the log information according to an aggregation model, where the aggregation model is obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting the fields that are indicative of the hacking behavior judgment.
The fields that can be fitted by the aggregation model in the embodiment of the present invention include, but are not limited to, the request time field, client_ip field, HOST field, request header field, CGI field, GET parameter field, POST body field, request method field, user_agent field, referrer field, cookie field, and/or POST body field of HTTP in the HTTP protocol logs within the log information. The inherent attributes of a field include, but are not limited to, the field length and the attribute value corresponding to the field.
In one possible implementation, the fields with a significant indicative effect on hacking are the client_ip field, the HOST field and the CGI field of HTTP.
An attribute value acquisition module 203, configured to acquire the attribute values corresponding to the relevant fields.
A scoring module 204, configured to perform an aggregation calculation on the attribute values of the relevant fields to obtain a score corresponding to the log information.
Corresponding to the above embodiment, the process of obtaining the score from the client_ip field, the HOST field and the CGI field of HTTP can be represented by the formula n = K1(w) + K2(w) + K3(w), where w is the log information and n is the score.
A judging module 205, configured to grade the behavior corresponding to the log information according to the score and a preset grading judgment rule for hacker behavior.
The hacker behavior grading judgment rule includes a score interval corresponding to each grade, and the judgment result for the behavior corresponding to the log information is obtained by comparing the score against the score intervals.
Further, the device also includes:
a feature profile acquisition module 206, configured to generate a hacking behavior feature profile from the judgment result.
If the behavior corresponding to the log information is non-hacking behavior, the log information does not need to be processed; if the behavior corresponding to the log information is strong hacking behavior, the log information is placed in a first information base, which is used to subsequently analyze the feature profile corresponding to strong hacking behavior.
Optionally, a second information base may also be established for weak hacking behavior, collecting the log information generated by weak hacking behavior so that the feature profile corresponding to weak hacking behavior can be analyzed subsequently.
As shown in fig. 7, the judging module 205 includes:
a first judging subunit 2051, configured to judge whether the score is lower than a first threshold; if so, to judge that the behavior corresponding to the log information is non-hacking behavior; if not, to activate the second judging subunit 2052.
A second judging subunit 2052, configured to judge whether the score is lower than a second threshold; if so, to judge that the behavior corresponding to the log information is weak hacking behavior; if not, to judge that the behavior corresponding to the log information is strong hacking behavior.
The hacking grading detection device and the hacking grading detection method provided by the embodiments of the invention are based on the same inventive concept.
The embodiment of the invention also provides a computer storage medium, which can store a plurality of instructions suitable for being loaded by a processor to execute the steps of the hacking grading detection method.
Specifically, the content of the instruction includes:
acquiring log information;
extracting relevant fields from the log information according to an aggregation model, wherein the aggregation model is obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting the relevant fields that have a pointing effect on the hacking behavior judgment;
acquiring corresponding attribute values of the relevant fields;
performing aggregation calculation on the corresponding attribute values of the related fields to obtain scores corresponding to the log information;
and carrying out graded judgment on the behavior corresponding to the log information according to the score and a preset hacking behavior grading judgment rule.
Further, the content of the instruction further comprises:
and generating a hacking behavior characteristic portrait according to the judgment result.
Further, the content of the instruction further comprises:
if the behavior corresponding to the log information is a non-hacking behavior, the log information does not need to be processed; if the behavior corresponding to the log information is a strong hacking behavior, the log information is added to a first information base, where the first information base is used for subsequently analyzing the characteristic portrait corresponding to strong hacking behavior.
Further, the fields fitted by the aggregation model include the request time field of HTTP, the client_ip field of HTTP, the HOST field of HTTP, the request header field of HTTP, the CGI field of HTTP, the GET parameter field of HTTP, the POST body field of HTTP, the request method field of HTTP, the user_agent field of HTTP, the referrer field of HTTP, the cookie field of HTTP, and/or the POST body field of HTTP in the relevant HTTP protocol log in the log information.
In one possible embodiment, extracting the relevant fields from the log information according to the aggregation model includes:
extracting the client_ip field of HTTP, the HOST field of HTTP and the CGI field of HTTP from the log information.
Correspondingly, obtaining the corresponding attribute value of each relevant field includes:
obtaining the user IP address attribute from the attribute value of the client_ip field of HTTP, where the user IP address attribute is an agent, IDC, foreign IP address, gateway IP address, black IP address or special area IP address;
obtaining the service attribute from the attribute value of the HOST field of HTTP, where the service attribute is a common service, a key service or a core service;
and obtaining the interface attribute from the attribute value of the CGI field of HTTP, where the interface attribute is an uploading interface, a payment interface or a login entry.
Further, the step of performing graded judgment on the behavior corresponding to the log information according to the score and a preset hacking behavior grading judgment rule includes:
determining whether the score is below a first threshold;
if the score is lower than the first threshold, judging that the behavior corresponding to the log information is a non-hacking behavior;
otherwise, judging whether the score is lower than a second threshold;
if so, judging that the behavior corresponding to the log information is a weak hacking behavior;
and if not, judging that the behavior corresponding to the log information is a strong hacking behavior.
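As an added illustration (this is not code from the patent or from its assignee), the following Python sketch runs the procedure described above end to end: it parses a log line, extracts the client_ip, HOST and CGI fields, maps each to its attribute value, computes the score n = K1(w) + K2(w) + K3(w), applies the two-threshold grading rule, and routes strong and weak hacking behavior into the first and second information bases. It also covers two cases the text leaves implicit: an unparseable log line is rejected, and a field whose attribute is unknown contributes nothing to the score. The log format, the IP-range, HOST and CGI attribute tables, the weights K1/K2/K3, the two thresholds and the sample log lines are all constructed assumptions; the patent does not specify any of them.

```python
# Added example (not code from the patent or its assignee): the three-field
# aggregation score n = K1(w) + K2(w) + K3(w) and the two-threshold grading
# rule.  Attribute tables, weights, thresholds and sample log lines are all
# constructed for illustration.
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed log format: combined log with the HOST field appended.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" (?P<host>\S+)$')

# Constructed lookup tables (documentation IP ranges, example.com hosts).
IP_RANGE_ATTRIBUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "black IP address",
    ipaddress.ip_network("192.0.2.0/24"): "IDC",
    ipaddress.ip_network("198.51.100.0/24"): "gateway IP address"}
HOST_ATTRIBUTES = {"www.example.com": "common service",
                   "files.example.com": "key service",
                   "pay.example.com": "core service"}
CGI_ATTRIBUTES = {"/cgi-bin/upload": "uploading interface",
                  "/cgi-bin/pay": "payment interface",
                  "/cgi-bin/login": "login entry"}
# Constructed weights K1 (user IP attribute), K2 (service attribute) and
# K3 (interface attribute); an unknown attribute contributes 0 (assumption).
K1 = {"proxy": 2, "IDC": 3, "foreign IP address": 2, "gateway IP address": 1,
      "black IP address": 6, "special area IP address": 3}
K2 = {"common service": 0, "key service": 2, "core service": 4}
K3 = {"uploading interface": 3, "payment interface": 4, "login entry": 2}
FIRST_THRESHOLD = 4    # below this: non-hacking behavior (constructed)
SECOND_THRESHOLD = 10  # below this: weak, otherwise strong (constructed)


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log line into HTTP fields; reject lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def extract_relevant_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Keep only the fields the aggregation model points at: client_ip, HOST, CGI."""
    return {"client_ip": record["client_ip"],
            "host": record["host"].lower(),
            "cgi": urlsplit(record["target"]).path}  # CGI path without GET parameters


def ip_attribute(client_ip: str) -> Optional[str]:
    """User IP address attribute from the constructed range table; None if unknown."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    return next((a for net, a in IP_RANGE_ATTRIBUTES.items() if addr in net), None)


def attribute_values(fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Attribute value of each relevant field (None when the table has no entry)."""
    return {"user_ip": ip_attribute(fields["client_ip"]),
            "service": HOST_ATTRIBUTES.get(fields["host"]),
            "interface": CGI_ATTRIBUTES.get(fields["cgi"])}


def aggregate_score(attrs: Dict[str, Optional[str]]) -> int:
    """n = K1(w) + K2(w) + K3(w): sum of the weight of each attribute value."""
    return (K1.get(attrs["user_ip"], 0) + K2.get(attrs["service"], 0)
            + K3.get(attrs["interface"], 0))


def grade(score: int) -> str:
    """Two-threshold grading rule: non-hacking / weak hacking / strong hacking."""
    if score < FIRST_THRESHOLD:
        return "non-hacking"
    return "weak hacking" if score < SECOND_THRESHOLD else "strong hacking"


def judge(line: str) -> Dict[str, object]:
    """Full pipeline for one log line: parse, extract, score, grade."""
    attrs = attribute_values(extract_relevant_fields(parse_log_line(line)))
    score = aggregate_score(attrs)
    return {"score": score, "grade": grade(score), "attributes": attrs}


def build_information_bases(lines: List[str]) -> Dict[str, List[str]]:
    """Strong behavior goes to the first base, weak to the second, the rest is dropped."""
    bases: Dict[str, List[str]] = {"first": [], "second": []}
    for line in lines:
        g = judge(line)["grade"]
        if g == "strong hacking":
            bases["first"].append(line)
        elif g == "weak hacking":
            bases["second"].append(line)
    return bases


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2019:10:00:01 +0800] "POST /cgi-bin/upload?id=1 HTTP/1.1" '
    '200 512 "-" "python-requests/2.21" files.example.com',
    '198.51.100.23 - - [14/Mar/2019:10:00:02 +0800] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0" www.example.com',
    '192.0.2.44 - - [14/Mar/2019:10:00:03 +0800] "POST /cgi-bin/login HTTP/1.1" '
    '401 120 "-" "curl/7.64.0" pay.example.com',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(judge(entry))
```

With these constructed tables the first sample line (black IP range, key service, upload interface) scores 11 and is graded strong; the third (IDC range, core service, login entry) scores 9 and is graded weak; the second scores 1 and is dropped. In a real deployment the attribute tables and weights are what the aggregation model in the description is fitted to produce, and the two thresholds are the preset grading rule; keeping them as data rather than code is what lets the model be re-fitted per scenario without touching the pipeline.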
Further, fig. 8 is a schematic diagram of the hardware structure of a device for implementing the method provided by the embodiment of the present invention; the device may be a computer terminal, a mobile terminal or a server, and may also form part of the apparatus or recommendation system provided by the embodiment of the present invention. As shown in fig. 8, the computer terminal 10 (or mobile device 10 or server 10) may include one or more processors 102 (shown as 102a, 102b, ..., 102n; the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. In addition, it may also include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, a power source, and/or a camera. Those skilled in the art will understand that the structure shown in fig. 8 is only an illustration and does not limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 8, or have a different configuration from that shown in fig. 8.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/data storage devices corresponding to the methods described in the embodiments of the present invention; the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, thereby implementing the above hacking grading detection method. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
It should be noted that: the precedence order of the above embodiments of the present invention is only for description, and does not represent the merits of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the device and server embodiments, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A hacking grading detection method, the method comprising:
acquiring log information, wherein the log information is obtained by summarizing logs output by each service server by a log summarizing server, and the log summarizing server controls the on-off of log capture and the on-off of log output of each service server through communication with each service server;
automatically extracting related fields from the log information according to an aggregation model, wherein the related fields are inherent attributes of the fields in the log information; the aggregation model is a machine learning model obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting related fields with a pointing effect on the hacking behavior judgment, and the aggregation model is iteratively optimized according to different use scenarios, different hacking behaviors and their combined behaviors, wherein the related fields comprise the client_ip field of HTTP, the HOST field of HTTP and the CGI field of HTTP;
acquiring the corresponding attribute value of each related field, wherein the attribute value of the client_ip field of HTTP is acquired to obtain a user IP address attribute, the attribute value of the HOST field of HTTP is acquired to obtain a service attribute, and the attribute value of the CGI field of HTTP is acquired to obtain an interface attribute;
performing aggregation calculation on the corresponding attribute values of the related fields to obtain scores corresponding to the log information;
and carrying out graded judgment on the behavior corresponding to the log information according to the score and a preset hacking behavior grading judgment rule.
2. The method of claim 1, further comprising: and generating a hacking behavior characteristic portrait according to the judgment result.
3. The method of claim 2, wherein:
if the behavior corresponding to the log information is a strong hacking behavior, the log information is added to a first information base, wherein the first information base is used for subsequently analyzing the characteristic portrait corresponding to strong hacking behavior.
4. The method of claim 1, further comprising:
the fields fitted by the aggregation model include the request time field of HTTP, the client_ip field of HTTP, the HOST field of HTTP, the request header field of HTTP, the CGI field of HTTP, the GET parameter field of HTTP, the POST body field of HTTP, the request method field of HTTP, the user_agent field of HTTP, the referrer field of HTTP, the cookie field of HTTP, and/or the POST body field of HTTP in the log information.
5. The method of claim 1, wherein:
the user IP address attribute is an agent, IDC, foreign IP address, gateway IP address, black IP address or special area IP address;
the service attribute is a common service, a key service or a core service;
the interface attribute is an uploading interface, a payment interface or a login entry.
6. The method according to claim 1, wherein the step of performing graded judgment on the behavior corresponding to the log information according to the score and a preset hacking behavior grading judgment rule comprises:
determining whether the score is below a first threshold;
if the score is lower than the first threshold, judging that the behavior corresponding to the log information is a non-hacking behavior;
otherwise, judging whether the score is lower than a second threshold;
if so, judging that the behavior corresponding to the log information is a weak hacking behavior;
and if not, judging that the behavior corresponding to the log information is a strong hacking behavior.
7. A hacking grading detection apparatus, the apparatus comprising:
the log information acquisition module is used for acquiring log information, the log information is obtained by summarizing logs output by each service server by a log summarizing server, and the log summarizing server controls the log capture on/off of each service server and the log output on/off of each service server through communication with each service server;
an extraction module, used for automatically extracting relevant fields from the log information according to an aggregation model, wherein the relevant fields are inherent attributes of the fields in the log information; the aggregation model is a machine learning model obtained by fitting the correspondence between each field in the log information and hacking behavior and selecting related fields with a pointing effect on the hacking behavior judgment, and the aggregation model is iteratively optimized according to different use scenarios, different hacking behaviors and their combined behaviors, wherein the related fields comprise the client_ip field of HTTP, the HOST field of HTTP and the CGI field of HTTP;
an attribute value acquisition module, configured to acquire the corresponding attribute value of each relevant field, wherein the attribute value of the client_ip field of HTTP is acquired to obtain a user IP address attribute, the attribute value of the HOST field of HTTP is acquired to obtain a service attribute, and the attribute value of the CGI field of HTTP is acquired to obtain an interface attribute;
the scoring module is used for carrying out aggregation calculation on the corresponding attribute values of the related fields to obtain scores corresponding to the log information;
and a judging module, used for carrying out graded judgment on the behavior corresponding to the log information according to the score and a preset hacking behavior grading judgment rule.
8. The apparatus of claim 7, further comprising:
a characteristic portrait acquisition module, used for generating a hacking behavior characteristic portrait according to the judgment result.
9. A computer-readable storage medium storing a program, wherein the program when executed implements a hacking grading detection method according to any of claims 1-6.
10. An electronic device comprising a processor and a memory, the memory storing at least one instruction for causing the processor to perform a hacking grading detection method according to any of claims 1-6.
Application CN201910193522.0A, priority date 2019-03-14, filing date 2019-03-14: Hacker attack grading detection method and device, granted as CN110401626B (Active).


Publications (2)

Publication Number Publication Date
CN110401626A CN110401626A (en) 2019-11-01
CN110401626B true CN110401626B (en) 2022-02-18

Family

ID=68322409




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant