CN110602135A - Network attack processing method and device and electronic equipment - Google Patents

Info

Publication number: CN110602135A
Authority: CN (China)
Prior art keywords: network, attack, network attack, node, response
Legal status: Granted; Active
Application number: CN201910912571.5A
Other languages: Chinese (zh)
Other versions: CN110602135B (en)
Inventor: 张乐
Current Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Original Assignee: Beijing Kingsoft Internet Security Software Co Ltd
Application filed by Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201910912571.5A
Publication of CN110602135A
Application granted
Publication of CN110602135B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1433 Vulnerability analysis
Abstract

The application provides a network attack processing method and a network attack processing device. The method includes the following steps: monitoring a network end for network attacks to obtain network attack information, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack; determining an attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack; and determining whether to process the network attack according to the attack success probability. Because the network attack information is obtained by monitoring the network end and the attack success probability is derived from it, whether the network attack is effective is decided by that probability. This solves the technical problem in the prior art that the false alarm rate is high when network attacks are detected through network traffic and network logs, and improves the efficiency of reporting network attacks.

Description

Network attack processing method and device and electronic equipment
Technical Field
The present application relates to the field of information security technologies, and in particular, to a network attack processing method and apparatus, and an electronic device.
Background
With the rapid development of Internet technology, Web services account for an ever larger share of Internet services, and the harm that network attacks do to Web services grows accordingly. At present, common Web vulnerabilities are generally identified from network traffic and system logs; the identified results are then sent to security management personnel for review, or the relevant personnel are notified through an alarm mechanism.
However, a Web vulnerability alarm scheme based on network traffic and system logs may generate a large number of false positives, so that security managers waste a great deal of time checking whether each alarm corresponds to a real attack effect or whether the vulnerability actually exists in the system.
Disclosure of Invention
The present application is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, a first objective of the present application is to provide a network attack processing method, so as to solve the technical problem in the prior art that a false alarm rate is high when a network attack is detected through network traffic and a network log.
An embodiment of a first aspect of the present application provides a network attack processing method, including:
monitoring a network end for network attacks to obtain network attack information, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack;
determining an attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack;
and determining whether to process the network attack according to the attack success probability.
As a first possible implementation manner of the embodiment of the present application, determining the attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack includes:
acquiring an established decision tree model;
judging whether the response content is abnormal by using the root node of the decision tree model;
determining, from the first-level nodes, the target first-level node corresponding to the result of the response-content abnormality judgment, and judging whether the response state return value is a set value by using the target first-level node, where the first-level nodes are the child nodes of the root node;
determining, from the second-level nodes, the target second-level node corresponding to the result of the response state return value judgment, and judging whether the number of initiations of the network attack is greater than a set number by using the target second-level node, where the second-level nodes are the child nodes of the target first-level node;
determining, from the third-level nodes, the target third-level node corresponding to the result of the initiation-count judgment, where the third-level nodes are the child nodes of the target second-level node;
and taking the value indicated by the target third-level node as the attack success probability.
As a second possible implementation manner of the embodiment of the present application, before the obtaining of the established decision tree model, the method further includes:
obtaining a plurality of network attack samples, wherein each network attack sample is marked whether the attack is successful or not;
inputting the multiple network attack samples into the decision tree model, and determining a third-level node to which each network attack sample belongs;
for each third-level node, counting the proportion of network attack samples which are successfully marked for attack in the contained network attack samples;
and determining the attack success probability indicated by each third-level node according to the ratio.
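As an added example (not code from the patent or its assignee), the following Python shows the first and second implementation manners together: a fixed three-level tree (response content abnormal at the root, return value in the set at the first level, initiation count above the set number at the second level), leaf probabilities fitted as the proportion of successful samples that reach each leaf, and a lookup that returns the value of the target third-level node for a new record. The status set, the attempt threshold and the labelled samples are assumptions constructed for the example; the page fixes none of them in the claims.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed record type for one monitored attack request (example code,
# not the patent's own implementation).
@dataclass(frozen=True)
class AttackSample:
    content_abnormal: bool    # result of the root-node test (step 202)
    status_code: int          # response state return value
    attempts: int             # number of times the attack was initiated
    succeeded: bool = False   # training label: attack marked as successful

# Assumed parameters. The status set follows the (200, 30X, 403, 500) example in
# the description and the attempt threshold follows its "greater than 10" example.
SET_STATUS_VALUES = {200, 301, 302, 303, 307, 308, 403, 500}
SET_ATTEMPT_COUNT = 10

# A leaf is identified by the three branch decisions taken on the way down.
LeafKey = Tuple[bool, bool, bool]

def leaf_key(sample: AttackSample) -> LeafKey:
    """Walk root -> target first-level node -> target second-level node and
    return the target third-level node (leaf) the sample ends up in."""
    root = sample.content_abnormal                       # is the response content abnormal?
    first = sample.status_code in SET_STATUS_VALUES      # is the return value a set value?
    second = sample.attempts > SET_ATTEMPT_COUNT         # initiations greater than the set count?
    return (root, first, second)

def fit_leaf_probabilities(samples: List[AttackSample]) -> Dict[LeafKey, float]:
    """Second implementation manner: route each labelled sample to its leaf and
    store, per leaf, the proportion of samples marked as a successful attack."""
    totals: Dict[LeafKey, int] = {}
    successes: Dict[LeafKey, int] = {}
    for s in samples:
        key = leaf_key(s)
        totals[key] = totals.get(key, 0) + 1
        successes[key] = successes.get(key, 0) + int(s.succeeded)
    return {key: successes[key] / totals[key] for key in totals}

def attack_success_probability(model: Dict[LeafKey, float],
                               sample: AttackSample) -> Optional[float]:
    """First implementation manner: the value indicated by the target
    third-level node. Returns None for a leaf no training sample reached,
    so a caller can tell 'no evidence' apart from 'probability 0'."""
    return model.get(leaf_key(sample))

def constructed_training_samples() -> List[AttackSample]:
    """Eight constructed, hand-labelled samples (not real data)."""
    return [
        AttackSample(True, 200, 12, succeeded=True),
        AttackSample(True, 200, 15, succeeded=True),
        AttackSample(True, 200, 11, succeeded=False),
        AttackSample(True, 404, 3, succeeded=False),
        AttackSample(True, 404, 2, succeeded=False),
        AttackSample(False, 200, 30, succeeded=False),
        AttackSample(False, 200, 25, succeeded=True),
        AttackSample(True, 500, 4, succeeded=True),
    ]

if __name__ == "__main__":
    model = fit_leaf_probabilities(constructed_training_samples())
    for leaf, p in sorted(model.items()):
        print(f"leaf {leaf}: success probability {p:.2f}")
    new_attack = AttackSample(content_abnormal=True, status_code=403, attempts=20)
    print("new attack ->", attack_success_probability(model, new_attack))
```

With these samples the leaf (abnormal, in set, more than 10 attempts) holds two successes out of three, so a new record that lands there is assigned 2/3; a record that lands on a leaf no training sample reached yields None rather than a fabricated probability, which is the case the page's training step leaves open.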
As a third possible implementation manner of the embodiment of the present application, whether the response content is abnormal is determined as follows:
when the response content contains sensitive information, or the response time of the response content is greater than a threshold value, the response content is determined to be abnormal.
As a fourth possible implementation manner of the embodiment of the present application, the sensitive information includes one or more combinations of private data, an executable system command, a rule setting function, and middleware service information with a bug.
As a fifth possible implementation manner of the embodiment of the present application, monitoring a network end for network attacks to obtain network attack information includes:
monitoring network requests to determine that an attack request of the network attack exists;
and recording the response content, the number of initiations and the response state return value of the attack request as the network attack information.
The network attack processing method of the embodiment of the application obtains network attack information by monitoring a network end for network attacks, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack; determines an attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack; and determines whether to process the network attack according to the attack success probability. Because the attack success probability is derived from network attack information obtained by monitoring the network end, and whether the network attack is effective is decided by that probability, the method solves the technical problem in the prior art that the false alarm rate is high when network attacks are detected through network traffic and network logs. It raises the proportion of reported network attacks that are effective, spares network security management personnel from spending a large amount of time judging whether a network attack is effective, and so improves the efficiency of network security protection.
An embodiment of a second aspect of the present application provides a network attack processing apparatus, including:
the monitoring module is used for monitoring network attack on a network end to obtain network attack information; the network attack information comprises response content, a response state return value and initiation times of the network terminal to the network attack;
a determining module, configured to determine an attack success probability according to whether the response content is abnormal, a response state return value of the network end to the network attack, and the number of times of initiating the network attack;
and the processing module is used for determining whether to process the network attack according to the attack success probability.
The network attack processing device of the embodiment of the application obtains network attack information by monitoring a network end for network attacks, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack; determines an attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack; and determines whether to process the network attack according to the attack success probability. Because the attack success probability is derived from network attack information obtained by monitoring the network end, and whether the network attack is effective is decided by that probability, the device solves the technical problem in the prior art that the false alarm rate is high when network attacks are detected through network traffic and network logs. It raises the proportion of reported network attacks that are effective, spares network security management personnel from spending a large amount of time judging whether a network attack is effective, and so improves the efficiency of network security protection.
An embodiment of a third aspect of the present application provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the computer program to implement the network attack processing method described in the foregoing embodiment.
A fourth aspect of the present application provides a non-transitory computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the network attack processing method as described in the foregoing embodiments.
Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The foregoing and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic flowchart of a network attack processing method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a network attack processing method according to a second embodiment of the present application;
fig. 3 is a schematic flowchart of a network attack processing method provided in the third embodiment of the present application;
fig. 4 is a schematic flowchart of a network attack processing method according to a fourth embodiment of the present application;
fig. 5 is a schematic structural diagram of a network attack processing apparatus according to a fifth embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.
In view of the technical problem in the prior art that a large number of false alarms are generated when network attacks are alarmed on the basis of network traffic and system logs, the embodiment of the application provides a network attack processing method in which network attack information is obtained by monitoring a network end for network attacks, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack. An attack success probability is then determined according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack, and whether to process the network attack is determined according to the attack success probability.
The network attack processing method, apparatus, and electronic device according to the embodiments of the present application are described below with reference to the drawings.
Fig. 1 is a schematic flowchart of a network attack processing method according to an embodiment of the present application.
The network attack processing method is exemplified by being configured in a network attack processing device in the embodiment of the present application, and the network attack processing device may be applied to any electronic device, so that the electronic device may execute a network attack processing function.
The electronic device may be a personal computer (PC), a cloud device, a mobile device, and the like. The mobile device may be a hardware device with various operating systems, touch screens and/or display screens, such as a mobile phone, a tablet computer, a personal digital assistant, a wearable device or an in-vehicle device.
As shown in fig. 1, the network attack processing method includes the following steps:
step 101, monitoring network attack on a network end to obtain network attack information.
A network attack is an attack on the hardware and software of a network system, and on the data in that system, that exploits vulnerabilities and security defects existing in the network. The network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack.
It should be explained that the network attack information obtained by monitoring the network end for network attacks includes not only the information obtained when an attack on the network end succeeds by exploiting a vulnerability in the network system, but also the information recorded when an attacker attempts an attack and is detected by a firewall or other device although no vulnerability exists; such an attempt may still be a real attack.
In the embodiment of the application, most network attacks target vulnerabilities at the Web level. No software is perfect and free of vulnerabilities, and many hackers attack such vulnerabilities through Web pages, links, software and the like, for example parsing vulnerabilities in some Web servers, SQL injection and cross-site scripting (XSS). In order to acquire the network attack information more accurately and process the network attack, the network end can be monitored for network attacks to obtain the network attack information. For example, the network end can be monitored for network attacks in real time or at regular intervals.
As a possible implementation manner, when monitoring the network end for network attacks, the response content, the response state return value and the number of attack initiations of the network end for the network attack can be monitored, so that the electronic device obtains these three items of information.
For example, when monitoring a hacker's network attack on the network end, the number of initiations of the network attack may be obtained every half hour; for example, the number of initiations of the network attack is 8.
And step 102, determining attack success probability according to whether the response content is abnormal, the response state return value of the network side to the network attack and the launching times of the network attack.
As a possible implementation manner of the embodiment of the present application, in order to determine whether a network attack is effective, that is, whether the network end has been successfully attacked, the order of the three features (the response content, the response state return value and the number of attack initiations of the network end to the network attack) in a decision tree model may first be determined. The decision tree model then determines the probability that the network end has been successfully attacked from whether the response content in the network attack information is abnormal, whether the response state return value is a set value, and the number of attack initiations of the network attack.
The decision tree model is built on the basis of Bayes' theorem: a series of rules is solved for, and the data are divided according to these rules to obtain a prediction result.
In the embodiment of the application, when the decision tree model is used to determine the attack success probability, each node of the decision tree model is first determined, that is, each node of the decision tree model is determined from the obtained network attack information. Specifically, after the network end has been monitored for network attacks and the response content, the response state return value and the number of network attack initiations of the network end to the network attack have been obtained, the information entropy and information gain are calculated and these three features are ordered by information gain from large to small. For example, when the response content of the network end to the network attack has the largest information gain, that feature may be used as the root node of the decision tree model.
It should be noted that the information entropy is used for feature selection and measures the uncertainty of the result: the smaller the information entropy, the simpler the result. The information gain is the difference between the information entropy and the conditional entropy of the feature, and the larger the information gain, the better the feature.
After the decision tree is generated, it can be pruned. The pruning algorithm removes sub-trees from the bottom of the decision tree so that the tree becomes smaller and the success probability of a network attack can be predicted more accurately. The pruning algorithm consists of two steps: first, pruning repeatedly from the bottom of the decision tree produced by the generation algorithm up to the root node, forming a sequence of sub-trees; then verifying this sequence of sub-trees on an independent verification data set by cross-validation and selecting the optimal sub-tree from the sequence. The core purpose of pruning the decision tree is to remove some inefficient branches from the algorithm and thereby improve the efficiency of judging the success probability of a network attack.
It should be explained that whether the response content is abnormal may be determined by judging whether the response content contains sensitive information or whether the response time of the response content is greater than a threshold. The sensitive information includes one or more of private data, executable system commands, rule setting functions and middleware service information with vulnerabilities. For example, when the sensitive information is private data, it may include encrypted content, password fields, log information, database information, user identity information, enterprise privacy information and valid data carried in a network request.
As a possible implementation manner, after the network end has been monitored and the response content of the network end to the network attack obtained, if sensitive information consisting of one or more of private data, executable system commands, rule setting functions and middleware service information with vulnerabilities is found in the response content, the response content of the network end to the network attack is determined to be abnormal.
As another possible implementation manner, after the network end has been monitored and the response content of the network end to the network attack obtained, when the response time of the network end for that response content is determined to be greater than the threshold value, the response content of the network end to the network attack is determined to be abnormal.
For example, if the response time threshold set for the response content of the network end to the network attack is 3 seconds, and the response time of the network end for the response content is 5 seconds, the response content of the network end to the network attack is determined to be abnormal.
Step 103, determining whether to process the network attack according to the attack success probability.
In the embodiment of the application, after the success probability of the network attack is determined, whether the network attack is processed or not is judged according to the determined success probability of the attack.
As one possible situation, when the attack success probability is determined to be greater than the threshold, the probability that the network end has been attacked successfully is relatively high, and the network attack needs to be reported to the server end so that it can be processed in time.
For example, if the attack success probability threshold is 55% and the success probability of the network attack is 75%, the attack may be determined to be valid and is reported to the server end so that it can be processed in time.
As another possible situation, when the attack success probability is determined to be smaller than the threshold, the attack may be invalid and the network attack does not need to be processed.
For example, if the attack success probability threshold is 55% and the success probability of the network attack is 25%, the attack may be determined to be invalid; it is not necessary to report the network attack to the server end, and it is only necessary to continue monitoring the network end for network attacks, so that an effective attack on the network end can still be processed in time.
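The two tests behind step 102's abnormality check (sensitive information in the response content, or response time above the threshold) and the threshold decision of step 103, as an added Python example that is not the patent's own code. The sensitive-information markers, the 3 s response-time threshold, the 55% probability threshold and the response bodies are constructed assumptions: the page names the four kinds of sensitive information but defines no concrete markers, and "rule setting function" is interpreted here as an interpreter function name echoed in the page body.

```python
import re
from typing import Dict, Optional

# Assumed thresholds, taken from the page's worked examples.
RESPONSE_TIME_THRESHOLD_S = 3.0        # a response slower than this is abnormal
SUCCESS_PROBABILITY_THRESHOLD = 0.55   # a probability above this is reported

# Constructed, illustrative markers for the four kinds of sensitive information
# the page lists. They are assumptions for this example, not a complete rule set.
SENSITIVE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "private_data": re.compile(
        r'"(?:password|passwd|pwd)"\s*:'                # password field in a JSON body
        r'|-----BEGIN (?:RSA |EC )?PRIVATE KEY-----'    # key material echoed back
        r'|\bjdbc:[a-z]+://'),                          # database connection string
    "executable_system_command": re.compile(
        r'\buid=\d+\([^)]+\)\s+gid=\d+'),               # output of a system command in the page
    "rule_setting_function": re.compile(
        r'\b(?:eval|exec|system|assert)\s*\('),         # assumed interpretation: interpreter call echoed
    "middleware_service_info": re.compile(
        r'\b(?:Apache|nginx|Tomcat|Jetty)/\d+\.\d+(?:\.\d+)?'),  # middleware version banner
}

def response_abnormality(content: str, response_time_s: float) -> Optional[str]:
    """Return why the response content is abnormal, or None when it is normal.
    A sensitive-information match takes precedence over the timing check."""
    for kind, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(content):
            return "sensitive:" + kind
    if response_time_s > RESPONSE_TIME_THRESHOLD_S:   # strictly greater, as on the page
        return "slow_response"
    return None

def should_report(success_probability: float,
                  threshold: float = SUCCESS_PROBABILITY_THRESHOLD) -> bool:
    """Step 103: report to the server end only when the probability exceeds the
    threshold. The page leaves the equal case unspecified; this treats it as
    'do not report, keep monitoring'."""
    return success_probability > threshold

# Constructed response bodies and timings (not captured traffic), one per branch.
CONSTRUCTED_RESPONSES = [
    ("<html>Login failed</html>", 0.4),
    ('{"user": "alice", "password": "hunter2"}', 0.2),
    ("<address>Apache/2.4.29 (Ubuntu) Server</address>", 0.3),
    ("<html>ok</html>", 5.0),
    ("<html>ok</html>", 3.0),
]

if __name__ == "__main__":
    for body, seconds in CONSTRUCTED_RESPONSES:
        print(f"{seconds:.1f}s {body[:40]!r:45} -> {response_abnormality(body, seconds)}")
    for p in (0.75, 0.55, 0.25):
        print(f"probability {p:.2f} -> report={should_report(p)}")
```

The boundary case is deliberate: a 3.0 s response with the 3 s threshold is normal because the page says "greater than", and a probability exactly at 55% is not reported for the same reason; anyone deploying such a rule should decide the equal case explicitly rather than inherit it from the comparison operator.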
The network attack processing method of the embodiment of the application obtains network attack information by monitoring a network end for network attacks, where the network attack information includes the response content, the response state return value and the number of initiations of the network end to the network attack; then determines an attack success probability according to whether the response content is abnormal, the response state return value of the network end to the network attack and the number of initiations of the network attack; and finally determines whether to process the network attack according to the attack success probability. Because the attack success probability is derived from network attack information obtained by monitoring the network end, and whether the network attack is effective is decided by that probability, the method solves the technical problem in the prior art that the false alarm rate is high when network attacks are detected through network traffic and network logs. It raises the proportion of reported network attacks that are effective, spares network security management personnel from spending a large amount of time judging whether a network attack is effective, and so improves the efficiency of network security protection.
On the basis of the above embodiment, as a possible implementation manner, in step 102 the attack success probability may be determined according to a pre-established decision tree model. This process is described in detail below with reference to the second embodiment; fig. 2 is a schematic flowchart of a network attack processing method provided in the second embodiment of the present application.
As shown in fig. 2, step 102 may further include the following steps:
Step 201, obtaining the established decision tree model.
In the embodiment of the application, when judging whether to process the network attack, whether the network attack is effective can be judged by the decision tree model, so the pre-established decision tree model needs to be obtained.
It should be noted that each node of the decision tree model has been determined according to the information gain of the response content, the response state return value and the number of attack initiations of the network end to the network attack.
For example, as shown in Table 1 below, the network end is monitored and network attack information for 12 attack requests on it is obtained. Of these, the response content of the network end to the network attack was abnormal 9 times and normal 3 times; the response state return value was the set value 8 times and not the set value 4 times; 4 attack requests had a number of initiations greater than 10 and 8 had a number of initiations less than 10; and the attack succeeded 8 times and failed 4 times.
TABLE 1
Feature                        Value           Count
Response content               abnormal        9
                               normal          3
Response state return value    set value       8
                               not set value   4
Number of initiations          greater than 10 4
                               less than 10    8
Attack result (label)          success         8
                               failure         4
In this example, each node of the decision tree model is determined by calculating the information gain of the response content of the network end to the network attack, of the response state return value and of the number of initiations. The specific calculation process is as follows:
Information entropy of the label "whether the attack succeeds":
Info(D) = -(8/12)*log2(8/12) - (4/12)*log2(4/12) = 0.918 bits
Conditional entropy for "whether the response content is abnormal":
Info_result(D) = 9/12*(-(8/9)*log2(8/9) - (1/9)*log2(1/9)) + 3/12*(-(1/3)*log2(1/3) - (2/3)*log2(2/3)) = 0.607
Conditional entropy for "whether the response state return value is one of (200, 30X, 403, 500)":
Info_statuscode(D) = 8/12*(-(5/8)*log2(5/8) - (3/8)*log2(3/8)) + 4/12*(-(3/4)*log2(3/4) - (1/4)*log2(1/4)) = 0.866
Conditional entropy for "whether the number of attack initiations is greater than 10":
Info_total(D) = 5/12*(-(4/5)*log2(4/5) - (1/5)*log2(1/5)) + 7/12*(-(4/7)*log2(4/7) - (3/7)*log2(3/7)) = 0.875
The information gains are then calculated:
Gain(result) = Info(D) - Info_result(D) = 0.311
Gain(statuscode) = Info(D) - Info_statuscode(D) = 0.052
Gain(total) = Info(D) - Info_total(D) = 0.043
The response content, the response state return value and the number of initiations of the network attack are then ordered by information gain from large to small to determine each node of the decision tree model.
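The calculation above, as an added Python example that is not part of the patent text. It recomputes Info(D), each conditional entropy and each gain from the Table 1 counts exactly as the formulas use them (the formulas split the initiation count 5/7 while the table description says 4/8; the block follows the formulas). One check worth making before fixing the node order: the printed Info_statuscode(D) = 0.866 does not follow from the 8/12 and 4/12 split with (5, 3) and (3, 1) successes and failures; recomputing gives about 0.907 and a gain of about 0.012, which would rank the status code below the initiation count rather than above it. Info(D), Info_result(D), Info_total(D) and Gain(result) reproduce the printed values.

```python
import math
from typing import Dict, List

def entropy(class_counts: List[int]) -> float:
    """Shannon entropy in bits of a label distribution given as counts."""
    total = sum(class_counts)
    return -sum((c / total) * math.log2(c / total) for c in class_counts if c > 0)

def conditional_entropy(branches: List[List[int]]) -> float:
    """Info_feature(D): entropy of the label inside each branch of the feature,
    weighted by the share of samples that fall into that branch."""
    total = sum(sum(b) for b in branches)
    return sum(sum(b) / total * entropy(b) for b in branches)

def information_gains(label_counts: List[int],
                      branches_by_feature: Dict[str, List[List[int]]]) -> Dict[str, float]:
    """Gain(feature) = Info(D) - Info_feature(D) for every candidate feature."""
    base = entropy(label_counts)
    return {f: base - conditional_entropy(b) for f, b in branches_by_feature.items()}

def node_order(gains: Dict[str, float]) -> List[str]:
    """Features ordered by information gain, largest first: the first entry
    becomes the root node, the next the first-level nodes, and so on."""
    return sorted(gains, key=lambda f: gains[f], reverse=True)

# Table 1 counts as the page's formulas use them. Each branch holds
# [attack successful, attack unsuccessful] sample counts.
TABLE_1_LABELS = [8, 4]
TABLE_1_BRANCHES = {
    "result":     [[8, 1], [1, 2]],   # response content abnormal (9) / normal (3)
    "statuscode": [[5, 3], [3, 1]],   # return value in the set (8) / not in the set (4)
    "total":      [[4, 1], [4, 3]],   # initiations > 10 (5) / otherwise (7)
}

if __name__ == "__main__":
    print(f"Info(D) = {entropy(TABLE_1_LABELS):.3f} bits")
    for feature, branches in TABLE_1_BRANCHES.items():
        print(f"Info_{feature}(D) = {conditional_entropy(branches):.3f}")
    gains = information_gains(TABLE_1_LABELS, TABLE_1_BRANCHES)
    for feature in node_order(gains):
        print(f"Gain({feature}) = {gains[feature]:.3f}")
```

The same three functions apply to any number of candidate features and any number of branches per feature, so they can be rerun on real monitoring counts before the node order of the tree is fixed.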
Step 202, judging whether the response content is abnormal by using the root node of the decision tree model.
In this embodiment, the root node of the decision tree model tests the attribute with the largest information gain, namely the response content returned by the network end to the network attack. After the network end has been attacked, the root node is used to judge whether that response content is abnormal.
Whether the response content is abnormal may be determined by checking whether it contains sensitive information, or whether the response time of the response exceeds a threshold value; the procedure is the same as in step 102 of the foregoing embodiment and is not repeated here.
Step 203, determining, from the first-level nodes, the target first-level node corresponding to the result of the response-content judgment, and judging whether the response status return value is a set value by using that target first-level node.
A first-level node is a child node of the root node.
In this embodiment, after the root node has judged whether the response content is abnormal, the target first-level node corresponding to that judgment result is selected from the first-level nodes, and it is used to judge whether the response status return value is a set value.
In one case, when the root node judges the response content to be abnormal, the first-level node corresponding to abnormal response content becomes the target first-level node, and it judges whether the response status return value is a set value.
For example, if the set of status return values is (200, 30X, 403, 500), the target first-level node for abnormal response content judges whether the status value returned by the network end to the network attack falls in (200, 30X, 403, 500).
In the other case, when the root node judges the response content to be normal, the first-level node corresponding to normal response content becomes the target first-level node, and it likewise judges whether the response status return value is a set value.
Step 204, determining, from the second-level nodes, the target second-level node corresponding to the result of the status-return-value judgment, and judging whether the number of times the network attack was initiated is greater than a set number by using that target second-level node.
A second-level node is a child node of the target first-level node.
In this embodiment, after the target first-level node has judged whether the response status return value is a set value, the target second-level node corresponding to that judgment result is selected from the second-level nodes, and it judges whether the number of attack initiations exceeds the set number.
In one case, when the target first-level node judges that the status return value of the network end is a set value, the second-level node corresponding to that outcome becomes the target second-level node, and it judges whether the number of attack initiations exceeds the set number.
In the other case, when the target first-level node judges that the status return value is not a set value, the second-level node corresponding to that outcome becomes the target second-level node, and it performs the same judgment on the number of attack initiations.
Step 205, determining, from the third-level nodes, the target third-level node corresponding to the result of the initiation-count judgment.
A third-level node is a child node of the target second-level node.
In this embodiment, the target second-level node judges whether the number of attack initiations exceeds the set number, and the target third-level node corresponding to that judgment result is selected from the third-level nodes.
For example, the target second-level node judges whether the number of attack initiations is greater than 10; "greater than 10" and "not greater than 10" lead to different third-level nodes.
Step 206, taking the value indicated by the target third-level node as the attack success probability.
In this embodiment, the target third-level node corresponding to the initiation-count judgment result is selected from the third-level nodes and the value it indicates is taken as the attack success probability. The effectiveness of the network attack is then judged from that probability, and whether to report the attack to the server is decided according to its effectiveness.
For example, if the value indicated by the target third-level node is 75% and the initiation-count judgment result leads to that node, the success probability of the network attack is 75%.
In the network attack processing method of this embodiment, an established decision tree model is acquired; its root node judges whether the response content is abnormal; the target first-level node (a child of the root) corresponding to that result judges whether the response status return value is a set value; the target second-level node (a child of the target first-level node) corresponding to that result judges whether the number of times the network attack was initiated exceeds the set number; the target third-level node (a child of the target second-level node) corresponding to that result is selected; and the value it indicates is taken as the attack success probability. Determining the success probability with the decision tree model and judging the effectiveness of the attack from it addresses the high false-alarm rate of prior-art detection based on network traffic and network logs alone, and raises the proportion of reported network attacks that are effective.
As a possible scenario, before step 201 the attack success probability indicated by each third-level node of the decision tree model may be determined from a plurality of network attack samples. This is described with reference to the third embodiment; fig. 3 is a schematic flow chart of the network attack processing method provided in the third embodiment of the present application.
As shown in fig. 3, the network attack processing method may further include the following steps:
Step 301, obtaining a plurality of network attack samples.
Each network attack sample is labelled with whether the attack succeeded.
In this embodiment, each sample is labelled with whether the attack on the network end succeeded, so that once the samples have been input into the decision tree model the attack success probability of the third-level node to which each sample belongs can be obtained accurately.
Step 302, inputting the network attack samples into the decision tree model and determining the third-level node to which each sample belongs.
In this embodiment, each labelled sample is routed through the model as in steps 202 to 205 above: the target first-level node is selected according to whether the response content in the sample is abnormal; that node judges whether the response status return value is a set value, which selects the target second-level node; that node judges whether the number of attack initiations exceeds the set number, which selects the third-level node. In this way the third-level node to which every sample belongs is determined.
Step 303, counting, for each third-level node, the proportion of the samples it contains that are labelled as successful attacks.
In this embodiment, after the third-level node of each sample is known, the number of samples labelled successful in each third-level node is counted and divided by the number of samples that node contains, giving the proportion of successful samples for that node.
For example, if there are 12 network attack samples in total, a certain third-level node contains 6 of them, and 4 of those 6 are labelled successful, the proportion for that node is 4/6.
Step 304, determining the attack success probability indicated by each third-level node from its proportion.
In this embodiment, once the proportion of successful samples is known for every third-level node of the decision tree model, the attack success probability indicated by each third-level node is determined from that proportion.
For example, if the proportion for a third-level node is 4/6, the attack success probability indicated by that node is 66.67%.
In the network attack processing method of this embodiment, a plurality of network attack samples, each labelled with whether the attack succeeded, are input into the decision tree model; the third-level node of each sample is determined; the proportion of samples labelled successful is counted for each third-level node; and the attack success probability indicated by each node is determined from that proportion. Labelled samples thus fix the probability indicated by each third-level node, so that when network attack information is later input into the model its success probability can be judged accurately, the attack handled accordingly, and the false-alarm rate for attack success reduced.
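The following Python is an added example, not code from the patent, covering both the tree walk of steps 202 to 206 and the leaf-probability estimation of steps 301 to 304. A leaf is identified by the path of three decisions that reaches it; fitting routes labelled samples to leaves and stores each leaf's success proportion; scoring walks a new attack to its leaf and reads that value. The status set, the count threshold of 10 and the 12 training samples are constructed assumptions chosen to reproduce the worked figures in the text (4/6 and 75%).

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Assumed "set values": exact codes in (200, 30X, 403, 500), with "30X"
# read as any 3xx code, and a count threshold of 10 as in the worked example.
STATUS_SET = {200, 403, 500}
STATUS_SET_3XX = True
COUNT_THRESHOLD = 10


class AttackInfo(NamedTuple):
    content_abnormal: bool   # outcome of the root-node test (step 202 / step 102)
    status_code: int         # response status return value
    attempts: int            # number of times the attack was initiated


def status_is_set_value(code: int) -> bool:
    """First-level test: is the status return value one of the set values?"""
    return code in STATUS_SET or (STATUS_SET_3XX and 300 <= code <= 399)


# A third-level node (leaf) is identified by the three decisions that reach it.
Leaf = Tuple[bool, bool, bool]


def leaf_of(info: AttackInfo) -> Leaf:
    """Walk root -> target first-level -> target second-level node (steps 202-205)."""
    return (
        info.content_abnormal,
        status_is_set_value(info.status_code),
        info.attempts > COUNT_THRESHOLD,
    )


def fit_leaf_probabilities(samples: Iterable[Tuple[AttackInfo, bool]]) -> Dict[Leaf, float]:
    """Steps 301-304: route each labelled sample to its third-level node and
    store the proportion of samples there that are labelled successful."""
    successes: Dict[Leaf, int] = defaultdict(int)
    totals: Dict[Leaf, int] = defaultdict(int)
    for info, succeeded in samples:
        leaf = leaf_of(info)
        totals[leaf] += 1
        successes[leaf] += int(succeeded)
    return {leaf: successes[leaf] / totals[leaf] for leaf in totals}


def success_probability(model: Dict[Leaf, float], info: AttackInfo) -> Optional[float]:
    """Step 206: the value indicated by the target third-level node, or None if
    no training sample ever reached that node and the model cannot score it."""
    return model.get(leaf_of(info))


def should_process(model: Dict[Leaf, float], info: AttackInfo, threshold: float = 0.5) -> bool:
    """Decide whether to report/process the attack from its success probability."""
    p = success_probability(model, info)
    return p is not None and p >= threshold


# Constructed labelled samples (12 in total, as in the description's example):
# 6 reach (abnormal, set status, >10) with 4 successes     -> 4/6
# 4 reach (abnormal, set status, <=10) with 3 successes    -> 75%
# 2 reach (normal, non-set status, <=10) with 0 successes  -> 0
TRAINING: List[Tuple[AttackInfo, bool]] = (
    [(AttackInfo(True, 200, 15), True)] * 4
    + [(AttackInfo(True, 500, 12), False)] * 2
    + [(AttackInfo(True, 302, 3), True)] * 3
    + [(AttackInfo(True, 302, 4), False)] * 1
    + [(AttackInfo(False, 404, 2), False)] * 2
)

if __name__ == "__main__":
    model = fit_leaf_probabilities(TRAINING)
    for leaf, p in sorted(model.items()):
        print(f"leaf {leaf}: success probability {p:.2%}")
    probe = AttackInfo(content_abnormal=True, status_code=200, attempts=11)
    print("probe ->", success_probability(model, probe), "process:", should_process(model, probe))
```

Leaves that no labelled sample reached return None rather than a probability; in practice such attacks should be routed to a default policy (for example, report) instead of being silently dropped.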
Building on the above embodiments, in one implementation of step 101, monitoring network attacks on the network end to obtain network attack information may also be carried out by monitoring network requests to determine that an attack request of a network attack exists, and recording the response content, the number of initiations and the response status return value of the attack request as the network attack information. This is described with reference to the fourth embodiment; fig. 4 is a schematic flow chart of the network attack processing method provided in the fourth embodiment of the present application.
As shown in fig. 4, step 101 may include the following steps:
Step 401, monitoring network requests to determine that an attack request of a network attack exists.
In this embodiment, the network of the electronic device inevitably has vulnerabilities and security defects, and monitoring its network requests in real time allows the requests that carry a network attack to be identified.
Step 402, recording the response content, the number of initiations and the response status return value of the attack request as the network attack information.
In this embodiment, when monitoring of network requests determines that an attack request exists, the response content, the number of attack initiations and the response status return value of that request are recorded as the network attack information, from which whether the network attack succeeded is judged.
Further, once an attack request is identified, the response content, number of initiations and response status return value in the recorded network attack information are input into the decision tree model to obtain a target value of the attack success probability, and whether to process the network attack is decided from that target value.
The network attack processing method of this embodiment identifies attack requests by monitoring network requests and records the response content, number of initiations and response status return value of each attack request as network attack information. The target value of the attack success probability can then be determined from that information to decide whether to report the network attack, which improves the efficiency of attack reporting.
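The following Python is an added example, not part of the patent, implementing steps 401 and 402 over a constructed request/response log: only requests matching (hypothetical) attack signatures are kept, the number of initiations per source and attack type is counted, and the status return values and response content are recorded as the attack information. The `content_abnormal` check from step 102 (sensitive information, or response time above a threshold) is applied to the recorded content using hypothetical indicator patterns for the sensitive-information classes the page lists. The log format, the signatures, the indicator patterns and the 3000 ms threshold are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed records in the shape a WAF or reverse proxy might emit:
# source IP, request line, status, response time (ms), body excerpt.
# Entirely made up for this example.
LOG = """\
10.0.0.5\tGET /search?q=shoes\t200\t35\t<ul><li>shoes</li></ul>
10.0.0.9\tGET /search?q=' OR 1=1--\t500\t48\tSQLSTATE[42000]: Syntax error near '1=1'
10.0.0.9\tGET /search?q=' UNION SELECT phone FROM users--\t200\t61\t13812345678 13987654321
10.0.0.9\tGET /download?file=../../../../etc/passwd\t200\t22\troot:x:0:0:root:/root:/bin/bash
10.0.0.9\tGET /download?file=../../../../etc/shadow\t403\t19\tForbidden
10.0.0.7\tGET /status\t200\t4100\tApache Tomcat/7.0.47 - Error report
"""

# Hypothetical attack signatures: the page leaves open how an attack request
# is recognised, so plain pattern matching stands in for that step.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"('|%27)\s*(or|union)\b", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
}

# Hypothetical indicators for the sensitive-information classes the page names.
SENSITIVE_PATTERNS = {
    "private_data": re.compile(r"\b1[3-9]\d{9}\b"),                     # CN mobile number
    "system_command": re.compile(r"\broot:x:0:0:"),                      # /etc/passwd line, i.e. command/file read
    "middleware_info": re.compile(r"(Tomcat|nginx|Apache)/\d+\.\d+"),    # server banner with version
}
SLOW_RESPONSE_MS = 3000   # assumed response-time threshold


@dataclass
class AttackRecord:
    attempts: int = 0                                   # number of initiations
    statuses: List[int] = field(default_factory=list)   # status return values, in order
    last_body: str = ""                                 # most recent response content
    max_response_ms: int = 0


def content_abnormal(body: str, response_ms: int) -> Tuple[bool, List[str]]:
    """Step 102 check: sensitive content in the response, or a slow response."""
    reasons = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]
    if response_ms > SLOW_RESPONSE_MS:
        reasons.append("slow_response")
    return bool(reasons), reasons


def classify_request(request_line: str) -> Optional[str]:
    """Step 401: return the attack type if the request matches a signature."""
    for name, pat in ATTACK_PATTERNS.items():
        if pat.search(request_line):
            return name
    return None


def collect_attack_info(log: str) -> Dict[Tuple[str, str], AttackRecord]:
    """Step 402: for each (source, attack type), record content, count and statuses."""
    records: Dict[Tuple[str, str], AttackRecord] = defaultdict(AttackRecord)
    for line in log.splitlines():
        if not line:
            continue
        src, request_line, status, ms, body = line.split("\t", 4)
        kind = classify_request(request_line)
        if kind is None:
            continue
        rec = records[(src, kind)]
        rec.attempts += 1
        rec.statuses.append(int(status))
        rec.last_body = body
        rec.max_response_ms = max(rec.max_response_ms, int(ms))
    return dict(records)


if __name__ == "__main__":
    for key, rec in collect_attack_info(LOG).items():
        abnormal, why = content_abnormal(rec.last_body, rec.max_response_ms)
        print(key, rec.attempts, rec.statuses, abnormal, why)
```

Counting per source and attack type is one reasonable reading of "number of initiations"; a deployment would also bound the time window so that a slow drip of requests is not counted forever.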
In order to implement the above embodiments, the present application further provides a network attack processing apparatus.
Fig. 5 is a schematic structural diagram of a network attack processing apparatus according to a fifth embodiment of the present application.
As shown in fig. 5, the network attack processing apparatus 100 includes a monitoring module 110, a determining module 120 and a processing module 130.
The monitoring module 110 is configured to monitor network attacks on the network end to obtain network attack information, which comprises the response content and response status return value of the network end to the network attack and the number of times the attack was initiated.
The determining module 120 is configured to determine the attack success probability according to whether the response content is abnormal, the response status return value of the network end to the network attack, and/or the number of times the network attack was initiated.
The processing module 130 is configured to determine whether to process the network attack according to the attack success probability.
As a possible implementation manner, the determining module 120 may be further specifically configured to:
acquiring an established decision tree model;
judging whether the response content is abnormal by using the root node of the decision tree model;
determining, from the first-level nodes, the target first-level node corresponding to the result of the response-content judgment, and judging whether the response status return value is a set value by using the target first-level node, the first-level nodes being child nodes of the root node;
determining, from the second-level nodes, the target second-level node corresponding to the result of the status-return-value judgment, and judging whether the number of times the network attack was initiated is greater than a set number by using the target second-level node, the second-level nodes being child nodes of the target first-level node;
determining, from the third-level nodes, the target third-level node corresponding to the result of the initiation-count judgment, the third-level nodes being child nodes of the target second-level node;
and taking the value indicated by the target third-level node as the attack success probability.
As another possible implementation manner, the determining module 120 may be further specifically configured to:
acquire a plurality of network attack samples, each labelled with whether the attack succeeded;
input the network attack samples into the decision tree model and determine the third-level node to which each sample belongs;
count, for each third-level node, the proportion of the samples it contains that are labelled as successful attacks;
and determine the attack success probability indicated by each third-level node from that proportion.
As another possible implementation manner, the determining module 120 may be further specifically configured to:
determine that the response content is abnormal when it contains sensitive information or when the response time of the response content is greater than a threshold value.
As another possible implementation, the sensitive information includes one or more of private data, executable system commands, rule-setting functions, and middleware service information with vulnerabilities.
As another possible implementation manner, the monitoring module 110 may be further specifically configured to:
monitor network requests to determine that an attack request of the network attack exists;
and record the response content, the number of initiations and the response status return value of the attack request as the network attack information.
It should be noted that the foregoing explanation on the embodiment of the network attack processing method is also applicable to the network attack processing apparatus of this embodiment, and details are not described here.
The network attack processing apparatus of this embodiment monitors network attacks on the network end to obtain network attack information comprising the response content and response status return value of the network end to the attack and the number of times the attack was initiated; determines the attack success probability according to whether the response content is abnormal, the response status return value, and/or the number of initiations; and determines whether to process the network attack according to that probability. Judging the effectiveness of an attack from a success probability derived from the monitored information addresses the high false-alarm rate of prior-art detection based on network traffic and network logs alone, raises the proportion of reported attacks that are effective, and spares network security personnel the time otherwise spent judging whether an attack was effective, improving the efficiency of network security protection.
In order to implement the foregoing embodiments, the present application further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, and when the processor executes the computer program, the network attack processing method in the foregoing embodiments is implemented.
In order to implement the above embodiments, the present application also proposes a non-transitory computer-readable storage medium on which a computer program is stored, which when executed by a processor implements the network attack processing method as in the above embodiments.
In the description herein, reference to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present application in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware that is related to instructions of a program, and the program may be stored in a computer-readable storage medium, and when executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a separate product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (9)

1. A network attack processing method, characterized in that the method comprises:
monitoring a network attack on a network end to obtain network attack information, the network attack information comprising response content and a response status return value of the network end to the network attack, and the number of times the network attack was initiated;
determining attack success probability according to whether the response content is abnormal, a response state return value of the network side to the network attack and the launching times of the network attack;
and determining whether to process the network attack or not according to the attack success probability.
2. The method according to claim 1, wherein determining an attack success probability according to whether the response content is abnormal, a response state return value of the network side to the network attack, and the number of times of launching the network attack comprises:
acquiring an established decision tree model;
judging whether the response content is abnormal or not by adopting a root node of the decision tree model;
determining a target first-stage node corresponding to the abnormal judgment result of the response content from each first-stage node, and judging whether the response state return value is a set value or not by adopting the target first-stage node; the first level node is a child node of the root node;
determining a target second-stage node corresponding to the response state return value judgment result from each second-stage node, and judging whether the initiation times of the network attack are greater than the set times by adopting the target second-stage node; the second level node is a child node of the target first level node;
determining a target third-level node corresponding to the initiation frequency judgment result from each third-level node; the third level node is a child node of the target second level node;
and taking the value indicated by the target third-level node as the attack success probability.
3. The network attack processing method according to claim 2, wherein before the obtaining the established decision tree model, the method further comprises:
obtaining a plurality of network attack samples, wherein each network attack sample is marked whether the attack is successful or not;
inputting the multiple network attack samples into the decision tree model, and determining a third-level node to which each network attack sample belongs;
for each third-level node, counting the proportion of network attack samples which are successfully marked for attack in the contained network attack samples;
and determining the attack success probability indicated by each third-level node according to the ratio.
4. The network attack processing method according to any one of claims 1 to 3, wherein judging whether the response content is abnormal comprises:
determining that the response content is abnormal when it contains sensitive information or when the response time of the response content is greater than a threshold value.
5. The network attack processing method according to claim 4,
the sensitive information comprises one or more combinations of private data, executable system commands, rule setting functions and middleware service information with vulnerabilities.
6. The network attack processing method according to any one of claims 1 to 3, wherein the monitoring of the network attack on the network side to obtain the network attack information includes:
monitoring the network request to determine that an attack request of the network attack exists;
and recording response content, initiation times and response state return values of the attack requests as the network attack information.
7. A network attack processing apparatus, the apparatus comprising:
a monitoring module, configured to monitor a network attack on a network end to obtain network attack information, the network attack information comprising response content and a response status return value of the network end to the network attack, and the number of times the network attack was initiated;
a determining module, configured to determine an attack success probability according to whether the response content is abnormal, a response state return value of the network end to the network attack, and the number of times of initiating the network attack;
and the processing module is used for determining whether to process the network attack according to the attack success probability.
8. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the network attack processing method according to any one of claims 1 to 6 when executing the program.
9. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the network attack processing method according to any one of claims 1 to 6.
CN201910912571.5A 2019-09-25 2019-09-25 Network attack processing method and device and electronic equipment Active CN110602135B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910912571.5A CN110602135B (en) 2019-09-25 2019-09-25 Network attack processing method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910912571.5A CN110602135B (en) 2019-09-25 2019-09-25 Network attack processing method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN110602135A true CN110602135A (en) 2019-12-20
CN110602135B CN110602135B (en) 2022-04-29

Family

ID=68863601

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910912571.5A Active CN110602135B (en) 2019-09-25 2019-09-25 Network attack processing method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN110602135B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102934122A (en) * 2010-05-07 2013-02-13 阿尔卡特朗讯公司 Method for adapting security policies of an information system infrastructure
CN103139220A (en) * 2013-03-07 2013-06-05 南京理工大学常熟研究院有限公司 Network security attack defense method using state attack and defense graph model
CN103905373A (en) * 2012-12-24 2014-07-02 珠海市君天电子科技有限公司 Method and device for intercepting network attack based on cloud
CN105337966A (en) * 2015-10-16 2016-02-17 中国联合网络通信集团有限公司 Processing method for network attacks and device
US20160182450A1 (en) * 2011-02-16 2016-06-23 Fortinet, Inc. Load balancing in a network with session information
CN106302495A (en) * 2016-08-25 2017-01-04 北京神州绿盟信息安全科技股份有限公司 The means of defence of a kind of ACK Flood attack and intervening guard device

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111144373A (en) * 2019-12-31 2020-05-12 广州市昊链信息科技股份有限公司 Information identification method and device, computer equipment and storage medium
CN112039914A (en) * 2020-09-07 2020-12-04 中国人民解放军63880部队 Network attack chain efficiency modeling method
CN113193978A (en) * 2021-03-24 2021-07-30 中国人民解放军国防科技大学 XSS attack risk analysis method and device based on Bayesian network model
CN113193978B (en) * 2021-03-24 2022-05-24 中国人民解放军国防科技大学 XSS attack risk analysis method and device based on Bayesian network model
CN115277383A (en) * 2022-07-28 2022-11-01 北京天融信网络安全技术有限公司 Log generation method and device, electronic equipment and computer readable storage medium
CN115277383B (en) * 2022-07-28 2024-03-12 北京天融信网络安全技术有限公司 Log generation method, device, electronic equipment and computer readable storage medium
CN115296941A (en) * 2022-10-10 2022-11-04 北京知其安科技有限公司 Method for detecting traffic safety monitoring equipment, attack request generation method and equipment
CN115981877A (en) * 2023-03-21 2023-04-18 航天万源云数据河北有限公司 Data safety operation method, device, server and medium of data center

Also Published As

Publication number Publication date
CN110602135B (en) 2022-04-29

Similar Documents

Publication Publication Date Title
CN110602135B (en) Network attack processing method and device and electronic equipment
US11792229B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
US11647039B2 (en) User and entity behavioral analysis with network topology enhancement
US11025674B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US20220014560A1 (en) Correlating network event anomalies using active and passive external reconnaissance to identify attack information
US11799900B2 (en) Detecting and mitigating golden ticket attacks within a domain
CN110177108B (en) Abnormal behavior detection method, device and verification system
US11848966B2 (en) Parametric analysis of integrated operational technology systems and information technology systems
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20220201042A1 (en) Ai-driven defensive penetration test analysis and recommendation system
US8549645B2 (en) System and method for detection of denial of service attacks
US11757920B2 (en) User and entity behavioral analysis with network topology enhancements
CN112073389B (en) Cloud host security situation awareness system, method, device and storage medium
US9674210B1 (en) Determining risk of malware infection in enterprise hosts
US20210360032A1 (en) Cybersecurity risk analysis and anomaly detection using active and passive external reconnaissance
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
JP2019003598A (en) System and method for detecting abnormal events
WO2021216163A2 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20230319019A1 (en) Detecting and mitigating forged authentication attacks using an advanced cyber decision platform
US20230412620A1 (en) System and methods for cybersecurity analysis using ueba and network topology data and trigger - based network remediation
US20230388278A1 (en) Detecting and mitigating forged authentication object attacks in multi - cloud environments with attestation
CN112995236A (en) Internet of things equipment safety management and control method, device and system
KR20150133370A (en) System and method for web service access control
CN116248381A (en) Alarm aggregation method and device, electronic equipment and storage medium
EP3721364A1 (en) Detecting and mitigating forged authentication object attacks using an advanced cyber decision platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant