CN110740144A - Method, device, equipment and storage medium for determining attack target - Google Patents


Info

Publication number: CN110740144A
Application number: CN201911181577.6A
Authority: CN (China)
Legal status: Granted; active
Other versions: CN110740144B (en)
Other languages: Chinese (zh)
Inventors: 李丹, 董志强
Current and original assignee: Tencent Technology Shenzhen Co Ltd
Prior art keywords: message, port number, header data, attack, determining
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201911181577.6A; published as CN110740144A and granted as CN110740144B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The method comprises the steps of receiving a request message; detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result; and, if the detection result indicates that the request message does not conform to a white list condition, determining that the attack target is the local terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type. Otherwise, the node corresponding to the source Internet Protocol (IP) address in the message header data is determined to be the attack target when the effective load data in the request message belongs to an effective load data set corresponding to the known attack type.

Description

Method, device, equipment and storage medium for determining attack target
Technical Field
The present application relates to the field of network security technologies, and in particular, to methods, apparatuses, devices, and storage media for determining an attack target.
Background
In the process of the reflection type network attack, an attack node firstly sends scanning messages to all nodes of the whole network so as to scan all the nodes, and therefore available nodes in all the nodes are determined according to whether feedback of each node is received or not. Then, the attacking node forges a source IP (Internet Protocol) address of the attacking node as an IP address of the attacked node, and sends an attack packet to the available node, so that the available node sends a feedback packet to the attacked node to use the attacked node as an attack target, thereby generating a network attack on the attack target. Such network attacks may cause the attack target to fail to operate properly, and may even cause the whole network to be paralyzed, and in order to reduce the occurrence of such situations, it is necessary to detect the network attacks and determine the attack target in time.
In the related technology, after receiving a request message, an available node sends a feedback message to the node corresponding to the source IP address of the request message. In addition, the available node analyzes the request messages received within a period and judges whether the payload data of each received request message belongs to a reference payload data set; if so, it determines that the corresponding request message is an attack message, where the reference payload data set comprises the payload data of attack messages. When more than a specified number threshold of the request messages received within the period are attack messages, the network attack is determined to be detected, and the available node determines all the nodes corresponding to the source IP addresses of the plurality of request messages as attack targets.
However, in the above method, it is necessary to detect the payload data of the request packet after receiving a plurality of request packets, and then determine the attack target, which takes a long time, so that when a network attack is detected, the transmitted feedback packet may have a great negative effect on the attack target.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for determining an attack target, which can solve the problem that determining the attack target in the related art takes a long time.
In one aspect, there is provided a method of determining an attack target, the method comprising:
receiving a request message;
detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
if the detection result indicates that the request message does not conform to the white list condition, determining that the attack target is the home terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message;
and if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining the node corresponding to the source Internet Protocol (IP) address in the message header data as the attack target when the effective load data in the request message belongs to the effective load data set corresponding to the known attack type.
In another aspect, there is provided an apparatus for determining an attack target, the apparatus comprising:
a receiving module, configured to receive the request message;
a detection module, configured to detect the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
a first determining module, configured to determine that the attack target is the home terminal when the source port number in the header data of the packet belongs to a source port number set corresponding to a known attack type if the detection result indicates that the request packet does not conform to a white list condition, where the white list condition includes a condition corresponding to a non-attack packet;
a second determining module, configured to determine, if the source port number in the header data does not belong to the source port number set corresponding to the known attack type, the node corresponding to the source Internet Protocol (IP) address in the header data as the attack target when the payload data in the request message belongs to the payload data set corresponding to the known attack type.
In another aspect, a device is provided, the device including a processor and a memory, the memory having stored therein at least one instruction, at least one program, a code set, or an instruction set, which is loaded and executed by the processor to implement the method of determining an attack target described above.
In another aspect, a computer readable storage medium is provided, wherein at least one instruction, at least one program segment, a code set, or an instruction set is stored in the storage medium and is loaded and executed by a processor to implement the above-described method for determining an attack target.
In another aspect, there is provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of determining an attack target as described above.
The technical scheme provided by the application can at least bring the following beneficial effects:
When the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, a further judgment step is needed: when the effective load data in the request message belongs to the effective load data set corresponding to the known attack type, it is determined that a network attack is detected and that the attack target is the node corresponding to the source IP address in the message header data. In this way, after a request message is received, it is judged according to the white list condition, the source port number and the effective load data, so that normal communication between nodes is not mistaken for an attack, the attack target can be determined from a single request message without waiting for a plurality of attack messages, and the detection efficiency is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of the scanning process shown in accordance with an exemplary embodiment of the present application;
FIG. 2 is a schematic diagram of the attack process shown in accordance with an exemplary embodiment of the present application;
FIG. 3 is a flowchart illustrating a method of determining an attack target according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram of the attack process shown in accordance with another exemplary embodiment;
FIG. 5 is a schematic illustration of the scanning process shown in accordance with another exemplary embodiment;
FIG. 6 is a flowchart illustrating a method of determining an attack target according to another exemplary embodiment;
FIG. 7 is a block diagram illustrating an apparatus for determining an attack target according to an exemplary embodiment of the present application;
FIG. 8 is a schematic diagram of the structure of a device shown in accordance with an exemplary embodiment.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, embodiments of the present application will be described in further detail with reference to the accompanying drawings.
Before explaining the method for determining the attack target provided by the embodiment of the present application in detail, an application scenario and an implementation environment provided by the embodiment of the present application are introduced.
First, an application scenario provided in the embodiment of the present application is introduced.
When an attack node uses a reflection method to attack a network, firstly, a scanning message is sent to all nodes of the whole network, and whether a feedback message is received or not is determined. The attack node knows whether the scanning message sent by the attack node is the scanning message of the known attack type or not and the feedback message corresponding to each known attack type. Therefore, if a feedback message is received, the attack node can determine whether the feedback message is a feedback message corresponding to a known attack type, and if so, the node sending the feedback message is recorded. In general, the payload data of the feedback packet corresponding to the known attack type is fixed. When the received feedback message is not the feedback message corresponding to the known attack type, judging whether the length of the effective load data of the feedback message is larger than a length threshold value, if so, recording the nodes sending the feedback message, wherein the recorded nodes are available nodes which can be utilized when network attack is carried out. This process is commonly referred to as the scanning process and the implementation can be seen in fig. 1.
The length threshold may be set by a user according to actual needs, or may be set by a node default, which is not limited in the embodiment of the present application. Illustratively, the length threshold may be 1400 bytes.
When an attack is initiated, the attacking node changes the source IP address of the attacking message into the IP address of the attacked node, sends the attacking message to the available node, and after the available node receives the attacking message, sends a feedback message to the node corresponding to the source IP address of the attacking message, namely sends the feedback message to the attacked node, so that the attacked node is used as an attack target, and thus, the reflective network attack is formed. This process is commonly referred to as an attack process and the implementation process can be seen in fig. 2.
The method for determining the attack target provided by the embodiment of the application can be applied to scenes of DDOS (distributed denial of Service) attack detection, attack flow cleaning, threat information perception and the like, and is used for detecting network attacks and determining the attack target so as to take corresponding measures in advance.
Next, an implementation environment provided by the embodiment of the present application is described.
The implementation environment provided by the embodiment of the present application includes a plurality of nodes, where the plurality of nodes all belong to the internet, and any two nodes in the plurality of nodes may be in communication connection, where the communication connection may be a wired connection or a wireless connection, and the embodiment of the present application does not limit this.
The plurality of nodes may be a plurality of servers in the network, and nodes other than the attack node among the plurality of nodes may be configured to receive the request packet and transmit the feedback packet according to the received request packet.
Those skilled in the art will appreciate that the above described nodes are by way of example only and that other existing or future nodes, as may be suitable for use in the present application, are also encompassed within the scope of the present application and are hereby incorporated by reference.
After the application scenario and the implementation environment provided by the embodiment of the present application are introduced, a detailed explanation is next given to the method for determining an attack target provided by the embodiment of the present application.
Fig. 3 is a flowchart of a method for determining an attack target, which is provided by an embodiment of the present application and is applied in the foregoing implementation environment. Referring to fig. 3, the method may include the following steps:
Step 301: receiving a request message.
As an example, the request message may include five-tuple information, payload data length, physical address, tag information, and the like.
For example, the quintuple information may include a source IP address, a source port number, a destination IP address, a destination port number, and payload data; that is, the quintuple information in the embodiment of the present application may be customized by a user and is a set of customized information.
As another example, the request message may include heptatuple information, payload data length, physical address, tag information, and the like, where the heptatuple information may include a source IP address, a source port number, a destination IP address, a destination port number, a transport layer protocol number, a service type, and an interface index.
As yet another example, the request message may include quadruple information, payload data length, physical address and tag information, among other things.
Step 302: detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result.
The header data of the request message may at least include quintuple information; or, the header data of the request message may at least include seven-tuple information; alternatively, the header data of the request message may include at least quadruple information.
As an example, the request packet may be detected according to one or more items of information among the source IP address, the source port number, the destination IP address and the destination port number in the header data of the request packet, so as to obtain a detection result.
Further, after receiving the request message, the node may also determine the transport layer protocol used by the request message according to the transport layer protocol number in the header data, so that it can subsequently determine what kind of transport layer protocol network attack is detected.
For example, it may be determined whether the transport layer protocol indicated by the transport layer protocol number in the header data is the UDP (User Datagram Protocol) protocol. When it is determined that the transport layer protocol is the UDP protocol, it is determined that a network attack using the UDP protocol is to be detected, at which point step 302 is performed; if the transport layer protocol is not the UDP protocol, the request message may be stored, but step 302 and the subsequent operations are not performed.
It should be noted that, when it is determined that the transport layer protocol is the UDP protocol, the request message also needs to be stored, and then step 302 and the subsequent steps are performed. In practical implementation, the request message may be stored in the form of log information.
Step 303: if the detection result indicates that the request message does not conform to the white list condition, determining that the attack target is the home terminal when the source port number in the message header data belongs to the source port number set corresponding to the known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message.
The white list condition can be any one or more of a specified source IP address, a specified destination IP address, a specified source port number and a specified destination port number, and there can be one or more of each of the specified source IP address, the specified destination IP address, the specified source port number and the specified destination port number.
In a possible implementation, it may be detected whether the request packet meets the white list condition according to one or more items in the header data of the request packet, so as to obtain the detection result.
Illustratively, assuming that the white list condition is a plurality of specified source IP addresses, when detecting whether the request packet meets the white list condition: when the plurality of specified source IP addresses include the source IP address of the request packet, the request packet may be considered not to be an attack packet, and no subsequent operation is performed on the request packet; when the plurality of specified source IP addresses do not include the source IP address of the request packet, the request packet may be considered to be an attack packet, and the subsequent operation is required to make the determination in a subsequent step.
Or, assuming that the white list condition is a plurality of specified source IP addresses and a plurality of specified source port numbers, when detecting whether the request packet meets the white list condition: when the plurality of specified source IP addresses include the source IP address of the request packet and the plurality of specified source port numbers include the source port number of the request packet, it may be determined that the request packet is not an attack packet and no subsequent operation is performed on the request packet; when the plurality of specified source IP addresses do not include the source IP address of the request packet and/or the plurality of specified source port numbers do not include the source port number of the request packet, it may be considered that the request packet is possibly an attack packet and a subsequent operation is required to make a further determination.
That is, when the detection result indicates that the request packet does not meet the white list condition, it may be considered that the request packet may be an attack packet, and a further detection step needs to be performed on the request packet; when the detection result indicates that the request packet meets the white list condition, it may be considered that the request packet is not an attack packet, but a non-attack packet received in normal data communication between nodes.
It should be noted that the white list condition is actually a set of filter rules, and may be set by a user according to actual needs, or may be set by a node default, which is not limited in this embodiment of the present application.
In a possible implementation, if the detection result indicates that the request packet does not meet the white list condition, it is determined that the attack target is the home terminal when the source port number in the header data of the packet belongs to the set of source port numbers corresponding to known attack types.
The known attack types are network attack types that have already been analyzed; the number of known attack types can be multiple, each known attack type can correspond to at least one source port number, and the source port numbers of the multiple known attack types form a source port number set.
That is to say, when the detection result indicates that the request packet does not meet the white list condition, it may be determined that the request packet may be an attack packet, and the determination may be continued according to the source port number in the header data of the request packet.
As an example, assume that the source port number set corresponding to the known attack types includes source port 1, source port 3, source port 4, and source port 6, and that the source port number in the header data is source port 6; it can be considered that the source port number set includes the source port number of the header data, the request packet is an attack packet, and the attack target is the local end.
In other embodiments, if the detection result indicates that the request packet does not meet the white list condition, when the number of request packets subsequently received by the local terminal far exceeds several tens of thousands, it is not necessary to determine the source port number, and it can be directly determined that a network attack is detected and the attack target is the local terminal.
It should be noted that this step describes an implementation method when the source port number in the header data belongs to a set of source port numbers corresponding to known attack types. Next, an implementation method when the source port number in the header data does not belong to the set of source port numbers corresponding to the known attack types is described. There is no precedence between step 303 and step 304.
Step 304: if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining the node corresponding to the source IP address in the message header data as the attack target when the effective load data in the request message belongs to the effective load data set corresponding to the known attack type.
The number of known attack types can be multiple, each known attack type can correspond to at least one piece of payload data, and the payload data of the multiple known attack types form a payload data set.
That is to say, when the source port number in the header data of the packet does not belong to the source port number set corresponding to the known attack types, the request packet may not be an attack packet, and a further step is necessary to detect whether the payload data of the request packet belongs to the payload data set corresponding to the known attack types, with subsequent steps performed according to the detection result.
As an example, assume that the source port number set corresponding to the known attack types includes source port 1, source port 3, source port 4, and source port 6, and that the source port number in the header data is source port 9; it may be considered that the source port number set does not include the source port number of the header data, the request packet may not be an attack packet, and the payload of the request packet needs to be detected in a further step.
As an example, when the payload data of the request packet belongs to the payload data set corresponding to the known attack types, it may be determined that the request packet is an attack packet, which indicates that a network attack is detected: the attacking node regards the home terminal as an available node and, when sending the request packet to the home terminal, disguises the source IP address in the packet header data as the IP address of the attacked node, so it may be determined that the node corresponding to the source IP address in the packet header data is the attack target, as shown in fig. 4.
Exemplarily, assume that the payload data set corresponding to the known attack types includes payload data A, payload data B, payload data D, and payload data F, and that the payload data of the request packet is payload data A; it can be considered that the payload data set includes the payload data of the request packet, the request packet is an attack packet, and the attack target is the node corresponding to the source IP address in the packet header data.
It should be noted that this step describes an implementation method when the payload data of the request packet belongs to the payload data set corresponding to the known attack types. Next, an implementation method when the payload data of the request packet does not belong to the payload data set corresponding to the known attack types is described. There is no precedence between step 304 and step 305.
Step 305: when the effective load data in the request message does not belong to the effective load data corresponding to the known attack type, determining the request message as a scanning message.
That is, when the payload data in the request message does not belong to the payload data corresponding to the known attack types, the request message is not an attack message but a scan message sent by the attack node in the scanning process.
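As an added illustration (not code from the patent), the decision procedure of steps 302 to 305 can be written as one classification function over the header data and payload of a received request message; the header field names, the rule that every configured white list field must match, and the sample sets are assumptions or constructed values.

```python
"""Decision procedure of steps 302-305 for one received request message.

Added illustration, not the patent's code. Header field names, the whitelist
semantics (every configured field must match) and the sample sets below are
assumptions or constructed values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional, Tuple

UDP = 17  # IANA transport-layer protocol number for UDP


class Verdict(Enum):
    STORED_ONLY = "not UDP: stored as log information, steps 302-305 not performed"
    NOT_ATTACK = "meets white list condition: normal communication between nodes"
    ATTACK_TARGET_LOCAL = "attack message; attack target is the local end"
    ATTACK_TARGET_SOURCE_IP = "reflected attack message; target is the node at the (spoofed) source IP"
    SCAN = "scanning message sent by the attacking node"


@dataclass(frozen=True)
class Header:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int  # transport-layer protocol number from the header data


@dataclass(frozen=True)
class Request:
    header: Header
    payload: bytes


@dataclass(frozen=True)
class Whitelist:
    """White list condition: any one or more of the four specified fields.

    An empty set means the field is not part of the condition. The request
    meets the condition only if every configured field contains its value
    (assumed reading of the "and/or" rule in the text).
    """
    src_ips: FrozenSet[str] = frozenset()
    dst_ips: FrozenSet[str] = frozenset()
    src_ports: FrozenSet[int] = frozenset()
    dst_ports: FrozenSet[int] = frozenset()

    def matches(self, h: Header) -> bool:
        checks = [
            (self.src_ips, h.src_ip),
            (self.dst_ips, h.dst_ip),
            (self.src_ports, h.src_port),
            (self.dst_ports, h.dst_port),
        ]
        configured = [(s, v) for s, v in checks if s]
        return bool(configured) and all(v in s for s, v in configured)


@dataclass(frozen=True)
class KnownAttackTypes:
    # Union, over all analysed attack types, of their source port numbers and payloads
    source_ports: FrozenSet[int]
    payloads: FrozenSet[bytes]


def determine_attack_target(req: Request, wl: Whitelist,
                            known: KnownAttackTypes) -> Tuple[Verdict, Optional[str]]:
    """Return (verdict, attack target); the target is 'local', a source IP, or None."""
    h = req.header
    if h.protocol != UDP:                   # embodiment only looks for UDP attacks
        return Verdict.STORED_ONLY, None
    if wl.matches(h):                       # step 302/303: white list condition met
        return Verdict.NOT_ATTACK, None
    if h.src_port in known.source_ports:    # step 303: known reflector source port
        return Verdict.ATTACK_TARGET_LOCAL, "local"
    if req.payload in known.payloads:       # step 304: spoofed source IP is the victim
        return Verdict.ATTACK_TARGET_SOURCE_IP, h.src_ip
    return Verdict.SCAN, None               # step 305


# Constructed sample data mirroring the abstract examples in the text
KNOWN = KnownAttackTypes(source_ports=frozenset({1, 3, 4, 6}),
                         payloads=frozenset({b"A", b"B", b"D", b"F"}))
WHITELIST = Whitelist(src_ips=frozenset({"10.0.0.5"}))


def make_request(src_ip: str, src_port: int, payload: bytes, protocol: int = UDP) -> Request:
    """Build a constructed request addressed to the local node 10.0.0.1, port 53."""
    return Request(Header(src_ip, src_port, "10.0.0.1", 53, protocol), payload)


if __name__ == "__main__":
    for r in (make_request("10.0.0.5", 6, b"A"), make_request("192.0.2.7", 6, b"Z"),
              make_request("192.0.2.7", 9, b"A"), make_request("192.0.2.7", 9, b"Z")):
        print(determine_attack_target(r, WHITELIST, KNOWN))
```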
In the scanning process, after the scanning data of the attack node is received, since the attack node determines whether the node is available according to whether the feedback message is received and the length of the payload data of the feedback message, in order to make the attack node consider the local terminal as an available node and further send the attack message to the local terminal, the feedback message needs to be sent to the attack node according to the requirement of the attack node.
In a possible implementation, after determining that the request packet is a scan packet, a feedback packet corresponding to the scan packet may be determined according to the destination port number in the header data, and the feedback packet is sent to the node corresponding to the source IP address in the header data.
As an example, after determining that the request message is a scan message, a specific implementation of determining the feedback message corresponding to the scan message according to the destination port number in the header data may include: when the destination port number in the header data belongs to the set of destination port numbers corresponding to known attack types, acquiring the message corresponding to the known attack type and taking the acquired message as the feedback message.
The length threshold may be set by a user according to actual needs, or may be set by a node default, and may be adjusted according to actual conditions, which is not limited in the embodiments of the present application.
The number of known attack types can be multiple, each known attack type can correspond to at least one destination port number, and the destination port numbers of the multiple known attack types form a destination port number set.
That is, when determining the feedback packet corresponding to the scan packet, the feedback packet needs to be determined according to the destination port number in the header data of the packet. When the destination port number in the message header data belongs to the destination port number set corresponding to the known attack types, a corresponding message that has already been analyzed in advance exists for the request message of that known attack type, and the node only needs to acquire the message corresponding to the known attack type and take the acquired message as the feedback message. When the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack types, in order to make the attack node confirm the local end as an available node, the judgment condition used by the attack node for available nodes can be taken into account: a message with a length larger than the length threshold is constructed, and the constructed message is used as the feedback message.
In other examples, after determining that the request message is a scan message, the local node may not determine the feedback message according to the destination port number: because in the scanning stage the attack node is only concerned with whether a feedback message is sent and with the length of the payload data of the feedback message, and not with the specific characteristics of the feedback message, the local node may directly construct a message with a length greater than the length threshold and use the constructed message as the feedback message.
As an example, after determining the feedback packet, the node may directly send the feedback packet to the node corresponding to the source IP address in the header data, as shown in fig. 5.
As another example, referring to fig. 6, before sending the feedback packet to the node corresponding to the source IP address in the header data, check information may be obtained, one or more items in the header data of the request packet may be checked based on the check information, and when the one or more items in the header data of the request packet pass the check, the step of sending the feedback packet to the node corresponding to the source IP address in the header data may be performed.
The check information may include one or more items in the header data of the packet, or may be a check code obtained by performing an MD5 (Message-Digest Algorithm 5) calculation based on the source IP address, the destination port, and the timestamp.
Illustratively, when the check information includes at least one source IP address, the source IP address in the header data of the request message may be compared with the at least one source IP address of the check information; when the at least one source IP address of the check information includes the source IP address in the header data, the local end may be considered to have already sent a feedback message to the node corresponding to the source IP address in the header data, that is, it is determined that the check fails, and no feedback message is sent.
In a possible implementation, when the check information is a plurality of check codes, an MD5 calculation may be performed according to the source IP address, the destination port, and the timestamp of the request packet to obtain the check code of the request packet; when the plurality of check codes include the check code of the request packet, it may be determined that the check fails, and when the plurality of check codes do not include the check code of the request packet, it may be determined that the check passes, and a feedback packet is sent to the node corresponding to the source IP address in the packet header data.
Illustratively, the check code of a UDP scan packet may be obtained by performing an MD5 calculation according to the hour timestamp, the source IP address, the destination IP address, and the destination port. The check code of a TCP scan packet may be obtained by performing an MD5 calculation according to the timestamp, the source IP address, the destination IP address, and the destination port.
It is worth to mention that when sending a feedback packet to a node corresponding to a source IP address in header data of a packet, only a small amount of feedback packets may be sent, so as to prevent the local end from being actually utilized.
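The feedback-packet procedure above (select the reply by destination port, compute the MD5 check code, refuse duplicates, and cap how much is sent to one source), as an added Python example; this is not the patent's own code. The packet dict layout, the canned replies, the 1024-byte length threshold and the per-source cap of three replies are assumptions made for the example, and the sample scans are constructed.

```python
"""Added example (not the patent's code): feedback-packet selection and
MD5 check-code deduplication for scan packets."""
import hashlib
from collections import defaultdict

LENGTH_THRESHOLD = 1024        # assumed: reply length the scanner treats as "usable"
MAX_FEEDBACK_PER_SOURCE = 3    # assumed cap so the local end is not actually used as a reflector

# Assumed table (constructed sample data): destination ports of known attack types
# mapped to the reply payload that was analysed in advance for that type.
KNOWN_ATTACK_REPLIES = {
    1900:  b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n",
    11211: b"STAT pid 1\r\nEND\r\n",
}


def check_code(pkt):
    """MD5 check code of a scan packet as the text describes it: the timestamp is
    truncated to the hour for UDP and used as-is for TCP; source IP, destination IP
    and destination port are always included."""
    ts = int(pkt["timestamp"])
    if pkt["proto"] == "udp":
        ts -= ts % 3600
    material = "{}|{}|{}|{}".format(ts, pkt["src_ip"], pkt["dst_ip"], pkt["dst_port"])
    return hashlib.md5(material.encode()).hexdigest()


def build_feedback(pkt):
    """Pick the feedback packet from the destination port: a pre-analysed reply for a
    known attack type, otherwise a constructed packet longer than the threshold."""
    reply = KNOWN_ATTACK_REPLIES.get(pkt["dst_port"])
    if reply is not None:
        return reply
    # The scanner only checks that a reply arrives and how long it is, so any
    # payload above the threshold makes it record this node as available.
    return b"\x00" * (LENGTH_THRESHOLD + 1)


class FeedbackResponder:
    """Decides whether, and with what, to answer a scan packet."""

    def __init__(self):
        self.seen_codes = set()                 # check codes of scans already answered
        self.sent_per_source = defaultdict(int)  # replies sent per source IP

    def respond(self, pkt):
        """Return the feedback bytes to send, or None when the check fails."""
        code = check_code(pkt)
        if code in self.seen_codes:
            return None   # same scanner, same hour (UDP) or same instant (TCP): already answered
        if self.sent_per_source[pkt["src_ip"]] >= MAX_FEEDBACK_PER_SOURCE:
            return None   # cap reached: stop feeding this source
        self.seen_codes.add(code)
        self.sent_per_source[pkt["src_ip"]] += 1
        return build_feedback(pkt)


def demo():
    """Run a constructed sequence of scans from one source and return the outcomes."""
    r = FeedbackResponder()
    base = {"proto": "udp", "src_ip": "198.51.100.7", "dst_ip": "203.0.113.5",
            "dst_port": 1900, "timestamp": 1700000000}
    scans = [
        base,                                              # first SSDP probe: canned reply
        dict(base, timestamp=1700000100),                  # same hour: duplicate, dropped
        dict(base, timestamp=1700003700),                  # next hour: answered again
        dict(base, dst_port=4444, timestamp=1700007300),   # unknown port: padded reply
        dict(base, dst_port=5555, timestamp=1700010900),   # over the per-source cap: dropped
    ]
    return [r.respond(s) for s in scans]


if __name__ == "__main__":
    for i, out in enumerate(demo(), 1):
        print(i, None if out is None else len(out))
```

The hour truncation is what makes the UDP check code a deduplication key rather than a per-packet hash; for TCP the full timestamp is used because a TCP scanner completes a handshake per probe and a repeat within the same second is not expected.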
It should be noted that when the number of available nodes is very large, the attacking node may simply send attack packets to every available node in the attack phase, and in the scanning phase it may likewise send scan packets to every node; in that case the scan packets may be identical to the attack packets.
In some embodiments, after determining that the request packet is a scan packet, the method may further include reporting the scan packet and receiving an analysis result fed back for it. When the analysis result indicates that the scan packet is an attack packet, the attack type in the analysis result is obtained and recorded as a known attack type, and the known attack type is stored in correspondence with either the source port number of the scan packet or the payload data of the scan packet.
As one example, after the request packet is determined to be a scan packet, it is reported to a device on the product side, where it is analyzed (for example, manually). The analysis result fed back for the scan packet is received, the attack type in it is obtained, and that attack type is recorded as a known attack type. In this way a previously unknown attack type can be discovered in time from the analysis result.
As one example, when the analysis result indicates that the attack target of the known attack type is the local terminal, the known attack type is stored in correspondence with the source port number of the scan packet; when the analysis result indicates that the attack target is not the local terminal, the known attack type is stored in correspondence with the payload data of the scan packet.
In addition, reporting the attack data and the scan data, synchronizing them with the product side, and linking them with network attack detection, network attack cleaning products or other threat intelligence products allows attacking nodes to be identified, which provides important information for later network attack detection.
Further, referring to fig. 6, when the node receives request packets it may also monitor the volume of received request traffic, and only when that volume is large does it detect the request packets to determine the attack target.
In the embodiment of the application, after a request packet is received, it is detected according to one or more pieces of information in its header data to obtain a detection result. If the detection result indicates that the request packet does not conform to the white list condition, the packet is not a non-attack packet exchanged in normal data transmission between nodes and may be an attack packet. Then, when the source port number in the header data belongs to the source port number set corresponding to a known attack type, the attack target is determined to be the home terminal. When the source port number does not belong to such a set, a further judgment is required: when the payload data in the request packet belongs to the payload data set corresponding to a known attack type, a network attack is determined to have been detected, and the attack target is the node corresponding to the source IP address in the header data.
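The decision procedure summarised above, together with the reporting and storage step from the preceding paragraphs, as an added Python example that is not the patent's own code. The white list condition is reduced to an allow-list of (protocol, destination port) pairs, payload matching is exact, and the seed sets (SSDP source port 1900, the M-SEARCH payload) and sample packets are constructed values; all of these are assumptions made for the example.

```python
"""Added example (not the patent's code): attack-target determination from
source port set, payload set, and the learning step fed by analysis results."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    WHITELISTED = "whitelisted"      # matches the white list condition: normal traffic
    TARGET_LOCAL = "target_local"    # source port set matched: this node is the attack target
    TARGET_SOURCE = "target_source"  # payload set matched: the node at the source IP is the target
    SCAN = "scan"                    # nothing matched: treat as a scan packet


@dataclass
class AttackTargetDetector:
    # Assumed white list condition: (proto, dst_port) pairs this node legitimately serves.
    whitelist: set = field(default_factory=set)
    # known attack type -> source ports seen when the attack hits this node directly
    src_port_sets: dict = field(default_factory=dict)
    # known attack type -> request payloads seen when this node is used as a reflector
    payload_sets: dict = field(default_factory=dict)

    def detect(self, pkt):
        """Return (verdict, attack_type) for one request packet."""
        if (pkt["proto"], pkt["dst_port"]) in self.whitelist:
            return Verdict.WHITELISTED, None
        for attack, ports in self.src_port_sets.items():
            if pkt["src_port"] in ports:
                return Verdict.TARGET_LOCAL, attack
        for attack, payloads in self.payload_sets.items():
            if pkt["payload"] in payloads:       # exact membership, as the text states it
                return Verdict.TARGET_SOURCE, attack
        return Verdict.SCAN, None

    def learn(self, scan_pkt, analysis):
        """Apply the analysis result fed back for a reported scan packet: the attack
        type is keyed by source port when the target was this node, otherwise by
        the scan packet's payload."""
        if not analysis.get("is_attack"):
            return
        attack = analysis["attack_type"]
        if analysis.get("target_is_local"):
            self.src_port_sets.setdefault(attack, set()).add(scan_pkt["src_port"])
        else:
            self.payload_sets.setdefault(attack, set()).add(scan_pkt["payload"])


def make_detector():
    """Detector seeded with constructed sample data (illustrative, not from the patent)."""
    return AttackTargetDetector(
        whitelist={("tcp", 443)},
        src_port_sets={"ssdp_reflection": {1900}},
        payload_sets={"ssdp_reflection": {b"M-SEARCH * HTTP/1.1\r\n"}},
    )


def demo():
    """Classify four constructed packets, then show the learning step."""
    det = make_detector()
    https = {"proto": "tcp", "src_port": 51000, "dst_port": 443, "payload": b""}
    reflected = {"proto": "udp", "src_port": 1900, "dst_port": 40000, "payload": b"HTTP/1.1 200 OK"}
    spoofed = {"proto": "udp", "src_port": 40000, "dst_port": 1900, "payload": b"M-SEARCH * HTTP/1.1\r\n"}
    probe = {"proto": "udp", "src_port": 53000, "dst_port": 11211, "payload": b"\x00\x01\x00\x00stats\r\n"}
    before = [det.detect(p) for p in (https, reflected, spoofed, probe)]
    # The probe is reported; the analysis says it is a memcached reflection request
    # aimed at the spoofed source, so it is stored against the payload, not the source port.
    det.learn(probe, {"is_attack": True, "attack_type": "memcached_reflection", "target_is_local": False})
    return before, det.detect(probe)


if __name__ == "__main__":
    before, after = demo()
    for v in before:
        print(v)
    print("after learning:", after)
```

The two directions of the decision are what matter: a matching source port means the local node is being hit by replies of a known reflection attack, while a matching request payload means the local node is being asked to generate those replies toward a spoofed source, which is then the real target.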
Fig. 7 is a schematic structural diagram of an apparatus for determining an attack target according to an exemplary embodiment of the present application. The apparatus may be implemented by software, hardware, or a combination of the two as part or all of a device. Referring to fig. 7, the apparatus may include a receiving module 701, a detecting module 702, a first determining module 703, and a second determining module 704.
A receiving module 701, configured to receive a request packet;
a detection module 702, configured to detect the request packet according to one or more items of information in the header data of the request packet, so as to obtain a detection result;
a first determining module 703, configured to determine, if the detection result indicates that the request packet does not conform to the white list condition, that the attack target is the home terminal when the source port number in the header data belongs to the source port number set corresponding to a known attack type, where the white list condition includes a condition corresponding to a non-attack packet;
a second determining module 704, configured to determine, if the source port number in the header data does not belong to the source port number set corresponding to a known attack type, the node corresponding to the source Internet Protocol (IP) address in the header data as the attack target when the payload data in the request packet belongs to the payload data set corresponding to a known attack type.
In one possible implementation of the present application, the second determining module 704 is further configured to:
when the payload data in the request packet does not belong to the payload data set corresponding to a known attack type, determine the request packet to be a scan packet;
determine a feedback packet corresponding to the scan packet according to the destination port number in the header data;
and send the feedback packet to the node corresponding to the source IP address in the header data.
In one possible implementation of the present application, the second determining module 704 is configured to:
when the destination port number in the header data belongs to the destination port number set corresponding to a known attack type, acquire the packet corresponding to the known attack type and use the acquired packet as the feedback packet;
and when the destination port number in the header data does not belong to the destination port number set corresponding to a known attack type, construct a packet whose length is greater than the length threshold and use the constructed packet as the feedback packet.
In one possible implementation of the present application, the second determining module 704 is further configured to:
acquire check information;
check one or more items in the header data of the request packet based on the check information;
and when the one or more items in the header data of the request packet pass the check, execute the step of sending the feedback packet to the node corresponding to the source IP address in the header data.
In one possible implementation of the present application, the second determining module 704 is further configured to:
report the scan packet;
receive an analysis result fed back for the scan packet;
when the analysis result indicates that the scan packet is an attack packet, acquire the attack type in the analysis result and record the attack type as a known attack type;
and store the known attack type in correspondence with the source port number of the scan packet, or store the known attack type in correspondence with the payload data of the scan packet.
It should be noted that the division of functional modules described for the apparatus in the foregoing embodiment is only illustrative; in practical applications the functions may be distributed among different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
FIG. 8 is a block diagram of a device, which may be a server, according to an exemplary embodiment of the present application. The device 800 includes a central processing unit (CPU) 801, a system memory 804 including a random access memory (RAM) 802 and a read-only memory (ROM) 803, and a system bus 805 connecting the system memory 804 and the central processing unit 801. The device 800 also includes a basic input/output system (I/O system) 806 that facilitates the transfer of information between the various components within the computer, and a mass storage device 807 for storing an operating system 813, application programs 814, and other program modules 815.
The basic input/output system 806 includes a display 808 for displaying information and an input device 809 such as a mouse, keyboard, etc. for user input of information. Wherein a display 808 and an input device 809 are connected to the central processing unit 801 through an input output controller 810 connected to the system bus 805. The basic input/output system 806 may also include an input/output controller 810 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, input-output controller 810 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 807 is connected to the central processing unit 801 through a mass storage controller (not shown) connected to the system bus 805. The mass storage device 807 and its associated computer-readable media provide non-volatile storage for the device 800. That is, the mass storage device 807 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM (Compact Disc Read-Only Memory) drive.
Computer storage media includes RAM, ROM, EPROM (Erasable Programmable Read Only Memory), EEPROM (electrically Erasable Programmable Read Only Memory), flash Memory or other solid state storage technology, CD-ROM, DVD (Digital Video Disc) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices.
According to various embodiments of the present application, device 800 may also operate as a remote computer connected to a network through a network, such as the Internet. That is, the device 800 may be connected to a network 812 through a network interface unit 811 coupled to the system bus 805, or may be connected to other types of networks or remote computer systems (not shown) using the network interface unit 811.
The memory further includes one or more programs, which are stored in the memory and configured to be executed by the CPU.
In some embodiments, a computer-readable storage medium is also provided, in which at least one instruction, at least one program segment, a code set, or an instruction set is stored; the at least one instruction, the at least one program segment, the code set, or the instruction set is loaded and executed by a processor to implement the method for determining an attack target in the above embodiments.
It is noted that the computer-readable storage medium referred to herein may be a non-volatile storage medium, in other words, a non-transitory storage medium.
When implemented in software, the implementation may be realized in whole or in part in the form of a computer program product comprising one or more computer instructions.
That is, in some embodiments, a computer program product containing instructions that, when executed on a computer, cause the computer to perform the above-described method for determining an attack target is also provided.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

  1. A method for determining an attack target, applied to any node in the Internet, the method comprising:
    receiving a request message;
    detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
    if the detection result indicates that the request message does not conform to a white list condition, determining that the attack target is the home terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message;
    and if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining the node corresponding to the source Internet Protocol (IP) address in the message header data as the attack target when the payload data in the request message belongs to a payload data set corresponding to the known attack type.
  2. The method of claim 1, wherein the method further comprises:
    when the effective load data in the request message does not belong to the effective load data set corresponding to the known attack type, determining the request message as a scanning message;
    determining a feedback message corresponding to the scanning message according to a destination port number in the message header data;
    and sending the feedback message to a node corresponding to the source IP address in the message header data.
  3. The method of claim 2, wherein the determining the feedback packet corresponding to the scan packet according to the destination port number in the header data comprises:
    when the destination port number in the message header data belongs to a destination port number set corresponding to a known attack type, acquiring a message corresponding to the known attack type, and taking the acquired message as the feedback message;
    and when the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack type, constructing a message with the length larger than the length threshold value, and taking the constructed message as the feedback message.
  4. The method of claim 2, wherein before sending the feedback packet to the node corresponding to the source IP address in the header data, the method further comprises:
    acquiring check information;
    checking one or more items in the message header data of the request message based on the check information;
    and when the one or more items in the message header data of the request message pass the check, executing the step of sending the feedback message to the node corresponding to the source IP address in the message header data.
  5. The method of claim 2, wherein after determining that the request message is a scan message, the method further comprises:
    reporting the scanning message;
    receiving an analysis result fed back by aiming at the scanning message;
    when the analysis result indicates that the scanning message is an attack message, acquiring an attack type in the analysis result, and determining the attack type as a known attack type;
    and correspondingly storing the determined known attack type and the source port number of the scanning message, or correspondingly storing the determined known attack type and the payload data of the scanning message.
  6. An apparatus for determining an attack target, the apparatus comprising:
    a receiving module, configured to receive a request message;
    a detection module, configured to detect the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
    a first determining module, configured to determine that the attack target is the home terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type if the detection result indicates that the request message does not conform to a white list condition, wherein the white list condition comprises a condition corresponding to a non-attack message;
    a second determining module, configured to determine, if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, the node corresponding to the source Internet Protocol (IP) address in the message header data as the attack target when the payload data in the request message belongs to a payload data set corresponding to the known attack type.
  7. The apparatus of claim 6, wherein the second determining module is further configured to:
    when the effective load data in the request message does not belong to the effective load data set corresponding to the known attack type, determining the request message as a scanning message;
    determining a feedback message corresponding to the scanning message according to a destination port number in the message header data;
    and sending the feedback message to a node corresponding to the source IP address in the message header data.
  8. The apparatus of claim 7, wherein the second determining module is configured to:
    when the destination port number in the message header data belongs to a destination port number set corresponding to a known attack type, acquiring a message corresponding to the known attack type, and taking the acquired message as the feedback message;
    and when the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack type, constructing a message with the length larger than the length threshold value, and taking the constructed message as the feedback message.
  9. A device, comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program segment, a code set, or an instruction set, and wherein the at least one instruction, the at least one program segment, the code set, or the instruction set is loaded and executed by the processor to implement the method for determining an attack target according to any one of claims 1 to 5.
  10. A computer-readable storage medium, wherein at least one instruction, at least one program segment, a code set, or an instruction set is stored in the storage medium, and wherein the at least one instruction, the at least one program segment, the code set, or the instruction set is loaded and executed by a processor to implement the method for determining an attack target according to any one of claims 1 to 5.
CN201911181577.6A 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target Active CN110740144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911181577.6A CN110740144B (en) 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911181577.6A CN110740144B (en) 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target

Publications (2)

Publication Number Publication Date
CN110740144A true CN110740144A (en) 2020-01-31
CN110740144B CN110740144B (en) 2022-09-16

Family

ID=69273872

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911181577.6A Active CN110740144B (en) 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target

Country Status (1)

Country Link
CN (1) CN110740144B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351002A (en) * 2020-10-21 2021-02-09 新华三信息安全技术有限公司 Message detection method, device and equipment
CN112953895A (en) * 2021-01-26 2021-06-11 深信服科技股份有限公司 Attack behavior detection method, device, equipment and readable storage medium
CN114095274A (en) * 2021-12-10 2022-02-25 北京天融信网络安全技术有限公司 Attack studying and judging method and device
CN115150187B (en) * 2022-07-28 2024-04-26 中汽创智科技有限公司 Vehicle-mounted bus message security detection method and device, vehicle-mounted terminal and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070289013A1 (en) * 2006-06-08 2007-12-13 Keng Leng Albert Lim Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms
CN101170402A (en) * 2007-11-08 2008-04-30 华为技术有限公司 A method and system for preventing from TCP attack based on network stream technology
CN103997489A (en) * 2014-05-09 2014-08-20 北京神州绿盟信息安全科技股份有限公司 Method and device for recognizing DDoS bot network communication protocol
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN106534100A (en) * 2016-11-07 2017-03-22 深圳市楠菲微电子有限公司 Distributed attack detection method and device based on custom field for use in switch chip
CN108737344A (en) * 2017-04-20 2018-11-02 腾讯科技(深圳)有限公司 A kind of network attack protection method and device
CN108881294A (en) * 2018-07-23 2018-11-23 杭州安恒信息技术股份有限公司 Attack source IP portrait generation method and device based on attack
CN108924163A (en) * 2018-08-14 2018-11-30 成都信息工程大学 Attacker's portrait method and system based on unsupervised learning
CN109587117A (en) * 2018-11-09 2019-04-05 杭州安恒信息技术股份有限公司 A kind of anti-replay-attack method of the whole network udp port scanning
CN109802937A (en) * 2018-11-30 2019-05-24 浙江远望信息股份有限公司 A method of IP spoofing under intelligent terminal TCP is attacked in discovery

Also Published As

Publication number Publication date
CN110740144B (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40020852; Country of ref document: HK)
SE01 Entry into force of request for substantive examination
GR01 Patent grant