CN110740144B - Method, device, equipment and storage medium for determining attack target

Info

Publication number
CN110740144B
Application number
CN201911181577.6A
Authority
CN (China)
Prior art keywords
message, attack, port number, header data, determining
Legal status
Active
Other languages
Chinese (zh)
Other versions
CN110740144A (en)
Inventor
李丹
董志强
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Events
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201911181577.6A
Publication of CN110740144A
Application granted
Publication of CN110740144B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The application discloses a method, a device, equipment and a storage medium for determining an attack target, and belongs to the technical field of network security. The method comprises the following steps: receiving a request message, and detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result. If the detection result indicates that the request message does not conform to the white list condition, the attack target is determined to be the home terminal when the source port number in the message header data belongs to the source port number set corresponding to the known attack type. Otherwise, when the payload data in the request message belongs to the payload data set corresponding to the known attack type, the node corresponding to the source Internet Protocol (IP) address in the message header data is determined as the attack target. Therefore, normal communication between nodes can be prevented from being mistaken for a network attack, detection need not wait until a plurality of request messages have been received, the efficiency of detecting the network attack is improved, and the efficiency of determining the attack target is further improved.

Description

Method, device, equipment and storage medium for determining attack target
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for determining an attack target.
Background
In a reflection type network attack, an attack node first sends scanning messages to all nodes of the whole network, and determines which of those nodes are available according to whether feedback is received from each node. The attack node then forges the source IP (Internet Protocol) address of its attack packets as the IP address of the attacked node and sends the attack packets to the available nodes, so that the available nodes send their feedback packets to the attacked node; the attacked node thus becomes the attack target and a network attack on it is generated. Such network attacks may cause the attack target to fail to operate properly, and may even paralyze the whole network, so in order to reduce the occurrence of such situations it is necessary to detect the network attack and determine the attack target in time.
In the related art, after receiving a request message, an available node sends a feedback message to the node corresponding to the source IP address of the request message. In addition, the available node analyzes the request messages received within a period of time and judges whether the payload data of each received request message belongs to a reference payload data set, which comprises the payload data of attack messages; if so, the corresponding request message is determined to be an attack message. When more than a threshold number of the request messages received within that period are attack messages, a network attack is determined to be detected, and the nodes corresponding to the source IP addresses of those request messages can be determined as the attack targets.
However, in the above method, the payload data of the request packets can only be detected after a plurality of request packets have been received, and only then is the attack target determined. This takes a long time, so that by the time a network attack is detected, the feedback packets already transmitted may have had a great negative effect on the attack target.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for determining an attack target, which can solve the problem that determining the attack target in the related art takes a long time. The technical scheme is as follows:
In one aspect, a method for determining an attack target is provided, where the method includes:
receiving a request message;
detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
if the detection result indicates that the request message does not conform to the white list condition, determining that the attack target is the home terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message;
and if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining the node corresponding to the source Internet Protocol (IP) address in the message header data as the attack target when the payload data in the request message belongs to the payload data set corresponding to the known attack type.
In another aspect, an apparatus for determining an attack target is provided, the apparatus comprising:
the receiving module is used for receiving the request message;
the detection module is used for detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
a first determining module, configured to determine that an attack target is a home terminal when a source port number in header data of the packet belongs to a source port number set corresponding to a known attack type if the detection result indicates that the request packet does not conform to a white list condition, where the white list condition includes a condition corresponding to a non-attack packet;
a second determining module, configured to determine, if the source port number in the header data does not belong to the source port number set corresponding to the known attack type, the node corresponding to the source internet protocol IP address in the header data as the attack target when the payload data in the request message belongs to the payload data set corresponding to the known attack type.
In another aspect, an apparatus is provided, which includes a processor and a memory, where at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is loaded and executed by the processor to implement the method for determining an attack target described above.
In another aspect, a computer-readable storage medium is provided, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, which is loaded and executed by a processor to implement the method for determining an attack target described above.
In another aspect, a computer program product containing instructions is provided, which when run on a computer, causes the computer to perform the method of determining an attack target as described above.
The technical scheme provided by the application can at least bring the following beneficial effects:
After the request message is received, it is detected according to one or more items of information in its message header data to obtain a detection result. If the detection result indicates that the request message does not conform to the white list condition, the request message is not a non-attack message received through normal data transmission between nodes, and may be an attack message. Then, when the source port number in the header data belongs to the set of source port numbers corresponding to the known attack types, it may be determined that the attack target is the home terminal. When the source port number in the header data does not belong to that set, further judgment is needed: when the payload data in the request message belongs to the payload data set corresponding to the known attack types, a network attack is determined to be detected, and the attack target is determined to be the node corresponding to the source IP address in the header data. Therefore, after the request message is received it is judged according to the white list condition, the source port number and the payload data; normal communication between nodes is prevented from being mistaken for a network attack, detection does not wait for a plurality of request messages to be received, the detection speed is high, the efficiency of detecting the network attack is improved, and the efficiency of determining the attack target is further improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram illustrating a scanning process in accordance with an exemplary embodiment;
FIG. 2 is a schematic diagram illustrating an attack process in accordance with an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method of determining an attack target in accordance with an exemplary embodiment;
FIG. 4 is a schematic diagram illustrating an attack process according to another exemplary embodiment;
FIG. 5 is a schematic diagram of a scanning process shown in accordance with another exemplary embodiment;
FIG. 6 is a flowchart illustrating a method of determining a target of an attack in accordance with another exemplary embodiment;
FIG. 7 is a block diagram illustrating an apparatus for determining an attack target in accordance with an exemplary embodiment;
FIG. 8 is a schematic diagram illustrating the structure of an apparatus according to an exemplary embodiment.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, the following detailed description of the embodiments of the present application will be made with reference to the accompanying drawings.
Before explaining the method for determining the attack target provided by the embodiment of the present application in detail, an application scenario and an implementation environment provided by the embodiment of the present application are introduced.
First, an application scenario provided in the embodiment of the present application is introduced.
When an attack node attacks a network using the reflection method, it first sends a scanning message to all nodes of the whole network and determines whether a feedback message is received from each. The attack node knows whether the scanning message it sent is a scanning message of a known attack type, and knows the feedback message corresponding to each known attack type. Therefore, if a feedback message is received, the attack node can determine whether it is the feedback message corresponding to a known attack type, and if so, the node that sent the feedback message is recorded. In general, the payload data of the feedback packet corresponding to a known attack type is fixed. When the received feedback message is not the feedback message corresponding to a known attack type, the attack node judges whether the length of the payload data of the feedback message is larger than a length threshold value, and if so, records the node that sent the feedback message. The recorded nodes are the available nodes that can be utilized when a network attack is carried out. This process is commonly referred to as the scanning process; an implementation can be seen in fig. 1.
The length threshold may be set by a user according to actual needs, or may be set by a node default, which is not limited in the embodiment of the present application. Illustratively, the length threshold may be 1400 bytes.
When an attack is initiated, the attack node changes the source IP address of the attack message into the IP address of the attacked node, sends the attack message to the available node, and after the available node receives the attack message, sends a feedback message to the node corresponding to the source IP address of the attack message, namely sends the feedback message to the attacked node, so that the attacked node is used as an attack target, and thus, the reflection type network attack is formed. This process is commonly referred to as an attack process and the implementation process can be seen in fig. 2.
The method for determining the attack target provided by the embodiment of the application can be applied to scenes of DDOS (Distributed Denial of Service) attack detection, attack flow cleaning, threat information perception and the like, and is used for detecting network attacks and determining the attack target so as to take corresponding measures in advance.
Next, an implementation environment provided by the embodiment of the present application is described.
The implementation environment provided by the embodiment of the present application includes a plurality of nodes, where the plurality of nodes all belong to the internet, and any two nodes in the plurality of nodes may be in communication connection, where the communication connection may be a wired connection or a wireless connection, and the embodiment of the present application does not limit this.
Some nodes in the plurality of nodes may become attack nodes, some nodes may become attacked nodes, some nodes may become available nodes, and the rest nodes are common nodes. The plurality of nodes may be a plurality of servers in a network, and nodes other than the attack node among the plurality of nodes may be configured to receive the request packet and send the feedback packet according to the received request packet.
Those skilled in the art will appreciate that the above described nodes are by way of example only and that other existing or future nodes, as may be suitable for use in the present application, are also encompassed within the scope of the present application and are hereby incorporated by reference.
After the application scenario and the implementation environment provided by the embodiment of the present application are introduced, a detailed explanation is next given to the method for determining an attack target provided by the embodiment of the present application.
Fig. 3 is a flowchart of a method for determining an attack target according to an embodiment of the present application, where the method is applied to the above implementation environment. Referring to fig. 3, the method may include the following steps:
step 301: and receiving a request message.
As an example, the request message may include five-tuple information, payload data length, a physical address, tag information, and the like. The five-tuple information may include a source IP address, a source port number, a destination IP address, a destination port number, and a transport layer protocol number. The tag information is used for numbering the request message.
It should be noted that, in an actual implementation, the five-tuple information may also include other information. For example, the five-tuple information may include a source IP address, a source port number, a destination IP address, a destination port number, and payload data. That is to say, the five-tuple information in the embodiment of the present application may be customized by a user, and is a set of customized information.
As another example, the request message may include seven-tuple information, payload data length, a physical address, tag information, and the like. The seven-tuple information may include a source IP address, a source port number, a destination IP address, a destination port number, a transport layer protocol number, a service type, and an interface index.
As yet another example, the request message may include four-tuple information, payload data length, a physical address, tag information, and the like. The four-tuple information may include a source IP address, a source port number, a destination IP address, and a destination port number.
Step 302: and detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result.
The header data of the request message may include at least five-tuple information; or, the header data of the request message may include at least seven-tuple information; alternatively, the header data of the request message may include at least four-tuple information.
As an example, the request packet may be detected according to one or more information of a source IP address, a source port number, a destination IP address, and a destination port number in header data of the request packet, so as to obtain a detection result.
Further, after receiving the request message, the transmission layer protocol used by the request message may also be determined according to the transmission layer protocol number in the message header data, so that it is possible to subsequently determine what kind of transmission layer protocol is used for the network attack.
For example, it may be determined whether the transport layer protocol indicated by the transport layer protocol number of the header data is UDP (User Datagram Protocol); when it is determined that the transport layer protocol is UDP, it is determined that a network attack using UDP is to be detected, and step 302 is then performed. If the transport layer protocol is not UDP, the request message may be stored, but step 302 and the subsequent operations are not performed.
It should be noted that, when it is determined that the transport layer protocol is UDP, the request message also needs to be stored before step 302 and the subsequent steps are performed. In practical implementation, the request message may be stored in the form of log information.
Step 303: and if the detection result indicates that the request message does not conform to the white list condition, determining that the attack target is the home terminal when the source port number in the message header data belongs to the source port number set corresponding to the known attack type, wherein the white list condition comprises a condition corresponding to the non-attack message.
The white list condition is used for filtering non-attack messages received when normal data communication is carried out between the nodes. As an example, the white list condition can be any one or more of a specified source IP address, a specified destination IP address, a specified source port number, and a specified destination port number, and each of the specified source IP address, the specified destination IP address, the specified source port number, and the specified destination port number can be one or more. Illustratively, the white list may be written in the form SRC:IP:PORT/DST:IP:PORT.
In some embodiments, whether the request packet meets the white list condition may be detected according to one or more items in the header data of the request packet, so as to obtain a detection result.
Exemplarily, assuming that the white list condition is a plurality of specified source IP addresses: when detecting whether the request packet meets the white list condition, if the plurality of specified source IP addresses include the source IP address of the request packet, the request packet may be considered not to be an attack packet, and no subsequent operation is performed on the request packet; if the source IP address of the request packet is not included in the plurality of specified source IP addresses, the request packet may be an attack packet, and the subsequent operations are required to make a further determination.
Or, assuming that the white list condition is a plurality of specified source IP addresses and a plurality of specified source port numbers: when detecting whether the request message meets the white list condition, if the plurality of specified source IP addresses include the source IP address of the request message and the plurality of specified source port numbers include the source port number of the request message, the request message may be determined not to be an attack message, and no subsequent operation is performed on the request message; if the source IP address of the request packet is not included in the plurality of specified source IP addresses and/or the source port number of the request packet is not included in the plurality of specified source port numbers, the request packet may be an attack packet, and the subsequent operations are required to make a further determination.
That is, when the detection result indicates that the request packet does not meet the white list condition, it may be considered that the request packet may be an attack packet, and the request packet needs to be further detected; when the detection result indicates that the request message meets the white list condition, the request message can be considered as not an attack message but a non-attack message received by normal data communication between nodes.
It should be noted that the white list condition is actually a filtering rule, and may be set by a user according to actual needs, or may be set by a node default, which is not limited in this embodiment of the present application.
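The white list form SRC:IP:PORT/DST:IP:PORT described above, as a parser and matcher in Python. This is an added illustration, not code from the patent or from Tencent. It assumes IPv4 addresses, that a `*` in the IP or PORT position (a notation not in the patent text) means the field is unspecified, so that a rule may name any subset of the four fields as the text allows, and that the DST half may be omitted entirely; the sample rules are constructed.

```python
"""Parse and match white list rules in the SRC:IP:PORT/DST:IP:PORT form.

Added illustration, not code from the patent or from Tencent. Assumptions:
IPv4 addresses; a '*' in the IP or PORT position (not in the patent text)
means that field is unspecified, so a rule may name any subset of the four
fields; the DST half may be omitted entirely.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WhitelistRule:
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

    def matches(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Every specified field must agree; unspecified fields match anything."""
        return ((self.src_ip is None or self.src_ip == src_ip)
                and (self.src_port is None or self.src_port == src_port)
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port))


def _parse_half(text: str, label: str) -> Tuple[Optional[str], Optional[int]]:
    """Parse 'SRC:ip:port' or 'DST:ip:port'; validate the address and port range."""
    fields = text.split(":")
    if len(fields) != 3 or fields[0] != label:
        raise ValueError(f"expected {label}:IP:PORT, got {text!r}")
    _, ip, port = fields
    ip_val = None if ip == "*" else str(IPv4Address(ip))  # raises on a bad address
    port_val = None if port == "*" else int(port)
    if port_val is not None and not 0 <= port_val <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ip_val, port_val


def parse_rule(rule: str) -> WhitelistRule:
    """Parse one rule; the DST half is optional."""
    halves = rule.strip().split("/")
    if len(halves) not in (1, 2):
        raise ValueError(f"malformed rule: {rule!r}")
    src_ip, src_port = _parse_half(halves[0], "SRC")
    dst_ip, dst_port = _parse_half(halves[1], "DST") if len(halves) == 2 else (None, None)
    return WhitelistRule(src_ip, src_port, dst_ip, dst_port)


def meets_whitelist(rules: List[WhitelistRule], src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int) -> bool:
    """The request packet meets the white list condition if any rule matches it."""
    return any(r.matches(src_ip, src_port, dst_ip, dst_port) for r in rules)


# Constructed sample rules: one full SRC/DST pair and one source-IP-only rule.
SAMPLE_RULES = [
    parse_rule("SRC:192.0.2.10:53/DST:198.51.100.7:40000"),
    parse_rule("SRC:203.0.113.5:*"),
]

if __name__ == "__main__":
    print(meets_whitelist(SAMPLE_RULES, "192.0.2.10", 53, "198.51.100.7", 40000))  # True
    print(meets_whitelist(SAMPLE_RULES, "203.0.113.6", 1234, "198.51.100.7", 80))  # False
```

Rules are validated when loaded rather than when matched, so a malformed entry fails at configuration time instead of silently never matching; a packet that meets any rule is treated as a non-attack message and is not passed to the later steps.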
In some embodiments, if the detection result indicates that the request packet does not meet the white list condition, when the source port number in the packet header data belongs to a set of source port numbers corresponding to known attack types, it is determined that the attack target is the home terminal.
The known attack types are analyzed network attack types, the number of the known attack types can be multiple, each known attack type can correspond to at least one source port number, and the source port number sets are formed by the source port numbers of the multiple known attack types.
That is to say, when the detection result indicates that the request packet does not meet the white list condition, it may be determined that the request packet may be an attack packet, and the determination may be continued according to the source port number of the header data of the request packet.
As an example, it is assumed that a source port number set corresponding to a known attack type includes a source port 1, a source port 3, a source port 4, and a source port 6, and a source port number in the header data is the source port 6, and it may be considered that the source port number set includes the source port number of the header data, the request packet is an attack packet, and an attack target is a local terminal.
In other embodiments, if the detection result indicates that the request packet does not meet the white list condition, when the number of the request packets received by the home terminal at one time is far more than several tens of thousands, the source port number does not need to be determined, and it can be directly determined that the network attack is detected and the attack target is the home terminal.
It should be noted that this step describes an implementation method when the source port number in the header data belongs to a set of source port numbers corresponding to known attack types. Next, an implementation method when the source port number in the header data does not belong to the set of source port numbers corresponding to the known attack types is described. There is no precedence between step 303 and step 304.
Step 304: and if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining the node corresponding to the source IP address in the message header data as an attack target when the effective load data in the request message belongs to the effective load data set corresponding to the known attack type.
The number of the known attack types can be multiple, each known attack type can correspond to at least one piece of payload data, and the plurality of pieces of payload data of the multiple known attack types form a payload data set.
That is to say, when the source port number in the header data of the packet does not belong to the source port number set corresponding to the known attack type, it is described that the request packet may not be an attack packet, and it is necessary to further detect whether the payload data of the request packet belongs to the payload data set corresponding to the known attack type, and further determine according to the detection result.
As an example, it is assumed that a source port number set corresponding to a known attack type includes a source port 1, a source port 3, a source port 4, and a source port 6, and the source port number in the header data is source port 9; it may then be considered that the source port number set does not include the source port number of the header data, so the request packet may not be an attack packet, and the payload data of the request packet needs to be further detected to make a determination.
As an example, when the payload data of the request packet belongs to the payload data set corresponding to the known attack type, it may be determined that the request packet is an attack packet, which indicates that a network attack is detected. In this case the attacking node regards the home terminal as an available node, and when sending the request packet to the home terminal it disguised the source IP address in the packet header data as the IP address of the attacked node, so it may be determined that the node corresponding to the source IP address in the packet header data is the attack target; see fig. 4.
Exemplarily, it is assumed that a payload data set corresponding to a known attack type includes payload data a, payload data B, payload data D, and payload data F, and the payload data of the request packet is payload data a, it can be considered that the payload data set includes the payload data of the request packet, the request packet is an attack packet, and an attack target is a node corresponding to a source IP address in packet header data.
It should be noted that, this step describes an implementation method when the payload data of the request packet belongs to a payload data set corresponding to a known attack type. Next, an implementation method when the payload data of the request packet does not belong to the payload data set corresponding to the known attack type is described. There is no precedence between step 304 and step 305.
Step 305: and when the payload data in the request message does not belong to the payload data corresponding to the known attack type, determining the request message as a scanning message.
That is to say, when the payload data in the request message does not belong to the payload data corresponding to the known attack type, the request message is not an attack message but a scan message sent by the attack node in the scanning process.
In the scanning process, after the scanning data of the attack node is received, since the attack node determines whether the node is available according to whether the feedback message is received and the length of the payload data of the feedback message, in order to make the attack node consider the local terminal as an available node and further send the attack message to the local terminal, the feedback message needs to be sent to the attack node according to the requirement of the attack node.
In some embodiments, after the request message has been determined to be a scan message, the feedback message for that scan message is determined from the destination port number in the header data and is sent to the node at the source IP address in the header data.
As an example, determining the feedback message from the destination port number may work as follows. When the destination port number in the header data belongs to the destination port number set of the known attack types, the message corresponding to that known attack type is retrieved and used as the feedback message. When the destination port number does not belong to that set, a message whose length exceeds the length threshold is constructed and used as the feedback message.
The length threshold may be set by a user according to actual needs or set by default on the node, and may be adjusted as conditions change; the embodiments of the present application do not limit it.
There may be several known attack types, each corresponding to at least one destination port number, and the destination port numbers of all known attack types together form the destination port number set.
That is, the feedback message for a scan message is chosen according to the destination port number in the header data. When that port number belongs to the destination port number set of the known attack types, a corresponding message has already been analysed in advance for requests of that attack type, so the node only needs to retrieve it and use it as the feedback message. When the port number does not belong to the set, the feedback message is built to satisfy the attack node's own criterion for a usable node: a message longer than the length threshold is constructed and used as the feedback message.
As another example, after the request message has been determined to be a scan message, the feedback message need not depend on the destination port number at all. Because the attack node, in its scanning phase, only cares whether a feedback message is sent and how long its payload is, not what the feedback message contains, the local node can simply construct a message longer than the length threshold and use it as the feedback message. That is, once the request message is known to be a scan message, a constructed message longer than the length threshold is used as the feedback message regardless of whether the destination port number belongs to the destination port number set of the known attack types.
As an example, after the feedback message has been determined, the node may send it directly to the node at the source IP address in the header data, as shown in fig. 5.
As another example, referring to fig. 6, before the feedback message is sent to the node at the source IP address, check information may be obtained, one or more items of the request message's header data may be checked against it, and the feedback message is sent only when that check passes.
The check information may be derived from request messages the node received earlier. It may consist of one or more header-data items, or of check codes obtained by computing MD5 (Message-Digest Algorithm 5) over the source IP address, destination port and timestamp.
For instance, when the check information includes at least one source IP address, the source IP address in the request message's header data is compared with it. If the check information already contains that source IP address, the local terminal is considered to have already sent a feedback message to that node, the check fails, and no further feedback message is sent. If it does not, the local terminal is considered not to have sent one yet, the check passes, and the feedback message is sent to the node at the source IP address in the header data.
In one possible implementation, when the check information is a set of check codes, the check code of the request message is obtained by computing MD5 over its source IP address, destination port and timestamp. If the set already contains that check code, the check fails; if it does not, the check passes and the feedback message is sent to the node at the source IP address in the header data.
Illustratively, the check code of a UDP scan message may be obtained by computing MD5 over the timestamp, source IP address, destination IP address and destination port; the check code of a TCP scan message may be obtained over the same fields.
It should be noted that only a small number of feedback messages should be sent to the node at the source IP address, so that the local end is not actually used by the attack node.
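A worked example, in Python, of the scan-message handling described in the preceding paragraphs: choosing the feedback message from the destination port or padding it past the length threshold, deduplicating with an MD5 check code over timestamp, source IP, destination IP and destination port, and capping the number of feedback messages per source. It is an added example, not the patent's own code. The threshold value, the per-source cap, the 60-second timestamp bucket and the canned reply table are assumptions: the text leaves the threshold configurable and says nothing about the timestamp granularity.

```python
import hashlib

# Assumed parameters: the text leaves the threshold, the cap and the check code's
# inputs open, so these values and the canned replies are illustrative, not from the patent.
LENGTH_THRESHOLD = 512          # feedback must be longer than this to count as "usable"
MAX_FEEDBACK_PER_SOURCE = 3     # implements "only a small amount of feedback packets"
CHECK_WINDOW_SECONDS = 60       # timestamp granularity folded into the check code

# Pre-analysed replies for known attack types, keyed by destination port (constructed).
KNOWN_DST_PORT_REPLIES = {
    1111: b"\x00\x01" + b"reply-for-known-type-on-port-1111",
}


def build_feedback(dst_port, canned=KNOWN_DST_PORT_REPLIES, threshold=LENGTH_THRESHOLD):
    """Known destination port: return the pre-analysed reply.

    Otherwise pad past the length threshold, which is all a scanning attack node looks at.
    """
    if dst_port in canned:
        return canned[dst_port]
    return b"\x00" * (threshold + 1)


def check_code(src_ip, dst_ip, dst_port, ts, window=CHECK_WINDOW_SECONDS):
    """MD5 over (timestamp, source IP, destination IP, destination port).

    The timestamp is bucketed to `window` seconds (assumption): with a raw timestamp
    every request would get a unique code and the duplicate check could never fire.
    MD5 is only a compact lookup key here, not an integrity primitive.
    """
    bucket = int(ts) // window
    material = f"{bucket}|{src_ip}|{dst_ip}|{dst_port}".encode()
    return hashlib.md5(material).hexdigest()


class ScanResponder:
    """Decides whether, and with what, to answer a request already classified as a scan."""

    def __init__(self, local_ip, max_per_source=MAX_FEEDBACK_PER_SOURCE):
        self.local_ip = local_ip
        self.seen_codes = set()     # the check information: codes of scans already answered
        self.sent_per_source = {}   # feedback messages sent per source IP
        self.max_per_source = max_per_source

    def respond(self, src_ip, dst_port, ts):
        """Return the feedback payload to send back, or None when the check fails."""
        code = check_code(src_ip, self.local_ip, dst_port, ts)
        if code in self.seen_codes:
            return None           # same source and port in this window: already answered
        sent = self.sent_per_source.get(src_ip, 0)
        if sent >= self.max_per_source:
            return None           # cap reached so the local end is not actually used
        self.seen_codes.add(code)
        self.sent_per_source[src_ip] = sent + 1
        return build_feedback(dst_port)


if __name__ == "__main__":
    # Constructed traffic: one scanner (203.0.113.9) probing a node at 198.51.100.1.
    responder = ScanResponder("198.51.100.1", max_per_source=2)
    for dst_port, ts in [(1111, 1020.0), (1111, 1021.0), (2222, 1020.0), (3333, 1020.0)]:
        fb = responder.respond("203.0.113.9", dst_port, ts)
        print(dst_port, "no reply" if fb is None else f"reply of {len(fb)} bytes")
```

The per-source cap generalises the source-IP check in the text, which stops after a single feedback message to a given source, by allowing a small fixed number instead; set `max_per_source=1` to get the exact behaviour described.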
It should also be noted that when the number of available nodes is very large, the attack node may need to send only one attack message to each available node in the attack phase, and may likewise send only one scan message to each node in the scan phase; in that case the scan message can be identical to the attack message. For this reason the scan message is also worth analysing.
In some embodiments, after the request message has been determined to be a scan message, the scan message may additionally be reported and an analysis result for it received. When the analysis result indicates that the scan message is an attack message, the attack type in the analysis result is obtained and recorded as a known attack type, and the newly known attack type is stored together with the scan message's source port number, or together with the scan message's payload.
As an example, the scan message may be reported to a device on the product side, where it is analysed manually; the analysis result is received, the attack type in it is obtained and recorded as a known attack type. In this way a previously unknown attack type can be discovered promptly from the analysis result.
As an example, when the analysis result shows that the attack target of the known attack type is the local terminal, the known attack type is stored together with the scan message's source port number; when it shows that the attack target is not the local terminal, the known attack type is stored together with the scan message's payload. An unknown attack type thus becomes known, so that the next time a network attack is detected the request message can be judged using the information about that known attack type.
Furthermore, the attack data and scan data can be reported and synchronised to the product side, where they are linked with network attack detection products, attack scrubbing products or other threat intelligence products to identify the attack node further and to provide important input for subsequent network attack detection.
Further, referring to fig. 6, when the node receives request messages it may also monitor the volume of request traffic, and when that volume is large, detect the request messages in order to determine the attack target.
In the embodiment of the application, after a request message is received it is detected on the basis of one or more items of its header data to obtain a detection result. If the detection result indicates that the request message does not meet the white list condition, the message is not the ordinary traffic of normal data exchange between nodes and may be an attack message. Then, if the source port number in the header data belongs to the source port number set of the known attack types, the attack target is determined to be the local terminal. If the source port number does not belong to that set, a further judgement is made: if the payload of the request message belongs to the payload set of the known attack types, a network attack is determined to have been detected and the attack target is the node at the source IP address in the header data. Judging each request message against the white list condition, the source port number and the payload in this order prevents normal communication between nodes from being mistaken for a network attack and allows detection without waiting for several request messages to arrive, so detection is fast, and the efficiency of detecting network attacks and of determining the attack target is improved.
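The decision sequence summarised above, together with the learning step applied to reported scan messages and the request-volume check from claim 1, as a runnable Python example. This is an added illustration, not code from the patent or its assignee. The white-list networks and ports, the UDP protocol check position, the port numbers, payload bytes and attack-type labels are all constructed assumptions; a real deployment would fill the known-attack tables from the analysis results the text describes.

```python
import ipaddress
from dataclasses import dataclass, field

# Everything below is constructed for illustration: the networks, port numbers,
# payload bytes and attack-type labels are assumptions, not values from the patent.


@dataclass(frozen=True)
class Packet:
    """Header fields (five-tuple) and payload of one received request message."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int            # IP protocol number; 17 is UDP
    payload: bytes


@dataclass
class KnownAttacks:
    """Knowledge the node keeps per attack type and extends from analysis results."""
    # source ports seen on attacks aimed at the local terminal: {src_port: attack_type}
    src_ports: dict = field(default_factory=dict)
    # payloads seen when the local terminal is used against the source-IP node: {payload: attack_type}
    payloads: dict = field(default_factory=dict)

    def learn(self, pkt, attack_type, target_is_local):
        """Record an analysis verdict for a reported scan message (the storing step in the text)."""
        if target_is_local:
            self.src_ports[pkt.src_port] = attack_type
        else:
            self.payloads[pkt.payload] = attack_type


# Assumed white-list condition: traffic from trusted peer networks, or to a service
# port the node exchanges data on normally.
WHITELIST_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WHITELIST_DST_PORTS = {53}


def matches_whitelist(pkt):
    src = ipaddress.ip_address(pkt.src_ip)
    return any(src in net for net in WHITELIST_NETS) or pkt.dst_port in WHITELIST_DST_PORTS


def classify(pkt, known, burst_count=1, burst_threshold=1000):
    """Apply the checks in the order the text gives them and return (verdict, detail).

    burst_count is how many request messages arrived "at one time"; counting them
    per arrival window is left to the caller.
    """
    if pkt.proto != 17:
        return ("ignored", "not UDP")
    if matches_whitelist(pkt):
        return ("normal", "white-list condition met")
    if burst_count > burst_threshold:
        return ("attack", "target=local (request volume over threshold)")
    if pkt.src_port in known.src_ports:
        return ("attack", f"target=local type={known.src_ports[pkt.src_port]}")
    if pkt.payload in known.payloads:
        return ("attack", f"target={pkt.src_ip} type={known.payloads[pkt.payload]}")
    return ("scan", "no known source port or payload matched; handle as a scan message")


if __name__ == "__main__":
    known = KnownAttacks(src_ports={4444: "type-A"}, payloads={b"\x01\x00\x00\x00": "type-B"})
    samples = [
        Packet("203.0.113.5", "198.51.100.1", 4444, 9999, 17, b"junk"),             # aimed at us
        Packet("203.0.113.5", "198.51.100.1", 5555, 9999, 17, b"\x01\x00\x00\x00"),  # we are the reflector
        Packet("203.0.113.5", "198.51.100.1", 5555, 9999, 17, b"zzzz"),             # unknown: a scan
        Packet("10.1.2.3", "198.51.100.1", 5555, 9999, 17, b"zzzz"),                # white-listed peer
    ]
    for pkt in samples:
        print(pkt.src_ip, pkt.src_port, classify(pkt, known))
    # An analyst later reports the scan as attack type "type-C" aimed at the local terminal.
    known.learn(samples[2], "type-C", target_is_local=True)
    print("after learning:", classify(samples[2], known))
```

The payload match identifies the case where the local node is being used against the source-IP node, which is why the verdict names that node rather than the local terminal; the source-port match covers the case where the local terminal itself is the target.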
Fig. 7 is a schematic structural diagram illustrating an apparatus for determining an attack target according to an exemplary embodiment, where the apparatus may be implemented as part or all of a device by software, hardware or a combination of the two. Referring to fig. 7, the apparatus may include: a receiving module 701, a detecting module 702, a first determining module 703 and a second determining module 704.
A receiving module 701, configured to receive a request packet;
a detection module 702, configured to detect the request packet according to one or more items of information in packet header data of the request packet, to obtain a detection result;
a first determining module 703, configured to determine, if the detection result indicates that the request packet does not conform to the white list condition, that the attack target is the local terminal when the source port number in the header data of the packet belongs to a source port number set corresponding to a known attack type, where the white list condition includes a condition corresponding to a non-attack packet;
a second determining module 704, configured to determine, if the source port number in the header data does not belong to the source port number set corresponding to the known attack type, a node corresponding to the source internet protocol IP address in the header data as an attack target when the payload data in the request message belongs to the payload data set corresponding to the known attack type.
In one possible implementation manner of the present application, the second determining module 704 is further configured to:
when the payload data in the request message does not belong to the payload data set corresponding to the known attack type, determining the request message as a scanning message;
determining a feedback message corresponding to the scanning message according to a destination port number in the message header data;
and sending a feedback message to a node corresponding to the source IP address in the message header data.
In one possible implementation manner of the present application, the second determining module 704 is configured to:
when the destination port number in the message header data belongs to a destination port number set corresponding to a known attack type, acquiring a message corresponding to the known attack type, and taking the acquired message as a feedback message;
and when the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack type, constructing a message with the length larger than the length threshold value, and taking the constructed message as a feedback message.
In one possible implementation manner of the present application, the second determining module 704 is further configured to:
acquiring verification information;
checking one or more items in the message header data of the request message based on the checking information;
and when one or more items in the message header data of the request message pass the verification, executing the step of sending a feedback message to the node corresponding to the source IP address in the message header data.
In one possible implementation manner of the present application, the second determining module 704 is further configured to:
reporting a scanning message;
receiving an analysis result fed back by aiming at the scanning message;
when the analysis result indicates that the scanning message is an attack message, acquiring an attack type in the analysis result, and determining the attack type as a known attack type;
and correspondingly storing the determined known attack type and the source port number of the scanning message, or correspondingly storing the determined known attack type and the payload data of the scanning message.
In the embodiment of the application, after a request message is received it is detected on the basis of one or more items of its header data to obtain a detection result. If the detection result indicates that the request message does not meet the white list condition, the message is not the ordinary traffic of normal data exchange between nodes and may be an attack message. Then, if the source port number in the header data belongs to the source port number set of the known attack types, the attack target is determined to be the local terminal. If the source port number does not belong to that set, a further judgement is made: if the payload of the request message belongs to the payload set of the known attack types, a network attack is determined to have been detected and the attack target is the node at the source IP address in the header data. Judging each request message against the white list condition, the source port number and the payload in this order prevents normal communication between nodes from being mistaken for a network attack and allows detection without waiting for several request messages to arrive, so detection is fast, and the efficiency of detecting network attacks and of determining the attack target is improved.
It should be noted that: in the device for determining an attack target provided in the above embodiment, when determining an attack target, only the division of each functional module is illustrated, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the apparatus for determining an attack target and the method for determining an attack target provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
FIG. 8 is a schematic diagram illustrating the structure of an apparatus according to an exemplary embodiment. The device may be a server. The device 800 includes a central processing unit (CPU) 801, a system memory 804 including a random access memory (RAM) 802 and a read-only memory (ROM) 803, and a system bus 805 connecting the system memory 804 and the central processing unit 801. The device 800 also includes a basic input/output system (I/O system) 806 that facilitates information transfer between devices within the computer, and a mass storage device 807 for storing an operating system 813, application programs 814 and other program modules 815.
The basic input/output system 806 includes a display 808 for displaying information and an input device 809, such as a mouse or keyboard, through which the user enters information. The display 808 and the input device 809 are connected to the central processing unit 801 through an input/output controller 810 connected to the system bus 805. The basic input/output system 806 may also include the input/output controller 810 for receiving and processing input from a number of other devices, such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 810 also provides output to a display screen, a printer or another type of output device.
The mass storage device 807 is connected to the central processing unit 801 through a mass storage controller (not shown) connected to the system bus 805. The mass storage device 807 and its associated computer-readable media provide non-volatile storage for the device 800. That is, the mass storage device 807 may include a computer-readable medium (not shown) such as a hard disk or CD-ROM (Compact disk Read-Only Memory) drive.
Without loss of generality, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM (Erasable Programmable Read Only Memory), EEPROM (electrically Erasable Programmable Read Only Memory), flash Memory or other solid state Memory technology, CD-ROM, DVD (Digital Video Disc) or other optical, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that computer storage media is not limited to the foregoing. The system memory 804 and mass storage 807 described above may be collectively referred to as memory.
According to various embodiments of the present application, device 800 may also operate as a remote computer connected to a network through a network, such as the Internet. That is, the device 800 may be connected to the network 812 through a network interface unit 811 coupled to the system bus 805, or the network interface unit 811 may be used to connect to other types of networks or remote computer systems (not shown).
The memory also includes one or more programs, which are stored in the memory and configured to be executed by the CPU.
In some embodiments, there is also provided a computer readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions, which is loaded and executed by a processor to implement the method of determining an attack objective in the above embodiments. For example, the computer readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
It is noted that the computer-readable storage medium referred to herein can be a non-volatile storage medium, in other words, a non-transitory storage medium.
It should be understood that all or part of the steps for implementing the above embodiments may be implemented by software, hardware, firmware or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The computer instructions may be stored in the computer-readable storage medium described above.
That is, in some embodiments, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of determining an attack target described above.
The above-mentioned embodiments are provided not to limit the present application, and any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (8)

1. A method for determining an attack target, which is applied to any node in the Internet, comprises the following steps:
receiving a request message, wherein the message header data of the request message comprises at least five-tuple information or seven-tuple information; judging whether the transport layer protocol indicated by the transport layer protocol number contained in the five-tuple or seven-tuple information is UDP (User Datagram Protocol); if the transport layer protocol is UDP, storing the request message, and detecting the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
if the detection result indicates that the request message does not conform to the white list condition, determining that the attack target is the local terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message;
if the source port number in the message header data does not belong to the source port number set corresponding to the known attack type, determining a node corresponding to a source Internet Protocol (IP) address in the message header data as the attack target when the payload data in the request message belongs to a payload data set corresponding to the known attack type;
when the payload data in the request message does not belong to the payload data set corresponding to the known attack type, determining the request message as a scanning message; determining a feedback message corresponding to the scanning message according to the destination port number in the message header data, or constructing a message with a length greater than a length threshold as the feedback message; and sending the feedback message to a node corresponding to the source IP address in the message header data;
the method further comprises the following step:
if the detection result indicates that the request message does not conform to the white list condition, and the number of request messages received by the local terminal at one time exceeds a preset threshold, determining that a network attack is detected and that the attack target is the local terminal.
2. The method of claim 1, wherein the determining the feedback packet corresponding to the scan packet according to the destination port number in the header data comprises:
when the destination port number in the message header data belongs to a destination port number set corresponding to a known attack type, acquiring a message corresponding to the known attack type, and taking the acquired message as the feedback message;
and when the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack type, constructing a message with the length larger than the length threshold value, and taking the constructed message as the feedback message.
3. The method of claim 1, wherein before sending the feedback packet to the node corresponding to the source IP address in the header data, the method further comprises:
acquiring verification information;
checking one or more items in the message header data of the request message based on the checking information;
and when one or more items in the message header data of the request message pass the verification, executing the step of sending the feedback message to the node corresponding to the source IP address in the message header data.
4. The method of claim 1, wherein after determining that the request message is a scan message, further comprising:
reporting the scanning message;
receiving an analysis result fed back by aiming at the scanning message;
when the analysis result indicates that the scanning message is an attack message, acquiring an attack type in the analysis result, and determining the attack type as a known attack type;
and correspondingly storing the determined known attack type and the source port number of the scanning message, or correspondingly storing the determined known attack type and the payload data of the scanning message.
5. An apparatus for determining an attack target, the apparatus comprising:
a receiving module, configured to receive a request message, wherein the message header data of the request message comprises at least five-tuple information or seven-tuple information;
a detection module, configured to judge whether the transport layer protocol indicated by the transport layer protocol number contained in the five-tuple or seven-tuple information is UDP (User Datagram Protocol), and, if the transport layer protocol is UDP, to store the request message and detect the request message according to one or more items of information in the message header data of the request message to obtain a detection result;
a first determining module, configured to determine, if the detection result indicates that the request message does not conform to a white list condition, that the attack target is the local terminal when the source port number in the message header data belongs to a source port number set corresponding to a known attack type, wherein the white list condition comprises a condition corresponding to a non-attack message;
a second determining module, configured to determine, if the source port number in the message header data does not belong to the source port number set corresponding to a known attack type, a node corresponding to a source Internet Protocol (IP) address in the message header data as the attack target when the payload data in the request message belongs to a payload data set corresponding to a known attack type;
the second determining module is further configured to:
when the payload data in the request message does not belong to the payload data set corresponding to the known attack type, determine the request message as a scanning message; determine a feedback message corresponding to the scanning message according to the destination port number in the message header data, or construct a message with a length greater than a length threshold as the feedback message; and send the feedback message to a node corresponding to the source IP address in the message header data;
the apparatus further comprises a module configured to:
if the detection result indicates that the request message does not conform to the white list condition, and the number of request messages received by the local terminal at one time exceeds a preset threshold, determine that a network attack is detected and that the attack target is the local terminal.
6. The apparatus of claim 5, wherein the second determination module is to:
when the destination port number in the message header data belongs to a destination port number set corresponding to a known attack type, acquiring a message corresponding to the known attack type, and taking the acquired message as the feedback message;
and when the destination port number in the message header data does not belong to the destination port number set corresponding to the known attack type, constructing a message with the length larger than the length threshold value, and taking the constructed message as the feedback message.
7. A computer device, characterized in that the device comprises a processor and a memory, in which at least one instruction, at least one program, a set of codes, or a set of instructions is stored, which is loaded and executed by the processor to implement the method of determining an attack target according to any one of claims 1 to 4.
8. A computer readable storage medium, having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement a method of determining an attack target according to any one of claims 1 to 4.
CN201911181577.6A 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target Active CN110740144B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911181577.6A CN110740144B (en) 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target

Publications (2)

Publication Number Publication Date
CN110740144A CN110740144A (en) 2020-01-31
CN110740144B true CN110740144B (en) 2022-09-16

Family

ID=69273872

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911181577.6A Active CN110740144B (en) 2019-11-27 2019-11-27 Method, device, equipment and storage medium for determining attack target

Country Status (1)

Country Link
CN (1) CN110740144B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112351002B (en) * 2020-10-21 2022-04-26 新华三信息安全技术有限公司 Message detection method, device and equipment
CN112953895B (en) * 2021-01-26 2022-11-22 深信服科技股份有限公司 Attack behavior detection method, device and equipment and readable storage medium
CN114095274B (en) * 2021-12-10 2023-11-10 北京天融信网络安全技术有限公司 Attack studying and judging method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103997489A (en) * 2014-05-09 2014-08-20 北京神州绿盟信息安全科技股份有限公司 Method and device for recognizing DDoS bot network communication protocol
CN106506486A (en) * 2016-11-03 2017-03-15 上海三零卫士信息安全有限公司 A kind of intelligent industrial-control network information security monitoring method based on white list matrix
CN109802937A (en) * 2018-11-30 2019-05-24 浙江远望信息股份有限公司 A method of IP spoofing under intelligent terminal TCP is attacked in discovery

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070289013A1 (en) * 2006-06-08 2007-12-13 Keng Leng Albert Lim Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms
CN100579003C (en) * 2007-11-08 2010-01-06 华为技术有限公司 Method and system for preventing TCP attack by utilizing network stream technology
CN106534100A (en) * 2016-11-07 2017-03-22 深圳市楠菲微电子有限公司 Distributed attack detection method and device based on custom field for use in switch chip
CN108737344B (en) * 2017-04-20 2021-08-24 腾讯科技(深圳)有限公司 Network attack protection method and device
CN108881294B (en) * 2018-07-23 2021-05-25 杭州安恒信息技术股份有限公司 Attack source IP portrait generation method and device based on network attack behaviors
CN108924163A (en) * 2018-08-14 2018-11-30 成都信息工程大学 Attacker's portrait method and system based on unsupervised learning
CN109587117B (en) * 2018-11-09 2021-03-30 杭州安恒信息技术股份有限公司 Replay attack prevention method for whole network UDP port scanning

Also Published As

Publication number Publication date
CN110740144A (en) 2020-01-31

Similar Documents

Publication Publication Date Title
US10284594B2 (en) Detecting and preventing flooding attacks in a network environment
CN109829310B (en) Similar attack defense method, device, system, storage medium and electronic device
CN109194680B (en) Network attack identification method, device and equipment
CN110740144B (en) Method, device, equipment and storage medium for determining attack target
US9762546B2 (en) Multi-connection system and method for service using internet protocol
US8166547B2 (en) Method, apparatus, signals, and medium for managing a transfer of data in a data network
US10135865B2 (en) Identifying a potential DDOS attack using statistical analysis
CN110266650B (en) Identification method of Conpot industrial control honeypot
US7333430B2 (en) Systems and methods for passing network traffic data
CN111277602A (en) Network data packet identification processing method and device, electronic equipment and storage medium
CN111147524B (en) Message sending end identification method and device and computer readable storage medium
CN110619022B (en) Node detection method, device, equipment and storage medium based on block chain network
US20160140345A1 (en) Information processing device, filtering system, and filtering method
WO2019043804A1 (en) Log analysis device, log analysis method, and computer-readable recording medium
JP5531064B2 (en) COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM
US11546356B2 (en) Threat information extraction apparatus and threat information extraction system
US11895146B2 (en) Infection-spreading attack detection system and method, and program
CN111010362B (en) Monitoring method and device for abnormal host
US11595419B2 (en) Communication monitoring system, communication monitoring apparatus, and communication monitoring method
CN115484110A (en) DDOS processing method and device, electronic equipment and storage medium
CN115314319A (en) Network asset identification method and device, electronic equipment and storage medium
CN114338189B (en) Situation awareness defense method, device and system based on node topology relation chain
US20230156035A1 (en) METHOD AND APPARATUS FOR DETECTING DDoS ATTACKS
CN114615170B (en) Message processing method, device and computer storage medium
CN115643079A (en) Data packet security risk detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40020852; Country of ref document: HK)

SE01 Entry into force of request for substantive examination
GR01 Patent grant