CN111049783A - Network attack detection method, device, equipment and storage medium - Google Patents
- Publication number
- CN111049783A (application CN201811191806.8A)
- Authority
- CN
- China
- Prior art keywords
- attack
- network
- detecting
- detection
- target host
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Abstract
The embodiments of this specification provide a method, a device, equipment and a storage medium for detecting network attacks. The method comprises the following steps: detecting an attack characteristic of a network request sent to a target host; after the attack characteristic is detected, calling a detection script to detect an attack success characteristic in the network response of the target host; and outputting a network attack success prompt after the attack success characteristic is detected in the network response. Because a detection script examines the network response to judge whether the network attack succeeded, the method is more flexible and has a lower missing report rate than the traditional detection method.
Description
Technical Field
The embodiment of the specification relates to the technical field of network security, in particular to a method, a device, equipment and a storage medium for detecting network attacks.
Background
With the continuous development of computer technology and the popularization of the Internet, network attacks take ever more forms, network security problems are increasingly prominent, and the social impact and economic losses caused by network attacks grow larger and larger, placing new requirements and challenges on network threat detection and defence. A common form of network attack is to send a network request carrying malicious commands or abnormal information to a target server, tricking the target server into executing the malicious commands or processing the abnormal information, thereby achieving the attacker's purpose. Finding network attacks quickly and accurately, and capturing, analysing, tracking and monitoring malicious code in a timely and accurate way, provides knowledge support for evaluating network security situation indices and for immune decision making, and so improves the overall response capability of a network security emergency organization.
The traditional network attack detection method mainly detects the network request; if an abnormal request is detected, a regular expression is further used to detect the corresponding network response and judge whether the attack succeeded. This method can accurately detect known network attacks, but because it relies on hand-written regular expression rules, its flexibility is poor and its missing report rate is high.
Disclosure of Invention
The embodiment of the specification provides a network attack detection method, a network attack detection device and a network attack detection storage medium, so that the flexibility of network attack detection is improved, and the missing report rate is reduced.
In a first aspect, an embodiment of the present specification provides a method for detecting a network attack, including:
detecting an attack characteristic of a network request sent to a target host;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host, wherein the network response is the response of the target host to the network request;
and outputting a network attack success prompt after detecting the attack success characteristic of the network response.
Optionally, the detecting an attack characteristic of the network request sent to the target host includes: detecting whether a network request sent to a target host has attack characteristics and the type of the attack characteristics;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host includes: after the attack characteristic of the network request is detected, calling a detection script corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host.
Optionally, the invoking of the detection script corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host includes:
and calling a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is respectively used for detecting different attack success characteristics.
Optionally, the invoking of the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host includes:
searching identification information of a detection script library corresponding to the type of the attack characteristic;
and calling a detection script containing the identification information to detect the attack success characteristic of the network response of the target host.
Optionally, the invoking of the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host includes:
and sequentially calling the detection scripts in the detection script library corresponding to the types of the attack features to detect the attack success features of the network response of the target host until the attack success features are detected or the detection scripts in the detection script library are traversed.
Optionally, the invoking of the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host includes: calling each detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, and recording the detected attack success characteristic;
and the output network attack success prompt comprises the recorded information of the attack success characteristics.
Optionally, the type of the attack feature includes at least one of:
SQL injection; backdoor execution; webshell connection;
the detection script corresponding to the type of the attack feature comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful backdoor execution;
and a detection script for detecting a successful webshell connection.
Optionally, the detecting an attack characteristic of the network request sent to the target host includes:
and detecting the attack characteristics of the network request sent to the target host by using a pre-established attack detection model, wherein the attack detection model is obtained by training by using a known attack characteristic sample.
Optionally, the detecting an attack characteristic of the network request sent to the target host includes:
the attack signature of a network request sent to a target host is detected using a pre-established rule set.
In a second aspect, an embodiment of the present specification provides a network attack detection apparatus, including:
the network request detection module is used for detecting the attack characteristics of the network request sent to the target host;
the network response detection module is used for calling a detection script to detect the attack success characteristic of the network response of the target host after detecting the attack characteristic of the network request, wherein the network response is the response of the target host to the network request;
and the attack success prompt module is used for outputting a network attack success prompt after detecting the attack success characteristic of the network response.
Optionally, the network request detecting module is configured to: detecting whether a network request sent to a target host has attack characteristics and the type of the attack characteristics;
the network response detection module is configured to: and after the attack characteristics of the network request are detected, calling a detection script corresponding to the type of the attack characteristics to detect the attack success characteristics of the network response of the target host.
Optionally, the network response detection module is configured to: and calling a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is respectively used for detecting different attack success characteristics.
Optionally, the network response detection module is configured to:
searching identification information of a detection script library corresponding to the type of the attack characteristic;
and calling a detection script containing the identification information to detect the attack success characteristic of the network response of the target host.
Optionally, the network response detection module is configured to:
and sequentially calling the detection scripts in the detection script library corresponding to the types of the attack features to detect the attack success features of the network response of the target host until the attack success features are detected or the detection scripts in the detection script library are traversed.
Optionally, the network response detection module is configured to: calling each detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, and recording the detected attack success characteristic;
and the output network attack success prompt comprises the recorded information of the attack success characteristics.
Optionally, the type of the attack feature includes at least one of:
SQL injection; backdoor execution; webshell connection;
the detection script corresponding to the type of the attack feature comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful backdoor execution;
and a detection script for detecting a successful webshell connection.
Optionally, the network request detecting module is configured to:
and detecting the attack characteristics of the network request sent to the target host by using a pre-established attack detection model, wherein the attack detection model is obtained by training by using a known attack characteristic sample.
Optionally, the network request detecting module is configured to:
the attack signature of a network request sent to a target host is detected using a pre-established rule set.
In a third aspect, an embodiment of the present specification provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the method provided by any of the above embodiments when executing the program.
In a fourth aspect, the present specification provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method provided by any of the above embodiments.
The embodiment of the specification has the following beneficial effects:
after detecting the attack characteristics in the network request, calling the detection script to detect the attack success characteristics in the network response, thereby judging whether the network attack is successful. The script can be dynamically registered, loaded and deleted, so that the detection by utilizing the detection script is more flexible than the traditional rule matching detection. In addition, the attack success characteristics are detected by adopting the detection script, and the false negative rate is lower.
Drawings
Fig. 1 is a schematic view of a scenario provided in an embodiment of the present specification;
FIG. 2 is a flow chart of a method provided by one embodiment of the present description;
fig. 3 is a schematic view of an apparatus provided in an embodiment of the present disclosure.
Detailed Description
In order to better understand the technical solutions, the technical solutions of the embodiments of the present specification are described in detail below with reference to the drawings and specific embodiments, and it should be understood that the specific features of the embodiments and embodiments of the present specification are detailed descriptions of the technical solutions of the embodiments of the present specification, and are not limitations of the technical solutions of the present specification, and the technical features of the embodiments and embodiments of the present specification may be combined with each other without conflict.
An application scenario of the embodiment of the present specification is shown in fig. 1. The terminal device 101 sends a network request to the target host 102, the target host 102 processes the network request and returns a network response, the network request and the network response are collectively referred to as network data, the network data are forwarded via the switching device 103, the security detection device 104 obtains the network data from the switching device 103, detects an attack characteristic of the network request, and after detecting the attack characteristic, further invokes a detection script to detect an attack success characteristic of the network response to judge whether the attack is successful, and after detecting the attack success characteristic, outputs a network attack success prompt.
The target host 102 may be a server providing various services, a personal computer capable of implementing specific functions, or another network device capable of providing network services. The target host 102 receives a network request sent by the terminal device 101 to initiate a service request, performs the corresponding data processing according to the request data to obtain a network response (that is, the network response is the target host's reply to the requested service), and feeds the network response back to the terminal device 101. The terminal device 101 may be any electronic device having a display function and supporting interaction, including but not limited to a smart phone, a tablet computer, a personal computer, a desktop computer, and the like. In the specific scenario of detecting a network attack, the attacker who initiates the attack is usually a user who maliciously sends a large number of data requests; the terminal device 101 used by the attacker may therefore be an electronic device with powerful computing capability, and may even be a server.
The switching device 103 may be, but not limited to, a switch or a router. The security detection device 104 may, but is not limited to, acquire network data by using network sniffing, network port mirroring, and the like, and the security detection device 104 may, but is not limited to, be a mirroring device.
The network data of the target host can be acquired by network sniffing or by network port mirroring. In network sniffing, the network card of the target host is set to promiscuous mode and the network data of the target host is captured by calling a packet capture tool. In port mirroring, the traffic of the target host's port is mapped onto another port and copied in real time, so that the network data of the target host is obtained. The specific manner of collecting the network data of the target host is of course not limited to these two, and the embodiments of this specification do not restrict it.
In a first aspect, an embodiment of the present disclosure provides a method for detecting a network attack, please refer to fig. 2, including:
An attack characteristic is a characteristic of the network request that reflects the presence of attack content.
If an attack characteristic is detected, a network attack may exist, that is, the network request carries attack content.
An attack success characteristic is a characteristic in the network response that reflects that the attack succeeded.
If an attack success characteristic is detected, the network attack was successful.
Step 205: outputting a network attack success prompt after detecting the attack success characteristic of the network response.
The network attack success prompt may be output visually or audibly; it may be presented through the display or audio device of the equipment implementing the method, or sent to the target host.
The method provided by the embodiments of the present specification can be applied to, but is not limited to, the security detection device 104 shown in fig. 1.
In the method provided by the embodiment of the present description, after the attack feature in the network request is detected, the detection script is called to detect the attack success feature in the network response, so as to determine whether the network attack is successful. The script can be dynamically registered, loaded and deleted, so that the detection by utilizing the detection script is more flexible than the traditional rule matching detection. In addition, the attack success characteristics are detected by adopting the detection script, and the false negative rate is lower.
In the embodiment of the present specification, the type of the attack feature may include, but is not limited to, at least one of the following: SQL injection; a back door execution; webshell connection; XSS dynamic attacks, etc.
Correspondingly, if the type of the attack characteristic comprises SQL injection, the corresponding detection script comprises a detection script for detecting the successful SQL injection; if the type of the attack characteristic comprises backdoor execution, the corresponding detection script comprises a detection script used for detecting successful backdoor execution; if the type of the attack characteristics comprises the webshell connection, the corresponding detection script comprises a detection script used for detecting the successful webshell connection; and if the type of the attack characteristics comprises XSS dynamic attack, the corresponding detection script comprises a detection script for detecting successful XSS dynamic attack.
Specifically, in step 201, only whether an attack feature exists may be detected, and the type of the attack feature does not need to be detected; in order to improve the detection accuracy and detection efficiency, the attack features can be detected and classified.
Accordingly, if only the presence of an attack feature is detected, the type of the attack feature is unknown, so the attack success feature to look for cannot be determined; in step 203, one detection script may then be invoked to detect several possible attack success features, or several detection scripts may be invoked (each detecting one attack success feature).
Correspondingly, if both the presence and the type of the attack feature are detected, in step 203 the detection script corresponding to that type is called to detect the attack success feature of the network response of the target host. Because the type of the attack feature is known, only the detection script corresponding to that type needs to be called rather than all detection scripts, which improves detection efficiency.
Whether the type of the attack feature is detected or not, in the embodiment of the present specification, the detection means of the attack feature is not limited, but in one implementation, a pre-established attack detection model is used to detect the attack feature of the network request sent to the target host, and the attack detection model is obtained by training a known attack feature sample; in another implementation, a pre-established rule set is utilized to detect an attack signature of a network request sent to a target host. Where a rule set may be, but is not limited to being, a set of regular expressions.
The attack detection model is an artificial intelligence model; it may be a machine learning classification model, such as a naive Bayes classification model, or a deep learning classification model. When the attack detection model is used, the features to be detected are classified by the model: if the classification result is that the features do not belong to any pre-established known attack type, the target host is determined not to be under network attack; if the classification result is that the features belong to a certain pre-established known attack type, the target host is determined to be under a network attack of that type.
Taking a pre-established attack type of the known network attack comprising an SQL injection attack and an XSS dynamic attack as an example, if the feature to be detected is classified as not belonging to any one of the SQL injection attack and the XSS dynamic attack, the classification result is that the target host is not attacked by the network attack; if the to-be-detected features are classified as belonging to SQL injection attack, the classification result is that the target host is attacked by the network attack, and the attack type of the network attack is SQL injection attack.
In the network attack detection method based on artificial intelligence provided by this embodiment, the features to be detected are imported into a pre-established artificial intelligence model, and the artificial intelligence model automatically classifies the features to be detected, so as to detect whether the target host is under network attack and the attack type of the target host under network attack. Because the artificial intelligence model is a classification model utilizing an artificial intelligence technology and has the capabilities of self-learning, self-organization, self-adaptation and the like, the novel or variant network attack can be effectively discovered, the defect that the traditional network attack detection method cannot detect unknown network attacks is effectively overcome, the whole network attack detection capability is improved, and the missing report rate can be reduced.
The known attack characteristics required by model training comprise one or more combinations of attack data disclosed by the Internet, vulnerability data disclosed by the Internet, attack data collected by the target host and vulnerability data collected by the target host. The attack data is extracted from the existing network attack case, and the vulnerability data is extracted from the existing vulnerability case. The attack data and the vulnerability data can be disclosed by the Internet, or can be analyzed and refined by the target host according to the network attack events suffered in the past.
After the model training data are obtained, extracting the characteristics of the known network attacks from the model training data to obtain attack characteristic data. Further, the extracted attack characteristic data may include one or more of request time, IP information, port information, protocol type, packet sending frequency, mail address, file name, and target URL address. It should be noted that the attack characteristic data can be flexibly set according to actual situations, and this embodiment does not limit this. After the attack characteristic data is obtained, classifying according to the attack type of the network attack to which the attack characteristic data belongs to form a training sample, wherein the attack type of the network attack comprises but is not limited to SQL injection attack and XSS attack.
Model training is then performed on the training samples, namely by calculating the occurrence frequency of each attack type among the training samples and the conditional probability estimate of each attack characteristic value given each attack type, and recording the results to obtain the attack detection model. In this embodiment the algorithm used for model training is the naive Bayes algorithm, which performs well on small-scale data, suits multi-class tasks and supports incremental training. Other machine learning classification algorithms or deep learning classification algorithms may of course also be used, for example a decision tree algorithm; this embodiment does not limit the choice.
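The training procedure just described (attack-type frequencies plus smoothed conditional probabilities per characteristic value, with incremental updates) as an added example; this is not code from the patent, and the training samples, field names and value buckets are constructed for illustration:

```python
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

Sample = Tuple[Dict[str, str], str]   # (attack characteristic data, attack type label)

# Constructed training samples (not from the patent). Field names follow the characteristic
# data the text lists (protocol type, request method, sending frequency, target URL); values
# are illustrative buckets. "benign" stands for "belongs to no known attack type".
TRAINING_SAMPLES: List[Sample] = [
    ({"protocol": "http", "method": "GET",  "freq": "low",  "url_chars": "plain"}, "benign"),
    ({"protocol": "http", "method": "GET",  "freq": "low",  "url_chars": "plain"}, "benign"),
    ({"protocol": "http", "method": "POST", "freq": "low",  "url_chars": "plain"}, "benign"),
    ({"protocol": "http", "method": "GET",  "freq": "high", "url_chars": "quote"}, "sql_injection"),
    ({"protocol": "http", "method": "POST", "freq": "high", "url_chars": "quote"}, "sql_injection"),
    ({"protocol": "http", "method": "GET",  "freq": "low",  "url_chars": "quote"}, "sql_injection"),
    ({"protocol": "http", "method": "POST", "freq": "low",  "url_chars": "angle"}, "xss"),
    ({"protocol": "http", "method": "GET",  "freq": "low",  "url_chars": "angle"}, "xss"),
    ({"protocol": "http", "method": "POST", "freq": "high", "url_chars": "angle"}, "xss"),
]


class NaiveBayesAttackModel:
    """Categorical naive Bayes; only counts are stored, so training can be incremental."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                                  # Laplace smoothing for unseen values
        self.type_counts: Counter = Counter()               # attack type -> number of samples
        self.value_counts: Dict[Tuple[str, str], Counter] = defaultdict(Counter)  # (type, field) -> value counts
        self.field_values: Dict[str, set] = defaultdict(set)                      # field -> all values seen

    def train(self, samples: Iterable[Sample]) -> None:
        """Accumulate counts; calling train() again with new samples updates the model in place."""
        for data, attack_type in samples:
            self.type_counts[attack_type] += 1
            for field, value in data.items():
                self.value_counts[(attack_type, field)][value] += 1
                self.field_values[field].add(value)

    def type_frequency(self, attack_type: str) -> float:
        """Occurrence frequency of an attack type among the training samples (the prior)."""
        return self.type_counts[attack_type] / sum(self.type_counts.values())

    def conditional_probability(self, attack_type: str, field: str, value: str) -> float:
        """Smoothed estimate of P(field = value | attack_type); never zero for unseen values."""
        counts = self.value_counts[(attack_type, field)]
        n_values = len(self.field_values[field]) or 1
        return (counts[value] + self.alpha) / (self.type_counts[attack_type] + self.alpha * n_values)

    def classify(self, data: Dict[str, str]) -> str:
        """Return the attack type with the highest posterior (computed in log space)."""
        scores = {}
        for attack_type in self.type_counts:
            score = math.log(self.type_frequency(attack_type))
            for field, value in data.items():
                score += math.log(self.conditional_probability(attack_type, field, value))
            scores[attack_type] = score
        return max(scores, key=scores.get)

    def detect(self, data: Dict[str, str]) -> Optional[str]:
        """None when the features belong to no known attack type, else the detected attack type."""
        attack_type = self.classify(data)
        return None if attack_type == "benign" else attack_type


def build_model() -> NaiveBayesAttackModel:
    model = NaiveBayesAttackModel()
    model.train(TRAINING_SAMPLES)
    return model
```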
Whichever method is used to detect the attack characteristics, several detection scripts can be registered in order to improve detection precision and reduce the missing report rate; each detection script detects a different attack success characteristic, and the detection scripts together form a script library. Taking the case where the type of the attack feature is detected as an example, in step 203 the detection scripts in the script library corresponding to that type are called to detect the attack success feature of the network response of the target host. Taking SQL injection as an example, several characteristics can reflect a successful SQL injection, so SQL injection has several attack success characteristics; accordingly several detection scripts can be registered, each detecting one kind of SQL injection success characteristic.
Identification information can be assigned in advance to the detection script library corresponding to each attack characteristic type, with the same identification information configured for all detection scripts belonging to the same library. When the detection scripts are called, the identification information of the library corresponding to the detected attack characteristic type is looked up, and the detection scripts carrying that identification information are called to detect the attack success characteristic of the network response of the target host.
It should be noted that different attack characteristics may share the same attack success characteristic, so one detection script may belong to several detection script libraries and therefore be configured with several pieces of identification information.
According to the technical scheme provided by the embodiment of the specification, if only whether the attack is successful or not needs to be judged, specific attack success characteristics do not need to be obtained, or all attack success characteristics do not need to be obtained, the detection scripts in the detection script library corresponding to the types of the attack characteristics can be sequentially called to detect the attack success characteristics of the network response of the target host until the attack success characteristics are detected or the detection scripts in the detection script library are traversed. That is, once the attack success feature is detected, the network attack success prompt can be output without calling other detection scripts in the script library for detection.
If, besides judging whether the attack succeeded, all attack success characteristics are to be obtained, every detection script in the detection script library corresponding to the type of the attack characteristic can be called to detect the attack success characteristics of the network response of the target host, and each detected attack success characteristic is recorded. Correspondingly, the output network attack success prompt then includes the recorded attack success characteristics.
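The script-library mechanism described in the preceding paragraphs (run-time registration and deletion, libraries selected by identification information, a script belonging to two libraries, and the first-hit versus record-all modes) as an added example; this is not the patent's code, and the request rules, library identifiers and success-feature heuristics are constructed for illustration:

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class NetworkResponse:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class DetectionScript:
    name: str
    library_ids: Set[str]                              # identification information of the libraries it belongs to
    check: Callable[[NetworkResponse], Optional[str]]  # returns a description of the success feature, or None


class ScriptRegistry:
    """Scripts can be registered and deleted at run time; a library is the set of scripts carrying one identifier."""

    def __init__(self) -> None:
        self._scripts: Dict[str, DetectionScript] = {}

    def register(self, script: DetectionScript) -> None:
        self._scripts[script.name] = script

    def delete(self, name: str) -> None:
        self._scripts.pop(name, None)

    def library(self, library_id: str) -> List[DetectionScript]:
        return [s for s in self._scripts.values() if library_id in s.library_ids]


# Request-side rule set (the text's "pre-established rule set"); each rule names an attack type.
REQUEST_RULES = {
    "sql_injection": re.compile(r"(?i)'\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+select"),
    "webshell_connection": re.compile(r"(?i)\beval\s*\("),
}
# Hypothetical identification information of the library for each attack type.
LIBRARY_IDS = {"sql_injection": "LIB-SQLI", "webshell_connection": "LIB-WEBSHELL", "backdoor_execution": "LIB-BACKDOOR"}


def detect_request_attack_type(request_text: str) -> Optional[str]:
    """Request side: return the attack type whose rule matches, or None when no attack characteristic is found."""
    for attack_type, pattern in REQUEST_RULES.items():
        if pattern.search(request_text):
            return attack_type
    return None


# Success-feature scripts; each looks for a different characteristic in the response.
def sql_error_text(resp: NetworkResponse) -> Optional[str]:
    m = re.search(r"(?i)you have an error in your sql syntax|ora-\d{5}|sqlstate\[", resp.body)
    return f"database error text in response: {m.group(0)}" if m else None


def sql_server_error(resp: NetworkResponse) -> Optional[str]:
    return "HTTP 500 returned for the injected request" if resp.status == 500 else None


def command_output(resp: NetworkResponse) -> Optional[str]:
    m = re.search(r"uid=\d+\(\w+\)\s+gid=\d+", resp.body)
    return f"command output in response body: {m.group(0)}" if m else None


def build_registry() -> ScriptRegistry:
    reg = ScriptRegistry()
    reg.register(DetectionScript("sql_error_text", {"LIB-SQLI"}, sql_error_text))
    reg.register(DetectionScript("sql_server_error", {"LIB-SQLI"}, sql_server_error))
    # One script may belong to several libraries when two attack types share a success feature.
    reg.register(DetectionScript("command_output", {"LIB-WEBSHELL", "LIB-BACKDOOR"}, command_output))
    return reg


def detect_success_features(reg: ScriptRegistry, attack_type: str, resp: NetworkResponse,
                            record_all: bool = False) -> List[str]:
    """Call the scripts of the matching library; stop at the first hit unless record_all is set."""
    found: List[str] = []
    for script in reg.library(LIBRARY_IDS[attack_type]):
        hit = script.check(resp)
        if hit:
            found.append(f"{script.name}: {hit}")
            if not record_all:
                break
    return found


def analyse(reg: ScriptRegistry, request_text: str, resp: NetworkResponse,
            record_all: bool = False) -> Optional[dict]:
    """Full pipeline: request rule -> library lookup -> response scripts -> contents of the prompt."""
    attack_type = detect_request_attack_type(request_text)
    if attack_type is None:
        return None                                   # no attack characteristic: nothing to check
    features = detect_success_features(reg, attack_type, resp, record_all)
    return {"attack_type": attack_type, "success": bool(features), "features": features}
```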
As described above, the network request and the network response in the embodiments of the present specification are collectively referred to as network data, and after the network data is acquired, the device implementing the method provided by the above embodiments needs to extract the network request and the network response from the network data, or extract the features to be detected in the network request and the network response from the network request and the network response. The feature to be detected may be extracted by directly extracting the feature of the network request from the network data to obtain the feature to be detected, or may be extracted from the network data first and then extracted from the network request, which is not limited in this embodiment.
The structure of a network request depends on the transmission protocol used between the target host and the terminal device, for example, but not limited to, Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) or Simple Mail Transfer Protocol (SMTP). Taking an HTTP network request as an example, the request data consists of three parts: a request line, composed of a method (e.g. POST), a Uniform Resource Identifier (URI) and a protocol version (e.g. HTTP 1.1); a request header, which informs the target host about the request, including but not limited to the type of browser that made the request, the list of content types the terminal device can accept, and the name of the requested host; and a request body. After the network data is collected, each field in the HTTP request header is parsed and the field contents that need to be detected are located, that is, the features to be detected are extracted.
Each successful network attack is unique, and this manifests mainly in the attacked host's response to the successful attack request. Therefore, extracting the feature to be detected from the network response means extracting the feature of the network response itself.
Taking an HTTP network response as an example, the response consists of three parts: a status line, composed of a protocol version (e.g. HTTP 1.1), a status code and a status code description; a response header, including but not limited to the name of the application, the version of the application, the response body type, the response body length and the encoding used for the response body; and a response body. After the network data is collected, each field in the HTTP response header is parsed and the field content that needs to be compared is located; this is the extraction of the feature to be detected.
Further, when judging whether a network attack succeeded, a reverse derivation can be performed from the attacker's perspective: the characteristics of the attack request are inferred back from the response content, which improves the accuracy of identifying whether the network attack succeeded. Thus, the extraction of the feature to be detected may also be a joint extraction from the network response and the network request. Specifically, the network request data and the network response data are extracted from the network data, and the feature to be detected is then extracted from both. Still taking an HTTP network request and an HTTP network response as examples, after the network data is collected, each field in the HTTP request header and the HTTP response header is parsed and the field content to be detected is located; this is the extraction of the feature to be detected.
In a second aspect, based on the same inventive concept, an embodiment of the present specification provides a network attack detection apparatus, as shown in fig. 3, including:
a network request detection module 301, configured to detect an attack characteristic of a network request sent to a target host;
a network response detection module 302, configured to, after the attack characteristic of the network request is detected, invoke a detection script to detect an attack success characteristic of a network response of the target host, where the network response is the response of the target host to the network request;
an attack success prompting module 303, configured to output a network attack success prompt after the attack success characteristic of the network response is detected.
The apparatus provided by this embodiment calls the detection script to detect the attack success feature in the network response after detecting the attack feature in the network request, and so determines whether the network attack succeeded. Because scripts can be dynamically registered, loaded and deleted, detection with detection scripts is more flexible than traditional rule-matching detection. In addition, detecting the attack success features with detection scripts gives a lower false negative rate.
Optionally, the network request detection module is configured to: detect whether a network request sent to a target host has an attack characteristic, and the type of that attack characteristic;
the network response detection module is configured to: after the attack characteristic of the network request is detected, call a detection script corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host.
Optionally, the network response detection module is configured to: call a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is used for detecting a different attack success characteristic.
Optionally, the network response detection module is configured to:
search for identification information of the detection script library corresponding to the type of the attack characteristic;
and call a detection script containing that identification information to detect the attack success characteristic of the network response of the target host.
Optionally, the network response detection module is configured to:
sequentially call the detection scripts in the detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, until an attack success characteristic is detected or all detection scripts in the detection script library have been traversed.
Optionally, the network response detection module is configured to: call each detection script in the detection script library corresponding to the type of the attack characteristic to detect the attack success characteristics of the network response of the target host, and record the detected attack success characteristics;
and the output network attack success prompt comprises the recorded attack success characteristics.
Optionally, the type of the attack characteristic includes at least one of:
SQL injection; back door execution; webshell connection;
and the detection script corresponding to the type of the attack characteristic comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful back door execution;
a detection script for detecting a successful webshell connection.
Optionally, the network request detection module is configured to:
detect the attack characteristic of the network request sent to the target host by using a pre-established attack detection model, wherein the attack detection model is obtained by training on known attack characteristic samples.
Optionally, the network request detection module is configured to:
detect the attack characteristic of the network request sent to the target host by using a pre-established rule set.
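The two-stage pipeline of the method and apparatus above (HTTP request/response field extraction, request-side attack feature detection with a rule set, then type-keyed detection scripts run over the response either sequentially until the first success feature or across the whole library with every feature recorded), as an added Python example that is not part of the patent or of any product implementing it. The parser, the single SQL-injection rule, the two detection scripts, the library layout and the sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]
    body: str

@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: str

def _split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split raw HTTP text into start line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw: str) -> HttpRequest:
    """Request line = method, URI, protocol version (as in the description)."""
    start, headers, body = _split_message(raw)
    method, uri, _version = start.split(" ", 2)
    return HttpRequest(method, uri, headers, body)

def parse_response(raw: str) -> HttpResponse:
    """Status line = protocol version, status code, status description."""
    start, headers, body = _split_message(raw)
    _version, status, _reason = (start.split(" ", 2) + [""])[:3]
    return HttpResponse(int(status), headers, body)

# Stage 1: request-side detection with a pre-established rule set (constructed
# rule, one per attack type; a trained attack detection model could replace it).
REQUEST_RULES: Dict[str, re.Pattern] = {
    "sql_injection": re.compile(r"(?i)('\s*or\s*'[^']*'\s*=\s*'|\bunion\b\s+(?:all\s+)?select\b)"),
}

def detect_request_attack(req: HttpRequest) -> Optional[str]:
    """Return the attack type whose rule matches the decoded URI/body, else None."""
    fields = unquote_plus(req.uri) + "\n" + unquote_plus(req.body)
    for attack_type, rule in REQUEST_RULES.items():
        if rule.search(fields):
            return attack_type
    return None

# Stage 2: detection scripts, each reporting one attack success feature of the
# response (as text) or None, kept in a library keyed by attack type.
DetectionScript = Callable[[HttpRequest, HttpResponse], Optional[str]]
ScriptLibrary = Dict[str, Dict[str, DetectionScript]]
_DB_ERRORS = re.compile(r"(?i)(you have an error in your sql syntax|unclosed quotation mark|ora-\d{5})")

def sql_error_in_body(req: HttpRequest, resp: HttpResponse) -> Optional[str]:
    """Database error text leaked into the response body."""
    m = _DB_ERRORS.search(resp.body)
    return f"database error in response: {m.group(0)}" if m else None

def hash_dump_in_body(req: HttpRequest, resp: HttpResponse) -> Optional[str]:
    """Several MD5-like values in one response, typical of a dumped table."""
    n = len(re.findall(r"\b[0-9a-f]{32}\b", resp.body))
    return f"{n} hash-like values in response body" if n >= 3 else None

def register(library: ScriptLibrary, attack_type: str, name: str,
             script: DetectionScript) -> None:
    """Dynamic registration; deletion is library[attack_type].pop(name)."""
    library.setdefault(attack_type, {})[name] = script

def detect(raw_request: str, raw_response: str, library: ScriptLibrary,
           record_all: bool = False) -> Optional[dict]:
    """None if the request shows no attack feature; otherwise a verdict dict.
    record_all=False stops at the first success feature (sequential mode),
    record_all=True runs every script and records each feature found."""
    req, resp = parse_request(raw_request), parse_response(raw_response)
    attack_type = detect_request_attack(req)
    if attack_type is None:
        return None
    hits: List[Tuple[str, str]] = []
    for name, script in library.get(attack_type, {}).items():
        feature = script(req, resp)
        if feature:
            hits.append((name, feature))
            if not record_all:
                break
    return {"attack_type": attack_type, "success": bool(hits), "features": hits}

# Constructed sample traffic (not real captures).
ATTACK_REQUEST = ("GET /items?id=1%27+OR+%271%27%3D%271 HTTP/1.1\r\n"
                  "Host: shop.example\r\nUser-Agent: curl/8.0\r\n\r\n")
BENIGN_REQUEST = "GET /items?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ERROR_RESPONSE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html"
                  "\r\n\r\nYou have an error in your SQL syntax; check the manual")
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

LIBRARY: ScriptLibrary = {}
register(LIBRARY, "sql_injection", "sql_error_in_body", sql_error_in_body)
register(LIBRARY, "sql_injection", "hash_dump_in_body", hash_dump_in_body)
```

A request that matches a rule but whose response shows no success feature yields `success: False` and no prompt, which is the page's distinction between an attempted and a successful attack.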
In a third aspect, an embodiment of the present specification provides a computer device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method provided by any of the above embodiments when executing the program.
In a fourth aspect, the present specification provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the method provided by any of the above embodiments.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present specification have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all changes and modifications that fall within the scope of the specification.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present specification without departing from the spirit and scope of the specification. Thus, if such modifications and variations of the present specification fall within the scope of the claims of the present specification and their equivalents, the specification is intended to include such modifications and variations.
The invention discloses: A1. A method for detecting network attacks, comprising:
detecting an attack characteristic of a network request sent to a target host;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host, wherein the network response is the response of the target host to the network request;
and outputting a network attack success prompt after detecting the attack success characteristic of the network response.
A2, the method according to A1, wherein the detecting the attack features of the network request sent to the target host comprises: detecting whether a network request sent to a target host has attack characteristics and the type of the attack characteristics;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host, wherein the detection script comprises the following steps: and after the attack characteristics of the network request are detected, calling a detection script corresponding to the type of the attack characteristics to detect the attack success characteristics of the network response of the target host.
A3, the method according to A2, wherein the detecting script corresponding to the type of the attack feature is called to detect the attack success feature of the network response of the target host, and the method comprises the following steps:
and calling a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is respectively used for detecting different attack success characteristics.
A4, the method according to A3, wherein the detecting script in the detecting script library corresponding to the type of the attack feature is called to detect the attack success feature of the network response of the target host, and the method comprises the following steps:
searching identification information of a detection script library corresponding to the type of the attack characteristic;
and calling a detection script containing the identification information to detect the attack success characteristic of the network response of the target host.
A5, the method according to A3, wherein the detecting script in the detecting script library corresponding to the type of the attack feature is called to detect the attack success feature of the network response of the target host, and the method comprises the following steps:
and sequentially calling the detection scripts in the detection script library corresponding to the types of the attack features to detect the attack success features of the network response of the target host until the attack success features are detected or the detection scripts in the detection script library are traversed.
A6, the method according to A3, wherein the detecting script in the detecting script library corresponding to the type of the attack feature is called to detect the attack success feature of the network response of the target host, and the method comprises the following steps: calling each detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, and recording the detected attack success characteristic;
and the output network attack success prompt comprises the recorded information of the attack success characteristics.
A7, the method according to any one of A2 to A6, wherein the attack signature types include at least one of:
SQL injection; a back door execution; webshell connection;
the detection script corresponding to the type of the attack feature comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful back door execution;
a detection script for detecting a successful webshell connection.
A8, the method according to any one of A1 to A6, wherein the detecting the attack features of the network request sent to the target host comprises:
and detecting the attack characteristics of the network request sent to the target host by using a pre-established attack detection model, wherein the attack detection model is obtained by training by using a known attack characteristic sample.
A9, the method according to any one of A1 to A6, wherein the detecting the attack features of the network request sent to the target host comprises:
the attack signature of a network request sent to a target host is detected using a pre-established rule set.
B10, a network attack detection apparatus, comprising:
the network request detection module is used for detecting the attack characteristics of the network request sent to the target host;
the network response detection module is used for calling a detection script to detect the attack success characteristic of the network response of the target host after detecting the attack characteristic of the network request, wherein the network response is the response of the target host to the network request;
and the attack success prompt module is used for outputting a network attack success prompt after detecting the attack success characteristic of the network response.
B11, the apparatus according to B10, wherein the network request detection module is configured to: detecting whether a network request sent to a target host has attack characteristics and the type of the attack characteristics;
the network response detection module is configured to: and after the attack characteristics of the network request are detected, calling a detection script corresponding to the type of the attack characteristics to detect the attack success characteristics of the network response of the target host.
B12, the apparatus according to B11, wherein the network response detection module is configured to: and calling a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is respectively used for detecting different attack success characteristics.
B13, the apparatus according to B12, wherein the network response detection module is configured to:
searching identification information of a detection script library corresponding to the type of the attack characteristic;
and calling a detection script containing the identification information to detect the attack success characteristic of the network response of the target host.
B14, the apparatus according to B12, wherein the network response detection module is configured to:
and sequentially calling the detection scripts in the detection script library corresponding to the types of the attack features to detect the attack success features of the network response of the target host until the attack success features are detected or the detection scripts in the detection script library are traversed.
B15, the apparatus according to B12, wherein the network response detection module is configured to: calling each detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, and recording the detected attack success characteristic;
and the output network attack success prompt comprises the recorded information of the attack success characteristics.
B16, the device according to any one of B11-B15, characterized in that the attack signature type includes at least one of the following:
SQL injection; a back door execution; webshell connection;
the detection script corresponding to the type of the attack feature comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful back door execution;
a detection script for detecting a successful webshell connection.
B17, the device according to any one of B10-B15, wherein the network request detecting module is configured to:
and detecting the attack characteristics of the network request sent to the target host by using a pre-established attack detection model, wherein the attack detection model is obtained by training by using a known attack characteristic sample.
B18, the device according to any one of B10-B15, wherein the network request detecting module is configured to:
the attack signature of a network request sent to a target host is detected using a pre-established rule set.
C19, a computer device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of A1 to A9 when executing the program.
D20, a computer-readable storage medium, on which a computer program is stored, characterized in that the program, when executed by a processor, carries out the method of any one of A1 to A9.
Claims (10)
1. A method for detecting network attacks is characterized by comprising the following steps:
detecting an attack characteristic of a network request sent to a target host;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host, wherein the network response is the response of the target host to the network request;
and outputting a network attack success prompt after detecting the attack success characteristic of the network response.
2. The method of claim 1, wherein detecting an attack signature of a network request sent to a target host comprises: detecting whether a network request sent to a target host has attack characteristics and the type of the attack characteristics;
after detecting the attack characteristic of the network request, calling a detection script to detect the attack success characteristic of the network response of the target host, wherein the detection script comprises the following steps: and after the attack characteristics of the network request are detected, calling a detection script corresponding to the type of the attack characteristics to detect the attack success characteristics of the network response of the target host.
3. The method according to claim 2, wherein calling the detection script corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host comprises:
and calling a detection script in a detection script library corresponding to the type of the attack characteristic to detect the attack success characteristic of the network response of the target host, wherein each detection script in the detection script library is respectively used for detecting different attack success characteristics.
4. The method according to claim 3, wherein calling the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host comprises:
searching identification information of a detection script library corresponding to the type of the attack characteristic;
and calling a detection script containing the identification information to detect the attack success characteristic of the network response of the target host.
5. The method according to claim 3, wherein calling the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host comprises:
and sequentially calling the detection scripts in the detection script library corresponding to the types of the attack features to detect the attack success features of the network response of the target host until the attack success features are detected or the detection scripts in the detection script library are traversed.
6. The method according to claim 3, wherein calling the detection script in the detection script library corresponding to the type of the attack feature to detect the attack success feature of the network response of the target host comprises: calling each detection script in the detection script library corresponding to the type of the attack characteristic to detect the attack success characteristics of the network response of the target host, and recording the detected attack success characteristics;
and the output network attack success prompt comprises the recorded information of the attack success characteristics.
7. The method according to any one of claims 2 to 6, wherein the type of attack signature comprises at least one of:
SQL injection; a back door execution; webshell connection;
the detection script corresponding to the type of the attack feature comprises at least one of the following:
a detection script for detecting a successful SQL injection;
a detection script for detecting successful back door execution;
a detection script for detecting a successful webshell connection.
8. An apparatus for detecting a cyber attack, comprising:
the network request detection module is used for detecting the attack characteristics of the network request sent to the target host;
the network response detection module is used for calling a detection script to detect the attack success characteristic of the network response of the target host after detecting the attack characteristic of the network request, wherein the network response is the response of the target host to the network request;
and the attack success prompt module is used for outputting a network attack success prompt after detecting the attack success characteristic of the network response.
9. A computer device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 7 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811191806.8A CN111049783A (en) | 2018-10-12 | 2018-10-12 | Network attack detection method, device, equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111049783A true CN111049783A (en) | 2020-04-21 |
Family ID: 70229857
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811191806.8A Pending CN111049783A (en) | 2018-10-12 | 2018-10-12 | Network attack detection method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111049783A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103605926A (en) * | 2013-11-29 | 2014-02-26 | 北京奇虎科技有限公司 | Webpage tampering detecting method and device |
CN104200166A (en) * | 2014-08-05 | 2014-12-10 | 杭州安恒信息技术有限公司 | Script-based website vulnerability scanning method and system |
US8949990B1 (en) * | 2007-12-21 | 2015-02-03 | Trend Micro Inc. | Script-based XSS vulnerability detection |
CN105871850A (en) * | 2016-04-05 | 2016-08-17 | 携程计算机技术(上海)有限公司 | Crawler detection method and crawler detection system |
CN106998335A (en) * | 2017-06-13 | 2017-08-01 | 深信服科技股份有限公司 | A kind of leak detection method, gateway device, browser and system |
CN108471429A (en) * | 2018-06-29 | 2018-08-31 | 北京奇虎科技有限公司 | A kind of network attack alarm method and system |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111740946A (en) * | 2020-05-09 | 2020-10-02 | 郑州启明星辰信息安全技术有限公司 | Webshell message detection method and device |
CN113518062A (en) * | 2020-12-08 | 2021-10-19 | 腾讯科技(深圳)有限公司 | Attack detection method and device and computer equipment |
CN113472772A (en) * | 2021-06-29 | 2021-10-01 | 深信服科技股份有限公司 | Network attack detection method and device, electronic equipment and storage medium |
CN113965418A (en) * | 2021-12-22 | 2022-01-21 | 北京微步在线科技有限公司 | Attack success judgment method and device |
CN113965418B (en) * | 2021-12-22 | 2022-07-22 | 北京微步在线科技有限公司 | Attack success judgment method and device |
CN114499968A (en) * | 2021-12-27 | 2022-05-13 | 奇安信科技集团股份有限公司 | XSS attack detection method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2020-04-21