CN111131174A - Malicious attack prevention system based on big data analysis - Google Patents


Info

Publication number
CN111131174A
Authority
CN
China
Prior art keywords
website
attack
data
processing module
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201911222213.8A
Other languages
Chinese (zh)
Inventor
高静峰
王秒郎
唐鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Yitongling Information Technology Co ltd
Original Assignee
Xiamen Yitongling Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Yitongling Information Technology Co ltd
Priority to CN201911222213.8A
Publication of CN111131174A
Legal status: Withdrawn

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1458: Denial of Service
    • H04L63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00: Digital computing or data processing equipment or methods, specially adapted for specific functions
    • G06F17/10: Complex mathematical operations
    • G06F17/18: Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis

Abstract

The invention provides a malicious attack prevention system based on big data analysis, comprising an information recording and acquisition module, a model processing module and an information processing module. Compared with the prior art, the system has the following beneficial effect: because the anti-attack system is built from a constructed model, parameter legitimacy verification can be performed without requests going directly to the back-end server, which reduces the load on the back-end service server and prevents malicious attacks.

Description

Malicious attack prevention system based on big data analysis
Technical Field
The invention discloses a malicious attack prevention system based on big data analysis and belongs to the field of website protection methods.
Background
Small and medium-sized enterprise websites and large enterprise websites alike face the danger of being attacked. If no professional programmer maintains a website, many problems often occur: pages open slowly, are delayed, cannot be opened or even crash, and many customers are lost as a result. A website being attacked indicates that it has a security vulnerability; as long as the website is checked, repaired and protected, its normal operation can be maintained. Websites have vulnerabilities because new vulnerabilities are continually being discovered in computer systems and website programs, which even a professional programmer cannot easily guard against, and this gives lawbreakers an opportunity.
Disclosure of Invention
In view of the defects in the prior art, the invention aims to provide a malicious attack prevention system based on big data analysis that solves the problems described in the Background.
To achieve this purpose, the invention is realized by the following technical scheme: a system for preventing malicious attacks based on big data analysis,
comprising an information recording and acquisition module, a model processing module and an information processing module;
the information recording module is used for collecting information, the model processing module is used for processing the collected information, and the information processing module is used for building the anti-attack system from the output of the model processing module.
Furthermore, the information record acquisition module acquires historical records of attacks from a plurality of small databases. The historical attack records comprise: website pages injected with trojan code; large numbers of hidden spam links appearing in website pages; large numbers of implanted web pages appearing in the website root directory; automatic redirection to other websites when a page is opened; new content implanted in the website database; the website failing to open, or opening very slowly, because of an attack; tampering with website and server passwords; loss or damage of the website database; hijacking of the website's domain name at the Domain Name Server (DNS); and slow operation of the website server and implantation of viruses.
Furthermore, the model processing module imports the information acquired from the plurality of small databases into a centralized large distributed database or a distributed storage cluster; on the basis of the import it performs cleaning and preprocessing, prunes the analyzed data to obtain the data to be recorded and stored, converts the basic data into preprocessed data through one or more of data cleaning, data conversion, data integration and data loading, analyzes the preprocessed data, extracts the correspondence between attack operations and websites, constructs attack behavior model training samples from the historical attack records, and builds a regression model of website versus attack behavior from the training samples to serve as the attack behavior model.
Furthermore, the information processing module builds the anti-attack system from the attack behavior model through the centralized large distributed database or distributed storage cluster; at the same time, through the information processing module the user performs periodic backup of website data, periodic review of website logs, updating of the website program and system, periodic scanning for and removal of website viruses, setting of website file permissions, and periodic changing of management passwords.
The beneficial effects of the invention are as follows: in the malicious attack prevention system based on big data analysis, the anti-attack system is built from the constructed model, so parameter legitimacy verification can be performed without requests going directly to the back-end server, which reduces the load on the back-end service server and prevents malicious attacks.
Detailed Description
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further described with reference to specific embodiments.
The invention provides the following technical scheme: a system for preventing malicious attacks based on big data analysis,
comprising an information recording and acquisition module, a model processing module and an information processing module;
the information recording module is used for collecting information, the model processing module is used for processing the collected information, and the information processing module is used for building the anti-attack system from the output of the model processing module.
The information record acquisition module acquires historical records of attacks from a plurality of small databases. The historical attack records comprise: website pages injected with trojan code; large numbers of hidden spam links in website pages; large numbers of implanted web pages in the website root directory; automatic redirection to other websites when a page is opened; new content implanted in the website database; the website failing to open, or opening very slowly, because of an attack; tampering with website and server passwords; loss or damage of the website database; DNS hijacking of the website's domain name; and slow operation of the website server and implantation of viruses.
As an embodiment of the present invention, the historical attack records comprise the following. (I) Website pages injected with trojan code: when a page of the website is opened, the browser or computer security software warns that the site is risky and reports it as seeded with a trojan, because JavaScript has been implanted into the page and into files in the root directory; opening the page triggers the JavaScript, which automatically executes a script or a PHP file containing the trojan, so that the user's private data is stolen. The attacked websites are often sites involving virtual currency or of a transactional nature.
(II) A large number of hidden spam links appear in the website's pages: the page looks normal to the user, but in the page source, usually at the bottom, a large number of anchor-text links appear. These links are normally hidden, with a font size of 0 or positioned at an extreme offset. The purpose of the attack is that hackers illegally implant links to raise the search-engine weight and traffic of low-weight websites for profit, and the attacked website is often penalized with a reduction in weight. The attacked websites are those with a certain search-engine weight and traffic.
(III) A large number of implanted web pages appear in the website root directory: if the website is not maintained promptly, a sudden increase in the number of pages indexed by search engines may be noticed; the indexed content is not the site's own and is mostly illegal advertising pages, and checking the site's data on the server reveals a large number of implanted static pages. A wide range of websites is attacked this way, and high-traffic sites in particular are favored by hackers.
(IV) Opening a page of the website automatically redirects to another website: this form is often called an illegal doorway page. Hackers force JavaScript into the pages, or intrude into the server and set up 301 redirects, with the aim of profiting from illegal advertising or transferring the website's search-engine weight. The attacked targets are often websites with weight and traffic.
(V) New content implanted into the website database: some newly added records appear in the site's data; their form and other data look normal, but judging by their times and dates they are found to be concentrated rather than added by editors. Such websites are often certificate-issuing sites, for example for professional qualifications or graduation credentials; hackers earn high profits by implanting false qualification information into legitimate official websites for illegal clients. The attacked website is often a college's official website, an education department website or a qualification website.
(VI) The website cannot be opened, or opens very slowly, because of an attack: the website's pages frequently cannot be opened, or the server cannot be reached remotely. This is often because, amid fierce competition, illegal competitors hire hackers to maliciously attack a company's website programs and servers, for example with large-scale DDoS attacks, CC attacks, or direct damage to or deletion of website data; some hackers attack out of warped psychology or to show off their abilities. The attacked website is often an enterprise website or a site with a low level of maintenance and a large number of security holes.
(VII) Website and server passwords are tampered with: sometimes the website and server passwords are found to be wrong because they have been tampered with. The reason is that hackers have cracked a website or server that has vulnerabilities and changed the passwords, either to show off their technical ability or to carry out further malicious and illegal operations. All kinds of websites are attacked in this way.
(VIII) Loss or damage of the website database: sometimes the website still opens normally, but program updates and content additions can no longer be made. This is often the work of a former programmer or a hacker lacking professional ethics who maliciously attacks the site. All kinds of websites are attacked in this way.
(IX) DNS hijacking of the website's domain name: when the website is opened the content shown is not the website's own, yet checks of the server and the website program find them normal; in this situation the domain name, when pinged, does not resolve to the website's server, and DNS hijacking of the domain name is usually present. Its aim is malicious attack for showing off or for advertising profit. All kinds of websites are attacked in this way.
(X) The website server runs slowly and is implanted with viruses such as worms: sometimes the webmaster finds that the website runs, updates or operates abnormally slowly on the server, and the server's process manager shows processes with high CPU and memory usage. Scanning for trojans at this point often detects viruses such as worms. The aim is to occupy website resources, or the server has been compromised and is being used as a 'zombie' platform for attacking others. The attacked website is often one on a high-performance, high-bandwidth server.
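Indicators (I), (II) and (IV) above leave traces in the page source itself, so they can be checked mechanically as part of routine site review. The scanner below is an added example written for this page, not code from the patent or from Xiamen Yitongling: it parses a page's HTML and reports anchors hidden by style (zero font size, display:none or visibility:hidden, or pushed hundreds of pixels off-screen) together with inline scripts that force navigation elsewhere. The sample page, its hostnames and the style thresholds are constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the patent): a small shop page into which
# the three indicators under test have been planted for the demo.
SAMPLE_HTML = """
<html><head><title>Acme Widgets</title>
<script>window.location.href = 'http://example.invalid/landing';</script>
</head><body>
<h1>Welcome</h1>
<a href="/products">Products</a>
<script>if (location.href == 'x') { console.log('fine'); }</script>
<div style="font-size:0px"><a href="http://example.invalid/casino">casino</a></div>
<a style="position:absolute;left:-9999px" href="http://example.invalid/loan">loan</a>
<a href="/contact" style="display:none">contact</a>
<img src="/logo.png">
</body></html>
"""

# Styles that hide an element the way indicator (II) describes: zero font size,
# display:none / visibility:hidden, or an offset of hundreds of pixels off-screen.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$|!)"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top|right|bottom|text-indent)\s*:\s*-\d{3,}",
    re.I,
)
# Inline script that forces navigation elsewhere (indicator IV). The (?!=)
# keeps comparisons such as "location.href == x" from matching.
REDIRECT_JS = re.compile(r"(?:window\.)?location(?:\.href)?\s*=(?!=)|location\.replace\(", re.I)
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "source"}


class IndicatorScanner(HTMLParser):
    """Collects hidden anchors and redirecting inline scripts from one page."""

    def __init__(self):
        super().__init__()
        self.stack = []            # (tag, hidden_by_style) for each open element
        self.hidden_links = []
        self.redirect_scripts = []
        self._script = None        # buffer while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        # An anchor counts as hidden if it or any open ancestor is hidden.
        if tag == "a" and (hidden or any(h for _, h in self.stack)):
            self.hidden_links.append(attrs.get("href", ""))
        if tag == "script":
            self._script = []
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            if REDIRECT_JS.search(body):
                self.redirect_scripts.append(body.strip())
            self._script = None
        for i in range(len(self.stack) - 1, -1, -1):   # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan_page(html):
    """Return the page's hidden links and redirecting scripts for review."""
    scanner = IndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_links": scanner.hidden_links,
            "redirect_scripts": scanner.redirect_scripts}


if __name__ == "__main__":
    for kind, hits in scan_page(SAMPLE_HTML).items():
        print(kind, hits)
```

Run it over each page of the site during the periodic review and diff the result against the previous run: a legitimate template rarely gains new hidden anchors or new navigation-forcing scripts between releases, so any new hit is worth a look at the files and the server.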
The model processing module imports the information collected from the plurality of small databases into a centralized large distributed database or a distributed storage cluster; on the basis of the import it performs cleaning and preprocessing, prunes the analyzed data to obtain the data to be recorded and stored, converts the basic data into preprocessed data through one or more of data cleaning, data conversion, data integration and data loading, analyzes the preprocessed data, extracts the correspondence between attack operations and websites, constructs attack behavior model training samples from the historical attack records, and builds a regression model of website versus attack behavior from the training samples to serve as the attack behavior model.
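The pipeline described above (import from several small databases, cleaning and conversion, extracting the attack-to-website correspondence, building training samples, fitting a regression model) can be shown end to end on toy data. The following is an added example, not the patent's own implementation: the two source databases, their field names and the site attributes (search-engine weight and category) are constructed assumptions, and the regression is a plain logistic regression trained by batch gradient descent, chosen here because the patent names only "a regression model" without specifying its form.

```python
import math
from collections import Counter, defaultdict

# Constructed incident records from two "small databases" (not data from the
# patent). Field names, casing and types are deliberately inconsistent, one
# record is a duplicate and one is unusable, so the cleaning step has work to do.
DB_A = [
    {"site": "shop.example", "category": "ecommerce", "weight": 8, "attack": "hidden_links"},
    {"site": "shop.example", "category": "ecommerce", "weight": 8, "attack": "hidden_links"},
    {"site": "blog.example", "category": "blog", "weight": 6, "attack": "hidden_links"},
    {"site": "tiny.example", "category": "blog", "weight": 1, "attack": "ddos"},
]
DB_B = [
    {"Site": "UNI.EXAMPLE", "Category": "Education", "Weight": "7", "Attack": "db_implant"},
    {"Site": "news.example", "Category": "news", "Weight": "9", "Attack": "hidden_links"},
    {"Site": "corp.example", "Category": "enterprise", "Weight": "2", "Attack": "DDoS"},
    {"Site": "broken.example", "Category": "", "Weight": "n/a", "Attack": "ddos"},
]


def clean(*sources):
    """Import, normalise, validate and deduplicate records from several databases."""
    seen, records = set(), []
    for db in sources:
        for raw in db:
            rec = {k.lower(): v.strip().lower() if isinstance(v, str) else v
                   for k, v in raw.items()}
            try:
                rec["weight"] = int(rec["weight"])          # data conversion
            except (KeyError, TypeError, ValueError):
                continue                                     # unusable record: pruned
            if not all(rec.get(f) for f in ("site", "category", "attack")):
                continue
            key = (rec["site"], rec["attack"])
            if key in seen:                                  # duplicate across databases
                continue
            seen.add(key)
            records.append(rec)
    return records


def attack_site_relation(records):
    """Correspondence between each attack type and the kinds of website it hit."""
    relation = defaultdict(Counter)
    for r in records:
        relation[r["attack"]][r["category"]] += 1
    return relation


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class AttackModel:
    """Logistic regression for P(site suffers `target` attack | site features)."""

    def __init__(self, target, categories):
        self.target = target
        self.categories = sorted(categories)
        self.w = [0.0] * (1 + len(self.categories))   # search weight + one-hot category
        self.b = 0.0

    def features(self, category, weight):
        return [weight / 10.0] + [1.0 if category == c else 0.0 for c in self.categories]

    def predict(self, category, weight):
        x = self.features(category, weight)
        return _sigmoid(self.b + sum(wi * xi for wi, xi in zip(self.w, x)))

    def fit(self, records, lr=0.3, epochs=4000, l2=1e-3):
        samples = [(self.features(r["category"], r["weight"]),
                    1.0 if r["attack"] == self.target else 0.0) for r in records]
        n = len(samples)
        for _ in range(epochs):                              # batch gradient descent
            gw, gb = [l2 * wi for wi in self.w], 0.0         # L2 term keeps weights bounded
            for x, y in samples:
                err = _sigmoid(self.b + sum(wi * xi for wi, xi in zip(self.w, x))) - y
                gw = [g + err * xi / n for g, xi in zip(gw, x)]
                gb += err / n
            self.w = [wi - lr * g for wi, g in zip(self.w, gw)]
            self.b -= lr * gb
        return self


def training_accuracy(model, records):
    hits = sum((model.predict(r["category"], r["weight"]) >= 0.5) ==
               (r["attack"] == model.target) for r in records)
    return hits / len(records)


if __name__ == "__main__":
    recs = clean(DB_A, DB_B)
    model = AttackModel("hidden_links", {r["category"] for r in recs}).fit(recs)
    print(dict(attack_site_relation(recs)))
    print("P(hidden links | blog, weight 9) =", round(model.predict("blog", 9), 3))
    print("P(hidden links | blog, weight 1) =", round(model.predict("blog", 1), 3))
```

The model's output is a per-site risk score for one attack type, which is what the information processing module needs to decide how much checking to apply to a request before it reaches the back end; one such model per attack type in the historical records gives the full attack behavior model.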
The information processing module builds the anti-attack system from the attack behavior model through the centralized large distributed database or distributed storage cluster; at the same time, through the information processing module the user performs periodic backup of website data, periodic review of website logs, updating of the website program and system, periodic scanning for and removal of website viruses, setting of website file permissions, and periodic changing of management passwords.
These operations are as follows. (I) Periodically backing up website data: periodic backups allow an attacked website to be restored; even if the website is attacked, or website information is deleted by mistake, the information can be restored at any time.
(II) Updating the website program and system: regularly updating the versions and patches used by the website program and the server system eliminates some existing security holes and denies hackers an opportunity.
(III) Periodically scanning for and removing website viruses: regular scanning prevents hackers from further damaging or stealing website data and allows backdoor files planted during an intrusion to be deleted in time.
(IV) Setting website file permissions: reasonable permissions on website server files, for example revoking write or execute permission on important files that are part of the executed program, prevent hackers from tampering with website data.
(V) Enabling HTTPS secure transport and CDN acceleration for the website domain name: enabling HTTPS and a CDN makes the website faster and safer, hides the website's real IP address, and to a certain extent prevents security hazards such as DDoS attacks, CC attacks and domain name hijacking.
(VI) A high-defense server can be used: a high-defense server offers high performance, high bandwidth and strong defenses, provides a certain maintenance foundation in terms of security and operation, and makes later maintenance easier.
(VII) Periodically changing the management password: the website password may be retained by a departing programmer or obtained by a hacker through brute force, so regularly changing the website back-end password and the remote server login password effectively prevents data loss.
(VIII) Periodically reviewing the website logs: the website logs record the site's operational data; enabling the logs and checking them regularly gives a clear picture of the site's operating history and is one of the important ways of maintaining a website.
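Steps (I), (IV) and (VIII) above are the ones that can be automated directly. The script below is an added example written for this page, not the patent's code: it backs up a constructed site tree before touching it, applies the permission policy the patent describes (directories and ordinary files readable, important program files stripped of write and execute permission), and reviews constructed common-format access-log lines for repeated login failures and unusual request volume. Paths, file names, the 0o444/0o644/0o755 modes and the thresholds are assumptions chosen for the demonstration; the script assumes a POSIX file system.

```python
import os
import stat
import tarfile
import tempfile
import time
from collections import Counter


def build_demo_site(root):
    """Create a constructed website tree for the demo (not real site content)."""
    os.makedirs(os.path.join(root, "uploads"))
    files = {"index.php": "<?php echo 'hello';", "config.php": "<?php $db_pass = 'x';",
             "uploads/a.txt": "upload"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "config.php"), 0o777)   # the weak setting: world-writable and executable
    return root


def backup_site(site_dir, backup_dir):
    """Step (I): archive the whole site tree outside the web root, timestamped."""
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, "site-%s.tar.gz" % time.strftime("%Y%m%d-%H%M%S"))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    return archive


def backup_members(archive):
    """List the files inside a backup so a restore can be checked before it is needed."""
    with tarfile.open(archive) as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def _set_mode(path, mode):
    if mode_of(path) == mode:
        return 0
    os.chmod(path, mode)
    return 1


def harden_permissions(site_dir, protected=("config.php",)):
    """Step (IV): directories 755, ordinary files 644, protected program files 444
    (no write, no execute). Returns how many entries had to be changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(site_dir):
        for d in dirnames:
            changed += _set_mode(os.path.join(dirpath, d), 0o755)
        for f in filenames:
            changed += _set_mode(os.path.join(dirpath, f), 0o444 if f in protected else 0o644)
    return changed


# Constructed access-log lines in common log format (not from the patent).
LOG_LINES = [
    '198.51.100.4 - - [03/Dec/2019:10:00:01 +0800] "GET / HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Dec/2019:10:00:02 +0800] "GET /products HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Dec/2019:10:01:00 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.9 - - [03/Dec/2019:10:01:01 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.9 - - [03/Dec/2019:10:01:02 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.9 - - [03/Dec/2019:10:01:03 +0800] "POST /admin/login HTTP/1.1" 401 128',
    '203.0.113.9 - - [03/Dec/2019:10:01:04 +0800] "GET /config.php.bak HTTP/1.1" 404 0',
    '203.0.113.9 - - [03/Dec/2019:10:01:05 +0800] "GET /uploads/a.txt HTTP/1.1" 200 6',
]


def review_log(lines, max_per_ip=5, login_path="/admin/login", max_login_failures=3):
    """Step (VIII): flag clients with unusual request volume or repeated login failures."""
    per_ip, login_failures = Counter(), Counter()
    for line in lines:
        parts = line.split()
        if len(parts) < 9:
            continue                                   # malformed line: skip it
        ip, path, status = parts[0], parts[6], parts[8]
        per_ip[ip] += 1
        if path == login_path and status in ("401", "403"):
            login_failures[ip] += 1
    return {
        "high_volume": sorted(ip for ip, n in per_ip.items() if n > max_per_ip),
        "login_bruteforce": sorted(ip for ip, n in login_failures.items() if n >= max_login_failures),
    }


def run_hardening_demo():
    """Back up first, then harden; report the before/after modes for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_demo_site(os.path.join(tmp, "site"))
        before = mode_of(os.path.join(site, "config.php"))
        archive = backup_site(site, os.path.join(tmp, "backups"))
        members = backup_members(archive)
        changed = harden_permissions(site)
        after = {rel: mode_of(os.path.join(site, rel))
                 for rel in ("config.php", "index.php", "uploads")}
    return {"before_config": before, "backup_members": members,
            "changed": changed, "after": after}


if __name__ == "__main__":
    print(run_hardening_demo())
    print(review_log(LOG_LINES))
```

Backing up before hardening means a permission mistake can be rolled back from the archive; the thresholds in review_log should be tuned against the site's own baseline traffic rather than left at the demo values.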
While there have been shown and described what are at present considered the fundamental principles and essential features of the invention and its advantages, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing exemplary embodiments, but is capable of other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment contains only a single independent technical solution; the description is written in this way only for clarity, and those skilled in the art should take the description as a whole, since the technical solutions of the embodiments may be combined as appropriate to form other embodiments understood by those skilled in the art.

Claims (4)

1. A malicious attack prevention system based on big data analysis, characterized in that:
the system comprises an information recording and acquisition module, a model processing module and an information processing module;
the information recording module is used for collecting information, the model processing module is used for processing the collected information, and the information processing module is used for building the anti-attack system from the output of the model processing module.
2. The big data analysis-based malicious attack prevention system according to claim 1, wherein the information record acquisition module acquires historical records of attacks from a plurality of small databases, the historical attack records comprising: website pages injected with trojan code; large numbers of hidden spam links in website pages; large numbers of implanted web pages in the website root directory; automatic redirection to other websites when a page is opened; new content implanted in the website database; the website failing to open, or opening very slowly, because of an attack; tampering with website and server passwords; loss or damage of the website database; DNS hijacking of the website's domain name; and slow operation of the website server and implantation of viruses.
3. The big data analysis-based malicious attack prevention system according to claim 1, wherein the model processing module imports the information collected from the plurality of small databases into a centralized large distributed database or a distributed storage cluster; on the basis of the import it performs cleaning and preprocessing, prunes the analyzed data to obtain the data to be recorded and stored, converts the basic data into preprocessed data through one or more of data cleaning, data conversion, data integration and data loading, analyzes the preprocessed data, extracts the correspondence between attack operations and websites, constructs attack behavior model training samples from the historical attack records, and builds a regression model of website versus attack behavior from the training samples to serve as the attack behavior model.
4. The big data analysis-based malicious attack prevention system according to claim 1, wherein the information processing module builds the anti-attack system from the attack behavior model through the centralized large distributed database or distributed storage cluster, and at the same time, through the information processing module, the user performs periodic backup of website data, periodic review of website logs, updating of the website program and system, periodic scanning for and removal of website viruses, setting of website file permissions, and periodic changing of management passwords.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911222213.8A CN111131174A (en) 2019-12-03 2019-12-03 Malicious attack prevention system based on big data analysis

Publications (1)

Publication Number Publication Date
CN111131174A (en) 2020-05-08

Family

ID=70497398

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911222213.8A Withdrawn CN111131174A (en) 2019-12-03 2019-12-03 Malicious attack prevention system based on big data analysis

Country Status (1)

Country Link
CN (1) CN111131174A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104767757A (en) * 2015-04-17 2015-07-08 国家电网公司 Multi-dimensional security monitoring method and system based on web services
US20150215331A1 (en) * 2012-02-27 2015-07-30 Amazon Technologies, Inc. Detecting network attacks
CN108234462A (en) * 2017-12-22 2018-06-29 杭州安恒信息技术有限公司 Method for intelligently intercepting threat IPs based on cloud protection
CN108712453A (en) * 2018-08-30 2018-10-26 杭州安恒信息技术股份有限公司 Injection attack detection method, device and server based on a logistic regression algorithm
CN110011999A (en) * 2019-03-29 2019-07-12 东北大学 IPv6 network DDoS attack detection system and method based on deep learning

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication (application publication date: 20200508)