CN111163094A - Network attack detection method, network attack detection device, electronic device, and medium - Google Patents


Info

Publication number: CN111163094A
Authority: CN (China)
Prior art keywords: file, function, specified, network data, data stream
Legal status: Granted (active)
Application number: CN201911402244.1A
Other languages: Chinese (zh)
Other versions: CN111163094B (en)
Inventors: 向祖庭, 姚翼雄, 谈文彬, 索海东
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; granted as CN111163094B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The present disclosure provides a network attack detection method, a network attack detection apparatus, an electronic device, and a medium. The method comprises the following steps: in response to receiving a network data stream, performing file type identification on the network data stream to determine whether a file of a specified file type is included in it; if the network data stream is determined to include a file of the specified file type, compiling that file to obtain an operation code; obtaining the specified function association information in the operation code; and performing network attack detection on the network data stream based on the specified function association information.

Description

Network attack detection method, network attack detection device, electronic device, and medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a network attack detection method, a network attack detection apparatus, an electronic device, and a medium.
Background
With the rapid development of communication and computer technologies, internet information security has become a focus of increasing attention. A webshell is a script-based attack tool for web intrusion. Briefly, webshells are trojan backdoors: after compromising a web site, hackers place these backdoor files in the web directory of the site's server, mixed in with the normal web page files. The hacker can then control the web server through the trojan backdoor over the web, including uploading and downloading files, viewing databases, executing arbitrary program commands, and so on.
In the webshell attack detection method of the related art, whether a command-executing function such as "eval" or "system" exists in a network data stream is detected based on webshell characteristics, so as to determine whether a network attack behavior exists in the network data stream.
In implementing the disclosed concept, the inventors found at least the following problem in the related art: hackers can hide command-executing functions such as "eval" and "system" by defining custom encryption and decryption functions, or by using exclusive or (xor), string reversal, compression, truncation and recombination, and the like, so as to evade the webshell attack detection method of the related art.
Disclosure of Invention
In view of this, the present disclosure provides a network attack detection method, a network attack detection apparatus, an electronic device, and a medium for improving a network attack detection effect.
One aspect of the present disclosure provides a network attack detection method performed by a server, including: in response to receiving a network data stream, performing file type identification on the network data stream to determine whether a file of a specified file type is included in it; if the network data stream is determined to include a file of the specified file type, compiling that file to obtain an operation code; obtaining the specified function association information in the operation code; and performing network attack detection on the network data stream based on the specified function association information.
According to an embodiment of the disclosure, the file of the specified file type is compiled, through virtual execution, to generate the corresponding operation code, and whether the network data stream includes a network attack behavior is comprehensively judged according to the specified function association information in the operation code. Since the operation code generated by compiling is the language the machine actually executes, command-executing functions such as "eval" and "system" that a hacker has hidden with custom encryption and decryption functions or with concealment operations such as exclusive or (xor), string reversal, compression, truncation and recombination are restored in the compiled operation code, which effectively prevents hackers from evading detection through such concealment operations.
According to the embodiment of the disclosure, obtaining the specified function association information in the operation code comprises the following operations: obtaining at least one of the following information in the opcode: a key function and key parameters of the key function; and a calling function and parameters of the calling function.
According to the embodiment of the disclosure, performing network attack detection on the network data stream based on the specified function association information comprises: determining whether at least one of the key function and the calling function includes a sensitive function, and determining whether at least one of the key parameter and a parameter of the calling function includes a sensitive parameter; and, if at least one of the key function and the calling function is determined to include a sensitive function and/or at least one of the key parameter and the parameter of the calling function is determined to include a sensitive parameter, performing network attack detection on the network data stream based on at least one of the sensitive function and the sensitive parameter.
According to an embodiment of the present disclosure, the method further includes: after determining that at least one of the key function and the calling function comprises a sensitive function and/or determining that at least one of the key parameter and the parameter of the calling function comprises a sensitive parameter, analyzing the text information of the file of the specified file type to determine whether a matching result for the specified text information exists in the text information, wherein the specified text information indicates that the file of the specified file type comprises the sensitive information; and if the matching result is determined to be null, determining that the network data stream comprises a network attack file.
According to an embodiment of the present disclosure, the method further includes: after determining that at least one of the key function and the calling function includes a sensitive function, adding a hook function to the sensitive function.
According to an embodiment of the present disclosure, identifying a file type of a network data stream includes: extracting the characteristics of the network data stream to obtain flow characteristics; matching the flow characteristics with the characteristics of the specified file; and if the matching result is determined to exist, determining that the file of the specified file type exists in the network data stream.
According to an embodiment of the present disclosure, the method further includes: after the flow characteristics are matched with the specified file characteristics, if the matching result is determined to be null, file suffixes of files included in the network data stream are obtained; matching the file suffix of each file with the specified file suffix; and if the matching result is determined to exist, determining that the file of the specified file type exists in the network data stream.
According to an embodiment of the present disclosure, compiling a file of the specified file type to obtain an opcode includes processing the file of the specified file type with the scripting engine for that file type, so as to compile and generate the operation code of the file.
Another aspect of the present disclosure provides a network attack detecting apparatus, including a file type identification module, a compiling module, a specified function information obtaining module and an attack detection module. The file type identification module is used for, in response to receiving a network data stream, identifying the file type of the network data stream so as to determine whether the network data stream comprises a file of a specified file type; the compiling module is used for compiling the file of the specified file type to obtain an operation code if the network data stream is determined to comprise such a file; the specified function information obtaining module is used for obtaining the specified function association information in the operation code; and the attack detection module is used for performing network attack detection on the network data stream based on the specified function association information.
According to the embodiment of the disclosure, the specified function information obtaining module is specifically configured to obtain at least one of the following information in the operation code: a key function and key parameters of the key function; and a calling function and parameters of the calling function.
According to an embodiment of the present disclosure, an attack detection module includes: the device comprises a sensitive information determining unit and a detecting unit. The sensitive information determining unit is used for determining whether the key function and/or the calling function comprises a sensitive function or not, and determining whether the key parameter and/or the parameter of the calling function comprises a sensitive parameter or not; and the detection unit is used for carrying out network attack detection on the network data flow based on the sensitive function and/or the sensitive parameter if the sensitive function and/or the sensitive parameter are determined to be included.
According to an embodiment of the present disclosure, the apparatus further includes a text analysis module and a network attack file determination module. The text analysis module is used for analyzing the text information of the file of the specified file type, after determining that at least one of the key function and the calling function comprises a sensitive function and/or that at least one of the key parameter and the parameter of the calling function comprises a sensitive parameter, so as to determine whether a matching result for the specified text information exists in the text information, wherein the specified text information indicates that the file of the specified file type comprises the sensitive information; and the network attack file determining module is used for determining that the network data stream comprises a network attack file if the matching result is determined to be null.
According to an embodiment of the present disclosure, the apparatus further includes: a hook adding module to add a hook function to a sensitive function after determining that at least one of the key function and the calling function includes a sensitive function.
According to an embodiment of the present disclosure, the file type identification module includes a feature extraction unit, a feature matching unit and a specified-file-type file determining unit. The feature extraction unit is used for extracting the features of the network data stream to obtain the traffic features; the feature matching unit is used for matching the traffic features with the specified file features; and the specified-file-type file determining unit is used for determining that a file of the specified file type exists in the network data stream if a matching result is determined to exist.
According to an embodiment of the present disclosure, the apparatus further includes: the system comprises a suffix obtaining module, a suffix matching module and a specified file type file determining module. The suffix obtaining module is used for obtaining file suffixes of files included in the network data stream if the matching result is determined to be null after the flow characteristics are matched with the specified file characteristics; the suffix matching module is used for matching the file suffix of each file with the specified file suffix; and the specified file type file determining module is used for determining that the file of the specified file type exists in the network data stream if the matching result is determined to exist.
According to an embodiment of the present disclosure, the compiling module is specifically configured to process the file of the specified file type with the scripting engine for that file type, so as to compile and generate the operation code of the file.
Another aspect of the present disclosure provides an electronic device comprising one or more processors and a storage, wherein the storage is configured to store executable instructions that, when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates an application scenario of a network attack detection method, a network attack detection apparatus, an electronic device, and a medium according to an embodiment of the present disclosure;
FIG. 2 schematically shows an architecture diagram suitable for a cyber attack detection method, a cyber attack detection apparatus, an electronic device, and a medium according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a network attack detection method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a diagram of compiling files of a specified type according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flow chart of a method of determining a network attack file according to an embodiment of the present disclosure;
FIG. 6 schematically shows a block diagram of a cyber attack detection apparatus according to an embodiment of the present disclosure; and
fig. 7 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of the described features.
The embodiment of the disclosure provides a network attack detection method, a network attack detection device, an electronic device and a medium. The method comprises a compiling process and an attack detection process. In the compiling process, in response to receiving the network data stream, file type identification is performed on the network data stream to determine whether a file of a specified file type is included in it, and, if so, that file is compiled to obtain the operation code. After the compiling process is completed, the attack detection process obtains the specified function association information in the operation code, so that the embodiment of the disclosure can perform network attack detection on the network data stream based on that information.
Fig. 1 schematically illustrates an application scenario of a network attack detection method, a network attack detection apparatus, an electronic device, and a medium according to an embodiment of the present disclosure.
As shown in fig. 1, a hacker may implant a script attack tool into the attacked party's electronic device through a network, and that electronic device may be any of various types of servers, such as an entry-level server, a workgroup-level server, a department-level server, an enterprise-level server, and the like. While being transmitted, the script attack tool may pass through at least one gateway, such as gateway 1 … gateway n, where n is a positive integer larger than 1. Existing protection software is extremely sensitive to functions capable of executing commands and code, so, to resist the various antivirus products that detect by static analysis, webshell code is changed continuously, for example by obfuscation and encryption. However, for obfuscated and encrypted webshells, none of the related static-analysis detection devices detects well.
The embodiment of the disclosure can perform virtual execution on the network data stream by means of the gateway, or of a server connected with the gateway, to realize network attack detection and so reduce the loss caused to a user by a hacker. For example, a php script file can be recognized by methods such as feature analysis; the extracted php script file is sent to the php script engine, the corresponding bytecode and operation code are generated by compilation, and whether the current network data stream includes an attack behavior is comprehensively judged on the basis of sensitive functions, sensitive parameters and the like.
Fig. 2 schematically shows an architecture diagram suitable for a network attack detection method, a network attack detection apparatus, an electronic device, and a medium according to an embodiment of the present disclosure.
It should be noted that fig. 2 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 2, the system architecture 200 according to this embodiment may include terminal devices 201, 202, 203, a network 204, a server 205, and a gateway 206. The network 204 serves as a medium for providing communication links between the terminal devices 201, 202, 203, the server 205 and the gateway 206. Network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 201, 202, 203 to interact with the server 205, via the network 204 and the gateway 206, to receive or send messages or the like. The terminal devices 201, 202, 203 may have various communication client applications installed thereon, such as firewall-type applications, virus-checking/killing-type applications, shopping-type applications, web browser applications, search-type applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only). The server 205 and the gateway 206 may have firewall-like applications installed thereon.
The terminal devices 201, 202, 203 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 205 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 201, 202, 203. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
The gateway 206 may route the information sent by the terminal devices 201, 202, 203 and the server 205 to the correct address. In addition, the gateway 206 may perform a network attack analysis on the received network data stream.
It should be noted that the network attack detection method provided by the embodiment of the present disclosure may be generally executed by the gateway 206. Accordingly, the network attack detection apparatus provided by the embodiments of the present disclosure may be generally disposed in the gateway 206. The network attack detection method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the gateway 206 and can communicate with the gateway 206 and the server 205. Accordingly, the network attack detecting device provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the gateway 206 and can communicate with the gateway 206 and the server 205.
It should be understood that the number of terminal devices, networks, and servers are merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 3 schematically shows a flow chart of a network attack detection method according to an embodiment of the present disclosure.
As shown in fig. 3, the method includes operations S301 to S307.
In operation S301, in response to receiving a network data stream, file type identification is performed on the network data stream to determine whether a file of a specified file type is included in the network data stream.
In this embodiment, the file types include, but are not limited to: text file types, video file format types, audio file format types, picture format file types, executable file format types, and the like. Each file type may be divided into a plurality of sub-types; for example, executable files include but are not limited to the .exe, .sys and .com types.
Traffic protocols of network data streams include, but are not limited to: server message block (smb), file transfer protocol (ftp), hypertext transfer protocol (http), network file system (nfs), trivial file transfer protocol (tftp), and the like.
The specified file type refers to file types that may be used to conduct a network attack, including but not limited to script files such as hypertext preprocessor (php), java server pages (jsp), active server pages (asp) and the like.
For example, script files such as php, jsp and asp can be analyzed to extract the file features of each, and the file features written as regular expressions; the files identified by decoding according to the traffic protocol are then matched against these file features to identify the corresponding file types. There may also be cases where the file type cannot be determined from the file features; the unidentified file is then subjected to file type identification again, based on its file suffix.
The following is an exemplary explanation of the php script file. The file characteristics of the php file can be summarized as follows.
^[\x0d\x0a\x09\x20]*((<\?php)|(<\?(\x20)?php)|(<\?\x0a)|(<\?\x0d)|(\#!\x20/usr/local/bin/php)|(\#!\x20/usr/bin/php))
In operation S303, if it is determined that the file of the specified file type is included in the network data stream, the file of the specified file type is compiled to obtain an operation code (opcode).
For example, files of a specified file type, such as script files php, jsp, asp, etc., may be compiled to obtain the operation codes of the respective files.
In one embodiment, identifying a file type for a network data stream may include the following operations.
Firstly, feature extraction is carried out on the network data flow to obtain the traffic features.
The flow characteristics are then matched with the specified file characteristics. The specified file characteristics may be obtained from a database, for example, the file characteristics of files of multiple file types are stored in the database. Each file feature may be extracted from a file of one file type.
Then, if it is determined that there is a matching result, it is determined that a file of the specified file type exists in the network data stream.
In one embodiment, compiling a file of the specified file type to obtain an opcode comprises processing the file of the specified file type with the scripting engine for that file type, so as to compile and generate the operation code of the file. For example, the php script file may be sent to the php script engine and compiled to generate the corresponding bytecode and then the corresponding opcode.
In another embodiment, in order to increase the accuracy of file type identification, the method may further include the following operation after matching the traffic characteristics with the specified file characteristics.
First, if it is determined that the matching result is null, a file suffix of each file included in the network data stream is obtained.
Then, the file suffix of each file is matched with the specified file suffix.
Then, if it is determined that there is a matching result, it is determined that a file of the specified file type exists in the network data stream. In this way, unidentified files are identified again based on their file suffixes, which improves the accuracy of file type identification.
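The two-pass identification just described (feature match first, suffix only when the match is null) in Python, as an added example that is not the patent's own code. The php pattern is exactly the file feature quoted in the description; the jsp and asp patterns, the suffix table and the sample payloads are assumptions constructed for the demonstration.

```python
import re

# Added example (not the patent's code). The php pattern is the file feature
# quoted in the description; everything else in this block is an assumption.
PHP_FEATURE = re.compile(
    rb"^[\x0d\x0a\x09\x20]*((<\?php)|(<\?(\x20)?php)|(<\?\x0a)|(<\?\x0d)"
    rb"|(\#!\x20/usr/local/bin/php)|(\#!\x20/usr/bin/php))"
)

# Assumed feature database (file type -> feature regexes), standing in for the
# database of file features the description mentions.
FILE_FEATURES = {
    "php": [PHP_FEATURE],
    "jsp": [re.compile(rb"^[\x0d\x0a\x09\x20]*<%@\s*page\b", re.I)],
    "asp": [re.compile(rb"^[\x0d\x0a\x09\x20]*<%\s*@\s*language\s*=", re.I)],
}

# Assumed suffix table for the second identification pass.
FILE_SUFFIXES = {".php": "php", ".phtml": "php", ".jsp": "jsp", ".asp": "asp"}


def identify_by_feature(content: bytes):
    """First pass: match the decoded file body (the 'traffic feature') against
    the specified file features. None means the matching result is null."""
    for ftype, patterns in FILE_FEATURES.items():
        if any(p.search(content) for p in patterns):
            return ftype
    return None


def identify_by_suffix(filename: str):
    """Second pass: identify an otherwise unidentified file by its suffix."""
    name = filename.lower()
    for suffix, ftype in FILE_SUFFIXES.items():
        if name.endswith(suffix):
            return ftype
    return None


def identify_file_type(filename: str, content: bytes):
    """Combined identification: feature match first; suffix only when that is null."""
    return identify_by_feature(content) or identify_by_suffix(filename)


# Constructed sample files (not from the patent), standing in for files decoded
# out of an http upload.
SAMPLES = [
    ("index.php", b"\r\n  <?php echo 'hello'; ?>"),   # leading whitespace, then <?php
    ("cli.php", b"#! /usr/bin/php\n<?php echo 1;"),   # shebang form of the feature
    ("upload.txt", b"<?php echo 'x'; ?>"),             # php body behind a misleading suffix
    ("short.php", b"<?= date('Y') ?>"),                # short tag: feature null, suffix catches it
    ("page.jsp", b'<%@ page language="java" %>'),
    ("notes.txt", b"just text"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:12s} feature={identify_by_feature(body)!s:5s} "
              f"final={identify_file_type(name, body)}")
```

Note that the feature pass runs on content and the suffix pass on the name, so a php body uploaded as `upload.txt` is still caught by the first pass, while a short-tag file that the quoted feature cannot see is only recovered by the suffix fallback.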
In operation S305, specified function association information in the operation code is obtained.
In this embodiment, obtaining the specified function association information in the operation code includes: obtaining at least one of the following information in the opcode: key functions and key parameters of key functions, call functions and parameters of call functions.
Specifically, the corresponding key functions and key parameters can be found by searching the opcode for the specified instructions.
In operation S307, network attack detection is performed on the network data stream based on the specified function association information.
Specifically, performing network attack detection on the network data stream based on the specified function association information may include the following operations.
First, it is determined whether at least one of the key function and the calling function includes a sensitive function, and it is determined whether at least one of the key parameter and a parameter of the calling function includes a sensitive parameter.
Then, if it is determined that at least one of the key function and the calling function includes a sensitive function, and/or if it is determined that at least one of the key parameter and the parameter of the calling function includes a sensitive parameter, performing network attack detection on the network data stream based on at least one of the sensitive function and the sensitive parameter.
For example, whether the specified function association information includes a sensitive function, a sensitive parameter or the like may be determined by matching against a database, and on that basis it is determined whether the network data stream includes an attack behaviour; the sensitive function, the sensitive parameter and similar findings are weighed together in this judgment. The database may be constructed in advance and store the functions, parameters and other items associated with network attack behaviour. For instance, "eval", "system" and "assert" are functions that can cause a command to be executed, and their corresponding key parameters include, but are not limited to, executable commands such as "rm" (the delete command), with which an attacker can delete, query or obtain information on the attacked object and so cause damage. In addition, since functions can call one another, a key parameter may itself be a called key function.
In a specific embodiment, taking the HTTP protocol and PHP script files as an example, a PHP file is first identified by the file feature "<?php": among the files obtained by decoding, PHP files are identified on the basis of this feature, and if no file is identified successfully, identification is attempted again on the basis of the file suffix ".php". If a PHP script file is identified, it is sent to the Zend engine (an open-source script engine, specifically a virtual machine), which compiles it to generate the corresponding opcode; the corresponding key functions (for example eval, system, cmd_shell, assert and the like in PHP) and key parameters are located with the specified opcode command, and whether the file belongs to an attack behaviour is judged comprehensively on the basis of the sensitive functions (such as eval, system or assert), the sensitive parameters and the like.
According to the network attack detection method provided by the embodiment of the disclosure, files of the designated file types such as php, jsp and asp are analysed, the extracted content is sent to the script engine, and the corresponding bytecode and opcode are generated by compilation. This effectively reduces the possibility that an attacker bypasses detection of network attack files such as webshells by means of custom encryption and decryption functions, xor, string reversal, compression, truncation and recombination, and so improves network security.
FIG. 4 schematically illustrates a diagram of compiling files of a specified type according to an embodiment of the disclosure.
As shown in fig. 4, for a network data stream transmitted over the HTTP protocol, the server, after receiving the stream, can parse out the files it contains according to the HTTP protocol. As shown in the upper diagram of fig. 4, the file obtained from the HTTP traffic contains the fragment return "ass"."ert". The fragment has been processed by an attacker: when the related art examines it by static rule matching, it is difficult to detect that the fragment yields the assert function, which is a sensitive function in network attack detection. After the file parsed out of the HTTP traffic is compiled, the function shown in the lower diagram of fig. 4 is obtained. Because the compiled opcode is the code the machine will actually execute, an attacker cannot keep the function hidden in the code to be executed, so the risk that an attacker bypasses detection by custom encryption and decryption functions, xor, string reversal, compression, truncation, recombination and the like is effectively reduced.
Fig. 5 schematically shows a flowchart of a method of determining a network attack file according to an embodiment of the present disclosure.
As shown in fig. 5, after operation S501 determines that at least one of the key function and the calling function includes a sensitive function and/or that at least one of the key parameter and the parameter of the calling function includes a sensitive parameter, the method may further include operations S503 to S505.
In operation S503, the text information of the file of the specified file type is analyzed to determine whether there is a matching result of the specified text information in the text information, and the specified text information indicates that the file of the specified file type includes sensitive information.
Different specified file types correspond to different specified text information. For example, the specified text information corresponding to a PHP script file includes, but is not limited to, the function names of sensitive functions and the parameter names of sensitive parameters, which include, but are not limited to, eval, system, _POST, return and assert.
As shown in the upper diagram of fig. 4, the sensitive information assert does not appear in the file before compilation.
In operation S505, if it is determined that the matching result is null, it is determined that the network data stream includes a network attack file.
Referring to the lower diagram of fig. 4, if the compiled function includes the sensitive information assert, the file before compilation deliberately hid the sensitive information assert, which indicates an intent to evade network attack detection. Accordingly, it may be determined that the network data stream includes a network attack file.
By further performing plaintext analysis on the file whose opcode contains a sensitive function or the like: if the uncompiled source text does not contain the sensitive information but the compiled opcode does, it can be determined that the script file has been obfuscated or encrypted, and the file is more likely to contain malicious code.
In addition, in order to facilitate the analysis of the network attack file, the method may further include the following operations.
After determining that at least one of the key function and the calling function includes a sensitive function, a hook function is added to the sensitive function. In this way, the sensitive function and related information can be captured through the hook function when needed.
Taking the network data flow transmitted by the http protocol as an example, the network attack detection may include the following operations.
First, files are restored from the network data stream according to the HTTP protocol.
Then, the file characteristics of PHP script files are matched against each restored file to determine whether a PHP file is present; if the matching result is null, the decision is made from the file suffix instead.
Then, if the network data stream is determined to include a PHP file, the PHP script engine processes it to generate the corresponding opcode. Within the generated opcode, key functions or system call functions are located with the specified opcode command, and sensitive-function and sensitive-parameter matching determines whether the opcode contains sensitive functions (such as eval, system, cmd_shell or assert) and whether the parameters those functions take are sensitive information. On this combined judgment it is determined whether the network data stream includes an attack behaviour.
For example, obfuscated php malicious code:
(Figure: the obfuscated PHP sample is reproduced as an image in the original and is not available as text.)
With ordinary static rule matching it is difficult to determine that this PHP file contains malicious code. From the opcode obtained after compilation, however, it can be determined that the file contains a FETCH_FUNC_ARG instruction whose parameter is '_POST', and a RETURN instruction whose value is "assert". These are sensitive functions and sensitive parameters that may be used in a network attack.
Then, according to the database of built-in sensitive information, it is judged whether the opcode compiled by the script engine contains sensitive information (such as sensitive functions and sensitive parameters). The PHP file is thus judged to contain the sensitive function assert, while before compilation by the engine it did not contain that sensitive function, which increases the likelihood that the PHP file contains malicious code.
According to the network attack detection method provided by the embodiment of the disclosure, malicious code that has been hidden by means of custom encryption and decryption functions, xor, string reversal, compression, truncation, recombination and the like can be effectively detected in the manner shown above. Interception of the malicious code and other handling can then follow, improving network security and the information security of the user.
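The procedure above cannot be run without a PHP engine, so the following added example (not the patent's code) shows the same two checks, the opcode-level database match and the plaintext cross-check of operations S503 to S505, with CPython's compiler standing in for the Zend engine. CPython also folds constant string concatenation at compile time, so "sys" + "tem" appears as the single constant "system" in the compiled code object, just as "ass"."ert" becomes "assert" in Fig. 4; the example therefore generalises the PHP case to Python scripts. The sensitive-information database, the samples and the verdict labels are this example's own assumptions; a PHP deployment would walk a Zend opcode dump instead of a CPython code object. The fourth sample, which decodes the function name at run time, shows the limit of the method: nothing is folded, so a purely static compile-and-match produces no hit, which is where run-time instrumentation such as the hook function described above would be needed.

```python
import types

# Assumed sensitive-information database. The patent names eval, system and
# assert for PHP; the Python-oriented entries are this example's own choice.
SENSITIVE_FUNCTIONS = {"eval", "exec", "system", "assert", "popen"}
SENSITIVE_PARAMS = {"_POST", "_GET", "rm -rf", "/etc/passwd"}


def compiled_symbols(src):
    """Collect identifier names and string constants from the compiled code
    object and every nested code object (functions, lambdas, comprehensions).
    The compiler folds "sys" + "tem" into the single constant "system", so a
    split identifier is whole here even though it is split in the source."""
    names, strings = set(), set()
    stack = [compile(src, "<sample>", "exec")]
    while stack:
        code = stack.pop()
        names.update(code.co_names)
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)
            elif isinstance(const, str):
                strings.add(const)
    return names, strings


def find_sensitive(names, strings):
    """Database match: a function hits if it is referenced by name or appears as
    a string constant (dynamic call); a parameter hits as a substring of any constant."""
    hits = {fn for fn in SENSITIVE_FUNCTIONS if fn in names or fn in strings}
    hits |= {p for p in SENSITIVE_PARAMS if any(p in s for s in strings)}
    return hits


def detect(src):
    """Opcode-level match followed by the plaintext cross-check: a hit that is
    absent from the source text was only revealed by compilation, i.e. hidden."""
    try:
        names, strings = compiled_symbols(src)
    except SyntaxError:
        return {"verdict": "uncompilable", "sensitive": [], "hidden": []}
    hits = find_sensitive(names, strings)
    hidden = {h for h in hits if h not in src}
    if hidden:
        verdict = "attack"        # sensitive only after compilation: obfuscated
    elif hits:
        verdict = "suspicious"    # sensitive, but visible in the plaintext too
    else:
        verdict = "clean"
    return {"verdict": verdict, "sensitive": sorted(hits), "hidden": sorted(hidden)}


# Constructed samples; none of them comes from the patent.
SAMPLES = {
    "clean": 'print("hello, world")',
    "plain": 'import os\nos.system("id")',
    # String splitting, the Python analogue of the patent's "ass"."ert":
    "split": 'getattr(__import__("o" + "s"), "sys" + "tem")("r" + "m -rf /tmp/x")',
    # Decoded at run time, so compilation alone never materialises "system":
    "runtime": 'import base64, os\n'
               'getattr(os, base64.b64decode(b"c3lzdGVt").decode())("id")',
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:8s} {detect(src)}")
```

The "split" sample is flagged as an attack because "system" and "rm -rf" exist only in the compiled constants, never in the source text; the "plain" sample carries the same call but is merely suspicious, since nothing was hidden. The "runtime" sample comes back clean, which is the false negative a static compile-and-match step cannot avoid on its own.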
Fig. 6 schematically shows a block diagram of a network attack detection apparatus according to an embodiment of the present disclosure.
As shown in fig. 6, the network attack detecting apparatus 600 may include: a file type identification module 610, a compiling module 630, a specified function information obtaining module 650 and an attack detection module 670.
The file type identification module 610 is configured to perform file type identification on the network data stream in response to receiving the network data stream, so as to determine whether a file of a specified file type is included in the network data stream.
The compiling module 630 is configured to compile the file of the specified file type to obtain the operation code if it is determined that the file of the specified file type is included in the network data stream.
The specified function information obtaining module 650 is configured to obtain the specified function associated information in the operation code.
The attack detection module 670 is configured to perform network attack detection on the network data stream based on the specified function association information.
The specific function information obtaining module 650 may be specifically configured to obtain at least one of the following information in the operation code: key functions and key parameters of key functions, and calling functions and parameters of calling functions.
In one embodiment, attack detection module 670 may include: the device comprises a sensitive information determining unit and a detecting unit.
The sensitive information determining unit is used for determining whether at least one of the key function and the calling function comprises a sensitive function or not, and determining whether at least one of the key parameter and the parameter of the calling function comprises a sensitive parameter or not.
The detection unit is used for carrying out network attack detection on the network data flow based on at least one of the sensitive function and the sensitive parameter if at least one of the key function and the calling function is determined to comprise a sensitive function and/or at least one of the key parameter and the parameter of the calling function is determined to comprise a sensitive parameter.
In another embodiment, the apparatus 600 may further include: the system comprises a text analysis module and a network attack file determination module.
The text analysis module is used for analysing the text information of the file of the specified file type after it has been determined that at least one of the key function and the calling function includes a sensitive function and/or that at least one of the key parameter and the parameter of the calling function includes a sensitive parameter, so as to determine whether a matching result of the specified text information exists in the text information, where the specified text information indicates that the file of the specified file type includes sensitive information.
And the network attack file determining module is used for determining that the network data stream comprises the network attack file if the matching result is determined to be null.
Furthermore, the apparatus 600 may further include: a hook adding module.
The hook adding module is used for adding a hook function to the sensitive function after determining that at least one of the key function and the calling function comprises the sensitive function.
In one embodiment, the file type identification module 610 may include: the device comprises a feature extraction unit, a feature matching unit and a specified file type file determination unit.
The characteristic extraction unit is used for extracting the characteristics of the network data flow to obtain the flow characteristics.
The characteristic matching unit is used for matching the flow characteristic with the specified file characteristic.
The specified file type file determining unit is used for determining that the file of the specified file type exists in the network data stream if the matching result is determined to exist.
In order to further increase the accuracy of the file type determination, the apparatus 600 may further include: the system comprises a suffix obtaining module, a suffix matching module and a specified file type file determining module.
The suffix obtaining module is used for obtaining file suffixes of the files included in the network data stream if the matching result is determined to be null after the flow characteristics are matched with the specified file characteristics.
The suffix matching module is used for matching the file suffix of each file with the specified file suffix.
The specified file type file determining module is used for determining that a file of the specified file type exists in the network data stream if a matching result is determined to exist.
In one embodiment, the compiling module 630 is specifically configured to process a file of a specified file type using a specified file scripting engine to compile an operation code that generates the file of the specified file type.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the file type identifying module 610, the compiling module 630, the specified function information obtaining module 650, and the attack detecting module 670 may be combined into one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the file type identification module 610, the compiling module 630, the specified function information obtaining module 650, and the attack detection module 670 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or may be implemented by any one of three implementations of software, hardware, and firmware, or any suitable combination of any of them. Alternatively, at least one of the file type identifying module 610, the compiling module 630, the specified function information obtaining module 650 and the attack detecting module 670 may be at least partially implemented as a computer program module, which may perform a corresponding function when executed.
Fig. 7 schematically shows a block diagram of an electronic device according to an embodiment of the disclosure. The electronic device shown in fig. 7 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)702 or a program loaded from a storage section 708 into a Random Access Memory (RAM) 703. The processor 701 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 703, various programs and data necessary for the operation of the system 700 are stored. The processor 701, the ROM 702, and the RAM 703 are connected to each other by a bus 704. The processor 701 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. It is noted that the programs may also be stored in one or more memories other than the ROM 702 and RAM 703. The processor 701 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the system 700 may also include an input/output (I/O) interface 705, the input/output (I/O) interface 705 also being connected to the bus 704. The system 700 may also include one or more of the following components connected to the I/O interface 705: an input portion 706 including a keyboard, a mouse, and the like; an output section 707 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 708 including a hard disk and the like; and a communication section 709 including a network interface card such as a LAN card, a modem, or the like. The communication section 709 performs communication processing via a network such as the internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 710 as necessary, so that a computer program read out therefrom is mounted into the storage section 708 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 709, and/or installed from the removable medium 711. The computer program, when executed by the processor 701, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (12)

1. A network attack detection method executed by a server side comprises the following steps:
in response to receiving a network data stream, performing file type identification on the network data stream to determine whether a file of a specified file type is included in the network data stream;
if the network data stream is determined to comprise the file of the specified file type, compiling the file of the specified file type to obtain an operation code;
obtaining the association information of the designated function in the operation code; and
performing network attack detection on the network data stream based on the specified function association information.
2. The method of claim 1, wherein the obtaining specified function association information in the opcode comprises:
obtaining at least one of the following information in the operation code:
a key function and key parameters of the key function; and
a calling function and parameters of the calling function.
3. The method of claim 2, wherein the performing network attack detection on the network data flow based on the specified function association information comprises:
determining whether at least one of the key function and the calling function includes a sensitive function, and determining whether at least one of the key parameter and a parameter of the calling function includes a sensitive parameter; and
if at least one of the key function and the calling function is determined to include a sensitive function, and/or if at least one of the key parameter and the parameter of the calling function is determined to include a sensitive parameter, performing network attack detection on the network data stream based on at least one of the sensitive function and the sensitive parameter.
4. The method of claim 3, further comprising: upon determining that at least one of the key function and the calling function includes a sensitive function, and/or determining that at least one of the key parameter and a parameter of the calling function includes a sensitive parameter,
analyzing text information of the file of the specified file type to determine whether a matching result of the specified text information exists in the text information, wherein the specified text information represents that the file of the specified file type comprises sensitive information; and
if the matching result is determined to be null, determining that the network data stream comprises a network attack file.
5. The method of claim 3, further comprising: after determining that at least one of the critical function and the calling function includes a sensitive function,
a hook function is added to the sensitive function.
6. The method of claim 1, wherein the identifying the network data flow for a file type comprises:
extracting the characteristics of the network data stream to obtain flow characteristics;
matching the flow characteristics with the characteristics of a specified file; and
and if the matching result is determined to exist, determining that the file of the specified file type exists in the network data stream.
7. The method of claim 6, further comprising: after matching the flow characteristics with the specified file characteristics,
if the matching result is determined to be null, obtaining a file suffix of each file included in the network data stream;
matching the file suffixes of the files with the specified file suffixes; and
and if the matching result is determined to exist, determining that the file of the specified file type exists in the network data stream.
8. The method of claim 1, wherein said compiling the file of the specified file type to obtain the opcode comprises:
processing the file of the specified file type by using a specified file script engine, so as to compile the file of the specified file type and generate its operation code.
9. A cyber attack detecting apparatus comprising:
the file type identification module is used for identifying the file type of the network data stream in response to receiving the network data stream so as to determine whether the network data stream comprises a file of a specified file type;
the compiling module is used for compiling the file of the specified file type to obtain an operation code if the network data stream is determined to comprise the file of the specified file type;
the appointed function information obtaining module is used for obtaining appointed function associated information in the operation codes; and
and the attack detection module is used for carrying out network attack detection on the network data stream based on the specified function correlation information.
10. An electronic device, comprising:
one or more processors;
a storage device for storing executable instructions which, when executed by the processor, implement the method of any one of claims 1 to 8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement a method according to any one of claims 1 to 8.
12. A computer program comprising computer executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 8.
Priority Applications (1), Applications Claiming Priority (1) and Family Applications (1)

Application Number Priority Date Filing Date Title Status
CN201911402244.1A 2019-12-31 2019-12-31 Network attack detection method, network attack detection device, electronic device, and medium Active, granted as CN111163094B (en)

Publications (2)

Publication Number Publication Date
CN111163094A 2020-05-15
CN111163094B 2022-04-19

Family

ID=70559436

Country Status (1)

Country Link
CN CN111163094B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112099846A (en) * 2020-08-24 2020-12-18 广州锦行网络科技有限公司 Webshell killing-free method based on random character XOR operation
CN113507439A (en) * 2021-06-07 2021-10-15 广发银行股份有限公司 JSP file security monitoring method and system
CN113761534A (en) * 2021-09-08 2021-12-07 广东电网有限责任公司江门供电局 Webshell file detection method and system
CN113810342A (en) * 2020-06-15 2021-12-17 深信服科技股份有限公司 Intrusion detection method, device, equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100235913A1 (en) * 2009-03-12 2010-09-16 Microsoft Corporation Proactive Exploit Detection
CN105069355A (en) * 2015-08-26 2015-11-18 厦门市美亚柏科信息股份有限公司 Static detection method and apparatus for webshell deformation
US20170339165A1 (en) * 2013-04-22 2017-11-23 Imperva, Inc. Automatic generation of attribute values for rules of a web application layer attack detector
CN108664791A (en) * 2017-03-29 2018-10-16 腾讯科技(深圳)有限公司 A kind of webpage back door detection method in HyperText Preprocessor code and device
CN109905385A (en) * 2019-02-19 2019-06-18 中国银行股份有限公司 A kind of webshell detection method, apparatus and system
CN110096872A (en) * 2018-01-30 2019-08-06 中国移动通信有限公司研究院 The detection method and server of homepage invasion script attack tool
CN110427755A (en) * 2018-10-16 2019-11-08 新华三信息安全技术有限公司 A kind of method and device identifying script file

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113810342A (en) * 2020-06-15 2021-12-17 深信服科技股份有限公司 Intrusion detection method, device, equipment and medium
CN113810342B (en) * 2020-06-15 2023-03-21 深信服科技股份有限公司 Intrusion detection method, device, equipment and medium
CN112099846A (en) * 2020-08-24 2020-12-18 广州锦行网络科技有限公司 Webshell killing-free method based on random character XOR operation
CN113507439A (en) * 2021-06-07 2021-10-15 广发银行股份有限公司 JSP file security monitoring method and system
CN113761534A (en) * 2021-09-08 2021-12-07 广东电网有限责任公司江门供电局 Webshell file detection method and system

Also Published As

Publication number Publication date
CN111163094B (en) 2022-04-19

Similar Documents

Publication Publication Date Title
CN111163095B (en) Network attack analysis method, network attack analysis device, computing device, and medium
CN111163094B (en) Network attack detection method, network attack detection device, electronic device, and medium
US9582668B2 (en) Quantifying the risks of applications for mobile devices
US11281777B2 (en) Proactive browser content analysis
US9438631B2 (en) Off-device anti-malware protection for mobile devices
EP2839406B1 (en) Detection and prevention of installation of malicious mobile applications
Zimba et al. Crypto mining attacks in information systems: An emerging threat to cyber security
WO2017101865A1 (en) Data processing method and device
US9607145B2 (en) Automated vulnerability and error scanner for mobile applications
US8578174B2 (en) Event log authentication using secure components
Suarez-Tangil et al. Stegomalware: Playing hide and seek with malicious components in smartphone apps
US8256000B1 (en) Method and system for identifying icons
US11431751B2 (en) Live forensic browsing of URLs
Haigh et al. If i had a million cryptos: Cryptowallet application analysis and a trojan proof-of-concept
CN113886825A (en) Code detection method, device, system, equipment and storage medium
KR101557455B1 (en) Application Code Analysis Apparatus and Method For Code Analysis Using The Same
JP2015132942A (en) Connection destination information determination device, connection destination information determination method and program
Sharif Web Attacks Analysis and Mitigation Techniques
US11463463B1 (en) Systems and methods for identifying security risks posed by application bundles
US20160335232A1 (en) Remote script execution for secure and private browsing
US20210084055A1 (en) Restricted web browser mode for suspicious websites
Sharma et al. A study of Android malware detection using static analysis
JP7013297B2 (en) Fraud detection device, fraud detection network system, and fraud detection method
Perez Analysis and Detection of the Silent Thieves
US11132447B1 (en) Determining security vulnerabilities of Internet of Things devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: Qianxin Technology Group Co.,Ltd.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: Qianxin Technology Group Co.,Ltd.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

CP01 Change in the name or title of a patent holder