CN111163095B - Network attack analysis method, network attack analysis device, computing device, and medium - Google Patents


Info

Publication number
CN111163095B
Authority
CN
China
Prior art keywords
file
network data
network
data stream
attack
Legal status
Active
Application number
CN201911406914.7A
Other languages
Chinese (zh)
Other versions
CN111163095A
Inventor
向祖庭
刘洪亮
索海东
谈文彬
陈超
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN201911406914.7A
Publication of CN111163095A
Application granted
Publication of CN111163095B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The present disclosure provides a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium. The method comprises the following steps: in response to receiving the first network data flow, detecting the first network data flow to determine whether a network attack file exists in the first network data flow; if the first network data stream is determined to have the network attack file, obtaining path information of the network attack file; and in response to receiving the request, performing attack analysis on the request to determine whether the electronic device corresponding to the path information is under network attack, wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the receiving time of the second network data stream is later than that of the first network data stream.

Description

Network attack analysis method, network attack analysis device, computing device, and medium
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium.
Background
With the rapid development of communication and computer technologies, internet information security has become a focus of increasing attention. A webshell is a scripting attack tool used for web intrusion. Briefly, webshells are trojan backdoors: after compromising a web site, hackers typically place these backdoor files in the web directory of the site's server, mixed in with normal web page files. Hackers can then control the web server through the trojan backdoor in a web-based manner, including uploading and downloading files, viewing databases, executing arbitrary program commands, and so on.
In implementing the disclosed concept, the inventors found that the related art has at least the following problems: related webshell detection techniques can detect that a webshell file has been uploaded, but if the attacker takes no further action to trigger the malicious code in the webshell file, that code simply remains stored as ordinary file content on the attacked device. It is therefore unknown when the attacker will trigger the webshell file and cause real harm to the attacked system.
Disclosure of Invention
In view of this, the present disclosure provides a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium for analyzing the harmfulness of a network attack.
One aspect of the present disclosure provides a network attack analysis method performed by a server side, including: in response to receiving a first network data flow, detecting the first network data flow to determine whether a network attack file exists in the first network data flow; if the first network data stream is determined to have the network attack file, obtaining path information of the network attack file; and in response to receiving a request, performing attack analysis on the request to determine whether the electronic device corresponding to the path information is under network attack, wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the receiving time of the second network data stream is later than that of the first network data stream.
According to the embodiment of the disclosure, after it is determined that the network attack file is included in the first network data stream, path information of the network attack file, such as the file path and the electronic device to which it was uploaded, can be obtained, so that the harmfulness of the network attack file can be analysed on the basis of that file path. Specifically, once a received request includes the path information, the request is subjected to attack analysis to determine whether the electronic device corresponding to the path information is under network attack.
According to an embodiment of the present disclosure, detecting the first network data stream to determine whether the network attack file exists includes: performing file type identification on the first network data stream in response to receiving the first network data stream to determine whether a file of a specified file type is included in the first network data stream; if the first network data stream is determined to comprise the file of the specified file type, compiling the file of the specified file type to obtain an operation code; and performing sensitive function detection and/or sensitive parameter detection on the operation code to determine whether a network attack file exists in the first network data stream.
According to the embodiment of the disclosure, obtaining the path information of the network attack file comprises: acquiring an uploading path of the network attack file; and determining a path identification parameter corresponding to the uploading path from the operation code.
According to an embodiment of the present disclosure, in response to receiving the request, performing attack analysis on the request to determine whether the electronic device corresponding to the path information is under network attack includes: if the parameters of the request comprise the path identification parameter, determining that the electronic equipment corresponding to the path information is under network attack.
According to the embodiment of the disclosure, the sensitive function detection and/or sensitive parameter detection of the operation code comprises: obtaining the association information of the specified function in the operation code; and performing sensitive function detection and/or sensitive parameter detection on the specified function association information to determine whether the file of the specified file type comprises the sensitive function and/or the sensitive parameter.
According to an embodiment of the present disclosure, the method further includes: after determining that the file of the specified file type comprises the sensitive function and/or the sensitive parameter, analyzing text information of the file of the specified file type to determine whether a matching result of the specified text information exists in the text information, wherein the specified text information represents that the file of the specified file type comprises the sensitive information; and if the matching result is determined to be null, determining that the first network data stream comprises a network attack file.
According to an embodiment of the present disclosure, the method further includes: after determining that the electronic equipment corresponding to the path information is under network attack, acquiring the processing result of the request at the electronic equipment; and if the processing result indicates that information was returned successfully, determining that the network attack file is a live network attack file.
According to an embodiment of the present disclosure, the traffic protocol of the first network data flow and/or the second network data flow includes at least one of the following: server message block, file transfer protocol, hypertext transfer protocol, or network file system.
Another aspect of the present disclosure provides a network attack analysis apparatus, including: a network attack file determining module, a path obtaining module and an attack analysis module. The network attack file determining module is used for detecting the first network data flow, in response to receiving it, so as to determine whether the first network data flow contains a network attack file; the path obtaining module is used for obtaining the path information of the network attack file if it is determined that the first network data stream contains the network attack file; and the attack analysis module is used for performing attack analysis on a received request, in response to receiving it, so as to determine whether the electronic equipment corresponding to the path information is under network attack, wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the receiving time of the second network data stream is later than that of the first network data stream.
According to the embodiment of the disclosure, the network attack file determination module comprises a file type identification unit, a compiling unit and a detection unit. The file type identification unit is used for identifying the file type of the first network data stream in response to receiving it, so as to determine whether the first network data stream comprises a file of a specified file type; the compiling unit is used for compiling the file of the specified file type to obtain an operation code if it is determined that the first network data stream comprises the file of the specified file type; and the detection unit is used for performing sensitive function detection and/or sensitive parameter detection on the operation code so as to determine whether the first network data stream contains a network attack file.
According to an embodiment of the present disclosure, the path obtaining module comprises an uploading path obtaining unit and a path identification parameter determining unit. The uploading path obtaining unit is used for obtaining the uploading path of the network attack file; and the path identification parameter determining unit is used for determining the path identification parameter corresponding to the uploading path from the operation code.
According to the embodiment of the disclosure, the attack analysis module is specifically configured to determine that the electronic device corresponding to the path information is under network attack if it is determined that the parameter of the request includes the path identification parameter.
According to an embodiment of the present disclosure, the detection unit includes a specified function association information obtaining subunit and a sensitive information detection subunit. The specified function association information obtaining subunit is used for obtaining the specified function association information in the operation code; and the sensitive information detection subunit is used for performing sensitive function detection and/or sensitive parameter detection on the specified function association information so as to determine whether the file of the specified file type comprises a sensitive function and/or a sensitive parameter.
According to an embodiment of the present disclosure, the detection unit further includes: a text information analysis subunit and a hidden information detection subunit. The text information analysis subunit is used for analyzing the text information of the file of the specified file type after determining that the file of the specified file type comprises the sensitive function and/or the sensitive parameter so as to determine whether a matching result of the specified text information exists in the text information, wherein the specified text information represents that the file of the specified file type comprises the sensitive information; and the hidden information detection subunit is used for determining that the first network data stream comprises the network attack file if the matching result is determined to be null.
According to an embodiment of the present disclosure, the above apparatus further includes a processing result obtaining module and a live network attack file determining module. The processing result obtaining module is used for obtaining the processing result of the request at the electronic equipment after it is determined that the electronic equipment corresponding to the path information is under network attack; the live network attack file determining module is used for determining that the network attack file is a live network attack file if the processing result indicates that information was returned successfully.
According to an embodiment of the present disclosure, the traffic protocol of the first network data flow and/or the second network data flow comprises at least one of: server message block, file transfer protocol, hypertext transfer protocol, or network file system.
Another aspect of the present disclosure provides a computing device comprising one or more processors and storage for storing executable instructions that, when executed by the processors, implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario of a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium according to an embodiment of the present disclosure;
FIG. 2 schematically shows an architecture diagram suitable for a network attack analysis method, a network attack analysis apparatus, a computing device and a medium according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of a network attack analysis method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of determining whether a network attack file exists according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a diagram of compiling files of a specified type according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a flow diagram of a network attack analysis method according to another embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of a network attack analysis apparatus according to an embodiment of the present disclosure; and
FIG. 8 schematically shows a block diagram of a computing device according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, features defined as "first" or "second" may explicitly or implicitly include one or more of the described features.
Embodiments of the disclosure provide a network attack analysis method, a network attack analysis device, a computing device and a medium. The method comprises a path information obtaining process and an attack analysis process. In the path information obtaining process, in response to receiving a first network data flow, the first network data flow is detected to determine whether it contains a network attack file; if it is determined that the first network data stream contains the network attack file, the path information of the network attack file is obtained. After the path information obtaining process is finished, the attack analysis process is entered: in response to a received request, attack analysis is performed on the request to determine whether the electronic equipment corresponding to the path information is under network attack, wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the receiving time of the second network data stream is later than that of the first network data stream.
Fig. 1 schematically illustrates an application scenario of a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium according to an embodiment of the present disclosure.
As shown in FIG. 1, a hacker may implant a scripting attack tool into the attacked party's computing device over a network; the attacked computing device may be any of various types of server, such as an entry-level, workgroup-level, department-level or enterprise-level server. The scripting attack tool may pass through at least one gateway, such as gateway 1 … … gateway n, while being transmitted, where n is a positive integer greater than 1. Existing protection software can find the webshell file through static detection and similar means, but once the webshell file has been implanted into the attacked computing device, it is not easy to determine when substantial damage (such as information theft) occurs, or how much damage occurs (such as information theft, information tampering or destruction of important information). In addition, to resist static detection by protection software, the code of webshell files is changed continually, for example by obfuscation, encryption and the like. However, none of the related static analysis detection devices can detect obfuscated and encrypted webshells well.
Embodiments of the present disclosure may perform network attack analysis at a gateway or at a server connected to the gateway. Specifically, after the network attack file is determined to exist in the first network data stream, the path information of the network attack file is obtained, so that when a request contained in the later second network data stream carries that path information, the request is subjected to attack analysis to determine whether the electronic device into which the webshell file was implanted is under attack. In addition, the harm caused by the request can be further determined from the feedback result obtained for the request.
In addition, embodiments of the disclosure can virtually execute the network data stream at the gateway or at a server connected to the gateway to achieve network attack detection, so as to reduce the loss a hacker causes to a user. For example, a php script file can be identified by methods such as feature analysis; the extracted php script file is sent to the php script engine, the corresponding bytecode and operation code are generated by compiling, and whether the current network data stream includes attack behaviour is judged comprehensively on the basis of sensitive functions, sensitive parameters and the like.
Fig. 2 schematically shows an architecture diagram suitable for a network attack analysis method, a network attack analysis apparatus, a computing device, and a medium according to an embodiment of the present disclosure.
It should be noted that fig. 2 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 2, the system architecture 200 according to this embodiment may include terminal devices 201, 202, 203, a network 204, a server 205, and a gateway 206. The network 204 serves as a medium for providing communication links between the terminal devices 201, 202, 203, the server 205 and the gateway 206. Network 204 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 201, 202, 203 to interact with the server 205, via the network 204 and the gateway 206, to receive or send messages or the like. The terminal devices 201, 202, 203 may have various communication client applications installed thereon, such as firewall-type applications, virus-checking/killing-type applications, shopping-type applications, web browser applications, search-type applications, instant messaging tools, mailbox clients, social platform software, etc. (by way of example only). The server 205 and the gateway 206 may have firewall-like applications installed thereon.
The terminal devices 201, 202, 203 may be various computing devices having display screens and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 205 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 201, 202, 203. The backend management server may analyze and process the received data such as the user request, and feed back a processing result (for example, a web page, information, or data obtained or generated according to the user request) to the terminal device.
The gateway 206 may route the information sent by the terminal devices 201, 202, 203 and the server 205 to the correct address. In addition, the gateway 206 may perform network attack analysis on the received network data stream.
It should be noted that the network attack analysis method provided by the embodiment of the present disclosure may be generally executed by the gateway 206. Accordingly, the network attack analysis apparatus provided by the embodiment of the present disclosure may be generally disposed in the gateway 206. The network attack analysis method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the gateway 206 and can communicate with the gateway 206 and the server 205. Accordingly, the network attack analysis apparatus provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the gateway 206 and can communicate with the gateway 206 and the server 205.
It should be understood that the number of terminal devices, networks, and servers is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for an implementation.
Fig. 3 schematically shows a flow chart of a network attack analysis method according to an embodiment of the present disclosure.
As shown in fig. 3, the method includes operations S301 to S305.
In operation S301, in response to receiving the first network data stream, the first network data stream is detected to determine whether a network attack file exists in the first network data stream.
In this embodiment, it may be detected whether a webshell file, or another file that allows a hacker to carry out a network attack using a webshell file, exists in the first network data stream. An existing static detection method may be adopted; for example, it may be detected whether the first network data stream includes sensitive functions and sensitive parameters commonly used by hackers. For example, a preset database may be matched against to determine whether a file in the first network data stream includes a command execution function such as "eval" or "system" together with a corresponding sensitive parameter, and the sensitive function and sensitive parameter are then analysed together to determine whether a network attack file exists in the first network data stream. Other network attack detection methods may also be used to determine whether the first network data stream contains a network attack file; they are not listed here.
The traffic protocol of the first network data stream includes, but is not limited to: Server Message Block (SMB), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Network File System (NFS), Trivial File Transfer Protocol (TFTP), and the like.
In operation S303, if it is determined that the network attack file exists in the first network data stream, path information of the network attack file is obtained.
In this embodiment, obtaining the path information of the network attack file may include the following operations.
First, the upload path of the network attack file is obtained. For example, routing information of the first network traffic may be obtained to determine the address of the object to which the network attack file is being transmitted. In addition, to further pin down the specific upload path of the network attack file, the storage path of the network attack file on the attacked computing device can be determined by means of a hook function or the like (the hook can be set at a sensitive function in the network attack file of the first network data stream).
Then, a path identification parameter corresponding to the upload path is determined from the operation code. For example, the operation code included in the network attack file (the operation code to be executed by the machine) may be obtained by a method such as compiling, virtual execution, or the like, and the operation code included in the network attack file is analyzed to determine the path identification parameter corresponding to the upload path in the operation code.
In one embodiment, the device side records this upload path. For example, if the network attack file is uploaded to the host www.xxx.com via a POST to the path /a/b/c.php, the path of the network attack file is recorded as www.xxx.com/a/b/c.php, and the parameter name of the path is determined to be sz from the parameters in the operation code (opcode); a piece of intelligence is then formed from the path and the parameter name, so as to analyze subsequent network data streams.
In operation S305, in response to receiving the request, an attack analysis is performed on the request to determine whether the electronic device corresponding to the path information is being attacked by a network.
The request comprises path information of the network attack file, the request belongs to a second network data stream, and the receiving time of the second network data stream is later than that of the first network data stream. The traffic protocols for the second network data stream include, but are not limited to: smb, ftp, http, nfs, tftp, etc. The traffic protocol of the first network data stream and the traffic protocol of the second network data stream may be the same or different. When the traffic protocol of the first network data stream and the traffic protocol of the second network data stream are different, protocol conversion may be performed by a gateway or the like.
In this embodiment, a hacker may first upload a webshell file and then send a request for the webshell file in order to intrude into the attacked computing device. Receiving a request that includes the path information of the network attack file therefore indicates that the hacker is attacking the computing device using the previously uploaded malicious code. Further, the range of the damage caused by the network attack file may be determined from the functions, parameters and the like used in the request that includes the path information of the network attack file: for example, which operations have been performed on which objects, and the impact that the request and the network attack file have had on the attacked user.
Specifically, performing attack analysis on the request in response to receiving it, to determine whether the electronic device corresponding to the path information is under network attack, may include: if the parameters of the request include the path identification parameter, determining that the electronic device corresponding to the path information is under network attack. Since the path identification parameter is set or defined in the network attack file uploaded by the hacker, users other than the hacker do not know the path identification parameter corresponding to the upload path, so the probability that a legitimate request addresses the upload path with this parameter is very small. A user other than the hacker is therefore unlikely to access the file at the upload path using the path identification parameter, whereas the hacker must use it to drive the network attack file. Consequently, when a request targets the file at the upload path and carries the corresponding path identification parameter, it indicates that the hacker is using the network attack file to carry out an attack.
Fig. 4 schematically shows a flowchart of a method of determining whether a network attack file exists according to an embodiment of the present disclosure.
Hackers can bypass static detection by customizing encryption and decryption functions, or by using xor, string reversal, compression, truncation and recombination, and the like. To improve the detection effect, as shown in fig. 4, detecting the first network data stream to determine whether a network attack file exists may include operations S401 to S405.
In operation S401, in response to receiving the first network data stream, file type identification is performed on the first network data stream to determine whether a file of a specified file type is included in the first network data stream.
In this embodiment, the file types include, but are not limited to: text file types, video file formats, audio file formats, picture file formats, executable file formats, and the like. Each file type may be divided into a plurality of sub-types; for example, the executable files include but are not limited to .exe, .sys, .com, etc.
The specified file types are file types that may be used to conduct a network attack, including but not limited to script files such as PHP (hypertext preprocessor), JSP (Java Server Pages) and ASP (Active Server Pages).
In one embodiment, identifying a file type for a network data stream may include the following operations.
Firstly, feature extraction is carried out on the network data flow to obtain flow characteristics.
The flow characteristics are then matched with the specified file characteristics. The specified file characteristics may be obtained from a database, for example, the file characteristics of files of multiple file types stored in the database. Each file feature may be extracted from a file of one file type.
Then, if it is determined that there is a matching result, it is determined that a file of the specified file type exists in the network data stream.
In another embodiment, in order to increase the accuracy of file type identification, the method may further include the following operation after matching the traffic characteristics with the specified file characteristics.
First, if it is determined that the matching result is null, a file suffix of each file included in the network data stream is obtained.
Then, the file suffix of each file is matched with the specified file suffix.
Then, if it is determined that there is a matching result, it is determined that a file of the specified file type exists in the network data stream. In this way, files that the feature matching did not identify are identified again based on their file suffix, which improves the accuracy of file type identification.
In a specific embodiment, the file characteristics of script files such as php, jsp and asp can be extracted by analyzing such scripts and written into regular expressions; the files obtained by decoding the traffic protocol are then matched against these file characteristics to identify their file types. Where the file type cannot be determined from the file characteristics, file type identification may be performed again on the unidentified file based on its file suffix.
The following takes the php script file as an example. The file characteristics of a php file can be summarized by the following regular expression (an optional run of whitespace followed by a PHP open tag or a php shebang line):
^[\x0d\x0a\x09\x20]*((<\?php)|(<\?(\x20)?php)|(<\?\x0a)|(<\?\x0d)|(\#!\x20/usr/local/bin/php)|(\#!\x20/usr/bin/php))
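The following Python example, added here and not part of the patent or of any product it describes, carries out operation S401 over a constructed HTTP upload: it restores the uploaded files from a multipart/form-data POST, applies the page's php regular expression to each file's content as the first pass, and falls back to the file suffix only when the feature match is null. The multipart sample, the file names and the helper names are constructed for illustration; the jsp and asp entries in the suffix table are assumptions, since the page gives a feature regex only for php.

```python
import re
from email.parser import BytesParser

# PHP file feature taken from the page's regular expression, in bytes form so
# it can be applied directly to the restored file content.
PHP_FEATURE = re.compile(
    rb"^[\x0d\x0a\x09\x20]*((<\?php)|(<\?(\x20)?php)|(<\?\x0a)|(<\?\x0d)"
    rb"|(\#!\x20/usr/local/bin/php)|(\#!\x20/usr/bin/php))"
)
FILE_FEATURES = {"php": PHP_FEATURE}   # jsp/asp features would be added the same way
# Suffix fallback table (second pass). The jsp/asp entries are assumptions.
SUFFIX_TYPES = {".php": "php", ".jsp": "jsp", ".asp": "asp"}


def restore_files(http_request: bytes):
    """Restore uploaded files from an HTTP POST carrying multipart/form-data.

    Returns a list of (filename, content) pairs. Body parsing is delegated to
    the standard-library email parser, which understands MIME multipart.
    """
    head, _, body = http_request.partition(b"\r\n\r\n")
    ctype = b""
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            ctype = value.strip()
    if not ctype.lower().startswith(b"multipart/form-data"):
        return []
    msg = BytesParser().parsebytes(b"Content-Type: " + ctype + b"\r\n\r\n" + body)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.walk() if part.get_filename()]


def identify_type(filename: str, content: bytes):
    """Two-pass identification: file feature first, suffix only if that is null."""
    for ftype, feature in FILE_FEATURES.items():
        if feature.search(content):
            return ftype
    for suffix, ftype in SUFFIX_TYPES.items():
        if filename.lower().endswith(suffix):
            return ftype
    return None


def find_specified_files(http_request: bytes):
    """Operation S401: which restored files are of a specified (script) type."""
    return [(name, ftype) for name, content in restore_files(http_request)
            if (ftype := identify_type(name, content))]


# Constructed sample upload (not captured traffic): an image, a php file that
# carries the open tag, and a file whose only clue is its .php suffix.
SAMPLE_UPLOAD = (
    b"POST /a/b/c.php HTTP/1.1\r\nHost: www.xxx.com\r\n"
    b"Content-Type: multipart/form-data; boundary=BOUND\r\n\r\n"
    b"--BOUND\r\n"
    b'Content-Disposition: form-data; name="f"; filename="logo.gif"\r\n'
    b"Content-Type: image/gif\r\n\r\nGIF89a...\r\n"
    b"--BOUND\r\n"
    b'Content-Disposition: form-data; name="f"; filename="c.php"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b'<?php $f = "ass"."ert"; $f($_POST["sz"]); ?>\r\n'
    b"--BOUND\r\n"
    b'Content-Disposition: form-data; name="f"; filename="d.php"\r\n'
    b"Content-Type: text/plain\r\n\r\n"
    b"  no recognisable tag here, only the suffix says php\r\n"
    b"--BOUND--\r\n"
)

if __name__ == "__main__":
    print(find_specified_files(SAMPLE_UPLOAD))
```

The feature pass is anchored at the start of the file, so a script embedded after a valid image header (a common polyglot trick) is not caught by this regex alone; that is exactly the case the suffix pass and, later, the opcode stage are there for.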
In operation S403, if it is determined that the file of the specified file type is included in the first network data stream, the file of the specified file type is compiled to obtain an operation code.
Specifically, files of a specified file type, such as script files php, jsp, asp, etc., may be compiled to obtain operation codes of the respective files.
For example, compiling a file of the specified file type to obtain an opcode includes: processing the file of the specified file type with the script engine for that file type, which compiles it to generate the operation codes of the file. For example, the php script file may be sent to the php script engine, which compiles it into the corresponding bytecode and thus the corresponding opcodes.
In operation S405, sensitive function detection and/or sensitive parameter detection is performed on the operation code to determine whether a network attack file exists in the first network data stream.
In one embodiment, the sensitive function detection and/or the sensitive parameter detection of the opcode may include the following operations.
First, specified function association information in the operation code is obtained.
For example, obtaining the specified function association information in the opcode may include obtaining at least one of the following from the opcode: key functions and their key parameters, and called functions and their parameters. Specifically, the corresponding key functions and key parameters can be located by searching the opcode for designated opcode instructions (such as the instruction that fetches a function argument, see the FETCH_FUNC_ARG example below).
Then, sensitive function detection and/or sensitive parameter detection is carried out on the specified function association information to determine whether the file of the specified file type comprises the sensitive function and/or the sensitive parameter.
Specifically, first, it is determined whether at least one of the key function and the calling function includes a sensitive function, and it is determined whether at least one of the key parameter and the parameter of the calling function includes a sensitive parameter. Then, if it is determined that at least one of the critical function and the called function includes a sensitive function, and/or if it is determined that at least one of the critical parameter and the parameter of the called function includes a sensitive parameter, network attack detection is performed on the network data flow based on at least one of the sensitive function and the sensitive parameter.
For example, whether the specified function association information includes a sensitive function, a sensitive parameter or the like may be determined by matching against a database, and whether the network data stream includes attack behavior is then judged comprehensively on the basis of the sensitive functions and sensitive parameters found. The database may be pre-constructed and store functions, parameters and the like related to network attack behavior, such as the command execution functions "eval" and "system".
In a specific embodiment, taking the http protocol and php script files as an example, the php file is characterized by beginning with "<?php". Among the files obtained by protocol decoding, php files are first identified by this feature; if no file is identified, identification is repeated based on the file suffix ".php". If a php script file is identified, it is sent to the Zend engine (the open source script engine of php, specifically a virtual machine), the corresponding opcode is generated by compilation, the corresponding key functions (such as eval, system, cmd_shell, assert and the like in php) and key parameters are located by searching for designated opcode instructions, and whether the file of the specified type is a network attack file is judged comprehensively on the basis of the sensitive functions (such as eval, system or assert), the sensitive parameters and the like.
According to the network attack analysis method provided by the embodiment of the disclosure, files of the designated file types such as php, jsp and asp are analyzed, the extracted files are sent to the script engine, and the corresponding bytecode and operation codes are generated by compilation. This effectively reduces the possibility that a hacker bypasses network attack detection by applying customized encryption and decryption functions, xor, string reversal, compression, truncation and recombination and the like to network attack files such as webshells, and effectively improves the detection rate of network attack files.
FIG. 5 schematically illustrates a diagram of compiling files of a specified type according to an embodiment of the disclosure.
As shown in fig. 5, after receiving a network data stream transmitted over the http protocol, the server may parse out the file contained in the stream based on the http protocol. As shown in the upper part of fig. 5, the file obtained from the http protocol includes the fragment return "ass"."ert". The fragment has been processed by the hacker: when the related art inspects it by static rule matching, it is difficult to detect that it contains the assert function, which is a sensitive function in network attack detection. After the file parsed from the http protocol is compiled, the function shown in the lower part of fig. 5 is obtained. Since the compiled operation code is the code the machine will execute, the hacker cannot hide the function in the code to be executed, so the risk that the hacker bypasses detection by customizing encryption and decryption functions or by using xor, string reversal, compression, truncation, recombination and the like is effectively reduced.
In another embodiment, after determining that the file of the specified file type includes the sensitive function and/or the sensitive parameter, the method may further include the following operation.
Firstly, analyzing the text information of the file of the specified file type to determine whether the matching result of the specified text information exists in the text information, wherein the specified text information represents that the file of the specified file type comprises sensitive information.
Files of different specified file types correspond to different specified text information. For example, the specified text information corresponding to a php script file includes but is not limited to the function names of sensitive functions and the parameter names of sensitive parameters, where the sensitive names include but are not limited to eval, system, _POST, return, assert, etc.
As shown in the upper part of fig. 5, the sensitive information assert is not present in the file before compilation.
Then, if the matching result is determined to be null, it is determined that the first network data stream includes a network attack file.
Referring to the lower part of fig. 5, if the compiled function includes the sensitive information assert, this indicates that the sensitive information assert was deliberately hidden in the file before compilation, i.e. there is a suspicion of deliberately evading network attack detection. Accordingly, it may be determined that the network data stream includes a network attack file.
By further performing plaintext analysis on the text of a file found to contain a sensitive function or the like, if the uncompiled source text does not contain the sensitive information while the compiled operation code does, it can be determined that the script file has been obfuscated or encrypted, and the file is more likely to contain malicious code.
It should be noted that, in order to facilitate analyzing the network attack file, the method may further include the following operations.
After determining that the sensitive function is included in the key function and/or the calling function, adding a hook function to the sensitive function. Therefore, information required for analyzing loss, influence and the like caused by the network attack file can be acquired through the hook function when needed.
Taking the network data flow transmitted by the http protocol as an example, the network attack detection may include the following operations.
Firstly, files are restored from the network data stream based on the http protocol.
Then, the file characteristics of the php script file are matched in the restored files to determine whether a php file exists; if the matching result is empty, a further judgment is made based on the file suffix.
Then, if the network data stream is determined to include a php file, the php file is processed by the php script engine to generate the corresponding opcode. In the generated opcode, the key functions or system call functions are located by searching for designated opcode instructions, and whether the opcode contains sensitive functions (such as eval, system, cmd_shell, assert and the like) is determined by sensitive function matching, sensitive parameter matching and the like. It is also checked whether the parameters required by the sensitive function are sensitive information. Whether the network data stream includes attack behavior is thus determined by comprehensive judgment.
For example, obfuscated php malicious code:
[Figure: obfuscated php malicious code sample, rendered as an image in the original page]
Using the general static rule matching approach, it is difficult to determine that this php file contains malicious code. From the opcode obtained after compilation, however, it can be determined that the php file includes the opcode FETCH_FUNC_ARG with the parameter '_POST', and an opcode RETURN whose value is "assert". These are sensitive functions and sensitive parameters that may be used for network attacks.
Then, it is judged against the database of built-in sensitive information whether the opcode compiled by the script engine contains sensitive information (such as sensitive functions and sensitive parameters). In this way the php file is judged to contain the sensitive function assert, while the file did not contain that sensitive function before being compiled by the engine, which raises the likelihood that the php file contains malicious code.
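The following Python example is added here and is not the patent's own code; it illustrates operations S403 and S405 and the plaintext check described in the preceding paragraphs, and it serves both the fig. 5 discussion and the obfuscated-code example just above. Because it runs without a PHP runtime it does not invoke the Zend engine: a small constant-folding routine stands in for the one compiler transformation that matters for the "ass"."ert" case (joining adjacent string literals into the single operand the opcode dump would show), after which the sensitive-function and sensitive-parameter databases are applied and any sensitive name visible only after folding is reported as hidden by obfuscation. The entries beyond eval, system, assert and _POST, the decision policy, the helper names and the sample scripts are assumptions constructed for illustration.

```python
import re

# Sensitive function / parameter databases. eval, system, assert and _POST are
# the names given on the page; the remaining entries are assumptions.
SENSITIVE_FUNCTIONS = {"eval", "system", "assert", "shell_exec", "passthru", "exec"}
SENSITIVE_PARAMS = {"_POST", "_GET", "_REQUEST", "_COOKIE"}

# A double- or single-quoted PHP string literal without escape sequences
# (escape handling is deliberately omitted to keep the example short).
STR_LIT = r'''(?:"[^"\\]*"|'[^'\\]*')'''
CONCAT = re.compile(STR_LIT + r"(?:\s*\.\s*" + STR_LIT + r")+")


def fold_string_concats(src: str) -> str:
    """Stand-in for the compiler: rewrite "ass"."ert" as "assert".

    The Zend compiler folds constant concatenations, so the joined string is a
    single operand in the opcode dump; the same rewrite is applied textually
    here so the rest of the pipeline can be shown without a PHP runtime.
    """
    def join(match):
        parts = re.findall(STR_LIT, match.group(0))
        return '"' + "".join(p[1:-1] for p in parts) + '"'
    return CONCAT.sub(join, src)


def extract_operands(code: str) -> set:
    """Approximate what an opcode dump exposes: string literal values,
    superglobal names (as in FETCH_FUNC_ARG '_POST') and called names."""
    literals = {m[1:-1] for m in re.findall(STR_LIT, code)}
    superglobals = set(re.findall(r"\$(_[A-Z]+)", code))
    calls = set(re.findall(r"\b([A-Za-z_]\w*)\s*\(", code))
    return literals | superglobals | calls


def analyze_php(src: str) -> dict:
    """Operation S405 plus the plaintext check: match sensitive functions and
    parameters in the folded form, then report which of them are absent from
    the raw text, i.e. were hidden by obfuscation."""
    folded = fold_string_concats(src)
    operands = extract_operands(folded)
    funcs = operands & SENSITIVE_FUNCTIONS
    params = operands & SENSITIVE_PARAMS
    hidden = {f for f in funcs if not re.search(r"\b" + re.escape(f) + r"\b", src)}
    # Decision policy (an assumption, not from the page): a sensitive function
    # that only appears after folding, or one paired with a request parameter,
    # marks the file as a network attack file.
    is_attack = bool(hidden) or bool(funcs and params)
    return {
        "sensitive_functions": sorted(funcs),
        "sensitive_parameters": sorted(params),
        "hidden_by_obfuscation": sorted(hidden),
        "is_attack_file": is_attack,
    }


# Constructed sample scripts (not real captured files).
OBFUSCATED = '<?php function f(){ return "ass"."ert"; } $g = f(); $g($_POST["sz"]); ?>'
PLAIN_SHELL = '<?php eval($_POST["cmd"]); ?>'
BENIGN = '<?php echo "hello"." world"; ?>'

if __name__ == "__main__":
    for sample in (OBFUSCATED, PLAIN_SHELL, BENIGN):
        print(sample, "->", analyze_php(sample))
```

On a host with PHP installed, the real opcode dump the page relies on can be printed with opcache's debug output (for example `php -d opcache.enable_cli=1 -d opcache.opt_debug_level=0x10000 c.php`) or with the VLD extension; the dictionary returned by analyze_php is the kind of result the detection stage then reasons over. The textual folding above only covers literal concatenation; string reversal, xor and custom decryption, which the page also names, are resolved by the real engine only at run time, which is why the page pairs compilation with virtual execution and hooks rather than relying on compilation alone.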
According to the network attack analysis method provided by the embodiment of the disclosure, malicious code hidden by means of custom encryption and decryption functions, xor, string reversal, compression, truncation, recombination and the like can be effectively detected in the manner shown above. This helps to improve the detection rate of network attack files, facilitates network attack analysis, and improves the network security and information security of the user.
Fig. 6 schematically shows a flowchart of a network attack analysis method according to another embodiment of the present disclosure. The operations shown in fig. 4 only determine that a webshell file has been uploaded; if the attacker takes no further action and does not trigger the malicious code in the file, the malicious code simply remains stored on the attacked electronic device as an ordinary file. Whether the attacker actually triggers the webshell, and whether it really harms the attacked system, therefore remains unknown.
In order to solve the above problem, as shown in fig. 6, the method may further include operations S601 to S603 after performing operation S305 to determine that the electronic device corresponding to the path information is under a network attack.
In operation S601, a result of a process requested at the electronic device is acquired.
For example, a processing result sent by the electronic device that uploaded the cyber attack file may be received, the processing result being for the request. The processing result may be sent to the request initiator, or may be sent to a receiving object specified in the request.
In operation S603, if the processing result includes that the information return is successful, it is determined that the cyber attack file is a surviving cyber attack file.
If the request successfully obtains the feedback information corresponding to it, the network attack file is a live network attack file that can be utilized by the hacker and can cause substantial harm to the attacked party.
In one embodiment, a server such as a gateway records the path information of the network attack file. For example, as in the example of obfuscated php malicious code above, when the network attack file is uploaded to the host www.xxx.com through a POST to the path /a/b/c.php, the recorded path information of the network attack file includes www.xxx.com/a/b/c.php, the parameter name of the path information taken from the parameters in the opcode is sz, and an intelligence record is formed from the path and the parameter to analyze subsequent network data streams. Once a subsequent network data stream contains a request for that path information whose parameters include sz, for example GET www.xxx.com/a/b/c.php?sz=fputs(xxxxx), it may be determined that the network attack file contained in the first network data stream was successfully uploaded and is being used by the attacker. Once the processing result for that request returns success together with data, it indicates that the attacker is utilizing the previously uploaded malicious code and has already caused real harm to the attacked party.
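The following Python example, added here and not part of the patent, ties together the intelligence record described above (the recorded path www.xxx.com/a/b/c.php and the parameter name sz), the request matching of operation S305, and the survival decision of operations S601 and S603. It parses constructed HTTP requests and responses (no captures are used), treats a request as an attack only when it targets the recorded host and path and carries the path identification parameter in its query string or form body, and marks the attack file as surviving when the response is a 2xx status with a body. The request and response texts, the helper names and the success criterion (2xx plus returned data) are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit


def make_intel(host: str, upload_path: str, param_name: str) -> dict:
    """Intelligence record formed at upload time: where the attack file landed
    and the path identification parameter taken from its opcode."""
    return {"path": host + upload_path, "param": param_name}


def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser returning (method, host, path, params).

    Query-string parameters are always read; body parameters are read only
    for application/x-www-form-urlencoded POSTs (webshells are driven either way).
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method.upper(), headers.get("host", ""), url.path, params


def match_request(intel: dict, raw_request: str):
    """Operation S305: a request is an attack only if it targets the recorded
    host+path AND carries the path identification parameter."""
    method, host, path, params = parse_request(raw_request)
    if host + path != intel["path"] or intel["param"] not in params:
        return None
    return {"method": method, "payload": params[intel["param"]][0]}


def parse_response(raw: str):
    """Return (status code, whether any body data came back)."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    return status, bool(body.strip())


def classify(intel: dict, raw_request: str, raw_response: str) -> str:
    """Operations S305 and S601/S603 together."""
    if match_request(intel, raw_request) is None:
        return "unrelated"
    status, has_body = parse_response(raw_response)
    if 200 <= status < 300 and has_body:
        return "surviving_attack_file"   # request succeeded and data came back
    return "attack_in_progress"         # attempt seen, no successful return yet


# Constructed traffic (not a capture); host, path and parameter name follow
# the page's example.
INTEL = make_intel("www.xxx.com", "/a/b/c.php", "sz")
ATTACK_GET = "GET /a/b/c.php?sz=fputs(xxxxx) HTTP/1.1\r\nHost: www.xxx.com\r\n\r\n"
ATTACK_POST = ("POST /a/b/c.php HTTP/1.1\r\nHost: www.xxx.com\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\nsz=phpinfo()")
NORMAL_GET = "GET /a/b/c.php?page=2 HTTP/1.1\r\nHost: www.xxx.com\r\n\r\n"
OTHER_HOST = "GET /a/b/c.php?sz=1 HTTP/1.1\r\nHost: other.example\r\n\r\n"
OK_WITH_DATA = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n1"
NOT_FOUND = "HTTP/1.1 404 Not Found\r\n\r\n"

if __name__ == "__main__":
    for req, resp in ((ATTACK_GET, OK_WITH_DATA), (ATTACK_POST, OK_WITH_DATA),
                      (ATTACK_GET, NOT_FOUND), (NORMAL_GET, OK_WITH_DATA)):
        print(req.split("\r\n")[0], "->", classify(INTEL, req, resp))
```

The match is keyed on the exact host and path together with the parameter name, not on the parameter name alone, because a short name such as sz can occur in legitimate traffic elsewhere on the site; a practitioner would also retain the payload value (the "fputs(...)" above) for the damage assessment the page describes, since it records which operation the attacker ran through the webshell.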
Fig. 7 schematically shows a block diagram of a network attack analysis apparatus according to an embodiment of the present disclosure.
As shown in fig. 7, the cyber attack analysis apparatus 700 may include: a network attack file determination module 710, a path acquisition module 730, and an attack analysis module 750.
The network attack file determining module 710 is configured to, in response to receiving the first network data flow, detect the first network data flow to determine whether a network attack file exists in the first network data flow.
The path obtaining module 730 is configured to obtain path information of the network attack file if it is determined that the network attack file exists in the first network data stream.
The attack analysis module 750 is configured to perform attack analysis on a request in response to receiving a request to determine whether an electronic device corresponding to path information is being attacked by a network attack, where the request includes the path information of a network attack file, the request belongs to a second network data stream, and a receiving time of the second network data stream is later than a receiving time of the first network data stream.
In one embodiment, the cyber attack file determining module 710 may include: the device comprises a file type identification unit, a compiling unit and a detection unit.
The file type identification unit is used for identifying the file type of the first network data stream in response to receiving the first network data stream so as to determine whether the first network data stream comprises a file with a specified file type.
The compiling unit is used for compiling the file of the specified file type to obtain the operation code if the first network data stream is determined to comprise the file of the specified file type.
The detection unit is used for carrying out sensitive function detection and/or sensitive parameter detection on the operation code so as to determine whether the first network data stream has a network attack file.
For example, the path obtaining module 730 may include: an uploading path obtaining unit and a path identification parameter determining unit.
The uploading path obtaining unit is used for obtaining an uploading path of the network attack file.
The path identification parameter determining unit is used for determining a path identification parameter corresponding to the uploading path from the operation code.
Accordingly, the attack analysis module 750 may be specifically configured to determine that the electronic device corresponding to the path information is under a network attack if it is determined that the parameter of the request includes the path identification parameter.
In one embodiment, the detection unit may include a specified function association information obtaining subunit and a sensitive information detection subunit.
The specified function association information obtaining subunit is used for obtaining the specified function association information in the operation code.
The sensitive information detection subunit is used for performing sensitive function detection and/or sensitive parameter detection on the specified function associated information to determine whether the file of the specified file type includes a sensitive function and/or a sensitive parameter.
In another embodiment, the detection unit further comprises: a text information analysis subunit and a hidden information detection subunit.
The text information analysis subunit is configured to, after determining that the file of the specified file type includes the sensitive function and/or the sensitive parameter, analyze the text information of the file of the specified file type to determine whether a matching result of the specified text information exists in the text information, where the specified text information represents that the file of the specified file type includes the sensitive information.
And the hidden information detection subunit is used for determining that the first network data stream comprises the network attack file if the matching result is determined to be null.
In addition, in order to analyze the harmfulness of the cyber attack file, the apparatus 700 may further include: a processing result obtaining module and a survival network attack file determining module.
The processing result obtaining module is used for obtaining the processing result of the request at the electronic device after determining that the electronic device corresponding to the path information is under network attack.
The live network attack file determination module is used for determining the network attack file as the live network attack file if the processing result comprises information return success.
In a specific embodiment, the traffic protocol of the first network data stream and/or the second network data stream comprises at least one of: Server Message Block (SMB), File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), or Network File System (NFS).
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the network attack file determination module 710, the path obtaining module 730, and the attack analysis module 750 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the network attack file determination module 710, the path obtaining module 730, and the attack analysis module 750 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of the three implementations of software, hardware, and firmware, or in any suitable combination of them. Alternatively, at least one of the network attack file determination module 710, the path obtaining module 730 and the attack analysis module 750 may be at least partially implemented as a computer program module that, when executed, may perform the corresponding functions.
FIG. 8 schematically shows a block diagram of a computing device according to an embodiment of the disclosure. The computing device illustrated in fig. 8 is only one example and should not impose any limitations on the functionality or scope of use of embodiments of the disclosure.
As shown in fig. 8, a computing device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing different actions of the method flows according to embodiments of the present disclosure.
In the RAM 803, various programs and data necessary for the operation of the system 800 are stored. The processor 801, ROM 802, and RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or RAM 803. Note that the programs may also be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
System 800 may also include an input/output (I/O) interface 805, also connected to bus 804, according to an embodiment of the disclosure. The system 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, a mouse, and the like; an output portion 807 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage portion 808 including a hard disk and the like; and a communication portion 809 including a network interface card such as a LAN card, a modem, or the like. The communication portion 809 performs communication processing via a network such as the internet. A drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as necessary, so that a computer program read out therefrom is installed into the storage portion 808 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 809 and/or installed from the removable medium 811. The computer program, when executed by the processor 801, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 802 and/or RAM 803 described above and/or one or more memories other than the ROM 802 and RAM 803.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or sub-combinations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or sub-combinations are not expressly recited in the present disclosure. In particular, various combinations and/or sub-combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or sub-combinations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (9)

1. A network attack analysis method executed by a server side comprises the following steps:
in response to receiving a first network data stream, detecting the first network data stream to determine whether a network attack file exists in the first network data stream, including:
in response to receiving a first network data stream, performing file type identification on the first network data stream to determine whether a file of a specified file type is included in the first network data stream, wherein the performing file type identification on the first network data stream comprises:
performing feature extraction on the first network data stream to obtain traffic features,
matching the flow characteristics with specified file characteristics,
determining that a file of a specified file type is present in the first network data stream if it is determined that a match exists,
if the matching result is determined to be null, obtaining the file suffix of each file included in the first network data stream and matching the file suffix of each file with the specified file suffix,
if the matching result is determined to exist, determining that the file of the specified file type exists in the first network data stream;
if the first network data stream is determined to comprise the file of the specified file type, compiling the file of the specified file type to obtain an operation code; and
performing sensitive function detection and/or sensitive parameter detection on the operation code to determine whether a network attack file exists in the first network data stream;
if the first network data stream is determined to have the network attack file, obtaining path information of the network attack file; and
in response to receiving a request, performing attack analysis on the request to determine whether the electronic device corresponding to the path information is under network attack,
wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the second network data stream is received later than the first network data stream.
2. The method of claim 1, wherein the obtaining path information of the network attack file comprises:
obtaining an upload path of the network attack file; and
determining, from the operation code, a path identification parameter corresponding to the upload path.
3. The method of claim 2, wherein the performing attack analysis on the request, in response to receiving the request, to determine whether the electronic device corresponding to the path information is under network attack comprises:
if the parameters of the request comprise the path identification parameter, determining that the electronic device corresponding to the path information is under network attack.
4. The method of claim 1, wherein the performing sensitive function detection and/or sensitive parameter detection on the operation code comprises:
obtaining association information of a specified function in the operation code; and
performing sensitive function detection and/or sensitive parameter detection on the association information of the specified function to determine whether the file of the specified file type comprises a sensitive function and/or a sensitive parameter.
5. The method of claim 4, further comprising: after determining that the file of the specified file type comprises a sensitive function and/or a sensitive parameter,
analyzing text information of the file of the specified file type to determine whether a matching result for specified text information exists in the text information, wherein the specified text information indicates that the file of the specified file type comprises sensitive information; and
if the matching result is determined to be null, determining that the first network data stream comprises a network attack file.
6. The method of claim 1, further comprising: after determining that the electronic device corresponding to the path information is under network attack,
acquiring a processing result of the request on the electronic device; and
if the processing result indicates that information was returned successfully, determining that the network attack file is a surviving network attack file.
7. A network attack analysis apparatus comprising:
a network attack file determining module configured to, in response to receiving a first network data stream, detect the first network data stream to determine whether a network attack file exists in the first network data stream, including:
in response to receiving a first network data stream, performing file type identification on the first network data stream to determine whether a file of a specified file type is included in the first network data stream, wherein the performing file type identification on the first network data stream comprises:
performing feature extraction on the first network data stream to obtain traffic features,
matching the flow characteristics with specified file characteristics,
determining that a file of a specified file type is present in the first network data stream if it is determined that a match exists,
if the matching result is determined to be null, obtaining the file suffixes of the files included in the first network data stream, matching the file suffixes of the files with the specified file suffixes,
if the matching result is determined to exist, determining that the file of the specified file type exists in the first network data stream;
if the first network data stream comprises the file of the specified file type, compiling the file of the specified file type to obtain an operation code; and
performing sensitive function detection and/or sensitive parameter detection on the operation code to determine whether a network attack file exists in the first network data stream;
a path obtaining module configured to obtain path information of the network attack file if it is determined that the first network data stream has the network attack file; and
an attack analysis module configured to, in response to receiving a request, perform attack analysis on the request to determine whether the electronic device corresponding to the path information is under network attack, wherein the request comprises the path information of the network attack file, the request belongs to a second network data stream, and the second network data stream is received later than the first network data stream.
8. A computing device, comprising:
one or more processors;
storage means for storing executable instructions which, when executed by the one or more processors, implement the method of any one of claims 1 to 6.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement a method according to any one of claims 1 to 6.
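A compact model of the claimed pipeline (claims 1 to 6), added here as an illustration and not the patent's own code: file-type identification by feature match with suffix fallback, a sensitive-function/parameter check standing in for the opcode analysis, extraction of the path identification parameter, and the later request analysis with the survival check. The PHP feature bytes, the sensitive function list, the `@declared-sensitive-tool` marker, the regex-based call scan and the HTTP 200 success criterion are all assumptions, and the traffic is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed stand-ins for the claims' "specified file features/suffixes",
# sensitive functions/parameters and "specified text information" (claim 5).
PHP_FEATURE = b"<?php"
SPECIFIED_SUFFIXES = (".php", ".phtml")
SENSITIVE_FUNCS = {"eval", "system", "exec", "passthru", "shell_exec", "assert"}
TAINT_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\[['\"](\w+)['\"]\]")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\((.*?)\)", re.S)
BENIGN_MARKER = "@declared-sensitive-tool"   # hypothetical marker of declared sensitive use
@dataclass
class Upload:                 # one file carried in the first network data stream
    name: str
    content: bytes
    upload_path: str
    ts: float
@dataclass
class Request:                # one request from the (later) second network data stream
    path: str
    params: dict
    ts: float
    status: Optional[int] = None   # "processing result" on the electronic device
@dataclass
class Finding:                # a detected network attack file and its path information
    upload_path: str
    path_param: str           # the "path identification parameter" (claim 2)
    ts: float

def is_specified_type(f: Upload) -> bool:
    # Claim 1: traffic-feature match first; file suffix only as the fallback.
    return PHP_FEATURE in f.content or f.name.lower().endswith(SPECIFIED_SUFFIXES)

def detect_attack_file(f: Upload) -> Optional[Finding]:
    # Claims 1, 2, 4, 5. The patent compiles the file to opcode; this example
    # approximates that with a regex scan of call sites (an assumption).
    if not is_specified_type(f):
        return None
    src = f.content.decode("utf-8", errors="replace")
    for func, args in CALL_RE.findall(src):
        tainted = TAINT_RE.search(args)
        if func in SENSITIVE_FUNCS and tainted:
            if BENIGN_MARKER in src:   # claim 5: declared sensitive use is not an attack
                return None
            return Finding(f.upload_path, tainted.group(1), f.ts)
    return None

def analyze_request(findings: list, req: Request) -> tuple:
    # Claims 1, 3, 6: (under_attack, attack_file_alive); success assumed to be HTTP 200.
    for fnd in findings:
        if req.ts > fnd.ts and req.path == fnd.upload_path and fnd.path_param in req.params:
            return True, req.status == 200
    return False, False

# Constructed sample traffic: a PHP one-liner behind an image suffix, and a benign page.
UPLOADS = [
    Upload("logo.jpg", b"<?php eval($_POST['cmd']); ?>", "/uploads/logo.jpg", 1.0),
    Upload("index.php", b"<?php echo 'hello'; ?>", "/index.php", 2.0),
]
FINDINGS = [f for f in (detect_attack_file(u) for u in UPLOADS) if f]
```

Note that the image-suffixed upload is caught by the feature match alone, which is why the claims put the suffix check second: a suffix-only detector would miss it.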
CN201911406914.7A 2019-12-31 2019-12-31 Network attack analysis method, network attack analysis device, computing device, and medium Active CN111163095B (en)
Publications (2)

Publication Number Publication Date
CN111163095A CN111163095A (en) 2020-05-15
CN111163095B true CN111163095B (en) 2022-08-30

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Xiang Zuting; Liu Hongliang; Suo Haidong; Tan Wenbin; Chen Chao
Inventor before: Xiang Zuting; Liu Hongliang; Suo Haidong; Tan Wenbin
CB02 Change of applicant information
Address after: Room 332, 3/F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant after: Qianxin Technology Group Co., Ltd.; Qianxin Wangshen information technology (Beijing) Co., Ltd.
Address before: Room 332, 3/F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant before: Qianxin Technology Group Co., Ltd.; LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
GR01 Patent grant