CN111510446A - Attack detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN111510446A
Authority
CN (China)
Prior art keywords
target, detection rule, tcp, attack, data stream
Legal status
Granted
Application number
CN202010278746.4A
Other languages
Chinese (zh)
Other versions
CN111510446B (en)
Inventor
庞思铭
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd, priority to CN202010278746.4A
Publication of CN111510446A
Application granted, publication of CN111510446B
Current legal status
Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The application discloses an attack detection method, an attack detection device, an electronic device and a computer-readable storage medium. The method comprises the following steps: determining a detection rule corresponding to each TCP flow in a target attack behavior, acquiring a basic data stream, and determining the detection rule corresponding to the first TCP flow in the target attack behavior as the target detection rule; matching, from the basic data stream, a target data stream that conforms to the target detection rule, so that a first subscriber subscribes to the target data stream through a message broker and publishes it back to the message broker as the updated basic data stream; determining the detection rule corresponding to the next TCP flow as the target detection rule and re-entering the step of matching a target data stream that conforms to the target detection rule from the basic data stream; and, if a target data stream conforming to the detection rule corresponding to the last TCP flow in the target attack behavior is matched, determining that the target attack behavior exists, thereby realizing cross-TCP-flow attack detection.

Description

Attack detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an attack detection method and apparatus, an electronic device, and a computer-readable storage medium.
Background
A NIDS (Network Intrusion Detection System) is used to detect specific patterns in network traffic and raise alarms. A NIPS (Network Intrusion Prevention System) is used to inspect network traffic and respond to and control specific traffic, for example by resetting or blocking connections.
To achieve effective detection of known attacks, taking the conventional signature-based NIDS/NIPS as an example, it is usually necessary to develop rules, i.e. signatures, for detecting known attack patterns. Thus, in order to protect the vulnerabilities of a certain type of application and defend against the attack patterns of a corresponding series of exploits, a certain number of detection rules corresponding to those attack patterns are developed. The rules are compiled by a rule parsing engine into a multi-pattern matching state machine, so that attack patterns in network traffic can be monitored and responded to in real time.
In the above scheme, tracking of an attack flow is limited to a single TCP (Transmission Control Protocol) flow. When an attacker's attack flow spans several different TCP flows, it cannot be accurately described by a series of such rules; and if rules are extracted only from the characteristics of each sub-flow of the attack, each rule is incomplete, which easily causes a large number of false positives, so that the availability and value of the rules are greatly reduced.
Therefore, how to implement attack detection across TCP flows is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an attack detection method, an attack detection device, electronic equipment and a computer readable storage medium, so that cross-TCP stream attack detection is realized, rule expression accuracy and usability are improved, and further, attack detection accuracy is improved.
In order to achieve the above object, the present application provides an attack detection method applied to a detection engine, including:
determining a detection rule corresponding to each TCP flow in a target attack behavior, acquiring a basic data flow, and determining a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule;
matching, from the basic data stream, a target data stream which accords with the target detection rule, so that a first subscriber subscribes to the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
determining a detection rule corresponding to the next TCP stream as a target detection rule, and re-entering a step of matching a target data stream which accords with the target detection rule from the basic data stream;
and if the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched, judging that the target attack behavior exists.
Before determining the detection rule corresponding to each TCP flow in the target attack behavior, the method further includes:
creating an application fingerprint based on the protocol characteristics between the two interacting parties of the target attack behavior;
correspondingly, the acquiring the basic data stream includes:
and receiving a data stream, and matching a basic data stream which is in accordance with the application fingerprint from the data stream.
The method further includes:
if the target data stream which accords with the target detection rule corresponding to the target TCP stream is matched, judging whether target tracking exists or not; wherein the target TCP flow is a TCP flow other than the first TCP flow in the target attack behavior, and the target trace is a trace corresponding to the target attack behavior registered in the message broker by the second subscriber when the detection engine matches a target data flow conforming to a target detection rule corresponding to the first TCP flow;
and if so, executing the step of determining the detection rule corresponding to the next TCP stream as the target detection rule.
Wherein the judging whether the target tracking exists comprises:
judging whether the communication information of the target TCP stream is consistent with that of the first TCP stream;
and if so, judging that the target tracking exists.
Wherein, after the tracking corresponding to the target attack behavior registered in the message broker, further comprising:
calculating a tracking identifier of the target tracking according to a preset calculation rule based on the communication information of the first TCP stream;
correspondingly, the judging whether target tracking exists includes:
calculating a target tracking identifier of the target tracking according to the preset calculation rule based on the communication information of the target TCP stream;
judging whether the target tracking identification exists or not;
and if so, judging that the target tracking exists.
Wherein the communication information comprises a source IP address, a destination IP address, a source port and a destination port.
In order to achieve the above object, the present application provides an attack detection apparatus, including:
the first determining module is used for determining a detection rule corresponding to each TCP flow in the target attack behavior, acquiring a basic data flow and determining the detection rule corresponding to the first TCP flow in the target attack behavior as a target detection rule;
the matching module is used for matching, from the basic data stream, a target data stream which accords with the target detection rule, so that a first subscriber subscribes to the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
the second determining module is used for determining the detection rule corresponding to the next TCP stream as a target detection rule and restarting the working process of the matching module;
and the judging module is used for judging that the target attack behavior exists when the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched.
The apparatus further includes:
the creating module is used for creating an application fingerprint based on the protocol characteristics between the two interacting parties of the target attack behavior;
accordingly, the first determining module comprises:
the first determining unit is used for determining a detection rule corresponding to each TCP flow in the target attack behavior;
the acquisition unit is used for receiving data streams and matching basic data streams which accord with the application fingerprints from the data streams;
and the second determining unit is used for determining the detection rule corresponding to the first TCP flow in the target attack behavior as the target detection rule.
To achieve the above object, the present application provides an electronic device including:
a memory for storing a computer program;
a processor for implementing the steps of the attack detection method as described above when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program, which when executed by a processor, implements the steps of the attack detection method as described above.
According to the scheme, the attack detection method comprises the following steps: determining a detection rule corresponding to each TCP flow in a target attack behavior, acquiring a basic data flow, and determining a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule; matching a target data stream which accords with the target detection rule from the basic data streams so that a first subscriber subscribes the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream; determining a detection rule corresponding to the next TCP stream as a target detection rule, and re-entering a step of matching a target data stream which accords with the target detection rule from the basic data stream; and if the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched, judging that the target attack behavior exists.
According to the attack detection method, a detection rule is formulated separately for each TCP stream in the target attack behavior, the received data streams are matched against these detection rules, and when all the detection rules have been matched, the target attack behavior is judged to exist. The attack detection method provided by the application therefore realizes a scheme in which multiple detection rules spanning TCP streams interlock with each other, so that an attack flow spanning several TCP streams is expressed accurately, the accuracy and usability of rule expression are effectively improved, and the attack detection accuracy is further improved. The application also discloses an attack detection device, an electronic device and a computer-readable storage medium, which achieve the same technical effects.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flow diagram illustrating a method of attack detection in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating another attack detection method in accordance with an illustrative embodiment;
FIG. 3 is a block diagram illustrating an attack detection system in accordance with an exemplary embodiment;
FIG. 4 is a block diagram illustrating an attack detection device according to an exemplary embodiment;
FIG. 5 is a block diagram illustrating an electronic device in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application discloses an attack detection method, which realizes cross-TCP stream attack detection, improves rule expression accuracy and usability, and further improves attack detection accuracy.
Referring to FIG. 1, a flowchart of an attack detection method according to an exemplary embodiment is shown, including:
S101: determining a detection rule corresponding to each TCP flow in a target attack behavior, acquiring a basic data flow, and determining a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule;
the execution subject of this embodiment is a detection engine, aiming to detect attacks across TCP flows. It will be appreciated that there is no abnormal behavior for a single TCP flow, but multiple normal TCP flows may be combined into a target attack behavior. In the step, a detection rule is respectively formulated for each TCP flow in the target attack behavior, and the subsequent steps respectively detect the attack mode of each TCP flow based on each detection rule.
When a data packet is received, it is decoded, IP-layer fragments are reassembled and the TCP stream is reconstructed to obtain a basic data stream. The present embodiment provides an event-driven publish/subscribe model, in which the sender of a message (the publisher) does not send the message directly to a particular recipient (the subscriber) but sorts published messages into categories without knowing which subscribers may be present. Likewise, a subscriber may express interest in one or more categories and receive only the messages of interest without knowing which publishers are present. Here the data of each publisher is not actually published; the engine publishes the access right to the data to the message broker, and the message broker usually performs a store-and-forward function to deliver the message from the publisher to the subscriber, i.e. the subscriber can access the data before and after normalization as required. Normalization may include the IP-layer fragment reassembly and TCP stream reassembly mentioned above, HTTP percent-encoding decoding, and the like.
In specific implementation, a detection rule corresponding to a first TCP flow in a target attack behavior is determined as a target detection rule, and in subsequent steps, the target detection rule is matched in a basic data flow.
S102: matching a target data stream which accords with the target detection rule from the basic data streams so that a first subscriber subscribes the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
in this step, the detection engine issues the access right of the basic data stream to the message broker, and matches the target data stream that meets the target detection rule from the basic data stream, the first subscriber may obtain the access right of the target data stream from the message broker, and immediately issues the access right as the updated basic data stream to the message broker after subscribing to the target data stream, and the detection engine may continue matching the subsequent detection rule.
In the publish/subscribe model, subscribers typically receive a subset of all published messages. The process of selecting messages for acceptance and processing is referred to as filtering and typically takes the form of topic-based and content-based filtering. In a topic-based system, where messages are published on a topic or named channel, subscribers will receive all messages on the topic to which they subscribe, and all subscribers subscribing to the same topic will receive the same message, the publisher is responsible for defining the categories of messages to which the subscribers subscribe. In a content-based system, a subscriber defines the conditions for messages that the subscriber is interested in, and messages are only delivered to the subscriber if their attributes or content meet the subscriber-defined conditions, and the subscriber needs to be responsible for classifying the messages. Of course some publish/subscribe models also support a mix of the two, i.e., publishers publish messages on topics, while subscribers register content-based subscriptions on one or more topics.
S103: determining the detection rule corresponding to the next TCP stream as a target detection rule, and re-entering the step S102:
in this step, the detection rule corresponding to the next TCP flow is determined as the target detection rule, the target data flow meeting the target detection rule is matched again from the updated basic data flow, and the above steps are repeated until the target data flow meeting the target detection rule corresponding to the last TCP flow in the target attack behavior is matched, that is, the target detection rules corresponding to all TCP flows in the target attack behavior are matched. In this process, if any target detection rule is not matched with the target data stream, the target detection rule corresponding to the first TCP stream needs to be re-matched.
S104: and if the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched, judging that the target attack behavior exists.
In this step, if a target data flow that meets the target detection rule corresponding to the last TCP flow in the target attack behavior is matched, that is, the target detection rules for all TCP flows in the target attack behavior are matched, it is determined that the target attack behavior exists.
The attack detection method provided by the embodiment of the application formulates a detection rule separately for each TCP stream in the target attack behavior, matches the received data streams against these detection rules, and judges that the target attack behavior exists when all the detection rules have been matched. The attack detection method provided by the embodiment therefore realizes a scheme in which multiple detection rules spanning TCP streams interlock with each other, so that an attack flow spanning several TCP streams is expressed accurately, the accuracy and usability of rule expression are effectively improved, and the attack detection accuracy is further improved.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
if the target data stream which accords with the target detection rule corresponding to the target TCP stream is matched, judging whether target tracking exists or not; wherein the target TCP flow is a TCP flow other than the first TCP flow in the target attack behavior, and the target trace is a trace corresponding to the target attack behavior registered in the message broker by the second subscriber when the detection engine matches a target data flow conforming to a target detection rule corresponding to the first TCP flow; and if so, executing the step of determining the detection rule corresponding to the next TCP stream as the target detection rule.
In one implementation, the detection engine registers for target tracking when a target data flow is matched that complies with the target detection rule corresponding to the first TCP flow. And when the target data stream which accords with the target detection rule corresponding to the subsequent TCP stream is matched, judging whether target tracking exists or not, if the tracking identifier exists, judging that the target tracking exists, determining the detection rule corresponding to the next TCP stream in the target attack behavior as the target detection rule, and matching the target data stream which accords with the target detection rule from the updated basic data stream.
As a possible implementation, the determining whether target tracking exists includes: judging whether the communication information of the target TCP stream is consistent with that of the first TCP stream; and if so, judging that the target tracking exists. In a specific implementation, the communication information includes a source IP address, a destination IP address, a source port and a destination port, and when the four tuples are all consistent, it can be determined that target tracking exists.
As another possible implementation manner, after the tracking corresponding to the target attack behavior registered in the message broker, the method further includes: calculating a tracking identifier of the target tracking according to a preset calculation rule based on the communication information of the first TCP stream; correspondingly, the judging whether target tracking exists includes: calculating a target tracking identifier of the target tracking according to the preset calculation rule based on the communication information of the target TCP stream; judging whether the target tracking identification exists or not; and if so, judging that the target tracking exists. In specific implementation, when a target data stream conforming to a target detection rule corresponding to a first TCP stream is matched, a target tracking identifier is calculated according to a preset calculation rule based on communication information of the first TCP stream. And when a target data stream which accords with a target detection rule corresponding to the subsequent TCP stream is matched, calculating a tracking identifier according to the communication information of the subsequent TCP stream and a preset calculation rule, and if the tracking identifier exists, judging that target tracking exists.
The embodiment of the application discloses an attack detection method, and compared with the previous embodiment, the embodiment further explains and optimizes the technical scheme. Specifically, the method comprises the following steps:
Referring to FIG. 2, a flowchart of another attack detection method according to an exemplary embodiment is shown, including:
S201: creating an application fingerprint based on the protocol characteristics between the two interacting parties of the target attack behavior, and determining a detection rule corresponding to each TCP stream in the target attack behavior;
S202: receiving a data stream, and matching a basic data stream which accords with the application fingerprint from the data stream;
in this embodiment, an application fingerprint is created based on the protocol features between the two interacting parties of the target attack behavior, when a regularized data stream is received, a basic data stream conforming to the application fingerprint is matched from the data stream, the basic data stream conforms to the protocol features between the two interacting parties, and the two interacting parties of the target attack behavior can be accurately expressed.
S203: determining a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule;
S204: matching, from the basic data stream, a target data stream which accords with the target detection rule, so that a first subscriber subscribes to the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
S205: determining the detection rule corresponding to the next TCP stream as the target detection rule, and re-entering step S204;
S206: and if the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched, judging that the target attack behavior exists.
Therefore, before the target detection rule is matched, the application fingerprint is matched in the data stream, the application fingerprint is created based on the protocol characteristics between the two interactive parties of the target attack behavior, the basic data stream obtained by matching accords with the application fingerprint, namely the protocol characteristics between the two interactive parties, the two interactive parties of the target attack behavior are accurately expressed, and the accuracy of the attack detection is improved.
An application embodiment provided by the present application is introduced below, and as shown in fig. 3, the application embodiment includes a decoding module, an IP layer packet reassembly module, a TCP stream reassembly module, a detection engine, a log response module, an application identification module, a callback interface module, and an event registration module.
The IP-layer packet reassembly module, the TCP stream reassembly module and the detection engine act as publishers: they have the function of publishing data access rights, and publish their publication statements to the message broker in message form. The application identification module, the callback interface module and the event registration module are both publishers and subscribers. On the one hand, each can send a subscription statement for its task to the message broker, and once a publisher has published data matching the subscriber's requirements, it immediately obtains the data access right and carries out its specific task. On the other hand, after these three modules finish processing the data, they re-publish it to the message broker so that other subscribing modules can process it further, which provides flexibility.
The application identification module can be used as a subscriber to send a specific protocol preprocessing requirement for a specific publisher module to the message broker, and can also be used as a publisher to monitor application identification requests from other subscriber modules subscribed on the message broker, and after application identification is completed, the access authority of data meeting the application identification requirement is published.
The callback interface module supports external provision of callback functions, which the external system may call to submit subscriptions to particular publishers to the message broker, e.g., subscriptions that directly complete corresponding logs, alerts, or automatic response actions to the log response module. Meanwhile, the module can also realize logic for a publisher of a third party.
The event registration module supports registration requests of various events, sends a recombination or tracking requirement for a specific protocol of a specific publisher module to the message broker, and publishes result data after processing is finished.
Consider a specific attack flow to be detected: the client initiates a TCP session session1 and obtains handle1; in a subsequent TCP session session2, handle1 + payload is carried to complete the attack, where payload = f(handle1).
To detect the above attack, an application fingerprint of the protocol features is created: based on the protocol characteristics of the interaction between the Client and the Server, an application fingerprint of the legitimate protocol is created and defined as AppSig1. Then rule1 and rule2 are created, compiled and run, with the following semantics. rule1: the rule carries AppSig1; after a successful match, the handle1 feature of AppSig1 is extracted (Extract) and defined as pattern_handle1, and cross-TCP-stream tracking Track1 is defined. rule2: the rule carries AppSig1 and requires an alarm to be raised when the payload = f(handle1) feature is matched and Track1 exists.
Based on rule1, the detection engine registers a subscription for application identification of AppSig1. After detecting a match of AppSig1, the application identification module publishes data_stream1 to the message broker; the detection engine performs matching detection on data_stream1 based on rule1, and once the match succeeds, the event registration module registers a cross-TCP-stream tracking subscription, defined as Track1. After detecting a match of AppSig1, the application identification module continues to publish data streams data_streamX to the broker; when the detection engine detects a successful match of data_streamX based on rule2, finds that Track1 exists, and the quadruple of source IP, destination IP, source port and destination port is consistent, an alarm is triggered.
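The rule chain of steps S101 to S104, the tracking identifier derived from the 4-tuple, and the rule1/rule2 flow just described, modelled as an added Python example that is not the patent's or Sangfor's code. The protocol banner used as AppSig1, the HANDLE/USE message formats, the hash used as the preset calculation rule and the relation f(handle1) are all assumptions made for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed illustration of the patent's cross-TCP-flow rule chain; the
# protocol, fingerprint, rule patterns and f(handle1) below are assumptions.

@dataclass(frozen=True)
class Flow:
    """One reassembled TCP flow (a 'basic data stream'): 4-tuple plus payload."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

def app_sig1(flow: Flow) -> bool:
    """AppSig1 (assumed): the legitimate protocol always starts with this banner."""
    return flow.payload.startswith(b"APP1 ")

def track_id(flow: Flow) -> str:
    """Preset calculation rule (assumed): a hash over the 4-tuple the page lists."""
    key = f"{flow.src_ip}:{flow.src_port}->{flow.dst_ip}:{flow.dst_port}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def f(handle: str) -> str:
    """Assumed relation payload = f(handle1); the page does not define f."""
    return hashlib.md5(handle.encode()).hexdigest()[:8]

def rule1(flow: Flow, state: Dict[str, str]) -> bool:
    """rule1: session1 hands out handle1; Extract it (pattern_handle1), open Track1."""
    m = re.search(rb"HANDLE=([0-9a-f]+)", flow.payload)
    if not m:
        return False
    state["handle1"] = m.group(1).decode()
    return True

def rule2(flow: Flow, state: Dict[str, str]) -> bool:
    """rule2: a later flow carries handle1 plus a payload equal to f(handle1)."""
    m = re.search(rb"USE ([0-9a-f]+) (\S+)", flow.payload)
    if not m:
        return False
    handle, payload = m.group(1).decode(), m.group(2).decode()
    return handle == state.get("handle1") and payload == f(handle)

class DetectionEngine:
    """Steps S101-S104: match rules in order; a track links flows by track_id."""

    def __init__(self, fingerprint: Callable[[Flow], bool],
                 rules: List[Callable[[Flow, Dict[str, str]], bool]]):
        self.fingerprint = fingerprint
        self.rules = rules
        # track id -> (index of the next rule to satisfy, features extracted so far)
        self.tracks: Dict[str, Tuple[int, Dict[str, str]]] = {}

    def process(self, flow: Flow) -> Optional[str]:
        """Feed one reassembled flow; return an alarm string when the chain completes."""
        if not self.fingerprint(flow):            # S202: not our application, ignore
            return None
        tid = track_id(flow)
        state: Dict[str, str] = {}
        if self.rules[0](flow, state):            # S102: the first rule (re)opens a track
            self.tracks[tid] = (1, state)
            return None
        if tid not in self.tracks:                # no Track1 for this 4-tuple
            return None
        idx, state = self.tracks[tid]
        if not self.rules[idx](flow, state):      # chain broken: back to rule1
            del self.tracks[tid]
            return None
        if idx + 1 == len(self.rules):            # S104: last rule matched -> alarm
            del self.tracks[tid]
            return f"{self.rules[idx].__name__}: track {tid} handle1={state['handle1']}"
        self.tracks[tid] = (idx + 1, state)       # S103: wait for the next rule
        return None

def demo() -> List[Optional[str]]:
    """Constructed flows: session1 yields handle1, session2 replays it with f(handle1)."""
    engine = DetectionEngine(app_sig1, [rule1, rule2])
    four = ("10.0.0.5", "10.0.0.9", 40001, 8080)
    attack = b"APP1 USE 7f3a " + f("7f3a").encode()
    flows = [
        Flow(*four, b"APP1 OPEN\r\nHANDLE=7f3a\r\n"),        # session1: opens Track1
        Flow("10.0.0.6", "10.0.0.9", 40002, 8080, attack),    # other 4-tuple: no track
        Flow(*four, b"GET / HTTP/1.1\r\n"),                    # fails AppSig1: ignored
        Flow(*four, attack),                                   # session2: alarm
        Flow(*four, attack),                                   # track consumed: silent
    ]
    return [engine.process(fl) for fl in flows]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the fourth constructed flow raises an alarm: rule2 is evaluated solely for flows whose 4-tuple maps to a track that rule1 opened, so the same payload from another 4-tuple stays silent.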
In the following, an attack detection device provided by an embodiment of the present application is introduced, and an attack detection device described below and an attack detection method described above may be referred to each other.
Referring to fig. 4, a block diagram of an attack detection apparatus according to an exemplary embodiment is shown, as shown in fig. 4, including:
a first determining module 401, configured to determine a detection rule corresponding to each TCP flow in a target attack behavior, obtain a basic data flow, and determine a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule;
a matching module 402, configured to match a target data stream that meets the target detection rule from the basic data streams, so that a first subscriber subscribes the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
a second determining module 403, configured to determine a detection rule corresponding to a next TCP flow as a target detection rule, and restart a workflow of the matching module;
a judging module 404, configured to judge that the target attack behavior exists when a target data flow that meets the target detection rule corresponding to the last TCP flow in the target attack behavior is matched.
The attack detection device provided by the embodiment of the application establishes a separate detection rule for each TCP stream in the target attack behavior, matches the received data streams against each detection rule in turn, and judges that the target attack behavior exists when all the detection rules have been matched. Therefore, the attack detection device provided by the embodiment of the application realizes a mode in which a plurality of detection rules are chained across TCP streams and interlock with each other, so that an attack flow spanning a plurality of TCP streams is accurately expressed, the accuracy and usability of rule expression are effectively improved, and the attack detection accuracy is further improved.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
the creating module is used for creating application fingerprints based on the protocol characteristics between the two target attack behavior interaction parties;
accordingly, the first determining module comprises:
the first determining unit is used for determining a detection rule corresponding to each TCP flow in the target attack behavior;
the acquisition unit is used for receiving data streams and matching basic data streams which accord with the application fingerprints from the data streams;
and the second determining unit is used for determining the detection rule corresponding to the first TCP flow in the target attack behavior as the target detection rule.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
the judging module is used for judging whether target tracking exists or not when a target data stream which accords with a target detection rule corresponding to a target TCP stream is matched, and if so, starting the working process of the matching module 402; the target TCP stream is a TCP stream in the target attack behavior except the first TCP stream, and the target tracking is a tracking corresponding to the target attack behavior registered in the message broker by the second subscriber when the detection engine matches a target data stream conforming to a target detection rule corresponding to the first TCP stream.
On the basis of the foregoing embodiment, as a preferred implementation manner, the judging module is specifically configured to, when a target data flow meeting the target detection rule corresponding to the target TCP flow is matched, judge whether the communication information of the target TCP flow is consistent with the communication information of the first TCP flow; and if so, judge that the target tracking exists.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
the calculation module is used for calculating the tracking identifier of the target tracking according to a preset calculation rule based on the communication information of the first TCP stream;
correspondingly, the judging module is specifically configured to calculate a target tracking identifier of the target tracking according to the preset calculation rule based on the communication information of the target TCP flow when the target data flow which meets the target detection rule corresponding to the target TCP flow is matched; judge whether the target tracking identifier exists; and if so, judge that the target tracking exists.
On the basis of the above embodiment, as a preferred implementation, the communication information includes a source IP address, a destination IP address, a source port, and a destination port.
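The following Python program is an added illustration of the two-rule flow described in the method embodiment (rule1 extracts handle1 and registers Track1; rule2 raises an alarm only when payload = f(handle1) is matched and Track1 exists for the same quadruple) together with the tracking identifier that the calculation and judging modules derive from the four-tuple. It is not code from the patent or from Sangfor; the toy line protocol (GET_HANDLE / HANDLE / USE), the derivation f, the SHA-256-based track_id, the broker topic name and the sample sessions are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStream:
    """One reassembled TCP session: its four-tuple plus the application data."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    data: bytes

    def four_tuple(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)


class MessageBroker:
    """Minimal publish/subscribe broker: each topic fans out to its subscribers."""

    def __init__(self):
        self._subscribers = defaultdict(list)

    def subscribe(self, topic, callback):
        self._subscribers[topic].append(callback)

    def publish(self, topic, stream):
        for callback in list(self._subscribers[topic]):
            callback(stream)


# Constructed toy protocol (hypothetical, not from the patent): session 1 obtains a
# handle ("GET_HANDLE" / "HANDLE <8 hex>"); a later session sends "USE <handle> <token>",
# and the attack is the token being f(handle1). AppSig1 is the legitimate-protocol fingerprint.
APP_SIG1 = re.compile(rb"^(GET_HANDLE\n|HANDLE [0-9a-f]{8}\n|USE [0-9a-f]{8} \S+\n)+$")
PATTERN_HANDLE1 = re.compile(rb"HANDLE ([0-9a-f]{8})\n")   # pattern_handle1 (Extract)
PATTERN_USE = re.compile(rb"USE ([0-9a-f]{8}) (\S+)\n")


def f(handle: bytes) -> bytes:
    """Assumed derivation f(handle1) whose result rule2 looks for in the payload."""
    return hashlib.sha256(handle).hexdigest()[:8].encode()


def track_id(stream: DataStream) -> str:
    """Preset calculation rule (assumed): a digest of the four-tuple, so two sessions
    with consistent src IP / dst IP / src port / dst port map to the same Track1 id."""
    key = "|".join(map(str, stream.four_tuple())).encode()
    return hashlib.sha256(key).hexdigest()[:16]


class DetectionEngine:
    """rule1 extracts handle1 and registers Track1; rule2 alarms only if Track1 exists."""

    def __init__(self, broker: MessageBroker):
        self.tracks = {}   # tracking identifier -> handle1 extracted by rule1 (Track1)
        self.alerts = []
        broker.subscribe("AppSig1", self.rule1)   # both rules carry AppSig1
        broker.subscribe("AppSig1", self.rule2)

    def rule1(self, stream: DataStream):
        m = PATTERN_HANDLE1.search(stream.data)
        if m:
            self.tracks[track_id(stream)] = m.group(1)   # event registration: Track1

    def rule2(self, stream: DataStream):
        m = PATTERN_USE.search(stream.data)
        if m is None:
            return
        handle1 = self.tracks.get(track_id(stream))   # Track1 lookup by quadruple
        if handle1 is None:
            return                                    # no tracking -> no alarm
        if m.group(1) == handle1 and m.group(2) == f(handle1):
            self.alerts.append((stream.four_tuple(), handle1.decode()))


def app_identify(broker: MessageBroker, stream: DataStream):
    """Application identification module: publish only streams matching AppSig1."""
    if APP_SIG1.match(stream.data):
        broker.publish("AppSig1", stream)


def run_detection(streams):
    """Feed reassembled sessions through the broker and return the alarms raised."""
    broker = MessageBroker()
    engine = DetectionEngine(broker)
    for stream in streams:
        app_identify(broker, stream)
    return engine.alerts


def sample_streams():
    """Constructed sessions: handle issue, the follow-up abuse, and three distractors."""
    token = f(b"deadbeef")
    return [
        DataStream("10.0.0.5", "10.0.0.9", 40001, 8080, b"GET_HANDLE\nHANDLE deadbeef\n"),
        DataStream("10.0.0.5", "10.0.0.9", 40001, 8080, b"USE deadbeef " + token + b"\n"),
        DataStream("10.0.0.7", "10.0.0.9", 40002, 8080, b"USE deadbeef " + token + b"\n"),
        DataStream("10.0.0.5", "10.0.0.9", 40001, 8080, b"USE deadbeef 00000000\n"),
        DataStream("10.0.0.5", "10.0.0.9", 40001, 8080, b"HELLO\n"),
    ]


if __name__ == "__main__":
    for alert in run_detection(sample_streams()):
        print("alarm: cross-stream attack", alert)
```

Only the second session raises an alarm: the third carries the same abuse but from a quadruple for which no Track1 was registered, the fourth reuses handle1 with a payload that is not f(handle1), and the fifth never matches AppSig1 so it is not published to the detection engine at all. The four-tuple keying follows the page; in a deployment the "preset calculation rule" for the tracking identifier is the place to substitute whatever session-linking key the protocol actually warrants.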
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The present application further provides an electronic device. Referring to fig. 5, which shows a structure diagram of an electronic device 500 provided in an embodiment of the present application, the electronic device 500 may include a processor 11 and a memory 12, and may also include one or more of a multimedia component 13, an input/output (I/O) interface 14, and a communication component 15.
The processor 11 is configured to control the overall operation of the electronic device 500, so as to complete all or part of the steps in the attack detection method. The memory 12 is used to store various types of data to support operation at the electronic device 500, such as instructions for any application or method operating on the electronic device 500, and application-related data such as contact data, messages, pictures, audio, video, and so forth. The memory 12 may be implemented by any type of volatile or non-volatile memory device or a combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. The multimedia component 13 may include a screen and an audio component, where the screen may be, for example, a touch screen and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals; the received audio signal may further be stored in the memory 12 or transmitted via the communication component 15. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 14 provides an interface between the processor 11 and other interface modules, such as a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 15 is used for wired or wireless communication between the electronic device 500 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G or 4G, or a combination of one or more of them, so the corresponding communication component 15 may include a Wi-Fi module, a Bluetooth module and an NFC module.
In an exemplary embodiment, the electronic device 500 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components for performing the attack detection method described above.
In another exemplary embodiment, a computer readable storage medium comprising program instructions which, when executed by a processor, implement the steps of the attack detection method described above is also provided. For example, the computer readable storage medium may be the memory 12 described above comprising program instructions executable by the processor 11 of the electronic device 500 to perform the attack detection method described above.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. An attack detection method, applied to a detection engine, comprising:
determining a detection rule corresponding to each TCP flow in a target attack behavior, acquiring a basic data flow, and determining a detection rule corresponding to a first TCP flow in the target attack behavior as a target detection rule;
matching a target data stream which accords with the target detection rule from the basic data streams so that a first subscriber subscribes the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
determining a detection rule corresponding to the next TCP stream as a target detection rule, and re-entering a step of matching a target data stream which accords with the target detection rule from the basic data stream;
and if the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched, judging that the target attack behavior exists.
2. The attack detection method according to claim 1, wherein before determining the detection rule corresponding to each TCP flow in the target attack behavior, the method further comprises:
creating an application fingerprint based on the protocol characteristics between the two target attack behavior interaction parties;
correspondingly, the acquiring the basic data stream includes:
and receiving a data stream, and matching a basic data stream which is in accordance with the application fingerprint from the data stream.
3. The attack detection method according to claim 1, further comprising:
if the target data stream which accords with the target detection rule corresponding to the target TCP stream is matched, judging whether target tracking exists or not; wherein the target TCP flow is a TCP flow other than the first TCP flow in the target attack behavior, and the target trace is a trace corresponding to the target attack behavior registered in the message broker by the second subscriber when the detection engine matches a target data flow conforming to a target detection rule corresponding to the first TCP flow;
and if so, executing the step of determining the detection rule corresponding to the next TCP stream as the target detection rule.
4. The attack detection method according to claim 3, wherein the determining whether target tracking exists comprises:
judging whether the communication information of the target TCP stream is consistent with that of the first TCP stream;
and if so, judging that the target tracking exists.
5. The attack detection method according to claim 3, wherein after the tracking corresponding to the target attack behavior is registered in the message broker, the method further comprises:
calculating a tracking identifier of the target tracking according to a preset calculation rule based on the communication information of the first TCP stream;
correspondingly, the judging whether target tracking exists includes:
calculating a target tracking identifier of the target tracking according to the preset calculation rule based on the communication information of the target TCP stream;
judging whether the target tracking identification exists or not;
and if so, judging that the target tracking exists.
6. The attack detection method according to claim 4 or 5, wherein the communication information comprises a source IP address, a destination IP address, a source port and a destination port.
7. An attack detection device applied to a detection engine, comprising:
the first determining module is used for determining a detection rule corresponding to each TCP flow in the target attack behavior, acquiring a basic data flow and determining the detection rule corresponding to the first TCP flow in the target attack behavior as a target detection rule;
the matching module is used for matching a target data stream which accords with the target detection rule from the basic data streams so that a first subscriber subscribes the target data stream through a message broker and publishes the target data stream to the message broker as an updated basic data stream;
the second determining module is used for determining the detection rule corresponding to the next TCP stream as a target detection rule and restarting the working process of the matching module;
and the judging module is used for judging that the target attack behavior exists when the target data stream which accords with the target detection rule corresponding to the last TCP stream in the target attack behavior is matched.
8. The attack detection apparatus according to claim 7, further comprising:
the creating module is used for creating application fingerprints based on the protocol characteristics between the two target attack behavior interaction parties;
accordingly, the first determining module comprises:
the first determining unit is used for determining a detection rule corresponding to each TCP flow in the target attack behavior;
the acquisition unit is used for receiving data streams and matching basic data streams which accord with the application fingerprints from the data streams;
and the second determining unit is used for determining the detection rule corresponding to the first TCP flow in the target attack behavior as the target detection rule.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the attack detection method according to any one of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the attack detection method according to any one of claims 1 to 6.
CN202010278746.4A 2020-04-10 2020-04-10 Attack detection method and device, electronic equipment and storage medium Active CN111510446B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010278746.4A CN111510446B (en) 2020-04-10 2020-04-10 Attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111510446A true CN111510446A (en) 2020-08-07
CN111510446B CN111510446B (en) 2022-03-22

Family

ID=71864783

Country Status (1)

Country Link
CN (1) CN111510446B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113297577A (en) * 2021-06-16 2021-08-24 Sangfor Technologies Co., Ltd. Request processing method and device, electronic equipment and readable storage medium
CN113596043A (en) * 2021-08-03 2021-11-02 China Telecom Co., Ltd. Attack detection method, attack detection device, storage medium and electronic device
CN114465742A (en) * 2020-11-10 2022-05-10 Huawei Technologies Co., Ltd. Network security protection method and protection equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170054745A1 (en) * 2014-02-17 2017-02-23 Beijing Qihoo Technology Company Limited Method and device for processing network threat
CN108111466A (en) * 2016-11-24 2018-06-01 Beijing Kingsoft Cloud Network Technology Co., Ltd. Attack detection method and device
CN108809926A (en) * 2017-12-25 2018-11-13 Beijing Antiy Network Security Technology Co., Ltd. Intrusion detection rule optimization method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Song Chunyu et al.: "A network traffic monitoring mechanism capable of resisting TCP Flooding attacks", Computer Systems & Applications *

Also Published As

Publication number Publication date
CN111510446B (en) 2022-03-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant