CN112153052A - Method and system for monitoring database collision attack - Google Patents


Info

Publication number
CN112153052A
CN112153052A
Authority
CN
China
Prior art keywords
login
request
response
determining
behavior
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN202011022207.0A
Other languages
Chinese (zh)
Inventor
刘斐然
Current Assignee
Beijing ThreatBook Technology Co Ltd
Original Assignee
Beijing ThreatBook Technology Co Ltd
Priority date
2020-09-25
Filing date
2020-09-25
Publication date
2020-12-29

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a method and a system for monitoring a database collision attack (撞库, i.e. credential stuffing). The method comprises: acquiring request information; determining a request type based on the request information, where the request types include a login request and a non-login request; when the request type is a login request, acquiring a network address from the request information; and determining whether the login behavior is a database collision attack based on the number of failed logins from that network address to the target server within a preset time period. By obtaining the request information from network traffic, the invention can determine whether it is a login request and, if so, accurately identify whether the network address in the request is carrying out a database collision attack, so that such attacks are identified in time and network security personnel have a basis for finding database collision attacks among large numbers of login events.

Description

Method and system for monitoring database collision attack
Technical Field
The invention relates to the technical field of the internet, in particular to a method and a system for monitoring database collision attacks.
Background
With the development of internet technology, people routinely log in to platforms and websites with an account and a password. A hacker can therefore build a dictionary from user names and passwords leaked on the internet and try them in bulk against other websites, obtaining a set of accounts that can be logged into. That is, because users tend to reuse the same account and password on different websites, a hacker who has obtained a user's credentials for website A can try them on website B; this is a database collision (credential stuffing) attack. It is therefore necessary to monitor for such attacks to protect users' accounts.
Disclosure of Invention
The embodiment of the invention aims to provide a method for monitoring database collision attacks, so as to solve the problem that the prior art cannot accurately identify such attack behavior.
To that end, the embodiment of the application adopts the following technical scheme. A method for monitoring a database collision attack comprises the following steps:
acquiring request information;
determining a request type based on the request information; wherein the request types include a login request and a non-login request;
under the condition that the request type is a login request, acquiring a network address based on the request information;
and determining whether the login behavior is a database collision attack based on the number of failed logins from that network address to the target server within a preset time period.
Optionally, the determining the request type based on the request information specifically includes:
determining a keyword in the request information;
and when the keywords comprise one or more of user name keywords and password keywords, determining the request type as a login request.
Optionally, the user name class keywords include one or more of: username, phone, name and mailbox;
the password class keywords include one or more of: password and gesture (a gesture or pattern lock).
Optionally, in a case that the login behavior is determined to be a library collision attack behavior, the method further includes:
acquiring response information fed back by the target server based on each login request;
and determining whether the login behavior is successful or not based on the response information so as to determine whether the database collision attack is successful or not.
Optionally, determining whether the login behavior is successful based on each piece of response information specifically comprises:
determining whether the response codes in the response messages differ from one another and/or whether the response byte counts in the response messages differ from one another;
and determining that a login succeeded when the response codes and/or the response byte counts are found to differ.
Optionally, when the login behavior is a database collision attack, the method further includes: issuing an alarm prompt in a preset prompt manner.
In order to solve the above problem, the present application provides a system for monitoring a database collision attack, which is characterized by comprising:
the first acquisition module is used for acquiring request information;
the login identification module is used for determining the request type based on the request information; wherein the request types include a login request and a non-login request;
the second acquisition module is used for acquiring a network address based on the request information under the condition that the request type is a login request;
and the database collision attack identification module is used for determining whether the login behavior is a database collision attack based on the number of failed logins from the network address to the target server within a preset time period.
Optionally, the login identification module is specifically configured to:
determining a keyword in the request information;
and when the keywords comprise one or more of user name keywords and password keywords, determining the request type as a login request.
Optionally, the system further includes a database collision attack result determination module, which is configured to:
acquire the response information fed back by the target server for each login request;
and determine whether the login behavior is successful based on the response information, so as to determine whether the database collision attack succeeded.
Optionally, the database collision attack result determination module is specifically configured to:
determine whether the response codes in the response messages differ from one another and/or whether the response byte counts in the response messages differ from one another;
and determine that a login succeeded when the response codes and/or the response byte counts are found to differ.
Optionally, the system further includes a prompt module configured to issue an alarm prompt in a preset prompt manner when the login behavior is a database collision attack.
The beneficial effects of the embodiment of the invention are: by obtaining request information from network traffic, it can be determined whether the request is a login request; if it is, whether the network address in the request is carrying out database collision behavior can be accurately identified, so that database collision attacks are identified accurately and network security personnel have a basis for finding successful database collision attacks in time among large numbers of such attempts.
Drawings
FIG. 1 is a flow chart of a method for monitoring a database collision attack according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for monitoring a database collision attack according to another embodiment of the present invention;
FIG. 3 is a block diagram of a system for monitoring a database collision attack according to another embodiment of the present invention.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of preferred forms of embodiment, given as non-limiting examples, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, so as not to obscure the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
An embodiment of the present invention provides a method for monitoring a database collision attack, which may be applied on a security device. As shown in FIG. 1, the method of this embodiment includes the following steps:
step S101, acquiring request information;
In this step, the request information may specifically be an HTTP request. The request sent by the terminal device to the target server may be copied to the security device by a router or switch (traffic mirroring), so that the security device obtains the request information: when the terminal device sends an HTTP request, the router or switch forwards it to the target server and at the same time sends a copy to the security device for monitoring and analysis. The later steps inspect the request body, so the security device must see the request in cleartext; for HTTPS traffic it therefore has to sit behind the TLS terminator or be given the decrypted stream.
Step S102, determining a request type based on the request information; wherein the request types include a login request and a non-login request;
In implementation, the request information is parsed to determine the keywords it contains; when the keywords include one or more user name class keywords or password class keywords, the request type is determined to be a login request. The user name class keywords include one or more of: username, phone, name and mailbox; the password class keywords include one or more of: password and gesture. That is, the content of the HTTP request is analyzed, and if it contains both a user name class keyword and a password class keyword it is determined to be a login request. In a specific implementation, an HTTP request containing only a user name class keyword or only a password class keyword may also be regarded as a login request, at the cost of more false positives, since a field named "name" occurs in many non-login forms.
Step S103, under the condition that the request type is a login request, acquiring a network address based on the request information;
In this step, once the request is determined to be a login request, the network address of the requester, that is, its IP address, is obtained from the request information (in practice the source address of the captured packets; if the target server sits behind a reverse proxy, the client address is carried in a header such as X-Forwarded-For, which only the proxy must be trusted to set), providing the basis for subsequently deciding whether the requester's login behavior is a database collision attack.
And step S104, determining whether the login behavior is a database collision attack behavior or not based on the login failure times of the network address login target server in a preset time period.
In this step, after the requester's HTTP request has been determined to be a login request and its IP address obtained, whether the requester's login behavior is a database collision attack is decided according to the number of failed logins among the requests carrying the same IP address within a predetermined time period. For example, each time an HTTP request is identified as a login request, the IP address of the requester is extracted and a per-address counter is incremented; when the number of login failures (or, more simply, of login attempts) from that IP address within one minute exceeds 30, the requester's login behavior is regarded as a database collision attack. Counting failures rather than attempts requires pairing each request with the server's response; counting attempts can be done from the requests alone.
In this embodiment, request information is obtained from network traffic and used to determine whether it is a login request; if so, whether the requester's login behavior is database collision behavior can be accurately determined from the requester's network address and number of login failures, which gives network security personnel a basis for finding database collision attacks among large numbers of login events. A per-address threshold of this kind is defeated by attackers who spread attempts over many proxy addresses, so in practice it is combined with counts keyed on the target account or on the login endpoint as a whole.
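Steps S101 to S104, written out as runnable detection logic over constructed sample traffic. This is an added example, not code from the patent or from ThreatBook. It assumes requests are available as raw HTTP/1.1 text with the source address taken from the capture, that login fields travel as a form body or a JSON object, and that the threshold is the 30-attempts-per-minute figure from the description; the keyword lists are those of claim 3, and the sample requests and addresses are made up.

```python
"""Steps S101-S104 as runnable detection logic (added example; not the patent's code).

Assumptions, none of which come from the page: requests arrive as raw HTTP/1.1
text with the source IP taken from the packet capture, login fields are sent
as a form body or a JSON object, and the constructed sample traffic below
stands in for real captures.
"""
import json
from collections import defaultdict, deque
from urllib.parse import parse_qs

USERNAME_KEYS = {"username", "phone", "name", "mailbox"}  # claim 3, user name class
PASSWORD_KEYS = {"password", "gesture"}                   # claim 3, password class
THRESHOLD = 30    # login attempts per source address (figure from the description)...
WINDOW = 60.0     # ...within this many seconds


def parse_request(raw: str):
    """Split raw HTTP request text into (method, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def body_field_names(headers: dict, body: str) -> set:
    """Field names carried in a form-encoded or JSON body, lower-cased."""
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        return {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    if "application/json" in ctype:
        try:
            obj = json.loads(body)
        except ValueError:
            return set()
        return {str(k).lower() for k in obj} if isinstance(obj, dict) else set()
    return set()


def is_login_request(raw: str, require_both: bool = False) -> bool:
    """Step S102: keyword match on the request's field names.

    Claim 2 accepts a match on either keyword class; require_both=True is the
    stricter variant the description mentions first and avoids flagging every
    form that happens to have a 'name' field.
    """
    method, headers, body = parse_request(raw)
    if method != "POST":
        return False
    names = body_field_names(headers, body)
    has_user, has_pass = bool(names & USERNAME_KEYS), bool(names & PASSWORD_KEYS)
    return (has_user and has_pass) if require_both else (has_user or has_pass)


class CollisionDetector:
    """Steps S103-S104: per-source-address sliding-window count of login attempts."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, require_both=False):
        self.threshold, self.window, self.require_both = threshold, window, require_both
        self._attempts = defaultdict(deque)  # src_ip -> timestamps of login requests

    def observe(self, ts: float, src_ip: str, raw: str) -> bool:
        """Feed one captured request; True when src_ip exceeds the threshold."""
        if not is_login_request(raw, self.require_both):
            return False
        q = self._attempts[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop attempts older than the window
            q.popleft()
        return len(q) > self.threshold


# Constructed sample requests (not captured from any real system).
FORM_LOGIN = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "username=alice&password=hunter2")
JSON_LOGIN = ("POST /api/session HTTP/1.1\r\nHost: www.example.com\r\n"
              "Content-Type: application/json\r\n\r\n"
              '{"phone": "13800000000", "gesture": "1-2-3-6-9"}')
COMMENT_FORM = ("POST /comments HTTP/1.1\r\nHost: www.example.com\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "name=bob&comment=hello")
PAGE_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def run_demo() -> set:
    """35 login attempts in 17 s from one address, 3 from another: returns {'203.0.113.7'}."""
    det = CollisionDetector()
    flagged = set()
    for i in range(35):                      # attacker alternates the two login endpoints
        raw = FORM_LOGIN if i % 2 == 0 else JSON_LOGIN
        if det.observe(0.5 * i, "203.0.113.7", raw):
            flagged.add("203.0.113.7")
    for i in range(3):                       # legitimate user: a few tries, then browsing
        if det.observe(10.0 * i, "198.51.100.9", FORM_LOGIN):
            flagged.add("198.51.100.9")
    det.observe(40.0, "198.51.100.9", PAGE_GET)
    det.observe(41.0, "198.51.100.9", COMMENT_FORM)
    return flagged


if __name__ == "__main__":
    print("flagged:", run_demo())
```

The detector is keyed on the source address alone, as in step S104; the comment form in the sample shows why `require_both` matters, since a POST with a `name` field counts as a login attempt under the looser claim-2 rule.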
Another embodiment of the present invention provides a method for monitoring a database collision attack, as shown in fig. 2, including the following steps:
step S201, request information is acquired.
In the specific implementation process, the request information of the requester can be acquired in real time through the router or the switch.
Step S202, determining a request type based on the request information; wherein the request types include a login request and a non-login request.
Step S203, in case that the request type is a login request, acquiring a network address based on the request information.
And step S204, determining whether the login behavior is a database collision attack behavior or not based on the login failure times of the network address login target server in a preset time period.
Step S205, when the login behavior is determined to be a database collision attack, the response information fed back by the target server for each login request is obtained; and whether the login behavior is successful is determined based on the response information, so as to determine whether the database collision attack succeeded.
In the specific implementation of this step, once the requester's login behavior has been determined to be a database collision attack, whether the attack succeeded can be further determined from the response information returned by the target server. Specifically, the determination is made from the response code and the number of bytes of the response body in each response message. Each time the requester sends a request message to the target server, the server responds to it, so the response code and response byte count of the responses corresponding to each request can be compared. When the login name or password in a request is wrong, the server's responses are the same, that is, the response code and response byte count of the failure responses are consistent with one another. When a login succeeds, the response code and/or response byte count changes, that is, they differ from those of the failure responses, so it can be accurately determined whether the database collision attack succeeded.
In this implementation of the invention, whether the database collision attack succeeded, that is, whether the requester logged in to the target server with a stolen account and password, can be determined more accurately by checking whether the target server's responses to the individual requests differ from one another.
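The response comparison of step S205, written out over constructed responses. This is an added example, not the patent's or ThreatBook's code. It assumes the responses to a flagged address's login attempts are available as raw HTTP bytes, and it takes the most common (status code, body length) pair as the failure baseline rather than the first response, which is an assumption the patent text does not make; the `length_tolerance` parameter is likewise an added knob, not something the patent claims.

```python
"""Step S205 as runnable logic (added example; not the patent's code).

Input: the target server's responses to each login attempt from an address
already flagged as a database collision source. Assumption: failed logins get
an identical response, so the most common (status, body length) pair is the
failure baseline and any response that deviates from it is a candidate
success. The responses below are constructed, not captured.
"""
from collections import Counter


def response_signature(raw: bytes):
    """(status code, body byte count) of one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, len(body)


def find_successes(signatures, length_tolerance=0, min_samples=5):
    """Indices of responses whose status or body length deviates from the failure baseline.

    The patent compares strictly (tolerance 0). A small tolerance is useful
    when the failure page echoes variable-length content such as the
    attempted user name, which would otherwise produce a hit per attempt.
    """
    if len(signatures) < min_samples:
        return []        # too few responses to know what a failure looks like
    (base_status, base_len), _ = Counter(signatures).most_common(1)[0]
    return [i for i, (status, length) in enumerate(signatures)
            if status != base_status or abs(length - base_len) > length_tolerance]


# Constructed sample responses (not captured from any real system).
FAIL_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
             b'{"code":1001,"msg":"invalid username or password"}')
TOKEN_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
              b"Set-Cookie: session=0123456789abcdef; HttpOnly\r\n\r\n"
              b'{"code":0,"msg":"ok","token":"eyJhbGciOiJIUzI1NiJ9.e30.c2ln"}')
REDIRECT_RESP = b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"


def run_demo():
    """Eight responses to one flagged address; attempts 4 and 7 succeeded: returns [4, 7]."""
    stream = [FAIL_RESP] * 4 + [TOKEN_RESP] + [FAIL_RESP] * 2 + [REDIRECT_RESP]
    return find_successes([response_signature(r) for r in stream])


if __name__ == "__main__":
    print("successful attempts at indices:", run_demo())
```

Two limits follow from the design: if most attempts from an address succeeded, the mode is the success response and the logic inverts, and a server that answers success and failure with the same status and a same-length body is invisible to this check, which is one reason to pair it with the server's own authentication log.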
In a specific implementation of this embodiment, when the login behavior is a database collision attack, the method further includes issuing an alarm prompt in a preset prompt manner. In particular, the alarm can be raised on the requester's network address, that is, its IP address, so that network security personnel learn the source IP address of the database collision attack in time.
Another embodiment of the present invention provides a system for monitoring a database collision attack, which can be applied on a security device. As shown in FIG. 3, the system of this embodiment includes:
the first acquisition module is used for acquiring request information;
the login identification module is used for determining the request type based on the request information; wherein the request types include a login request and a non-login request;
the second acquisition module is used for acquiring a network address based on the request information under the condition that the request type is a login request;
and the database collision attack identification module is used for determining whether the login behavior is the database collision attack behavior or not based on the login failure times of the network address login target server in a preset time period.
In a specific implementation of this embodiment, the login identification module is specifically configured to determine the keywords in the request information and, when the keywords include one or more user name class keywords or password class keywords, to determine the request type to be a login request. That is, whether a request is a login request or a non-login request is decided by whether it contains a user name class keyword and/or a password class keyword. The user name class keywords include one or more of: username, phone, name and mailbox; the password class keywords include one or more of: password and gesture.
Specifically, the system further comprises a database collision attack result determination module, which is configured to: acquire the response information fed back by the target server for each login request; and determine whether the login behavior is successful based on the response information, so as to determine whether the database collision attack succeeded.
Specifically, the database collision attack result determination module is configured to: determine whether the response codes in the response messages differ from one another and/or whether the response byte counts in the response messages differ from one another; and determine that a login succeeded when the response codes and/or the response byte counts are found to differ.
In this embodiment, the system further includes a prompt module, where the prompt module is configured to perform alarm prompt according to a preset prompt manner when the login behavior is a database collision attack behavior. By arranging the prompt module, the system can give an alarm prompt in time when the database collision attack behavior is monitored, so that network security workers can know the database collision attack behavior in time to ensure the account security of users.
In this embodiment, request information is obtained from network traffic and used to determine whether it is a login request; if so, whether the network address in the request is carrying out a database collision attack can be accurately identified, so that such attacks are identified in time and network security personnel have a basis for finding database collision attacks, and the successful ones among them, in massive numbers of login events.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (10)

1. A method for monitoring a database collision attack is characterized by comprising the following steps:
acquiring request information;
determining a request type based on the request information; wherein the request types include a login request and a non-login request;
under the condition that the request type is a login request, acquiring a network address based on the request information;
and determining whether the login behavior is a database collision attack based on the number of failed logins from that network address to the target server within a preset time period.
2. The method of claim 1, wherein the determining a request type based on the request information specifically comprises:
determining a keyword in the request information;
and when the keywords comprise one or more of user name keywords and password keywords, determining the request type as a login request.
3. The method of claim 2, wherein the user name class keywords comprise one or more of: username, phone, name and mailbox;
and the password class keywords comprise one or more of: password and gesture.
4. The method of claim 1, wherein, when the login behavior is determined to be a database collision attack, the method further comprises:
acquiring response information fed back by the target server based on each login request;
and determining whether the login behavior is successful or not based on the response information so as to determine whether the database collision attack is successful or not.
5. The method according to claim 4, wherein determining whether the login behavior is successful based on each of the response messages specifically comprises:
determining whether the response codes in the response messages differ from one another and/or whether the response byte counts in the response messages differ from one another;
and determining that a login succeeded when the response codes and/or the response byte counts are found to differ.
6. The method of claim 1, wherein, when the login behavior is a database collision attack, the method further comprises: issuing an alarm prompt in a preset prompt manner.
7. A system for monitoring a database collision attack, comprising:
the first acquisition module is used for acquiring request information;
the login identification module is used for determining the request type based on the request information; wherein the request types include a login request and a non-login request;
the second acquisition module is used for acquiring a network address based on the request information under the condition that the request type is a login request;
and the database collision attack identification module is used for determining whether the login behavior is a database collision attack based on the number of failed logins from the network address to the target server within a preset time period.
8. The system of claim 7, wherein the login identification module is specifically configured to:
determining a keyword in the request information;
and when the keywords comprise one or more of user name keywords and password keywords, determining the request type as a login request.
9. The system for monitoring a database collision attack as recited in claim 7, further comprising a database collision attack result determination module, which is configured to:
acquiring response information fed back by the target server based on each login request;
and determining whether the login behavior is successful or not based on the response information so as to determine whether the database collision attack is successful or not.
10. The system for monitoring a database collision attack as claimed in claim 9, wherein the database collision attack result determination module is specifically configured to:
determine whether the response codes in the response messages differ from one another and/or whether the response byte counts in the response messages differ from one another;
and determine that a login succeeded when the response codes and/or the response byte counts are found to differ.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011022207.0A CN112153052A (en) 2020-09-25 2020-09-25 Method and system for monitoring database collision attack

Publications (1)

Publication Number Publication Date
CN112153052A true CN112153052A (en) 2020-12-29

Family

ID=73897062

Country Status (1)

Country Link
CN (1) CN112153052A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113591110A (en) * 2021-07-26 2021-11-02 招商银行股份有限公司 Method, system, device and computer program product for discriminating confidential requests
US11630887B2 (en) * 2017-12-28 2023-04-18 Paypal, Inc. Using an NP-complete problem to deter malicious clients
CN117118753A (en) * 2023-10-23 2023-11-24 深圳市科力锐科技有限公司 Network attack protection method, device, equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811449A (en) * 2015-04-21 2015-07-29 深信服网络科技(深圳)有限公司 Database collision (credential stuffing) attack detection method and system
CN106603555A (en) * 2016-12-29 2017-04-26 杭州迪普科技股份有限公司 Method and device for preventing database collision attacks
CN107294953A (en) * 2017-05-18 2017-10-24 深信服科技股份有限公司 Attack operation detection method and device
CN107347052A (en) * 2016-05-05 2017-11-14 阿里巴巴集团控股有限公司 Method and device for detecting database collision attacks
CN108566394A (en) * 2018-04-16 2018-09-21 新华三信息安全技术有限公司 Information processing method and device
CN108600172A (en) * 2018-03-23 2018-09-28 广州广电研究院有限公司 Database collision attack detection method, device, equipment and computer-readable storage medium
US20190205512A1 (en) * 2017-12-28 2019-07-04 Paypal, Inc Using an NP-complete problem to deter malicious clients

Legal Events

Date Code Title Description
PB01 Publication (application publication date: 2020-12-29)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication