CN112887327B - Method, device and storage medium for detecting malicious behaviors - Google Patents

Publication number
CN112887327B
Authority
CN (China)
Prior art keywords
weight information, request message, request, malicious, target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110203939.8A
Other languages
Chinese (zh)
Other versions
CN112887327A
Inventor
卢再锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110203939.8A
Publication of CN112887327A
Application granted
Publication of CN112887327B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention provides a method, a device and a storage medium for detecting malicious behaviors; the method comprises the following steps: receiving at least one request message of an object to be detected; analyzing each request message in the at least one request message to respectively obtain at least two of a corresponding information location directory, a corresponding file type and a corresponding request method; if at least two of the request method, the information location directory and the file type conflict, obtaining first weight information corresponding to each request message from a preset conflict relationship; and determining a detection result of the at least one request message based on the at least one piece of first weight information corresponding to the at least one request message. The invention can improve the accuracy of detecting malicious behavior.

Description

Method, device and storage medium for detecting malicious behaviors
Technical Field
The present invention relates to the field of network security, and in particular, to a method, an apparatus, and a storage medium for detecting malicious behavior.
Background
Passive anti-scanning (passive anti-scan) technology in a Web Application Firewall (WAF) is used to prevent a malicious object from scanning website information in preparation for a network attack; specifically, scanning traffic is analyzed and its characteristics are extracted to identify malicious behavior, so that the malicious object is prevented from scanning the website. Compared with active anti-scanning (active anti-scan), passive anti-scanning does not inject code into normal network traffic in order to identify malicious behavior actively, and therefore cannot damage normal service data.
Currently known passive anti-scanning methods usually extract only the more intuitive features of the scanning traffic, such as sensitive words, scanner fingerprints and response codes, to detect malicious behavior. However, in operation there are malicious behaviors that the existing passive anti-scanning schemes cannot detect, so the accuracy of detecting malicious behaviors is low.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a storage medium for detecting a malicious object, which can improve the accuracy of detecting malicious behaviors.
The technical scheme of the invention is realized as follows:
the embodiment of the invention provides a method for detecting malicious behaviors, which comprises the following steps:
receiving at least one request message of an object to be detected;
analyzing each request message in the at least one request message to respectively obtain at least two of a corresponding information position directory, a corresponding file type and a corresponding request method;
if at least two of the request method, the information position directory and the file type conflict, obtaining first weight information corresponding to each request message from a preset conflict relationship;
and determining a detection result of the at least one request message based on at least one piece of first weight information corresponding to the at least one request message.
In the above solution, after receiving at least one request packet of an object to be detected, the method further includes:
screening whether the at least one request message contains special information, wherein the special information comprises: information location sensitive words or scanner fingerprints;
if each request message contains the special information, second weight information corresponding to each request message is obtained from a preset special information base, and therefore at least one piece of second weight information corresponding to at least one request message is obtained;
correspondingly, the determining a detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet includes:
and determining a detection result of the at least one request message according to the at least one first weight information and the at least one second weight information.
In the above solution, after receiving at least one request packet of an object to be detected, the method further includes:
receiving at least one response message in response to the at least one request message; the at least one response message is obtained by the server responding after receiving the at least one request message;
analyzing the at least one response message to obtain response information corresponding to each response message;
if the response information represents that the content to be requested is not found, obtaining third weight information corresponding to each request message from a preset abnormal response relation, thereby obtaining at least one third weight information corresponding to at least one request message;
correspondingly, the determining a detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet includes:
determining a detection result of the at least one request message according to the at least one first weight information and the at least one third weight information; or,
and determining a detection result of the at least one request message according to the at least one first weight information, the at least one second weight information and the at least one third weight information.
In the foregoing solution, the determining a detection result of the at least one request packet based on the at least one piece of first weight information corresponding to the at least one request packet includes:
if first target weight information which is larger than a first malicious score threshold exists in at least one piece of first weight information corresponding to the at least one request message, determining that the detection result of the request message corresponding to the first target weight information is malicious behavior.
In the above solution, the determining a detection result of the at least one request packet based on the at least one piece of first weight information corresponding to the at least one request packet includes:
if second target weight information smaller than or equal to a first malicious score threshold exists in at least one first weight information corresponding to the at least one request message, adding the second target weight information to obtain a first weighting result;
if the first weighting result is smaller than or equal to a first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a normal behavior;
and if the first weighting result is greater than a first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a malicious behavior.
In the foregoing solution, the method further includes:
analyzing each request message in the at least one request message to respectively obtain one-to-one corresponding request parameters;
counting the number of the request parameters corresponding to each request message;
and determining a detection result of the at least one request message according to at least one of the at least one second weight information and the at least one third weight information, the at least one first weight information and the number of the request parameters.
In the above solution, the first weight information corresponding to each request packet includes: first sub-weight information and second sub-weight information;
if there is a conflict between at least two of the request method, the information location directory, and the file type, obtaining first weight information corresponding to each request packet from a preset conflict relationship, including:
if the request method conflicts with the file type, first sub-weight information corresponding to each request message is obtained from a first preset conflict relationship; or,
and if the information position directory conflicts with the file types, obtaining second sub-weight information corresponding to each request message from a second preset conflict relationship.
In the foregoing solution, if there is a conflict between the request method and the file type, obtaining, from a first preset conflict relationship, first sub-weight information corresponding to each request packet, includes:
if the file type and the request method match a first target conflict relationship in the first preset conflict relationship, obtaining the first sub-weight information corresponding to the first target conflict relationship from the first preset conflict relationship.
In the foregoing solution, if there is a conflict between the information location directory and the file type, obtaining, from a second preset conflict relationship, second sub-weight information corresponding to each request packet, includes:
if the information location directory and the file type match a second target conflict relationship in the second preset conflict relationship, obtaining the second sub-weight information corresponding to the second target conflict relationship from the second preset conflict relationship.
In the foregoing solution, after obtaining the first sub-weight information corresponding to each request packet from the first preset conflict relationship if there is a conflict between the request method and the file type, the method further includes:
counting the number of first risk file types corresponding to the first sub-weight information;
and if the number of first risk file types is greater than a first malicious type threshold, determining that the detection result of the request messages corresponding to the first risk file types is malicious behavior.
In the foregoing solution, after obtaining the second sub-weight information corresponding to each request packet from the second preset conflict relationship if there is a conflict between the information location directory and the file type, the method further includes:
counting the number of second risk file types corresponding to the second sub-weight information;
and if the number of second risk file types is greater than a second malicious type threshold, determining that the detection result of the request messages corresponding to the second risk file types is malicious behavior.
In the foregoing solution, after determining the detection result of the at least one request packet, the method further includes:
if the detection result of the at least one request message is a malicious behavior, discarding the at least one request message; or,
if the detection result of the at least one request message is a malicious behavior and at least one response message responding to the at least one request message is received, discarding the at least one response message; or,
and if the detection result of the at least one request message is normal behavior and at least one response message for responding to the at least one request message is received, feeding back the at least one response message.
An embodiment of the present invention further provides a device for detecting a malicious behavior, including:
the receiving unit is used for receiving at least one request message of an object to be detected;
the analysis unit is used for analyzing each request message in the at least one request message to respectively obtain at least two of the corresponding information position directory, the file type and the request method;
a generating unit, configured to obtain, from a preset conflict relationship, first weight information corresponding to each request packet if a conflict exists between at least two of the request method, the information location directory, and the file type;
a determining unit, configured to determine a detection result of the at least one request packet based on at least one piece of weight information corresponding to the at least one request packet.
An embodiment of the present invention further provides a device for detecting a malicious behavior, including:
a memory for storing executable instructions;
and the processor is used for realizing the method for detecting the malicious behaviors in the scheme when executing the executable instructions stored in the memory.
The embodiment of the present invention further provides a storage medium, which stores executable instructions for causing a processor to execute the method for detecting malicious behavior in the foregoing scheme.
Therefore, embodiments of the present invention provide a method, an apparatus, and a storage medium for detecting a malicious object, which can analyze each request packet in at least one request packet after receiving at least one request packet of an object to be detected, and obtain at least two of a corresponding information location directory, a corresponding file type, and a corresponding request method. And if at least two of the request method, the information position directory and the file type conflict, obtaining first weight information corresponding to each request message from a preset conflict relation. And finally, determining the detection result of at least one request message based on at least one piece of first weight information corresponding to at least one request message. Therefore, the conflict relation among the request method, the information position directory and the file type in the request message can be extracted as the characteristic to determine whether the object to be detected is a malicious object, so that the diversity of malicious behavior detection is provided, and the accuracy of the malicious behavior detection is improved.
Drawings
Fig. 1 is a first flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 2 is a schematic view of an application scenario of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 3 is a second flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 4 is a flowchart of a third method for detecting a malicious object according to an embodiment of the present invention;
fig. 5 is a fourth flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 6 is a fifth flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 7 is a sixth flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 8 is a seventh flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 9 is an eighth flowchart of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 10 is a flowchart nine of a method for detecting a malicious object according to an embodiment of the present invention;
fig. 11 is a first schematic structural diagram of a malicious object detection apparatus according to an embodiment of the present invention;
fig. 12 is a schematic structural diagram of a malicious object detection apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are further elaborated with reference to the drawings and the embodiments, which are not to be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without making creative efforts fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Where the terms "first/second" appear in the following description, "first \ second \ third" serves merely to distinguish similar objects and does not denote a particular ordering of those objects; it is to be understood that "first \ second \ third" may be interchanged under certain circumstances, or in order of precedence, so that the embodiments of the invention described herein can be practiced in an order other than that illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing embodiments of the invention only and is not intended to be limiting of the invention.
Fig. 1 is an optional flowchart of a method for detecting malicious behavior according to an embodiment of the present invention, which will be described with reference to the steps shown in fig. 1.
S101, receiving at least one request message of an object to be detected.
In the embodiment of the invention, the object to be detected can send the request message through the client, and the equipment for receiving at least one request message of the object to be detected can be network security equipment. The client establishes a communication line with the server in advance, the network security equipment is positioned between the client and the server, and when the client needs to request data information from the server, the client sends a request message to the server, and the request message passes through the network security equipment.
The client can be a mobile phone, a computer, an intelligent terminal, a vehicle-mounted computer and the like. The server may be a web server for storing web site data, as well as publishing and application web sites in the internet. The network security equipment is used for preventing malicious users from scanning and tampering website data and other attack behaviors.
Referring to fig. 2, a server 300 establishes a communication line 301 with a client 1 and a client 2 in advance, and a network security device 302 is located in front of the server 300. The client 1 is a mobile terminal, and the client 2 is a computer. The client 1 or the client 2 may transmit a request message to the server 300 through the pre-established communication line 301.
In the embodiment of the invention, the data information requested by the client can be a web page. When a client requests a web page, the client may first encapsulate the requested content in a request message through the Hypertext Transfer Protocol (HTTP), and then send the request message to the server.
S102, analyzing each request message in at least one request message to respectively obtain at least two of the corresponding information position directory, the corresponding file type and the corresponding request method.
In the embodiment of the invention, after receiving at least one request message, the network security equipment analyzes the content of each request message to obtain at least two of an information position directory, a file type and a request method which are respectively corresponding to each request message.
In the embodiment of the present invention, the request message includes a request method and a Uniform Resource Locator (URL), where the request method represents the manner in which the requested data information is to be operated on, and the URL represents the location and format of the requested data information. The URL comprises an information location directory and a file type: the information location directory can be the URL directory, which represents the location of the requested data information hierarchically, and the file type characterizes the format of the requested data information.
S103, if at least two of the request method, the information position directory and the file type conflict, first weight information corresponding to each request message is obtained from a preset conflict relationship.
In the embodiment of the invention, the preset conflict relationship is stored in the network security equipment, and the preset conflict relationship comprises the conflict relationship of risks among the information position directory, the file type and the request method, and corresponding weight information respectively configured for different abnormal combinations.
The preset conflict relationship may be configured and updated by a technician according to practical experience. For example, when the information location directory is /js/time, the files under that directory are usually js-type files; if files of other types are requested there, a conflict may exist, and this can be regarded as a conflict relationship. Likewise, in order to bypass WAF detection, a malicious user often requests a tar-type file using the POST request method, so the combination of the POST request method and the tar file type can be regarded as a conflict combination. The weight information expresses the probability that the request message is a malicious message as a score value: the higher the security risk, the higher the corresponding score.
Further, the network security device may identify, according to a preset conflict relationship, whether a conflict exists between at least two of the information location directory, the file type, and the request method corresponding to each request packet. If the conflict exists, the network security equipment obtains the first weight information corresponding to each request message from a preset conflict relationship, and thus obtains at least one first weight information corresponding to at least one request message.
The first weight information is the weight information corresponding to each request message obtained from the preset conflict relationship. A conflict among the information location directory, the file type and the request method of a request message means either a conflict between the information location directory and the file type, or a conflict between the file type and the request method.
In the embodiment of the present invention, if there is a conflict between the request method and the file type in each request packet, the network security device may obtain the first sub-weight information corresponding to each request packet from the first preset conflict relationship. The first preset conflict relationship is a part corresponding to a conflict between the request method and the file type in the preset conflict relationship. The first sub-weight information is weight information corresponding to each request message obtained from the first preset conflict relationship.
The process of determining whether a conflict exists between the request method and the file type in each request message by the network security device may be to first determine whether the request method is a request method in a first preset conflict relationship, and if so, then determine whether the file type is a file type which conflicts with the request method in the first preset conflict relationship; or judging whether the file type is the file type in the first preset conflict relationship or not, and if so, judging whether the request method is the request method which conflicts with the file type in the first preset conflict relationship or not.
In the embodiment of the invention, if the information position directory and the file type in each request message conflict, the network security equipment obtains the second sub-weight information corresponding to each request message from the second preset conflict relationship. And the second preset conflict relationship is a part corresponding to the conflict between the information position directory and the file type in the preset conflict relationship. The second sub-weight information refers to the weight information corresponding to each request message obtained from the second preset conflict relationship.
The process of determining whether a conflict exists between the information location directory and the file type in each request message by the network security device may be determining whether the information location directory is an information location directory in a second preset conflict relationship, and if so, determining whether the file type is a file type which conflicts with the information location directory in the second preset conflict relationship; or, it may be determined whether the file type is a file type in the second preset conflict relationship, and if so, it is determined whether the information location directory is an information location directory in the second preset conflict relationship where there is a conflict with the file type.
It can be understood that the conflict relationship among the information location directory, the file type and the request method corresponding to the request message is not a more intuitive feature extracted in the existing passive scanning prevention method. The malicious objects are detected according to whether the conflicts exist or not, and the detection blind spots of the known detection method can be covered, so that the accuracy of detecting the malicious behaviors is improved.
S104, determining the detection result of at least one request message based on at least one piece of first weight information corresponding to at least one request message.
In this embodiment of the present invention, the network security device may determine a detection result of the at least one request packet based on the at least one piece of first weight information. Wherein, one request message may be matched with a plurality of pieces of first weight information, and the determination of the detection result of one request message needs to be carried out by integrating all the first weight information matched with the request message.
It can be understood that, when detecting a malicious object, the request message is determined by integrating all the first weight information corresponding to one request message, so that misdetermination caused by single determination basis can be effectively avoided, and the accuracy of detecting malicious behaviors is improved. Furthermore, a malicious object implementing the malicious behavior can be determined according to the malicious behavior, and then subsequent processing such as IP (Internet protocol) blocking can be performed on the malicious object.
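The lookup and decision described in S102 through S104, together with the threshold rule and the risk-file-type count from the summary of the invention, as an added example that is not part of the patent text or of Sangfor's product. The conflict tables, the weights, the thresholds and the sample request lines are all constructed for illustration; the function and constant names are the example's own.

```python
from urllib.parse import urlsplit

# Constructed first preset conflict relationship: (request method, file type)
# pairs considered abnormal, each with its first sub-weight (a 0-100 score).
METHOD_FILETYPE_CONFLICTS = {
    ("POST", "tar"): 60,
    ("POST", "zip"): 60,
    ("HEAD", "php"): 20,
}

# Constructed second preset conflict relationship: (directory prefix, file type)
# pairs that normally do not occur together, each with its second sub-weight.
DIRECTORY_FILETYPE_CONFLICTS = {
    ("/js/", "tar"): 50,
    ("/js/", "php"): 50,
    ("/images/", "php"): 70,
    ("/css/", "exe"): 90,
}

# Constructed thresholds for the summary's decision rule.
FIRST_MALICIOUS_SCORE_THRESHOLD = 80       # one weight above this -> malicious
FIRST_MALICIOUS_WEIGHTING_THRESHOLD = 100  # sum of the rest above this -> malicious
FIRST_MALICIOUS_TYPE_THRESHOLD = 2         # distinct risky file types per object


def parse_request_line(line):
    """Extract (method, information location directory, file type) from an HTTP
    request line such as 'POST /js/time/a.tar?x=1 HTTP/1.1'.  The directory is
    the URL path up to and including the last '/', the file type is the
    lower-cased extension ('' when the path has none)."""
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("not an HTTP request line: %r" % line)
    method, target, _version = parts
    path = urlsplit(target).path              # query string is not part of the path
    head, _, name = path.rpartition("/")
    file_type = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return method.upper(), head + "/", file_type


def first_weight_information(method, directory, file_type):
    """Return the sub-weights matched in the preset conflict relationships.
    An empty list means no conflict was found for this request message."""
    weights = []
    w = METHOD_FILETYPE_CONFLICTS.get((method, file_type))
    if w is not None:
        weights.append(w)
    for (prefix, ftype), w in DIRECTORY_FILETYPE_CONFLICTS.items():
        if ftype == file_type and directory.startswith(prefix):
            weights.append(w)
    return weights


def detect(weights):
    """Decision rule: any single weight above the score threshold is malicious
    on its own; otherwise the weights at or below it are summed and compared
    with the weighting threshold, so several weak signals can still convict."""
    if any(w > FIRST_MALICIOUS_SCORE_THRESHOLD for w in weights):
        return "malicious"
    total = sum(w for w in weights if w <= FIRST_MALICIOUS_SCORE_THRESHOLD)
    return "malicious" if total > FIRST_MALICIOUS_WEIGHTING_THRESHOLD else "normal"


def detect_object(request_lines):
    """Score every request line of one object to be detected.  Returns the
    per-request results and an object-level verdict that also applies the
    risk-file-type count rule: a client touching more distinct conflicting
    file types than the type threshold is treated as scanning."""
    results = {}
    risk_types = set()
    for line in request_lines:
        method, directory, file_type = parse_request_line(line)
        weights = first_weight_information(method, directory, file_type)
        if weights:
            risk_types.add(file_type)
        results[line] = detect(weights)
    scanning = len(risk_types) > FIRST_MALICIOUS_TYPE_THRESHOLD
    verdict = "malicious" if scanning or "malicious" in results.values() else "normal"
    return results, verdict


# Constructed sample traffic from one client (not captured data).
SAMPLE_REQUESTS = [
    "GET /js/time/app.js HTTP/1.1",        # expected file type: no conflict
    "POST /upload/backup.tar HTTP/1.1",    # one weak signal (60): normal alone
    "POST /js/time/shell.tar HTTP/1.1",    # 60 + 50 = 110 > 100: malicious
    "GET /images/index.php HTTP/1.1",      # 70: normal alone, but a risky type
    "GET /css/style.exe HTTP/1.1",         # 90 > 80: malicious on its own
]

if __name__ == "__main__":
    per_request, verdict = detect_object(SAMPLE_REQUESTS)
    for line, result in per_request.items():
        print("%-36s %s" % (line, result))
    print("object verdict:", verdict)
```

The two sub-weights for the third sample line show the integration the text describes: neither the POST/tar combination nor the /js/ directory/tar combination is decisive alone, but their sum crosses the weighting threshold. The object-level verdict adds the distinct-risk-type count, which catches a scanner that probes many file types while keeping every individual request below the score threshold.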
In some embodiments of the present invention, referring to fig. 3, which is an optional flowchart of the method provided in the embodiments of the present invention, S101 shown in fig. 1 may be followed by S105-S106, and S104 shown in fig. 1 may be implemented by S107 shown in fig. 3, which will be described with reference to these steps.
S105, screening whether at least one request message contains special information, wherein the special information comprises: information location sensitive words or scanner fingerprints.
In the embodiment of the invention, the network security equipment can pre-extract the information position sensitive words or scanner fingerprints with high frequency in the historical scanning flow into the regular expression. And then, screening the content of the request message by using a regular expression to screen out whether the request message contains information position sensitive words or scanner fingerprints.
The information position sensitive word may be a URL sensitive word, which is content that is not frequently present in a normal request message. The scanner fingerprint is characteristic information left in a request message when a malicious object scans server website information by using a scanner.
S106, if each request message contains the special information, second weight information corresponding to each request message is obtained from a preset special information base, and therefore at least one piece of second weight information corresponding to at least one request message is obtained.
In the embodiment of the invention, a preset special information base is stored in the network security equipment, wherein the preset special information base comprises special information such as information position sensitive words or scanner fingerprints and the like, and corresponding weight information configured for different special information respectively.
Further, if each request message includes special information, the network security device may obtain, from a preset special information base, second weight information corresponding to each request message, so as to obtain at least one piece of second weight information corresponding to at least one request message. The second weight information is the weight information corresponding to each request message obtained from the preset special information base, and represents the probability that the request message belongs to the malicious messages.
In the embodiment of the invention, the network security equipment can also couple the weight information in the preset special information base with the regular expression, so that when the regular expression is used for screening out the special information contained in the request message, the second weight information corresponding to the request message is directly obtained.
It can be understood that, after the network security device obtains at least one piece of weight information including the second weight information, the network security device may determine the request message by synthesizing all pieces of weight information corresponding to one request message to determine whether the object to be detected corresponding to the request message is a malicious object. Therefore, misjudgment caused by single judgment basis can be effectively avoided, and the accuracy rate of detecting malicious behaviors is improved.
S107, determining the detection result of at least one request message according to at least one piece of first weight information and at least one piece of second weight information.
In the embodiment of the invention, the network security equipment determines the detection result of at least one request message according to at least one piece of first weight information and at least one piece of second weight information. The first weight information refers to weight information corresponding to each request message obtained from a preset conflict relationship, and the second weight information refers to weight information corresponding to each request message obtained from a preset special information base.
It can be understood that, the first weight information and the second weight information are integrated to determine the detection result of the request packet, so that the judgment basis can be increased, and the accuracy of the detection result can be improved.
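To illustrate S105 and S106, the following Python example (added here; it is not code from the patent or from Sangfor) builds a small special information base in which each regular expression is coupled with its weight, as the text describes, so that a match directly yields the second weight information. The patterns, weights, historical scan paths and request messages are all constructed for the example, and the frequency-extraction helper is a simple count over historical paths standing in for whatever extraction the patent leaves unspecified.

```python
import re
from collections import Counter

# Constructed preset special information base: (regex, kind, weight). Each regular
# expression is coupled with its weight so that a hit directly yields the second
# weight information. Patterns and weights are illustrative, not the patent's own.
SPECIAL_INFO_BASE = [
    # information position sensitive words: URL content rarely seen in normal requests
    (r"/\.git/", "url_sensitive_word", 40),
    (r"/backup-old/", "url_sensitive_word", 30),              # constructed path
    # scanner fingerprints: traces a scanning tool leaves in the request (constructed names)
    (r"^User-Agent:.*example-scanner/", "scanner_fingerprint", 60),
    (r"^X-Example-Scan-Id:", "scanner_fingerprint", 50),
]

COMPILED_BASE = [
    (re.compile(pattern, re.IGNORECASE | re.MULTILINE), kind, weight)
    for pattern, kind, weight in SPECIAL_INFO_BASE
]


def extract_high_frequency_words(historical_scan_paths, min_count=2):
    """Pre-extraction step of S105 (hypothetical helper): keep URL paths that recur
    in historical scanning traffic and turn each into a literal regular expression."""
    counts = Counter(historical_scan_paths)
    frequent = sorted(path for path, n in counts.items() if n >= min_count)
    return [re.escape(path) for path in frequent]


def screen_special_information(request_message):
    """S105/S106: screen one raw request message with the regular expressions and
    return [(kind, weight), ...], i.e. the second weight information it matched."""
    return [
        (kind, weight)
        for regex, kind, weight in COMPILED_BASE
        if regex.search(request_message)
    ]


# Constructed request messages for the example.
SCAN_REQUEST = (
    "GET /.git/config HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: example-scanner/1.0\r\n"
    "\r\n"
)
NORMAL_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(screen_special_information(SCAN_REQUEST))    # [('url_sensitive_word', 40), ('scanner_fingerprint', 60)]
    print(screen_special_information(NORMAL_REQUEST))  # []
```

Because the weight travels with the pattern, the screening step and the lookup in the special information base collapse into one pass, which is the coupling the paragraph above describes.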
In some embodiments of the present invention, referring to fig. 4 and fig. 5, fig. 4 and fig. 5 are schematic diagrams of an optional flow of a method provided by an embodiment of the present invention, S101 shown in fig. 1 may further include S108-S110 shown in fig. 4 and fig. 5, and S104 shown in fig. 1 may be implemented by S111 shown in fig. 4 and S112 shown in fig. 5, respectively, which will be described with reference to each step.
S108, receiving at least one response message responding to the at least one request message; the at least one response message is obtained by the server responding after receiving the at least one request message.
In the embodiment of the present invention, the network security device may receive at least one response packet sent by the server, where the at least one response packet is obtained by the server responding to the received at least one request packet.
S109, analyzing at least one response message to obtain response information corresponding to each response message.
In the embodiment of the invention, after the network security equipment receives at least one response message, the content of each response message is analyzed to obtain the response information corresponding to each response message. The response information contains a response code and other information, and can represent the response state of the server to the request message.
S110, if the response information represents that the content to be requested is not found, obtaining third weight information corresponding to each request message from a preset abnormal response relation, thereby obtaining at least one piece of third weight information corresponding to at least one request message.
In the embodiment of the invention, the network security equipment stores the preset abnormal response relationship, which comprises abnormal response information and the weight information configured for each kind of abnormal response information. The abnormal response information represents that the response state of the server to the request message is abnormal. For example, when the response code is 404, the server did not find (Not Found) the content to be requested; if the response code is 200 but the response message contains Not Found related content, the server did not find the originally requested content, performed a jump, and used the content obtained after the jump as the response content.
Further, if the response information indicates that the content to be requested is not found, the network security device may obtain, from the preset abnormal response relationship, third weight information corresponding to each request packet, so as to obtain at least one piece of third weight information corresponding to at least one request packet. The third weight information refers to weight information corresponding to each request message, which is obtained from a preset abnormal response relationship.
It can be understood that, after the network security device obtains at least one piece of weight information including the third weight information, the network security device may judge the request message by synthesizing all weight information corresponding to one request message to determine whether the object to be detected corresponding to the request message is a malicious object. Therefore, misjudgment caused by a single judgment basis can be effectively avoided, and the accuracy rate of detecting malicious behaviors is improved.
S111, determining a detection result of at least one request message according to the at least one first weight information and the at least one third weight information.
In the embodiment of the invention, the network security equipment determines the detection result of at least one request message according to at least one piece of first weight information and at least one piece of third weight information. The third weight information refers to weight information corresponding to each request message obtained from a preset abnormal response relationship.
It can be understood that, the first weight information and the third weight information are integrated to determine the detection result of the request packet, so that the judgment basis can be increased, and the accuracy of the detection result can be improved.
S112, determining a detection result of at least one request message according to at least one piece of first weight information, at least one piece of second weight information and at least one piece of third weight information.
In the embodiment of the invention, the network security equipment determines the detection result of at least one request message according to at least one piece of first weight information, at least one piece of second weight information and at least one piece of third weight information.
It can be understood that, the first weight information, the second weight information and the third weight information are integrated to determine the detection result of the request packet, so that the determination basis can be increased, and the accuracy of the detection result can be improved.
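An added example of S108 to S110 (not the patent's or Sangfor's code): parsing raw HTTP response messages and looking up the third weight information in a constructed abnormal response relation, covering both the plain 404 case and the 200-after-jump case described above. The relation, its weights, the Not Found pattern and the sample response messages are assumptions made for the example.

```python
import re

# Constructed preset abnormal response relationship: abnormal response information -> third weight.
# The values are illustrative; the patent does not fix them.
ABNORMAL_RESPONSE_RELATION = {
    "not_found_404": 20,         # response code 404: content to be requested not found
    "not_found_after_jump": 25,  # response code 200 but the body carries Not Found content
}

# Constructed pattern for "Not Found related content" in a 200 response body.
NOT_FOUND_CONTENT = re.compile(r"\bnot found\b", re.IGNORECASE)


def parse_response(response_message):
    """S109: split a raw HTTP response message into (response code, headers, body)."""
    head, _, body = response_message.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, code, *_reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def third_weight_information(response_message):
    """S110: if the response information says the content was not found, return
    (abnormal response information, third weight); otherwise None."""
    code, _headers, body = parse_response(response_message)
    if code == 404:
        return ("not_found_404", ABNORMAL_RESPONSE_RELATION["not_found_404"])
    if code == 200 and NOT_FOUND_CONTENT.search(body):
        # the server jumped to another page and answered 200 with Not Found content
        return ("not_found_after_jump", ABNORMAL_RESPONSE_RELATION["not_found_after_jump"])
    return None


# Constructed response messages for the example.
RESP_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>404</h1>"
RESP_SOFT_404 = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<title>Page Not Found</title>"
)
RESP_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Welcome</h1>"

if __name__ == "__main__":
    for resp in (RESP_404, RESP_SOFT_404, RESP_OK):
        print(third_weight_information(resp))
```

The 200-with-Not-Found case is the one a status-code-only check misses, which is why the text treats the body content as part of the response information rather than relying on the response code alone.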
In some embodiments of the present invention, referring to fig. 6, fig. 6 is an optional flowchart of a method provided in the embodiments of the present invention, and S104 shown in fig. 1 may be implemented through S201 shown in fig. 6, which will be described with reference to steps.
S201, if at least one piece of first weight information corresponding to at least one request message has first target weight information which is larger than a first malicious score threshold value, determining that a detection result of the request message corresponding to the first target weight information is malicious behavior.
In the embodiment of the invention, the network security equipment presets a first malicious score threshold. If the network security equipment detects that first target weight information larger than the first malicious score threshold exists in at least one piece of first weight information corresponding to at least one request message, this indicates that the weight information hits the first feature, and the detection result of the request message corresponding to the first target weight information is directly determined to be malicious behavior.
The weight information hitting the first feature indicates that a high-risk situation has occurred, and the request message corresponding to the weight information is very likely to be a malicious behavior, so the request message is directly determined to be a malicious behavior.
It can be understood that the first malicious score threshold is preset to judge the high risk condition in different first weight information, so that the high risk condition can be screened out most timely and processed correspondingly, and the attack of malicious behaviors can be prevented rapidly.
In some embodiments of the present invention, referring to fig. 6, fig. 6 is an optional flowchart of the method provided in the embodiments of the present invention, and S104 shown in fig. 1 may be implemented through S202-S204 shown in fig. 6, which will be described with reference to each step.
S202, if second target weight information smaller than or equal to the first malicious score threshold exists in at least one first weight information corresponding to at least one request message, adding the second target weight information to obtain a first weighting result.
In the embodiment of the invention, if the network security equipment detects that second target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of first weight information, this indicates that the weight information hits the second characteristic, and the network security equipment adds the second target weight information to obtain a first weighting result.
The weight information hitting the second characteristic indicates that a low-risk condition has occurred, and a comprehensive judgment is needed.
It can be understood that the low risk condition is comprehensively judged, so that misjudgment can be reduced, and the accuracy of detecting the malicious behavior is improved.
S203, if the first weighting result is smaller than or equal to the first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a normal behavior.
In the embodiment of the present invention, if the first weighting result is less than or equal to the first malicious weighting threshold, the network security device determines that the detection result of the request packet corresponding to the second target weight information is a normal behavior.
S204, if the first weighting result is greater than the first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a malicious behavior.
In the embodiment of the present invention, if the first weighting result is greater than the first malicious weighting threshold, the network security device determines that the detection result of the request packet corresponding to the second target weight information is a malicious behavior.
In some embodiments of the present invention, S104 shown in fig. 1 may be implemented through the following S205, which will be described in conjunction with various steps.
S205, determining a detection result of at least one request message according to at least one of the at least one second weight information and the at least one third weight information, and the at least one first weight information.
In the embodiment of the invention, the network security equipment determines the detection result of at least one request message according to at least one of the at least one second weight information and the at least one third weight information, and the at least one first weight information.
It is to be understood that a comprehensive judgment combining the at least one piece of first weight information with the further weight information determines whether the object to be detected corresponding to the request message is a malicious object, so that misjudgment caused by a single judgment basis can be effectively avoided, and the accuracy of detecting malicious behaviors is improved.
In some embodiments of the present invention, referring to fig. 7, fig. 7 is an optional flowchart of the method provided in the embodiments of the present invention, and S113 to S115 may be further included after S101 shown in fig. 1, which will be described with reference to the steps.
S113, analyzing each request message in the at least one request message to respectively obtain one-to-one corresponding request parameters.
In the embodiment of the invention, the network security equipment analyzes each request message in at least one request message to respectively obtain the request parameters corresponding to each request message. Wherein, in the request message, the request parameters are usually recorded after the URL, separated by the identifier. The request parameter includes information of the object to be detected.
S114, counting the number of the request parameters corresponding to each request message and each request message.
In the embodiment of the invention, the network security equipment counts the number of request parameters in each request message. The number of request parameters reflects the amount of information about the object to be detected. Generally, a malicious object sends few request parameters, that is, its information amount is small; a normal object sends many request parameters, that is, its information amount is large.
It can be understood that the number of the request parameters can be used as another basis for determining whether the object to be detected is a malicious object.
S115, determining the detection result of at least one request message according to at least one of the at least one second weight information and the at least one third weight information, the at least one first weight information and the number of the request parameters.
In the embodiment of the present invention, the network security device determines the detection result of at least one request packet according to at least one of the at least one second weight information and the at least one third weight information, the at least one first weight information, and the number of request parameters corresponding to each request packet.
It can be understood that the number of the added request parameters is used as one of the bases for judging whether the object to be detected is a malicious object, and the judgment accuracy can be effectively improved.
In some embodiments of the present invention, the above S301 may be implemented by the following S3011 to S3013, which will be described in conjunction with the respective steps.
S3011, if second target weight information smaller than or equal to a first malicious score threshold exists in the at least one piece of first weight information and third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, adding the second target weight information and the third target weight information to obtain a second weighting result.
In the embodiment of the invention, if second target weight information smaller than or equal to a first malicious score threshold exists in at least one piece of first weight information and third target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of second weight information, the network security equipment adds the second target weight information and the third target weight information to obtain a second weighting result. Wherein being less than or equal to the first malicious score threshold indicates that the weight information corresponds to a low risk condition.
It can be understood that the low risk condition is comprehensively judged, so that misjudgment can be reduced, and the accuracy of detecting the malicious behavior is improved.
S3012, if the second weighting result is smaller than or equal to a second malicious weighting threshold, the detection results of the request messages corresponding to the second target weight information and the third target weight information are normal behaviors.
In the embodiment of the present invention, if the second weighting result is less than or equal to the second malicious weighting threshold, the network security device determines that the detection results of the request packets corresponding to the second target weight information and the third target weight information are normal behaviors.
S3013, if the second weighting result is greater than the second malicious weighting threshold, the detection results of the request packets corresponding to the second target weight information and the third target weight information are malicious behaviors.
In the embodiment of the present invention, if the second weighting result is greater than the second malicious weighting threshold, the network security device determines that the detection results of the request packets corresponding to the second target weight information and the third target weight information are malicious behaviors.
In some embodiments of the present invention, the above S302 may be implemented by the following S3021 to S3023, which will be described in conjunction with the respective steps.
S3021, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, adding the second target weight information and the fourth target weight information to obtain a third weighting result.
In the embodiment of the invention, if second target weight information smaller than or equal to a first malicious score threshold exists in at least one piece of first weight information and fourth target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of third weight information, the network security equipment adds the second target weight information and the fourth target weight information to obtain a third weighting result. Wherein less than or equal to the first malicious score threshold indicates that the weight information corresponds to a low risk condition.
It can be understood that the low risk condition is comprehensively judged, so that misjudgment can be reduced, and the accuracy of detecting the malicious behavior is improved.
S3022, if the third weighting result is less than or equal to the third malicious weighting threshold, the detection results of the request messages respectively corresponding to the second target weight information and the fourth target weight information are normal behaviors.
In the embodiment of the present invention, if the third weighting result is less than or equal to the third malicious weighting threshold, the network security device determines that the detection results of the request packets corresponding to the second target weight information and the fourth target weight information are normal behaviors.
S3023, if the third weighting result is greater than the third malicious weighting threshold, determining that the detection results of the request messages respectively corresponding to the second target weight information and the fourth target weight information are malicious behaviors.
In the embodiment of the present invention, if the third weighting result is greater than the third malicious weighting threshold, the network security device determines that the detection results of the request packets corresponding to the second target weight information and the fourth target weight information are malicious behaviors.
In some embodiments of the present invention, the above S303 may be implemented by the following S3031 to S3033, which will be described in conjunction with each step.
S3031, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, adding the second target weight information, the third target weight information and the fourth target weight information to obtain a fourth weighting result.
In the embodiment of the present invention, if second target weight information that is less than or equal to a first malicious score threshold exists in at least one piece of first weight information, third target weight information that is less than or equal to the first malicious score threshold exists in at least one piece of second weight information, and fourth target weight information that is less than or equal to the first malicious score threshold exists in at least one piece of third weight information, the network security device adds the second target weight information, the third target weight information, and the fourth target weight information to obtain a fourth weighting result. Wherein less than or equal to the first malicious score threshold indicates that the weight information corresponds to a low risk condition.
It can be understood that the low risk condition is comprehensively judged, so that misjudgment can be reduced, and the accuracy of detecting the malicious behavior is improved.
S3032, if the fourth weighting result is less than or equal to the fourth malicious weighting threshold, the detection results of the request packets respectively corresponding to the second target weight information, the third target weight information, and the fourth target weight information are normal behaviors.
In the embodiment of the present invention, if the fourth weighting result is less than or equal to the fourth malicious weighting threshold, the network security device determines that the detection results of the request packets respectively corresponding to the second target weight information, the third target weight information, and the fourth target weight information are normal behaviors.
S3033, if the fourth weighting result is greater than the fourth malicious weighting threshold, the detection results of the request messages respectively corresponding to the second target weight information, the third target weight information and the fourth target weight information are malicious behaviors.
In the embodiment of the present invention, if the fourth weighting result is greater than the fourth malicious weighting threshold, the network security device determines that the detection results of the request packets respectively corresponding to the second target weight information, the third target weight information, and the fourth target weight information are malicious behaviors.
In some embodiments of the present invention, S202 shown in fig. 6 may be implemented through the following S401 to S402, which will be described in conjunction with various steps.
S401, if second target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of first weight information, and the number of request parameters of the request message corresponding to the second target weight information is smaller than or equal to a goodwill request parameter number threshold, this indicates that the request message corresponding to the second target weight information hits the second feature, and the second target weight information is added to obtain a first weighting result.
In the embodiment of the present invention, if at least one piece of first weight information includes second target weight information that is less than or equal to the first malicious score threshold, and the number of request parameters of the request packet corresponding to the second target weight information is less than or equal to the goodwill request parameter number threshold, this indicates that the request packet corresponding to the second target weight information hits the second feature. The network security equipment then adds the second target weight information to obtain the first weighting result.
It can be understood that the low-risk weight information is comprehensively judged by combining the number of the request parameters, so that misjudgment can be reduced, and the accuracy of detecting malicious behaviors can be improved.
S402, if second target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of first weight information, and among the request messages corresponding to the second target weight information there is a first target request message whose number of request parameters is greater than the goodwill request parameter number threshold, this indicates that the first target request message does not hit the second feature and that the first other request messages (the request messages corresponding to the second target weight information other than the first target request message) hit the second feature; the first other target weight information, i.e. the part of the second target weight information corresponding to the first other request messages, is then added to obtain the first weighting result.
In the embodiment of the present invention, if second target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of first weight information, and among the request messages corresponding to the second target weight information there is a first target request message whose number of request parameters is greater than the goodwill request parameter number threshold, this indicates that the first target request message does not hit the second feature, and that the first other request messages, being the request messages corresponding to the second target weight information other than the first target request message, hit the second feature. The network security equipment then adds the first other target weight information corresponding to the first other request messages within the second target weight information to obtain the first weighting result.
It can be understood that the low-risk weight information is comprehensively judged by combining the number of the request parameters, so that misjudgment can be reduced, and the accuracy of detecting malicious behaviors can be improved.
In some embodiments of the present invention, S3011 may be implemented through the following S403 to S405, which will be described in conjunction with the steps.
S403, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, and the number of request parameters of the request message corresponding to the second target weight information and the number of request parameters of the request message corresponding to the third target weight information are both smaller than or equal to the goodwill request parameter number threshold, this indicates that the request messages corresponding to the second target weight information and the third target weight information hit the second feature. The network security equipment then adds the second target weight information and the third target weight information to obtain the second weighting result.
In the embodiment of the present invention, if at least one piece of first weight information includes second target weight information smaller than or equal to the first malicious score threshold, at least one piece of second weight information includes third target weight information smaller than or equal to the first malicious score threshold, and the numbers of request parameters of the request packets corresponding to the second target weight information and to the third target weight information are both smaller than or equal to the goodwill request parameter number threshold, this indicates that the request packets corresponding to the second target weight information and the third target weight information hit the second feature, and the second target weight information and the third target weight information are added to obtain the second weighting result.
It can be understood that the low-risk weight information is comprehensively judged by combining the number of the request parameters, so that misjudgment can be reduced, and the accuracy of detecting malicious behaviors can be improved.
S404, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information and third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, acquiring the number of first request parameters of a request message corresponding to the second target weight information and the number of second request parameters of the request message corresponding to the third target weight information.
In the embodiment of the present invention, if second target weight information smaller than or equal to a first malicious score threshold exists in at least one piece of first weight information, and third target weight information smaller than or equal to the first malicious score threshold exists in at least one piece of second weight information, the network security device obtains the number of first request parameters of a request packet corresponding to the second target weight information, and the number of second request parameters of the request packet corresponding to the third target weight information.
It can be understood that the low-risk weight information is comprehensively judged by combining the number of the request parameters, so that the misjudgment can be reduced, and the accuracy of detecting the malicious behavior can be improved.
S405, if a first target request message with the number of the first request parameters larger than the threshold value of the number of the goodwill request parameters and/or a second target request message with the number of the second request parameters larger than the threshold value of the number of the goodwill request parameters exist in the number of the first request parameters, the fact that the first target request message and/or the second target request message does not hit the second feature is represented, a first other request message except the first target request message in the request message corresponding to the second target weight information and/or a second other request message except the second target request message in the request message corresponding to the third target weight information hit the second feature, and first other target weight information corresponding to the first other request message and/or second other target weight information corresponding to the second other request message are added to obtain a second weighting result.
In the embodiment of the present invention, if there is a first target request packet whose number is greater than the threshold of the number of the goodwill request parameters in the number of the first request parameters and/or a second target request packet whose number is greater than the threshold of the number of the goodwill request parameters, it is characterized that the first target request packet and/or the second target request packet miss the second feature, and a first other request packet except the first target request packet in a request packet corresponding to the second target weight information and/or a second other request packet except the second target request packet in a request packet corresponding to the third target weight information hit the second feature. And the network security equipment adds the first other target weight information corresponding to the first other request message and/or the second other target weight information corresponding to the second other request message to obtain a second weighting result.
It can be understood that the low-risk weight information is comprehensively judged by combining the number of the request parameters, so that the misjudgment can be reduced, and the accuracy of detecting the malicious behavior can be improved.
In some embodiments of the present invention, S3021 may be implemented by the following S406 to S408, which will be described with reference to the respective steps.
S406, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, the number of request parameters of the request message corresponding to the second target weight information is smaller than or equal to the goodwill request parameter number threshold, and the number of request parameters of the request message corresponding to the fourth target weight information is smaller than or equal to the goodwill request parameter number threshold, this indicates that the request messages corresponding to the second target weight information and the fourth target weight information hit the second feature, and the second target weight information and the fourth target weight information are added to obtain the third weighting result.
In the embodiment of the present invention, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, the number of request parameters of the request message corresponding to the second target weight information is smaller than or equal to the goodwill request parameter number threshold, and the number of request parameters of the request message corresponding to the fourth target weight information is smaller than or equal to the goodwill request parameter number threshold, this indicates that the request messages corresponding to the second target weight information and the fourth target weight information hit the second feature. The network security device then adds the second target weight information and the fourth target weight information to obtain the third weighting result.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
S407, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, acquire the number of first request parameters of the request message corresponding to the second target weight information and the number of third request parameters of the request message corresponding to the fourth target weight information.
In the embodiment of the present invention, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, the network security device obtains the number of first request parameters of the request message corresponding to the second target weight information and the number of third request parameters of the request message corresponding to the fourth target weight information.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
S408, if a first target request message whose number of first request parameters is larger than the goodwill request parameter number threshold exists among the request messages corresponding to the second target weight information, and/or a third target request message whose number of third request parameters is larger than the goodwill request parameter number threshold exists among the request messages corresponding to the fourth target weight information, this indicates that the first target request message and/or the third target request message does not hit the second feature, while the first other request messages (the request messages corresponding to the second target weight information other than the first target request message) and/or the third other request messages (the request messages corresponding to the fourth target weight information other than the third target request message) hit the second feature; the first other target weight information corresponding to the first other request messages and/or the third other target weight information corresponding to the third other request messages are added to obtain the third weighting result.
In the embodiment of the present invention, if a first target request message whose number of first request parameters is larger than the goodwill request parameter number threshold and/or a third target request message whose number of third request parameters is larger than the goodwill request parameter number threshold exists, this indicates that the first target request message and/or the third target request message misses the second feature, while the first other request messages (the request messages corresponding to the second target weight information other than the first target request message) and/or the third other request messages (the request messages corresponding to the fourth target weight information other than the third target request message) hit the second feature. The network security device then adds the first other target weight information corresponding to the first other request messages and/or the third other target weight information corresponding to the third other request messages to obtain the third weighting result.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
In some embodiments of the present invention, the above S3031 may be implemented by the following S409 to S411, which will be described with reference to the respective steps.
S409, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, and the number of request parameters of the request messages corresponding to the second target weight information, the third target weight information and the fourth target weight information is in each case smaller than or equal to the goodwill request parameter number threshold, this indicates that the request messages corresponding to the second target weight information, the third target weight information and the fourth target weight information hit the second feature, and the second target weight information, the third target weight information and the fourth target weight information are added to obtain the fourth weighting result.
In the embodiment of the present invention, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, the number of request parameters of the request message corresponding to the second target weight information is smaller than or equal to the goodwill request parameter number threshold, the number of request parameters of the request message corresponding to the third target weight information is smaller than or equal to the goodwill request parameter number threshold, and the number of request parameters of the request message corresponding to the fourth target weight information is smaller than or equal to the goodwill request parameter number threshold, this indicates that the request messages corresponding to the second target weight information, the third target weight information and the fourth target weight information hit the second feature. The network security device then adds the second target weight information, the third target weight information and the fourth target weight information to obtain the fourth weighting result.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
S410, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, acquire the number of first request parameters of the request message corresponding to the second target weight information, the number of second request parameters of the request message corresponding to the third target weight information, and the number of third request parameters of the request message corresponding to the fourth target weight information.
In the embodiment of the present invention, if second target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of first weight information, third target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of second weight information, and fourth target weight information smaller than or equal to the first malicious score threshold exists in the at least one piece of third weight information, the network security device obtains the number of first request parameters of the request message corresponding to the second target weight information, the number of second request parameters of the request message corresponding to the third target weight information, and the number of third request parameters of the request message corresponding to the fourth target weight information.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
S411, if a first target request message whose number of first request parameters is larger than the goodwill request parameter number threshold exists, and/or a second target request message whose number of second request parameters is larger than the goodwill request parameter number threshold exists, and/or a third target request message whose number of third request parameters is larger than the goodwill request parameter number threshold exists, this indicates that the first target request message, and/or the second target request message, and/or the third target request message does not hit the second feature, while the first other request messages (the request messages corresponding to the second target weight information other than the first target request message), and/or the second other request messages (the request messages corresponding to the third target weight information other than the second target request message), and/or the third other request messages (the request messages corresponding to the fourth target weight information other than the third target request message) hit the second feature; the first other target weight information corresponding to the first other request messages, and/or the second other target weight information corresponding to the second other request messages, and/or the third other target weight information corresponding to the third other request messages are added to obtain the fourth weighting result.
In the embodiment of the present invention, if a first target request message whose number of first request parameters is larger than the goodwill request parameter number threshold exists, and/or a second target request message whose number of second request parameters is larger than the goodwill request parameter number threshold exists, and/or a third target request message whose number of third request parameters is larger than the goodwill request parameter number threshold exists, the first target request message, and/or the second target request message, and/or the third target request message does not hit the second feature, while the first other request messages (the request messages corresponding to the second target weight information other than the first target request message), and/or the second other request messages (the request messages corresponding to the third target weight information other than the second target request message), and/or the third other request messages (the request messages corresponding to the fourth target weight information other than the third target request message) hit the second feature. The network security device then adds the first other target weight information corresponding to the first other request messages, and/or the second other target weight information corresponding to the second other request messages, and/or the third other target weight information corresponding to the third other request messages to obtain the fourth weighting result.
It can be understood that judging the low-risk weight information comprehensively, in combination with the number of request parameters, reduces misjudgment and improves the accuracy of detecting malicious behaviors.
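The steps S403 to S411 above apply one rule to two or three sources of weight information: a weight at or below the first malicious score threshold is pooled only if its request message carries no more request parameters than the goodwill request parameter number threshold. The following is an added example written for this page, not code from the patent or from Sangfor; it generalises the rule to any number of weight-information sources and shows how the parameter-count gate changes the outcome. The threshold values, the `ScoredRequest` type, the `parameter_count` convention (query-string parameters of the request target) and the sample request lines are all constructed assumptions; the patent gives no concrete numbers.

```python
# Added example (not code from the patent or its assignee): the low-risk weighting of
# S403-S411 written out for any number of weight-information sources, with the
# goodwill request parameter count gate. All thresholds are constructed sample values.
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

FIRST_MALICIOUS_SCORE_THRESHOLD = 50   # a weight above this is a high-risk (first feature) hit
GOODWILL_PARAM_COUNT_THRESHOLD = 4     # more parameters than this: the request misses the second feature
MALICIOUS_WEIGHTING_THRESHOLD = 60     # pooled low-risk weights above this -> malicious behavior


@dataclass
class ScoredRequest:
    """One request message plus the weight that one scoring source assigned to it."""
    request_line: str   # e.g. "GET /index.php?id=1 HTTP/1.1" (constructed format)
    weight: int

    @property
    def parameter_count(self) -> int:
        """Number of request parameters, taken here as the query-string parameters of the target."""
        target = self.request_line.split()[1]
        return len(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def low_risk_weighting(groups: Dict[str, List[ScoredRequest]]) -> Tuple[int, List[str]]:
    """Return (weighting result, request lines excluded by the parameter-count gate).

    `groups` maps a source of weight information ("first", "second", "third", ...)
    to its scored requests. A weight above the malicious score threshold is not
    pooled here (it belongs to the first-feature path). A low-risk weight whose
    request carries more parameters than the goodwill threshold misses the second
    feature and is excluded; the remaining low-risk weights are added together.
    """
    total = 0
    excluded: List[str] = []
    for source, requests in groups.items():
        for req in requests:
            if req.weight > FIRST_MALICIOUS_SCORE_THRESHOLD:
                continue
            if req.parameter_count > GOODWILL_PARAM_COUNT_THRESHOLD:
                excluded.append(f"{source}: {req.request_line}")
                continue
            total += req.weight
    return total, excluded


def detect(groups: Dict[str, List[ScoredRequest]]) -> str:
    """Compare the weighting result with the malicious weighting threshold."""
    total, _ = low_risk_weighting(groups)
    return "malicious" if total > MALICIOUS_WEIGHTING_THRESHOLD else "normal"


# Constructed sample input: two weight-information sources scoring four request messages.
SAMPLE_GROUPS = {
    "first": [
        ScoredRequest("GET /index.php?id=1 HTTP/1.1", 20),
        # five parameters > goodwill threshold of four: excluded from the sum
        ScoredRequest("GET /search?q=a&page=2&sort=asc&lang=en&x=1 HTTP/1.1", 30),
    ],
    "second": [
        ScoredRequest("POST /upload.asp HTTP/1.1", 25),
        ScoredRequest("GET /admin HTTP/1.1", 80),  # high risk: first-feature path, not pooled
    ],
}

if __name__ == "__main__":
    total, excluded = low_risk_weighting(SAMPLE_GROUPS)
    print(total, excluded, detect(SAMPLE_GROUPS))
```

With the sample input the pooled result is 45, so the object is judged normal; without the parameter-count gate the same three low-risk weights would sum to 75 and cross the weighting threshold, which is the misjudgment the steps above are designed to avoid.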
In some embodiments of the present invention, referring to fig. 8, which is an optional flowchart of the method provided in the embodiments of the present invention, the weight information corresponding to each request message includes first sub-weight information and second sub-weight information, and S103 shown in fig. 1 may be implemented by S1031 to S1032, which will be described with reference to the respective steps.
S1031, if a conflict exists between the request method and the file type, obtain the first sub-weight information corresponding to each request message from the first preset conflict relationship.
In the embodiment of the invention, if a conflict exists between the request method and the file type in each request message, the network security device obtains the first sub-weight information corresponding to each request message from the first preset conflict relationship. The first preset conflict relationship is the part of the preset conflict relationship that covers conflicts between the request method and the file type. The first sub-weight information is the weight information corresponding to each request message obtained from the first preset conflict relationship.
The network security device may determine whether a conflict exists between the request method and the file type in each request message in either of two orders: first determine whether the request method is a request method in the first preset conflict relationship and, if so, determine whether the file type is a file type that conflicts with that request method in the first preset conflict relationship; or first determine whether the file type is a file type in the first preset conflict relationship and, if so, determine whether the request method is a request method that conflicts with that file type in the first preset conflict relationship.
S1032, if a conflict exists between the information location directory and the file type, obtain the second sub-weight information corresponding to each request message from the second preset conflict relationship.
In the embodiment of the invention, if a conflict exists between the information location directory and the file type in each request message, the network security device obtains the second sub-weight information corresponding to each request message from the second preset conflict relationship. The second preset conflict relationship is the part of the preset conflict relationship that covers conflicts between the information location directory and the file type. The second sub-weight information is the weight information corresponding to each request message obtained from the second preset conflict relationship.
The network security device may determine whether a conflict exists between the information location directory and the file type in each request message in either of two orders: first determine whether the information location directory is an information location directory in the second preset conflict relationship and, if so, determine whether the file type is a file type that conflicts with that information location directory in the second preset conflict relationship; or first determine whether the file type is a file type in the second preset conflict relationship and, if so, determine whether the information location directory is an information location directory that conflicts with that file type in the second preset conflict relationship.
In some embodiments of the present invention, S1031 illustrated in fig. 10 may be implemented through the following S1033, which will be described in conjunction with the steps.
S1033, if the file type and the request method match a first target conflict relationship in the first preset conflict relationship, this indicates that the first sub-weight information corresponding to the first target conflict relationship is obtained from the first preset conflict relationship.
In the embodiment of the invention, if the file type and the request method of each request message match a first target conflict relationship in the first preset conflict relationship, the network security device obtains the first sub-weight information corresponding to the first target conflict relationship from the first preset conflict relationship.
In some embodiments of the present invention, S1032 shown in fig. 10 may be implemented through the following S1034, which will be described in conjunction with the steps.
S1034, if the information location directory and the file type match a second target conflict relationship in the second preset conflict relationship, this indicates that the second sub-weight information corresponding to the second target conflict relationship is obtained from the second preset conflict relationship.
In the embodiment of the invention, if the information location directory and the file type of each request message match a second target conflict relationship in the second preset conflict relationship, the network security device obtains the second sub-weight information corresponding to the second target conflict relationship from the second preset conflict relationship.
In some embodiments of the present invention, S501-S502 are further included after S1031 shown in fig. 10, which will be described with reference to the steps.
S501, count the number of types of the first risk file type corresponding to the first sub-weight information.
In the embodiment of the invention, the network security device counts the number of types of the first risk file type corresponding to the first sub-weight information. The first sub-weight information is the weight information obtained from the preset conflict relationship when a conflict exists between the request method and the file type in each request message. The first risk file type is a file type that conflicts with the request method. The number of types of the first risk file type is the number of distinct types obtained when the file types that conflict with the request method are grouped by type, such as the rar format, the js format and the like.
S502, if the number of types of the first risk file type is larger than the first malicious type threshold, the detection result of the request messages corresponding to the first risk file type is malicious behavior.
In the embodiment of the present invention, if the number of types of the first risk file type is greater than the first malicious type threshold, the network security device determines that the detection result of the request messages corresponding to the first risk file type is malicious behavior.
It can be understood that if the object to be detected sends request messages of many different risk file types, it is directly determined to be a malicious object. This prevents a malicious object from using a large number of different kinds of low-risk behaviors to probe and exhaust the firewall, covers possible detection blind spots, and improves the accuracy of detecting malicious behaviors.
In some embodiments of the present invention, S503-S504 are further included after S1032 shown in fig. 10, which will be described with reference to the steps.
S503, count the number of types of the second risk file type corresponding to the second sub-weight information.
In the embodiment of the invention, the network security device counts the number of types of the second risk file type corresponding to the second sub-weight information. The second sub-weight information is the weight information obtained from the preset conflict relationship when a conflict exists between the information location directory and the file type in each request message. The second risk file type is a file type that conflicts with the information location directory. The number of types of the second risk file type is the number of distinct types obtained when the file types that conflict with the information location directory are grouped by type, such as the rar format, the js format and the like.
S504, if the number of types of the second risk file type is larger than the second malicious type threshold, the detection result of the request messages corresponding to the second risk file type is malicious behavior.
In the embodiment of the present invention, if the number of types of the second risk file type is greater than the second malicious type threshold, the network security device determines that the detection result of the request messages corresponding to the second risk file type is malicious behavior.
It can be understood that if the object to be detected sends request messages of many different risk file types, it is directly determined to be a malicious object. This prevents a malicious object from using a large number of different kinds of low-risk behaviors to probe and exhaust the firewall, covers possible detection blind spots, and improves the accuracy of detecting malicious behaviors.
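S1031 to S1034 describe two lookup tables (request method against file type, information location directory against file type) that yield sub-weights, and S501 to S504 count how many distinct conflicting file types an object has requested. The following is an added example written for this page, not code from the patent or from Sangfor, that implements both over constructed request lines. The table entries, the type thresholds, the request-line format and the helper names (`parse_request_line`, `score_requests`, `malicious_by_type_count`) are all assumptions; the patent names the tables and thresholds but lists no concrete pairs or values.

```python
# Added example (not code from the patent or its assignee): sub-weight lookup in the
# first and second preset conflict relationships (S1031-S1034) and the distinct
# risk-file-type count (S501-S504). Table entries and thresholds are constructed.
import posixpath
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# First preset conflict relationship: (request method, file type) -> first sub-weight.
FIRST_CONFLICT_RELATIONSHIP: Dict[Tuple[str, str], int] = {
    ("POST", "js"): 10,
    ("POST", "css"): 10,
    ("POST", "jpg"): 10,
    ("GET", "rar"): 15,
}
# Second preset conflict relationship: (information location directory, file type) -> second sub-weight.
SECOND_CONFLICT_RELATIONSHIP: Dict[Tuple[str, str], int] = {
    ("/images", "php"): 20,
    ("/static", "rar"): 15,
    ("/static", "zip"): 15,
    ("/css", "js"): 10,
}
FIRST_MALICIOUS_TYPE_THRESHOLD = 2    # more distinct method/type-conflicting file types than this -> malicious
SECOND_MALICIOUS_TYPE_THRESHOLD = 2   # the same for directory/type conflicts


def parse_request_line(line: str) -> Tuple[str, str, str]:
    """Split 'METHOD /dir/file.ext?query HTTP/1.1' into (method, directory, file type)."""
    method, target, _version = line.split()
    path = urlsplit(target).path
    directory = posixpath.dirname(path) or "/"
    file_type = posixpath.splitext(posixpath.basename(path))[1].lstrip(".").lower()
    return method.upper(), directory, file_type


def first_sub_weight(method: str, file_type: str) -> Optional[int]:
    """S1033: the first sub-weight of the matched first target conflict relationship, if any."""
    return FIRST_CONFLICT_RELATIONSHIP.get((method, file_type))


def second_sub_weight(directory: str, file_type: str) -> Optional[int]:
    """S1034: the second sub-weight of the matched second target conflict relationship, if any."""
    return SECOND_CONFLICT_RELATIONSHIP.get((directory, file_type))


def score_requests(lines: List[str]) -> Tuple[List[Tuple[Optional[int], Optional[int]]], Set[str], Set[str]]:
    """Per request (first sub-weight, second sub-weight), plus the distinct first and second risk file types."""
    weights: List[Tuple[Optional[int], Optional[int]]] = []
    first_risk_types: Set[str] = set()
    second_risk_types: Set[str] = set()
    for line in lines:
        method, directory, file_type = parse_request_line(line)
        w1 = first_sub_weight(method, file_type)
        w2 = second_sub_weight(directory, file_type)
        if w1 is not None:
            first_risk_types.add(file_type)   # S501: a file type conflicting with the request method
        if w2 is not None:
            second_risk_types.add(file_type)  # S503: a file type conflicting with the directory
        weights.append((w1, w2))
    return weights, first_risk_types, second_risk_types


def malicious_by_type_count(lines: List[str]) -> bool:
    """S502/S504: malicious when the number of distinct risk file types exceeds the type threshold."""
    _, first_types, second_types = score_requests(lines)
    return (len(first_types) > FIRST_MALICIOUS_TYPE_THRESHOLD
            or len(second_types) > SECOND_MALICIOUS_TYPE_THRESHOLD)


# Constructed sample: request lines sent by one object to be detected.
SAMPLE_LINES = [
    "POST /static/app.js HTTP/1.1",       # method/type conflict (js)
    "POST /css/site.css HTTP/1.1",        # method/type conflict (css)
    "GET /static/backup.rar HTTP/1.1",    # method/type and directory/type conflicts (rar)
    "GET /images/handler.php HTTP/1.1",   # directory/type conflict (php)
    "GET /index.html HTTP/1.1",           # no conflict
]

if __name__ == "__main__":
    print(score_requests(SAMPLE_LINES), malicious_by_type_count(SAMPLE_LINES))
```

On the sample lines the first relationship sees three distinct conflicting types (js, css, rar), which exceeds the threshold of two, so the object is judged malicious even though each individual sub-weight is small; the first two lines alone stay below the threshold.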
In some embodiments of the present invention, referring to fig. 9, fig. 9 is an optional flowchart of the method provided in the embodiments of the present invention, and S116-S118 may be further included after S104 shown in fig. 1, which will be described with reference to each step.
S116, if the detection result of the at least one request message is a malicious behavior, discarding the at least one request message.
In the embodiment of the invention, if the detection result of at least one request message is malicious behavior, the network security equipment discards the at least one request message.
It can be understood that a request message from a malicious object is discarded directly rather than sent to the server, so that the server does not spend computing power responding to the malicious message and the malicious message does not occupy storage space.
S117, if the detection result of the at least one request message is malicious behavior and at least one response message responding to the at least one request message has already been received, discard the at least one response message.
In the embodiment of the present invention, if the detection result of the at least one request message is malicious behavior and at least one response message responding to the at least one request message has already been received, the network security device discards the at least one response message.
It can be understood that a response message addressed to a malicious object is discarded directly, so that the malicious object cannot obtain the data it sought and the response message does not occupy storage space.
In the embodiment of the present invention, if the detection result of at least one request packet is a malicious behavior, the network security device may add the network address information of the object to be detected to the blacklist. The network address information may be an Internet Protocol (IP) address, and adding the network address information of the object to be detected to a blacklist may be blocking the IP address of the object to be detected. The network security appliance may automatically intercept and discard all data from and to the blocked IP address, including request and response messages.
It can be understood that adding the network address information of the malicious object into the blacklist can prevent further network attacks that may be performed by the malicious object, thereby protecting the security of the data information.
S118, if the detection result of the at least one request message is normal behavior and at least one response message responding to the at least one request message has already been received, feed back the at least one response message.
In the embodiment of the present invention, if the detection result of the at least one request message is normal behavior and at least one response message responding to the at least one request message has already been received, the network security device feeds back the at least one response message.
It will be appreciated that the network security appliance does not interfere with normal user requests and responses.
In some embodiments of the present invention, S206 is further provided after S104 shown in fig. 1, and will be described with reference to the steps.
S206, if fourth target weight information larger than the second malicious score threshold exists in the at least one piece of second weight information, determine that the detection result of the request message corresponding to the fifth target weight information is malicious behavior.
In the embodiment of the invention, the network security device presets a second malicious score threshold. If the network security device detects that fourth target weight information larger than the second malicious score threshold exists in the at least one piece of second weight information, this indicates that the fourth target weight information hits the first feature, and the detection result of the request message corresponding to the fifth target weight information is determined to be malicious behavior.
Weight information hitting the first feature indicates that a high-risk situation has occurred: the request message corresponding to that weight information is very likely to be malicious behavior, so it is determined to be malicious behavior directly.
It can be understood that presetting the second malicious score threshold to judge the high-risk situation among the different pieces of weight information allows the high-risk situation to be screened out at the earliest moment and handled accordingly, so that attacks by malicious behaviors are stopped quickly.
In some embodiments of the present invention, S104 shown in fig. 1 may be implemented through the following S207-S209, which will be described in conjunction with the steps.
S207, if sixth target weight information smaller than or equal to the second malicious score threshold exists in the at least one piece of second weight information, add the sixth target weight information to obtain the second weighting result.
In the embodiment of the invention, if the network security device detects that sixth target weight information smaller than or equal to the second malicious score threshold exists in the at least one piece of second weight information, this indicates that the sixth target weight information hits the second feature, and the sixth target weight information is added to obtain the second weighting result.
When the weight information hits the second feature, a low-risk situation is indicated and a comprehensive judgment is needed.
It can be understood that judging the low-risk situation comprehensively reduces misjudgment and improves the accuracy of detecting malicious behavior.
S208, if the second weighting result is smaller than or equal to the second malicious weighting threshold, the detection result of the request message corresponding to the sixth target weight information is normal behavior.
In the embodiment of the present invention, if the second weighting result is smaller than or equal to the second malicious weighting threshold, the network security device determines that the detection result of the request message corresponding to the sixth target weight information is normal behavior.
S209, if the second weighting result is greater than the second malicious weighting threshold, determine that the detection result of the request message corresponding to the sixth target weight information is malicious behavior.
In the embodiment of the present invention, if the second weighting result is greater than the second malicious weighting threshold, the network security device determines that the detection result of the request packet corresponding to the sixth target weight information is a malicious behavior.
In some embodiments of the present invention, referring to fig. 10, fig. 10 is an optional flowchart of a method provided in the embodiments of the present invention, and the method for detecting malicious behavior may be implemented through S701 to S716 shown in fig. 10, which will be described with reference to each step.
And S701, receiving the request message.
In the embodiment of the present invention, the network security device 302 receives the request message sent by the client 2.
S702, special information is screened.
In this embodiment of the present invention, the network security device 302 filters out the special information in the request message, where the special information includes: sensitive words and scanner fingerprints; and configuring second weight information for the screened special information.
And S703, judging the first characteristic.
In this embodiment of the present invention, the network security device 302 determines whether the request packet hits the first feature, where the first feature represents a high-risk packet. Specifically, the network security device 302 detects whether the second weight information exceeds a threshold, and if the second weight information exceeds the threshold, the first feature is hit.
And S704, analyzing the request message.
In the embodiment of the present invention, the network security device 302 parses the request message to obtain the information location directory, the file type, and the request method.
S705, the conflict between the information position directory and the file type is detected.
In this embodiment of the present invention, the network security device 302 determines from a preset conflict relationship whether the information location directory conflicts with the file type. If such a conflict exists, the network security device 302 configures first weight information for the conflict.
S706, detecting the conflict between the request method and the file type.
In this embodiment of the present invention, the network security device 302 determines whether the request method conflicts with the file type from a preset conflict relationship. If it is determined that there is a conflict between the request method and the file type, the network security device 302 configures first weight information for the conflict.
And S707, judging the number of file type types.
In this embodiment of the present invention, the network security device 302 counts the number of file types involved in the detected conflicts, and if the number of file types exceeds a threshold, the first feature is hit.
S708, sending the request message.
In this embodiment of the present invention, the network security device 302 sends the request packet sent by the client 2 to the server 300.
S709, receiving the response message.
In this embodiment of the present invention, the network security device 302 receives a response message sent by the server 300.
And S710, analyzing the response message.
In this embodiment of the present invention, the network security device 302 analyzes the response packet to obtain response information corresponding to the response packet, where the response information includes a response code and other information. If the response code is 404, it indicates that the server 300 does not find the request content, and configures third weight information for the request packet corresponding to the response packet from the preset abnormal response relationship.
And S711, matching the contents of the response message.
In the embodiment of the invention, if the response code is 200, the content of the response message is matched against keywords indicating that the requested content was not found. If such a keyword exists, the server 300 is likewise considered not to have found the requested content, and third weight information is configured for the request message corresponding to the response message from the preset abnormal response relationship.
And S712, first characteristic processing.
In this embodiment of the present invention, the network security device 302 collects all the weight information of the request message and screens it. If any weight information hits the first feature, the IP is blocked and the message is discarded; if no weight information hits the first feature, all the weight information is passed on to the weighted calculation.
And S713, weight calculation.
In this embodiment of the present invention, the network security device 302 performs a weighted calculation on the weight information that did not hit the first feature.
And S714, sending a response message.
In this embodiment of the present invention, if the weighting calculation result does not exceed the threshold, the network security device 302 sends the response packet sent by the server 300 to the client 2.
And S715, blocking the IP.
In the embodiment of the present invention, if the weighting calculation result exceeds the threshold, or the information of the request packet has information of hitting the first feature, the IP of the client 2 is blocked.
And S716, discarding the message.
In the embodiment of the present invention, if the IP of the client 2 is blocked, the request packet from the client 2 and the response packet to be sent to the client 2 are discarded.
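As an added example that is not part of the patent or of Sangfor's code, the following Python sketch puts the flow S701-S716, together with the per-item threshold logic of S207-S209, into one runnable piece. The conflict tables, sensitive words, scanner fingerprints, "not found" keywords and both thresholds are constructed assumptions: the patent states that such presets exist but does not publish their contents. The sample HTTP requests are constructed as well.

```python
import posixpath
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Preset relationships. Every entry is an assumption made for this example.
DIR_FILETYPE_CONFLICTS: Dict[Tuple[str, str], int] = {   # first weight information (S705)
    ("/images", "php"): 6, ("/images", "jsp"): 6, ("/static", "php"): 5}
METHOD_FILETYPE_CONFLICTS: Dict[Tuple[str, str], int] = {  # first weight information (S706)
    ("POST", "jpg"): 4, ("POST", "css"): 4}
SENSITIVE_WORDS: Dict[str, int] = {                      # second weight information (S702)
    "phpmyadmin": 6, "wp-login": 3, ".git/": 6, "etc/passwd": 9}
SCANNER_FINGERPRINTS: Dict[str, int] = {"sqlmap": 10, "nikto": 10}  # second weight information
NOT_FOUND_WEIGHT = 2                                                 # third weight information
NOT_FOUND_KEYWORDS = ("not found", "no such file", "does not exist")
SCORE_THRESHOLD = 8       # one weight above this hits the first feature (high risk)
WEIGHTING_THRESHOLD = 12  # a sum of second-feature weights above this is malicious

Response = Tuple[int, str]  # (status code, body)

def parse_request(raw: str) -> Tuple[str, str, str]:
    """S701/S704: (method, target, User-Agent) from a raw HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    ua = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            ua = value.strip()
    return method.upper(), target, ua

def location_and_type(target: str) -> Tuple[str, str]:
    """Information location directory and file type of the requested resource."""
    path = urlsplit(target).path
    return posixpath.dirname(path) or "/", posixpath.splitext(path)[1].lstrip(".").lower()

def first_weights(method: str, target: str) -> List[int]:
    """S705/S706: directory/file-type and method/file-type conflicts."""
    d, ext = location_and_type(target)
    weights: List[int] = []
    while True:  # walk upwards so /images/2021/x.php still conflicts with /images
        if (d, ext) in DIR_FILETYPE_CONFLICTS:
            weights.append(DIR_FILETYPE_CONFLICTS[(d, ext)])
            break
        if d == "/":
            break
        d = posixpath.dirname(d)
    if (method, ext) in METHOD_FILETYPE_CONFLICTS:
        weights.append(METHOD_FILETYPE_CONFLICTS[(method, ext)])
    return weights

def second_weights(target: str, user_agent: str) -> List[int]:
    """S702: sensitive words in the target, scanner fingerprints in the User-Agent."""
    target, ua = target.lower(), user_agent.lower()
    return ([w for word, w in SENSITIVE_WORDS.items() if word in target]
            + [w for fp, w in SCANNER_FINGERPRINTS.items() if fp in ua])

def third_weights(resp: Optional[Response]) -> List[int]:
    """S710/S711: a 404, or a 200 whose body says the requested content was not found."""
    if resp is None:
        return []
    status, body = resp
    not_found = status == 404 or (
        status == 200 and any(k in body.lower() for k in NOT_FOUND_KEYWORDS))
    return [NOT_FOUND_WEIGHT] if not_found else []

def detect(raw_request: str, resp: Optional[Response] = None) -> Tuple[str, int]:
    """S712/S713: ('malicious' | 'normal', score). A single weight above SCORE_THRESHOLD
    hits the first feature and decides alone; otherwise every weight hits the second
    feature and their sum is compared with WEIGHTING_THRESHOLD."""
    method, target, ua = parse_request(raw_request)
    weights = first_weights(method, target) + second_weights(target, ua) + third_weights(resp)
    if weights and max(weights) > SCORE_THRESHOLD:
        return "malicious", max(weights)
    total = sum(weights)
    return ("malicious" if total > WEIGHTING_THRESHOLD else "normal"), total

class Gateway:
    """S712-S716: block the client IP on a malicious verdict and drop its later traffic."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def handle(self, client_ip: str, raw_request: str, resp: Optional[Response]) -> str:
        if client_ip in self.blocked:
            return "drop"                 # S716: request and pending response are discarded
        verdict, _ = detect(raw_request, resp)
        if verdict == "malicious":
            self.blocked.add(client_ip)   # S715: block the IP
            return "drop"
        return "forward"                  # S714: response goes back to the client

# Constructed sample traffic, not captured data.
UA = "User-Agent: Mozilla/5.0\r\n"
NORMAL = "GET /images/logo.png HTTP/1.1\r\nHost: shop.example\r\n" + UA + "\r\n"
PROBE = "GET /images/shell.php?cmd=id HTTP/1.1\r\nHost: shop.example\r\n" + UA + "\r\n"
PMA = "GET /static/phpmyadmin/setup.php HTTP/1.1\r\nHost: shop.example\r\n" + UA + "\r\n"
SCAN = "GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: sqlmap/1.5\r\n\r\n"
```

With these assumed tables, `detect(PROBE, (404, ""))` scores 6 for a PHP file under `/images` plus 2 for the 404 and stays at a normal verdict, `detect(PMA, (200, "<h1>Not Found</h1>"))` reaches 13 through the second feature (the conflict, the sensitive word and a 200 page that says "not found"), and `detect(SCAN, (200, "..."))` is decided by the scanner fingerprint alone, since its weight of 10 exceeds the score threshold. Once `Gateway.handle` has returned "drop" for an address, every later request from that address is dropped without being scored, as in S716.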
Fig. 11 is an optional structural schematic diagram of an apparatus for detecting malicious behavior according to an embodiment of the present invention. As shown in fig. 11, an embodiment of the present invention further provides an apparatus 800 for detecting a malicious activity, including: a receiving unit 804, a parsing unit 805, a generating unit 806, and a determining unit 807, wherein:
a receiving unit 804, configured to receive at least one request message of an object to be detected;
an analyzing unit 805, configured to analyze each request packet in the at least one request packet to obtain at least two of a corresponding information location directory, a corresponding file type, and a corresponding request method;
a generating unit 806, configured to, if a conflict exists between at least two of the request method, the information location directory, and the file type, obtain, from a preset conflict relationship, first weight information corresponding to each request packet;
a determining unit 807, configured to determine a detection result of the at least one request message based on the at least one first weight information corresponding to the at least one request message.
In some embodiments of the present invention, the parsing unit 805 is further configured to filter whether at least one request message includes special information, where the special information includes: information location sensitive words or scanner fingerprints.
The generating unit 806 is further configured to, if each request message includes special information, obtain, from a preset special information base, second weight information corresponding to each request message, so as to obtain at least one piece of second weight information corresponding to at least one request message.
The determining unit 807 is further configured to determine a detection result of at least one request packet according to at least one first weight information and at least one second weight information.
In some embodiments of the present invention, the receiving unit 804 is further configured to receive at least one response packet for at least one request packet response; the at least one response message is obtained by the server responding after receiving the at least one request message.
The parsing unit 805 is further configured to parse at least one response packet to obtain response information corresponding to each response packet.
The generating unit 806 is further configured to, if the response information indicates that the content to be requested is not found, obtain, from the preset abnormal response relationship, third weight information corresponding to each request packet, so as to obtain at least one third weight information corresponding to at least one request packet.
The determining unit 807 is further configured to determine a detection result of at least one request packet according to at least one first weight information and at least one third weight information; or determining the detection result of at least one request message according to at least one piece of first weight information, at least one piece of second weight information and at least one piece of third weight information.
In some embodiments of the present invention, the determining unit 807 is further configured to determine that a detection result of a request packet corresponding to first target weight information is a malicious behavior if there is first target weight information that is greater than a first malicious score threshold in at least one piece of first weight information corresponding to at least one request packet.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information that is less than or equal to the first malicious score threshold in at least one piece of first weight information corresponding to at least one request packet, add the second target weight information to obtain a first weighting result.
The determining unit 807 is further configured to determine that a detection result of the request packet corresponding to the second target weight information is a normal behavior if the first weighting result is less than or equal to the first malicious weighting threshold; and if the first weighting result is greater than the first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a malicious behavior.
In some embodiments of the present invention, the parsing unit 805 is further configured to parse each request packet in the at least one request packet to obtain one-to-one corresponding request parameters; and counting the number of the request parameters corresponding to each request message.
The determining unit 807 is further configured to determine a detection result of the at least one request packet according to at least one of the at least one second weight information and the at least one third weight information, the at least one first weight information, and the number of request parameters.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information that is less than or equal to the first malicious score threshold in the at least one first weight information and there is third target weight information that is less than or equal to the first malicious score threshold in the at least one second weight information, add the second target weight information and the third target weight information to obtain a second weighting result;
the determining unit 807 is further configured to determine that the detection results of the request messages respectively corresponding to the second target weight information and the third target weight information are normal behaviors if the second weighting result is less than or equal to the second malicious weighting threshold; and if the second weighting result is greater than the second malicious weighting threshold, the detection results of the request messages corresponding to the second target weight information and the third target weight information are malicious behaviors.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information that is less than or equal to the first malicious score threshold in the at least one first weight information and there is fourth target weight information that is less than or equal to the first malicious score threshold in the at least one third weight information, add the second target weight information and the fourth target weight information to obtain a third weighting result.
The determining unit 807 is further configured to determine that the detection results of the request messages respectively corresponding to the second target weight information and the fourth target weight information are normal behaviors if the third weighting result is less than or equal to a third malicious weighting threshold; and if the third weighting result is greater than the third malicious weighting threshold, the detection results of the request messages corresponding to the second target weight information and the fourth target weight information are malicious behaviors.
In some embodiments of the present invention, the generating unit 806 is further configured to add the second target weight information, the third target weight information, and the fourth target weight information to obtain a fourth weighting result, if there is a second target weight information that is less than or equal to the first malicious score threshold in the at least one first weight information, and there is a third target weight information that is less than or equal to the first malicious score threshold in the at least one second weight information, and there is a fourth target weight information that is less than or equal to the first malicious score threshold in the at least one third weight information.
The determining unit 807 is further configured to determine that the detection results of the request messages respectively corresponding to the second target weight information, the third target weight information, and the fourth target weight information are normal behaviors if the fourth weighting result is less than or equal to the fourth malicious weighting threshold; and if the fourth weighting result is greater than the fourth malicious weighting threshold, the detection results of the request messages respectively corresponding to the second target weight information, the third target weight information and the fourth target weight information are malicious behaviors.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, and the number of request parameters of the request message corresponding to the second target weight information is less than or equal to the benign request parameter number threshold, characterize that the request message corresponding to the second target weight information hits the second feature, and add the second target weight information to obtain a first weighting result; or, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, and among the request messages corresponding to the second target weight information there is a first target request message whose number of request parameters is greater than the benign request parameter number threshold, characterize that the first target request message does not hit the second feature, that the first other request messages (those other than the first target request message) among the request messages corresponding to the second target weight information hit the second feature, and add the first other target weight information corresponding to the first other request messages in the second target weight information to obtain the first weighting result.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, and third target weight information less than or equal to the first malicious score threshold in the at least one piece of second weight information, and the number of request parameters of the request message corresponding to the second target weight information is less than or equal to the benign request parameter number threshold, and the number of request parameters of the request message corresponding to the third target weight information is less than or equal to the benign request parameter number threshold, characterize that the request messages corresponding to the second target weight information and the third target weight information hit the second feature, and add the second target weight information and the third target weight information to obtain a second weighting result; or, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information and third target weight information less than or equal to the first malicious score threshold in the at least one piece of second weight information, acquire the number of first request parameters of the request messages corresponding to the second target weight information and the number of second request parameters of the request messages corresponding to the third target weight information; if among the first request parameter numbers there is a first target request message whose number is greater than the benign request parameter number threshold, and/or among the second request parameter numbers there is a second target request message whose number is greater than the benign request parameter number threshold, characterize that the first target request message and/or the second target request message does not hit the second feature, that the first other request messages other than the first target request message among the request messages corresponding to the second target weight information and/or the second other request messages other than the second target request message among the request messages corresponding to the third target weight information hit the second feature, and add the first other target weight information corresponding to the first other request messages and/or the second other target weight information corresponding to the second other request messages to obtain the second weighting result.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, and fourth target weight information less than or equal to the first malicious score threshold in the at least one piece of third weight information, and the number of request parameters of the request message corresponding to the second target weight information is less than or equal to the benign request parameter number threshold, and the number of request parameters of the request message corresponding to the fourth target weight information is less than or equal to the benign request parameter number threshold, characterize that the request messages corresponding to the second target weight information and the fourth target weight information hit the second feature, and add the second target weight information and the fourth target weight information to obtain a third weighting result; or, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, and fourth target weight information less than or equal to the first malicious score threshold in the at least one piece of third weight information, acquire the number of first request parameters of the request messages corresponding to the second target weight information and the number of third request parameters of the request messages corresponding to the fourth target weight information; if among the first request parameter numbers there is a first target request message whose number is greater than the benign request parameter number threshold, and/or among the third request parameter numbers there is a third target request message whose number is greater than the benign request parameter number threshold, characterize that the first target request message and/or the third target request message does not hit the second feature, that the first other request messages other than the first target request message among the request messages corresponding to the second target weight information and/or the third other request messages other than the third target request message among the request messages corresponding to the fourth target weight information hit the second feature, and add the first other target weight information corresponding to the first other request messages and/or the third other target weight information corresponding to the third other request messages to obtain the third weighting result.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, third target weight information less than or equal to the first malicious score threshold in the at least one piece of second weight information, and fourth target weight information less than or equal to the first malicious score threshold in the at least one piece of third weight information, and the number of request parameters of the request message corresponding to the second target weight information, the number of request parameters of the request message corresponding to the third target weight information, and the number of request parameters of the request message corresponding to the fourth target weight information are each less than or equal to the benign request parameter number threshold, characterize that the request messages corresponding to the second target weight information, the third target weight information, and the fourth target weight information hit the second feature, and add the second target weight information, the third target weight information, and the fourth target weight information to obtain a fourth weighting result; or, if there is second target weight information less than or equal to the first malicious score threshold in the at least one piece of first weight information, third target weight information less than or equal to the first malicious score threshold in the at least one piece of second weight information, and fourth target weight information less than or equal to the first malicious score threshold in the at least one piece of third weight information, acquire the number of first request parameters of the request messages corresponding to the second target weight information, the number of second request parameters of the request messages corresponding to the third target weight information, and the number of third request parameters of the request messages corresponding to the fourth target weight information; if among the first request parameter numbers there is a first target request message whose number is greater than the benign request parameter number threshold, and/or among the second request parameter numbers there is a second target request message whose number is greater than the benign request parameter number threshold, and/or among the third request parameter numbers there is a third target request message whose number is greater than the benign request parameter number threshold, characterize that the first target request message, and/or the second target request message, and/or the third target request message does not hit the second feature, that the first other request messages other than the first target request message among the request messages corresponding to the second target weight information, and/or the second other request messages other than the second target request message among the request messages corresponding to the third target weight information, and/or the third other request messages other than the third target request message among the request messages corresponding to the fourth target weight information hit the second feature, and add the first other target weight information corresponding to the first other request messages, and/or the second other target weight information corresponding to the second other request messages, and/or the third other target weight information corresponding to the third other request messages to obtain the fourth weighting result.
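The variants above differ only in which weight information lists they draw from; the rule that decides whether a request message hits the second feature, and which weights therefore enter the weighting result, is the same in each. The following added example (not the patent's or Sangfor's code) states that rule once for weight information from any of the three sources. The `WeightedRequest` record, the function name, the sample items and all threshold values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union


@dataclass(frozen=True)
class WeightedRequest:
    """One request message carrying one piece of weight information (assumed record layout)."""
    request_id: str
    source: str       # 'first', 'second' or 'third' weight information
    weight: int       # already looked up from the preset relationship
    param_count: int  # number of request parameters counted for this message


def classify(items: Iterable[WeightedRequest], score_threshold: int,
             benign_param_threshold: int,
             weighting_threshold: int) -> Dict[str, Union[List[str], int, str]]:
    """Apply the first/second-feature rule to weight information from any source.

    weight >  score_threshold                            -> first feature, malicious on its own
    weight <= score_threshold and params <= benign limit -> hits the second feature, enters the sum
    weight <= score_threshold and params >  benign limit -> does not hit the second feature, left out
    The sum over the second-feature hits is then compared with weighting_threshold.
    """
    first: List[str] = []
    second: List[str] = []
    skipped: List[str] = []
    total = 0
    for it in items:
        if it.weight > score_threshold:
            first.append(it.request_id)
        elif it.param_count <= benign_param_threshold:
            second.append(it.request_id)
            total += it.weight
        else:
            skipped.append(it.request_id)
    return {
        "first_feature": first,
        "second_feature": second,
        "not_second_feature": skipped,
        "weighting_result": total,
        "second_feature_verdict": "malicious" if total > weighting_threshold else "normal",
    }


# Constructed sample, not real traffic: the weights are taken to be already looked up.
SAMPLE = [
    WeightedRequest("r1", "first", 5, 1),    # directory/file-type conflict, one parameter
    WeightedRequest("r2", "second", 4, 2),   # sensitive word in the target, two parameters
    WeightedRequest("r3", "third", 1, 1),    # server answered 404
    WeightedRequest("r4", "first", 6, 14),   # same kind of conflict, but 14 parameters
    WeightedRequest("r5", "second", 10, 0),  # scanner fingerprint, above the score threshold
]
```

With `classify(SAMPLE, 8, 5, 10)` the request r5 is decided by the first feature, r4 is left out of the weighting because its 14 parameters exceed the benign threshold of 5, and the remaining sum of 10 does not exceed the weighting threshold; raising the benign threshold to 20 pulls r4 back in and the sum of 16 turns the second-feature verdict malicious. The parameter threshold therefore changes the outcome without any weight changing.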
In some embodiments of the present invention, the first weight information corresponding to each request packet includes: first sub-weight information and second sub-weight information.
The generating unit 806 is further configured to, if a conflict exists between the request method and the file type, obtain first sub-weight information corresponding to each request packet from a first preset conflict relationship; or, if a conflict exists between the information position directory and the file type, obtaining second sub-weight information corresponding to each request message from a second preset conflict relationship.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is a first target conflict relationship matching the first preset conflict relationship between the file type and the request method, characterize that the first sub-weight information corresponding to the first target conflict relationship is obtained from the preset conflict relationship.
In some embodiments of the present invention, the generating unit 806 is further configured to, if there is a second target conflict relationship matching the information location directory and the file type with a second preset conflict relationship, characterize that second sub-weight information corresponding to the second target conflict relationship is obtained from the preset conflict relationship.
In some embodiments of the present invention, the parsing unit 805 is further configured to count the number of types of the first risk file type corresponding to the first sub-weight information.
The determining unit 807 is further configured to, if the number of types of the first risk file type is greater than the first malicious type threshold, determine that a detection result of the request packet corresponding to the first risk file type is a malicious behavior.
In some embodiments of the present invention, the parsing unit 805 is further configured to count the number of types of the second risk file type corresponding to the second sub-weight information.
The determining unit 807 is further configured to, if the number of the types of the second risk file type is greater than the second malicious type threshold, determine that a detection result of the request packet corresponding to the second risk file type is a malicious behavior.
In some embodiments of the present invention, the apparatus for detecting malicious behavior 800 further comprises a processing unit 809, wherein:
the processing unit 809 is configured to discard the at least one request packet if the detection result of the at least one request packet is a malicious behavior; or if the detection result of the at least one request message is malicious behavior and the at least one response message for the at least one request message response has been received, discarding the at least one response message; or if the detection result of the at least one request message is normal behavior and the at least one response message for the at least one request message response has been received, feeding back the at least one response message.
In some embodiments of the present invention, the determining unit 807 is further configured to, if there is fourth target weight information greater than the second malicious score threshold in the at least one second weight information, characterize that the first feature is hit, and determine that the detection result of the request message corresponding to the fourth target weight information is a malicious behavior; the first feature characterizes a high-risk condition.
In some embodiments of the present invention, the generating unit 806 is further configured to, if sixth target weight information that is less than or equal to the second malicious score threshold exists in the at least one piece of second weight information, characterize that the second feature is hit, and add the sixth target weight information to obtain a second weighting result; the second characteristic characterizes a risk condition; the risk of the second characteristic is lower than the first characteristic.
The determining unit 807 is further configured to determine that a detection result of the request packet corresponding to the sixth target weight information is a normal behavior if the second weighting result is less than or equal to the second malicious weighting threshold; and if the second weighting result is greater than the second malicious weighting threshold, the detection result of the request message corresponding to the sixth target weight information is a malicious behavior.
It should be noted that fig. 12 is an optional structural schematic diagram of the apparatus for detecting malicious behavior according to the embodiment of the present invention, and as shown in fig. 12, a hardware entity of the apparatus 800 for detecting malicious behavior includes: a processor 801, a communication interface 802, and a memory 803, wherein:
the processor 801 generally controls the overall operation of the apparatus 800 for detecting malicious behavior.
The communication interface 802 may enable the apparatus for detecting malicious behavior 800 to communicate with other apparatuses or devices over a network.
The Memory 803 is configured to store instructions and applications executable by the processor 801, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by each module in the apparatus 800 for detecting malicious behavior and the processor 801, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
It should be noted that, in the embodiment of the present invention, if the method for detecting malicious behavior is implemented in the form of a software functional module, and is sold or used as a standalone product, it may also be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present invention or portions thereof that contribute to the related art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions to enable an apparatus 800 (which may be a personal computer, a server, or a network device) for detecting malicious behaviors to execute all or part of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
Correspondingly, the embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps in the above method.
Here, it should be noted that: the above description of the storage medium and device embodiments is similar to the description of the method embodiments above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the storage medium and the apparatus according to the invention, reference is made to the description of the embodiments of the method according to the invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of another like element in a process, method, article, or apparatus that comprises the element.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only one logical function division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present invention, and all such changes or substitutions are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (15)

1. A method of detecting malicious behavior, comprising:
receiving at least one request message of an object to be detected;
analyzing each request message in the at least one request message to respectively obtain at least two of a corresponding information position directory, a corresponding file type and a corresponding request method;
if at least two of the request method, the information position directory and the file type conflict, obtaining first weight information corresponding to each request message from a preset conflict relationship;
and determining a detection result of the at least one request message based on at least one piece of first weight information corresponding to the at least one request message.
2. The method according to claim 1, wherein after receiving at least one request message for an object to be detected, the method further comprises:
screening whether the at least one request message contains special information, wherein the special information comprises: information location sensitive words or scanner fingerprints;
if each request message contains the special information, second weight information corresponding to each request message is obtained from a preset special information base, and therefore at least one piece of second weight information corresponding to at least one request message is obtained;
correspondingly, the determining a detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet includes:
and determining a detection result of the at least one request message according to the at least one piece of first weight information and the at least one piece of second weight information.
3. The method according to claim 1 or 2, wherein after receiving at least one request message of an object to be detected, the method further comprises:
receiving at least one response message responding to the at least one request message; the at least one response message is obtained by the server responding after receiving the at least one request message;
analyzing the at least one response message to obtain response information corresponding to each response message;
if the response information represents that the content to be requested is not found, obtaining third weight information corresponding to each request message from a preset abnormal response relation, thereby obtaining at least one third weight information corresponding to at least one request message;
correspondingly, the determining the detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet includes:
determining a detection result of the at least one request message according to the at least one first weight information and the at least one third weight information; or,
and determining a detection result of the at least one request message according to the at least one first weight information, the at least one second weight information and the at least one third weight information.
4. The method according to claim 1, wherein the determining the detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet comprises:
if first target weight information larger than a first malicious score threshold exists in at least one piece of first weight information corresponding to the at least one request message, determining that the detection result of the request message corresponding to the first target weight information is malicious behavior.
5. The method according to claim 1, wherein the determining the detection result of the at least one request packet based on the at least one first weight information corresponding to the at least one request packet comprises:
if second target weight information smaller than or equal to a first malicious score threshold exists in at least one first weight information corresponding to the at least one request message, adding the second target weight information to obtain a first weighting result;
if the first weighting result is smaller than or equal to a first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a normal behavior;
and if the first weighting result is greater than a first malicious weighting threshold, the detection result of the request message corresponding to the second target weight information is a malicious behavior.
6. The method of claim 3, further comprising:
analyzing each request message in the at least one request message to respectively obtain one-to-one corresponding request parameters;
counting the number of the request parameters corresponding to each request message;
and determining a detection result of the at least one request message according to at least one of the at least one second weight information and the at least one third weight information, the at least one first weight information and the number of the request parameters.
7. The method according to claim 1, wherein the first weight information corresponding to each request packet comprises: first sub-weight information and second sub-weight information;
if there is a conflict between at least two of the request method, the information location directory, and the file type, obtaining first weight information corresponding to each request packet from a preset conflict relationship, including:
if the request method conflicts with the file type, first sub-weight information corresponding to each request message is obtained from a first preset conflict relationship; or,
and if the information position directory conflicts with the file types, second sub-weight information corresponding to each request message is obtained from a second preset conflict relationship.
8. The method according to claim 7, wherein if there is a conflict between the request method and the file type, obtaining the first sub-weight information corresponding to each request packet from a first preset conflict relationship includes:
if the file type and the request method have a matched first target conflict relationship with the first preset conflict relationship, characterizing that the first sub-weight information corresponding to the first target conflict relationship is obtained from the first preset conflict relationship.
9. The method according to claim 7, wherein if there is a conflict between the information location directory and the file type, obtaining second sub-weight information corresponding to each request packet from a second preset conflict relationship includes:
if the information position directory and the file type have a second target conflict relationship matched with the second preset conflict relationship, characterizing that the second sub-weight information corresponding to the second target conflict relationship is obtained from the second preset conflict relationship.
10. The method according to claim 7, wherein if there is a conflict between the request method and the file type, after obtaining the first sub-weight information corresponding to each request packet from a first preset conflict relationship, the method further comprises:
counting the number of the types of the first risk file corresponding to the first sub-weight information;
and if the number of the types of the first risk file types is greater than a first malicious type threshold value, determining that the detection result of the request message corresponding to the first risk file type is malicious behavior.
11. The method according to claim 7, wherein if there is a conflict between the information location directory and the file type, after obtaining second sub-weight information corresponding to each request packet from a second preset conflict relationship, the method further comprises:
counting the number of the types of the second risk files corresponding to the second sub-weight information;
and if the number of the types of the second risk file types is greater than a second malicious type threshold value, determining that the detection result of the request message corresponding to the second risk file types is malicious behavior.
12. The method according to any of claims 1, 2 or 4 to 11, wherein after determining the detection result of the at least one request message, the method further comprises:
if the detection result of the at least one request message is a malicious behavior, discarding the at least one request message; or,
if the detection result of the at least one request message is malicious behavior and at least one response message for the at least one request message response has been received, discarding the at least one response message; or,
and if the detection result of the at least one request message is normal behavior and at least one response message for responding to the at least one request message is received, feeding back the at least one response message.
13. An apparatus for detecting malicious behavior, comprising:
the receiving unit is used for receiving at least one request message of an object to be detected;
the analysis unit is used for analyzing each request message in the at least one request message to respectively obtain at least two of the corresponding information position directory, the file type and the request method;
a generating unit, configured to obtain, from a preset conflict relationship, first weight information corresponding to each request packet if a conflict exists between at least two of the request method, the information location directory, and the file type;
a determining unit, configured to determine a detection result of the at least one request packet based on at least one piece of weight information corresponding to the at least one request packet.
14. An apparatus for detecting malicious behavior, comprising:
a memory for storing executable instructions;
a processor for implementing the method of any one of claims 1 to 12 when executing executable instructions stored in the memory.
15. A storage medium having stored thereon executable instructions for causing a processor to, when executed, perform the method of any one of claims 1 to 12.
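The scoring logic of claims 1 to 11, written out as an added example that is not the patent's or the applicant's own code. The conflict tables, sensitive words, scanner fingerprint, thresholds and request records are all constructed placeholders for the "preset" relationships the claims leave unspecified; the example also combines the first, second and third weight information in one pass, which claims 2, 3 and 6 only describe as options.

```python
from dataclasses import dataclass
from typing import Optional
import posixpath

# Constructed weight tables standing in for the patent's "preset conflict relationships".
METHOD_TYPE_CONFLICT = {("POST", ".png"): 3, ("POST", ".css"): 3, ("POST", ".jpg"): 3, ("GET", ".bak"): 6}
DIR_TYPE_CONFLICT = {("/images", ".php"): 8, ("/static", ".jsp"): 8, ("/css", ".zip"): 5}
SPECIAL_WEIGHT = {"sensitive_word": 4, "scanner_fingerprint": 9}
SENSITIVE_WORDS = ("backup", "config")        # constructed "information location sensitive words"
SCANNER_FINGERPRINTS = ("ExampleScanner/",)   # constructed scanner User-Agent fingerprint
NOT_FOUND_WEIGHT = 2                          # third weight: server said the content was not found
SCORE_THRESHOLD = 7       # claim 4: one weight above this is malicious on its own
WEIGHTING_THRESHOLD = 10  # claim 5: the sum of the smaller weights above this is malicious
TYPE_THRESHOLD = 2        # claims 10/11: more distinct risky file types than this is malicious

@dataclass
class Request:
    method: str
    path: str
    user_agent: str = ""
    status: Optional[int] = None  # response status, if a response message was seen

def parse(req):
    """Claim 1: split a request into information location directory, file type and method."""
    directory, filename = posixpath.split(req.path.split("?", 1)[0])
    return directory or "/", posixpath.splitext(filename)[1].lower(), req.method.upper()

def first_weights(req):
    """Claims 7-9: the two sub-weights from the conflict tables (0 when there is no conflict)."""
    directory, ftype, method = parse(req)
    return METHOD_TYPE_CONFLICT.get((method, ftype), 0), DIR_TYPE_CONFLICT.get((directory, ftype), 0)

def second_weight(req):
    """Claim 2: weight for a sensitive word in the path or a scanner fingerprint."""
    if any(f in req.user_agent for f in SCANNER_FINGERPRINTS):
        return SPECIAL_WEIGHT["scanner_fingerprint"]
    if any(w in req.path.lower() for w in SENSITIVE_WORDS):
        return SPECIAL_WEIGHT["sensitive_word"]
    return 0

def third_weight(req):
    """Claim 3: weight when the response says the requested content was not found."""
    return NOT_FOUND_WEIGHT if req.status == 404 else 0

def classify(requests):
    """Detection result for a batch of request messages from one object to be detected."""
    total, risky_types = 0, set()
    for req in requests:
        w_method, w_dir = first_weights(req)
        for w in (w_method, w_dir, second_weight(req), third_weight(req)):
            if w > SCORE_THRESHOLD:  # claim 4: a single weight above the score threshold
                return "malicious"
            total += w               # claim 5: accumulate the weights at or below it
        if w_method or w_dir:        # claims 10/11: count the distinct risky file types
            risky_types.add(parse(req)[1])
    if len(risky_types) > TYPE_THRESHOLD or total > WEIGHTING_THRESHOLD:
        return "malicious"
    return "normal"

if __name__ == "__main__":
    batch = [Request("POST", "/img/a.png", status=404)] * 4  # constructed sample batch
    print(classify(batch))  # each request scores 3 + 2, so the sum 20 exceeds the threshold
```

A request whose detection result is "malicious" would then be discarded, together with any response already received for it, as claim 12 describes.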
CN202110203939.8A 2021-02-23 2021-02-23 Method, device and storage medium for detecting malicious behaviors Active CN112887327B (en)

Publications (2)

Publication Number Publication Date
CN112887327A CN112887327A (en) 2021-06-01
CN112887327B true CN112887327B (en) 2022-11-22
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant