CN113329032B - Attack detection method, device, equipment and medium - Google Patents


Info

Publication number
CN113329032B
Authority
CN
China
Prior art keywords
attack
behavior
uploading
network traffic
network flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110700489.3A
Other languages
Chinese (zh)
Other versions
CN113329032A (en)
Inventor
岳巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd
Priority to CN202110700489.3A
Publication of CN113329032A
Application granted
Publication of CN113329032B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses an attack detection method, device, equipment and medium, which are used for acquiring network traffic meeting the requirement of an attack language and solving the problem that an attacker deforms the network traffic in the modes of coding, character splicing and the like by setting the requirement of the attack language. And acquiring the network flow which accords with the uploading attack behavior based on the attack language requirement. In order to realize identification of whether uploading attack behavior is successful or not, attack conditions can be set by depending on a file uploading path and/or an access rule, and the behavior of the network traffic is judged to be successful uploading attack under the condition that the network traffic meets the set attack conditions. The network flow is obtained based on the attack language, the problem of network flow deformation is solved, and the network flow containing the uploading attack behavior in the initial network flow can be screened out. Whether the uploading attack behavior contained in the attack flow is successfully uploaded or not can be effectively detected based on the set attack conditions, and the detection rate of the successful uploading attack behavior is improved.

Description

Attack detection method, device, equipment and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack detection method, apparatus, device, and computer-readable storage medium.
Background
A webshell, a script-based tool for Web intrusion, is a code execution environment in the form of a web page file. After an attacker compromises a website, an Active Server Pages (ASP) or PHP (Hypertext Preprocessor) backdoor file is placed among the normal page files in the web directory of the website server; the attacker can then open the ASP or PHP backdoor in a browser to obtain a command execution environment and thereby control the server. Because webshells mostly take the form of dynamic scripts, they are also called website backdoor tools. Current techniques for detecting a successful webshell upload mainly match the captured network traffic against feature words extracted from webshell attack behavior.
The payload is the segment of attack traffic that does the decisive work; typically it compromises system integrity, obtains system privileges, and so on. In practice, to evade security devices, an attacker often processes the payload by encoding, character splicing and similar means, so that its surface form becomes more complex and irregular. The security device then finds no matching feature word and lets the traffic through, and the detection rate for successful webshell uploads is low.
Therefore, how to improve the detection rate of upload attack behavior is a problem that those skilled in the art need to solve.
Disclosure of Invention
The embodiment of the application aims to provide an attack detection method, an attack detection device, attack detection equipment and a computer readable storage medium, which can improve the detection rate of uploading attack behaviors.
In order to solve the foregoing technical problem, an embodiment of the present application provides an attack detection method, including:
acquiring network flow meeting the requirement of attack language;
under the condition that the network flow meets the set attack condition, judging that the behavior of the network flow is successful in uploading attack; wherein the attack condition comprises a file uploading path and/or an access rule.
Optionally, when the network traffic satisfies the set attack condition, determining that the behavior of the network traffic is that the upload attack is successful includes:
judging whether the network traffic has attack traffic of a file uploading path containing a static resource directory;
and under the condition that a file uploading path in the network flow contains the attack flow of the static resource directory, judging the behavior of the attack flow as successful uploading attack.
Optionally, when the network traffic satisfies the set attack condition, determining that the behavior of the network traffic is that the upload attack is successful includes:
matching the access behavior of the network flow with a set access rule;
and under the condition that the access behavior of the network flow is matched with a set access rule, judging that the behavior of the network flow is successful in uploading attack.
Optionally, when the access behavior of the network traffic is matched with a set access rule, determining that the behavior of the network traffic is successful in an upload attack includes:
judging whether source address information of a specific script file in the access history attacked device exists in the network flow;
and if the source address information of the specific script file in the access history attacked device exists in the network flow, judging that the behavior of the network flow is successful in uploading attack.
Optionally, the obtaining network traffic meeting the attack language requirement includes:
and screening out the network traffic matched with the feature lexicon in the initial network traffic.
Optionally, the acquiring network traffic meeting the attack language requirement includes:
deleting interference characters in initial network flow, and splicing the initial network flow after the interference characters are deleted to obtain filtered initial network flow;
and extracting the network traffic meeting the attack language coding specification from the filtered initial network traffic.
Optionally, the extracting network traffic meeting the attack language coding specification from the filtered initial network traffic includes:
selecting a target attack language coding specification matched with the attack type based on the attack type to be identified by the filtered initial network flow;
and taking the network flow meeting the target attack language coding specification in the filtered initial network flow as the network flow meeting the attack language requirement.
The embodiment of the application also provides an attack detection device, which comprises an acquisition unit and a matching unit;
the acquiring unit is used for acquiring network traffic meeting the requirement of attack language;
the matching unit is used for judging that the behavior of the network flow is successful in uploading attack under the condition that the network flow meets the set attack condition; wherein the attack condition comprises a file uploading path and/or an access rule.
Optionally, the matching unit includes a judging subunit and a determining subunit;
the judging subunit is configured to judge whether an attack traffic in which a file upload path includes a static resource directory exists in the network traffic;
the determining subunit is configured to, when there is an attack traffic in which the file upload path includes a static resource directory in the network traffic, judge that a behavior of the attack traffic is that an upload attack is successful.
Optionally, the matching unit comprises a comparison subunit and a behavior matching subunit;
the comparison subunit is configured to match an access behavior of the network traffic with a set access rule;
and the behavior matching subunit is used for judging that the behavior of the network flow is successful in uploading attack under the condition that the access behavior of the network flow is matched with a set access rule.
Optionally, the behavior matching subunit is configured to determine whether source address information of a specific script file in an access history attacked device exists in the network traffic; and if the source address information of the specific script file in the access history attacked device exists in the network flow, judging that the behavior of the network flow is successful in uploading attack.
Optionally, the obtaining unit is configured to filter out network traffic matched with the feature lexicon from the initial network traffic.
Optionally, the obtaining unit includes a deleting subunit, a splicing subunit, and an extracting subunit;
the deleting subunit is configured to delete an interference character in the initial network traffic;
the splicing subunit is configured to splice the initial network traffic from which the interference characters are deleted to obtain filtered initial network traffic;
and the extraction subunit is used for extracting the network traffic which meets the attack language coding specification from the filtered initial network traffic.
Optionally, the extracting subunit is configured to select a target attack language coding specification matched with the attack type based on the attack type to be identified in the filtered initial network traffic, and to take the network traffic meeting the target attack language coding specification in the filtered initial network traffic as the network traffic meeting the attack language requirement.
An embodiment of the present application further provides an attack detection device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the attack detection method as claimed in any one of the above.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the steps of the attack detection method are implemented as any one of the above.
According to the technical scheme, the network flow meeting the attack language requirement is obtained, and the problem that an attacker deforms the network flow in the modes of coding, character splicing and the like can be effectively solved by setting the attack language requirement. And the network flow meeting the attack language requirement shows that the network flow accords with the uploading attack behavior. In order to realize the identification of whether the uploading attack behavior is successful or not, attack conditions can be set by depending on a file uploading path and/or an access rule, and the behavior of the attack flow can be judged to be successful in uploading attack under the condition that the network flow meets the set attack conditions. In the technical scheme, the network flow is acquired based on the attack language requirement, and the problem of network flow deformation is solved, so that the network flow of which the initial network flow contains the uploading attack behavior can be screened out. Whether uploading of the attack behaviors contained in the attack flow is successful or not can be effectively detected based on the set attack conditions, and the detection rate of the successful uploading attack behaviors is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application, the drawings needed for the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a schematic view of a scenario for detecting an upload attack behavior according to an embodiment of the present application;
Fig. 2 is a flowchart of an attack detection method according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for multi-angle attack detection according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an attack detection device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
In order that those skilled in the art will better understand the disclosure, the following detailed description is given with reference to the accompanying drawings.
Currently, webshell upload success detection mainly matches the captured network traffic against feature words. To evade the security device, an attacker often deforms the effective attack payload by encoding, character splicing and similar means, so that its surface form becomes more complex and irregular; the security device then finds no matching feature word and lets the traffic through, and the detection rate for successful webshell uploads is low.
Therefore, the embodiments of the present application provide an attack detection method, an attack detection apparatus, an attack detection device and a computer-readable storage medium. Network traffic meeting the attack language requirement is obtained, and setting that requirement effectively addresses the problem of an attacker deforming the network traffic by encoding, character splicing and the like. Network traffic meeting the attack language requirement is in a data format the system can recognize, and it conforms to upload attack behavior. To determine whether the upload attack actually succeeded, however, the network traffic still has to be compared against the attack condition; the behavior of the attack traffic is judged a successful upload attack only when the traffic meets the set attack condition.
Fig. 1 is a schematic view of a scenario for detecting upload attack behavior according to an embodiment of the present application. To effectively address the problem of an attacker deforming network traffic by encoding, character splicing and the like, an attack language requirement may be set; after the initial network traffic is obtained, the network traffic meeting the attack language requirement is extracted from it. Network traffic that meets the attack language requirement is taken to contain upload attack behavior. To identify whether the upload attack succeeded, the network traffic may be matched against a set attack condition, which may include a file upload path and/or an access rule. When the network traffic meets the set attack condition, the behavior of the attack traffic is judged a successful upload attack. In this scheme, the network traffic within the initial network traffic that contains upload attack behavior can be screened out by relying on the attack language requirement, and whether that upload attack behavior succeeded can be effectively detected based on the set attack condition, improving the detection rate of successful upload attack behavior.
Next, an attack detection method provided in the embodiments of the present application is described in detail. Fig. 2 is a flowchart of an attack detection method provided in an embodiment of the present application, where the method includes:
s201: and acquiring network traffic meeting the attack language requirement.
In order to effectively solve the problem that an attacker deforms the network traffic in the modes of coding, character splicing and the like, the attack language requirement can be set.
In the embodiment of the present application, the attack language requirement may include a traditional feature word library, and may also include an attack language coding specification.
Taking a traditional feature word bank as an example, in the embodiment of the present application, feature words corresponding to successful uploading of an uploading attack behavior may be recorded in a feature word bank manner, and a network traffic matched with the feature word bank in the initial network traffic is screened out.
Taking the coding specification of the attack language as an example, each language has its corresponding coding specification. In the embodiment of the present application, in order to detect whether the uploading attack is successful, a network traffic meeting the uploading attack needs to be screened first.
The attack language coding specification may include a coding specification of an upload attack behavior, and when there is network traffic satisfying the attack language coding specification in the network traffic, it is indicated that the network traffic satisfying the attack language coding specification is most likely to include an upload attack behavior.
In consideration of practical application, in order to bypass detection of the security device, an attacker often performs deformation processing on an effective attack load in network traffic in a coding mode, a character splicing mode and the like.
In order to effectively solve the problem that an attacker deforms the network traffic in the modes of coding, character splicing and the like, the initial network traffic can be filtered after being acquired. In the embodiment of the application, the filtering mode of the network traffic can be set based on the interference characters. The filtered initial network flow can be obtained by deleting the interference characters in the initial network flow and splicing the initial network flow after the interference characters are deleted.
In order to extract the network traffic meeting the uploading attack behavior, an attack language coding specification can be set, and the network traffic meeting the attack language coding specification in the filtered initial network traffic is extracted. When the network traffic meets the attack language coding specification, the network traffic is most likely to include an uploading attack behavior.
The interference characters may be meaningless characters interspersed between normal characters, e.g. %, #, ? and the like.
The presence of interference characters makes otherwise normal network traffic appear garbled; deleting them effectively removes the garbling so that the system can carry out the subsequent analysis of the traffic.
It should be noted that in the embodiment of the present application the network traffic may be acquired by relying on the traditional feature lexicon alone, or on the attack language coding specification alone. It may also be acquired using both the feature lexicon and the attack language coding specification, and the order of the two is not limited. For example, the network traffic matched with the feature lexicon may first be screened out of the initial network traffic, that traffic then filtered, and the traffic meeting the attack language coding specification extracted from the filtered traffic. Alternatively, the initial network traffic may be filtered first, the traffic meeting the attack language coding specification extracted from the filtered initial network traffic, and the traffic matched with the feature lexicon then screened out of that result.
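The following is an added worked example of S201, not code from the patent or from Sangfor: it normalizes constructed request bodies by undoing percent-encoding (an assumption about what the "coding" deformation looks like), deleting interference characters that sit between word characters and splicing the fragments, then keeps only traffic that matches both a feature lexicon and the coding specification selected for the attack type under test. The lexicon, the per-type coding specifications, and the sample bodies are all constructed assumptions; the text gives the categories but not their contents. Carrying a specification table keyed by attack type also illustrates the per-type selection the description introduces later.

```python
import re
import urllib.parse

# Interference characters named in the description (%, #, ?). They are removed
# only where they sit between word characters, i.e. where they were interspersed
# inside a token, so language punctuation such as "<?php" survives. Treating a
# run of them as one unit is an assumption.
INTERFERENCE_RE = re.compile(r"(?<=\w)[%#?]+(?=\w)")

# Constructed feature lexicon (the patent's own lexicon is not on the page):
# calls a defender would expect to see in an uploaded script probe.
FEATURE_LEXICON = ("eval(", "system(", "phpinfo(")

# Constructed per-attack-type "coding specifications": a minimal check that the
# normalized payload is well-formed code in the target language. Assumptions.
CODING_SPECS = {
    "php": re.compile(r"<\?php\b.*?\?>", re.DOTALL | re.IGNORECASE),
    "asp": re.compile(r"<%.*?%>", re.DOTALL),
}


def normalize(raw: str) -> str:
    """Undo percent-encoding (assumed form of the 'coding' deformation), delete
    interspersed interference characters, and splice the fragments together."""
    decoded = urllib.parse.unquote(raw)
    return INTERFERENCE_RE.sub("", decoded)


def matches_lexicon(text: str) -> bool:
    """Traditional route: at least one feature word is present."""
    lowered = text.lower()
    return any(word in lowered for word in FEATURE_LEXICON)


def matches_coding_spec(text: str, attack_type: str) -> bool:
    """Coding-specification route, using the spec selected for attack_type."""
    spec = CODING_SPECS.get(attack_type)
    return spec is not None and spec.search(text) is not None


def select_attack_traffic(flows, attack_type):
    """Return the flows meeting the attack language requirement: after
    normalization they match the lexicon AND the selected coding spec.
    The text leaves the order of the two checks open; both are applied here."""
    selected = []
    for flow in flows:
        body = normalize(flow["body"])
        if matches_lexicon(body) and matches_coding_spec(body, attack_type):
            selected.append({**flow, "normalized": body})
    return selected


# Constructed sample request bodies (not captured traffic).
SAMPLE_FLOWS = [
    # 1: deformed PHP probe; '#' and '?' split tokens and "()" is percent-encoded
    {"id": 1, "body": "<?p#hp ph?pinfo%28%29; ?>"},
    # 2: ordinary form data from a benign upload
    {"id": 2, "body": "title=holiday&desc=beach%20photo"},
    # 3: well-formed PHP with no lexicon hit (the coding spec alone is not enough)
    {"id": 3, "body": "<?php echo 'hello'; ?>"},
    # 4: lexicon hit inside an ASP page (selected only when "asp" is under test)
    {"id": 4, "body": "<% Response.Write(\"phpinfo()\") %>"},
]

if __name__ == "__main__":
    for attack_type in CODING_SPECS:
        hits = select_attack_traffic(SAMPLE_FLOWS, attack_type)
        print(attack_type, [(f["id"], f["normalized"]) for f in hits])
```

Flow 1 normalizes to `<?php phpinfo(); ?>` and is selected for the PHP type; flow 4 is selected only for ASP, and flows 2 and 3 are never selected, which is the point of requiring both the lexicon and the coding specification rather than either alone.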
S202: and under the condition that the network flow meets the set attack condition, judging that the behavior of the network flow is successful in uploading attack.
And under the condition that the network flow meets the set attack condition, judging the behavior of the attack flow as successful uploading attack.
The attack condition may be a characteristic exhibited when the upload attack behavior is successful in the upload. In order to detect whether the uploading attack is successful, the network traffic may be compared with the set attack condition. And under the condition that the network flow meets the set attack condition, judging that the behavior of the attack flow is successful uploading attack.
In the embodiment of the present application, the attack condition may include a file upload path and/or an access rule.
Taking the file upload path as an example: most unknown business systems on the network are secondary-development projects built on known components, and because of their high availability and flexibility these components commonly implement the upload function with a rich text editor plug-in. The number of currently known rich text editors is limited (eWebEditor, KindEditor, etc.), so in the embodiment of the present application the path feature can be set based on the traffic characteristics of attachments uploaded through rich text editor plug-ins.
In an upload attack the attack attachment is uploaded to a path on the server under a static resource directory, so in practice one can judge whether the network traffic contains attack traffic whose file upload path includes a static resource directory. If such attack traffic exists in the network traffic, its behavior can be judged a successful upload attack.
Taking the access rule as an example, when the network traffic contains an upload attack behavior, the network traffic often relates to access to a specific file, and therefore in the embodiment of the present application, the access rule may be set based on the specific file accessed by the upload attack behavior.
In practical application, the access behavior of the network flow can be matched with a set access rule; and under the condition that the access behavior of the network flow is matched with the set access rule, judging that the behavior of the network flow is successful in uploading attack.
It should be noted that, in the embodiment of the present application, whether the behavior of the attack traffic is successful in the upload attack may be identified based on the file upload path, or whether the behavior of the attack traffic is successful in the upload attack may be identified based on the access rule. In addition, the file uploading path and the access rule can be combined to identify whether the behavior of the attack traffic is successful in uploading attack. In practical application, when the two identification modes are combined, the execution sequence of the two identification modes is not limited, for example, whether the behavior of the attack flow is successful in uploading attack or not can be identified based on the file uploading path; when the target network traffic of which the file uploading path does not contain the static resource directory exists in the network traffic, the access behavior of the target network traffic can be further matched with the set access rule. Or the access behavior of the network flow can be matched with the set access rule; and under the condition that the access behavior of the network flow is not matched with the set access rule, judging whether the attack flow of the file uploading path containing the static resource directory exists in the network flow.
In the embodiment of the application, after the behavior of the attack flow is judged to be successful uploading attack, the alarm information can be generated, so that a manager can find the uploading attack behavior in time, thereby taking effective measures and reducing the adverse effect of the uploading attack behavior on a network system to the maximum extent.
According to the technical scheme, the network flow meeting the attack language requirement is obtained, and the problem that an attacker deforms the network flow in the modes of coding, character splicing and the like can be effectively solved by setting the attack language requirement. And the network flow meeting the attack language requirement shows that the network flow accords with the uploading attack behavior. In order to realize the identification of whether the uploading attack behavior is successful or not, attack conditions can be set by depending on a file uploading path and/or an access rule, and the behavior of the attack flow can be judged to be successful in uploading attack under the condition that the network flow meets the set attack conditions. In the technical scheme, the network flow is acquired based on the attack language requirement, and the problem of network flow deformation is solved, so that the network flow of which the initial network flow contains the uploading attack behavior can be screened out. Whether the uploading attack behavior contained in the attack flow is successfully uploaded or not can be effectively detected based on the set attack conditions, and the detection rate of the successful uploading attack behavior is improved.
In the embodiment of the application, when the attack detection is performed on the network traffic, the file uploading path and the access rule belong to different analysis angles, and in order to improve the detection rate of the successful uploading attack behavior, the file uploading path and the access rule can be combined to identify whether the behavior of the attack traffic is successful in uploading attack. Fig. 3 is a flowchart of a method for multi-angle attack detection according to an embodiment of the present application, where the method includes:
s301: and acquiring network traffic meeting the attack language requirement.
The implementation of S301 may participate in the introduction of S201, and is not described herein again.
S302: and judging whether the network flow has attack flow of a file uploading path containing a static resource directory.
If there is an attack traffic in which the file upload path includes a static resource directory in the network traffic, S303 is executed. If there is a target network traffic in which the file upload path does not include the static resource directory in the network traffic, S304 is executed.
S303: and judging the behavior of the attack traffic as successful uploading attack.
S304: and matching the access behavior of the target network flow with the set access rule.
When the network traffic contains the uploading attack behavior, the network traffic often relates to access to a specific file, so in the embodiment of the application, the access rule may be set based on the specific file accessed by the uploading attack behavior. The specific file can be an important file affecting system security under the static resource directory.
When there is a target network traffic in which the file upload path does not include the static resource directory in the network traffic, in order to further confirm whether the upload attack behavior in the target network traffic is successfully uploaded, the access behavior of the target network traffic may be matched with the set access rule.
S305: and under the condition that the access behavior of the target network flow is matched with the set access rule, judging that the behavior of the target network flow is successful in uploading attack.
In practical application, whether source address information of a specific script file in an access history attacked device exists in target network traffic can be judged.
Wherein, the specific script file can be a file in a static resource directory in the historical attacked device. For example, an executable script file under a static resource directory, such as a PHP (Hypertext Preprocessor) file.
If the source address information of the specific script file in the access history attacked device exists in the target network flow, the behavior of the target network flow can be judged to be successful uploading attack.
In the embodiment of the application, the problem of network flow deformation is solved by acquiring the network flow meeting the requirement of the attack language. Depending on the attack language requirements, network traffic whose initial network traffic contains upload attacks may be screened out. Based on the file uploading path, whether the uploading attack behavior contained in the network flow is successful or not can be detected. Under the condition that the file uploading path contains the attack traffic of the static resource directory in the network traffic, the behavior of the attack traffic can be judged to be successful uploading attack. When the target network traffic of which the file uploading path does not contain the static resource directory exists in the network traffic, the access behavior of the target network traffic can be matched with the set access rule. And under the condition that the access behavior of the target network flow is matched with the set access rule, judging that the behavior of the target network flow is successful in uploading attack. In the technical scheme, whether the uploading attack behavior is successful or not is detected based on the file uploading path and the set access rule, the uploading attack behavior can be analyzed from different angles, and the detection rate of the successful uploading attack behavior is further improved.
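The two analysis angles of Fig. 3 (S302 to S305), as an added example that is not code from the patent or from Sangfor: it takes flows already selected at the attack-language stage, first tests whether the upload path contains a static resource directory, and on a miss matches the source address against an access rule built from the history of devices already known to have been attacked. The static directory names, the script extensions, the attacked-host set, and the sample flows and history (RFC 5737 documentation addresses, `example.test` hosts) are constructed assumptions; the text names only the categories. An alert record per confirmed success stands in for the alarm information the description mentions.

```python
# Constructed static resource directories. The text names the category but not
# the directory names; these are assumptions.
STATIC_DIRS = ("/static/", "/uploads/", "/images/", "/attachments/")

# Constructed extensions for the "specific script file" (the text gives PHP as an example).
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".jsp")

# Constructed set of devices already known to have been attacked.
ATTACKED_HOSTS = {"cms.example.test"}


def path_in_static_dir(path: str) -> bool:
    """S302: does the file upload path contain a static resource directory?"""
    lowered = path.lower()
    return any(d in lowered for d in STATIC_DIRS)


def build_access_rule(history_events):
    """Access rule as the description frames it: the set of source addresses
    that, in the access history of attacked devices, fetched a script file
    under a static resource directory."""
    sources = set()
    for ev in history_events:
        path = ev["path"].lower()
        if (ev["host"] in ATTACKED_HOSTS
                and path_in_static_dir(path)
                and path.endswith(SCRIPT_EXTS)):
            sources.add(ev["src"])
    return sources


def judge_upload(flow, access_rule):
    """Fig. 3 ordering: path check first (S302/S303); on a miss, match the
    source against the access rule (S304/S305). Returns the reason for a
    'successful upload attack' verdict, or None when neither angle fires."""
    if path_in_static_dir(flow["upload_path"]):
        return "upload path contains a static resource directory"
    if flow["src"] in access_rule:
        return "source previously accessed a script file on an attacked device"
    return None


def detect(attack_flows, history_events):
    """Run both angles over flows already selected as containing upload attack
    behavior and emit one alert record per confirmed successful upload."""
    rule = build_access_rule(history_events)
    alerts = []
    for flow in attack_flows:
        reason = judge_upload(flow, rule)
        if reason is not None:
            alerts.append({"flow": flow["id"], "src": flow["src"], "reason": reason})
    return alerts


# Constructed access history (not real logs).
HISTORY_EVENTS = [
    {"src": "198.51.100.7", "host": "cms.example.test", "path": "/uploads/2021/a.php"},
    {"src": "203.0.113.5", "host": "cms.example.test", "path": "/uploads/2021/logo.png"},
    # script fetch, but the host is not in the attacked-device set
    {"src": "192.0.2.44", "host": "shop.example.test", "path": "/uploads/b.php"},
]

# Constructed flows that passed the attack-language stage (S301).
ATTACK_FLOWS = [
    {"id": 1, "src": "203.0.113.9", "upload_path": "/static/upload/image/x.php"},
    {"id": 2, "src": "198.51.100.7", "upload_path": "/tmp/session/x.php"},
    {"id": 3, "src": "203.0.113.5", "upload_path": "/tmp/session/y.php"},
    {"id": 4, "src": "192.0.2.44", "upload_path": "/tmp/session/z.php"},
]

if __name__ == "__main__":
    for alert in detect(ATTACK_FLOWS, HISTORY_EVENTS):
        print(alert)
```

Flow 1 is confirmed by the path angle alone, flow 2 only by the access rule (its upload path is outside every static directory, but its source fetched `a.php` from the attacked host), and flows 3 and 4 stay unconfirmed: one source only fetched an image, the other fetched a script from a host not known to be attacked. Keeping the reason on the alert lets an analyst see which angle fired.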
Upload attacks come in various types, and different upload attack types correspond to different language coding specifications. Therefore, in the embodiment of the present application, an attack language coding specification corresponding to each attack type may be set so that various types of attack can be detected.
In practice, for the filtered initial network traffic, a target attack language coding specification matching the attack type to be identified may be selected on the basis of that attack type, and the network traffic in the filtered initial network traffic that meets the target attack language coding specification is taken as the network traffic meeting the attack language requirement.
By setting an attack language coding specification for each type of attack behavior, the scope of upload attack detection is widened and different types of attack can be detected.
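The acquisition step described across this part of the specification (deleting interference characters, splicing the remainder, and then keeping only traffic that meets the coding specification selected for the attack type) is illustrated below. This is an added example for this page, not code from the patent or the applicant: the feature lexicon, the regex rules standing in for each "attack language coding specification", the two-rule threshold and the sample upload payloads are all constructed assumptions.

```python
"""Attack language filter for upload traffic: strip interference characters, splice the
fragments back together and match the result against the coding specification of the
attack type being hunted.

Added example, not code from the patent. The feature lexicon, the regex rules that stand in
for each attack language coding specification, the two-rule threshold and the sample payloads
are all constructed assumptions for illustration.
"""
import html
import re
from typing import Dict, List
from urllib.parse import unquote

# Assumed feature lexicon: cheap substring pre-filter applied before the regex rules.
FEATURE_LEXICON = ("<?", "<%", "eval", "exec", "system", "assert", "$_", "request.", "runtime")

# Assumed per-attack-type coding specifications: (rule name, pattern that the language must show).
CODING_SPECS = {
    "php": [
        ("php_tag", re.compile(r"<\?(php|=)", re.I)),
        ("dangerous_call", re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\b", re.I)),
        ("superglobal_input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")),
    ],
    "jsp": [
        ("jsp_directive", re.compile(r"<%@\s*page", re.I)),
        ("runtime_exec", re.compile(r"Runtime\.getRuntime\(\)\.exec")),
        ("request_param", re.compile(r"request\.getParameter")),
    ],
}
MIN_RULES = 2  # assumed: a payload meets a specification when at least two of its rules fire

_COMMENT = re.compile(r"/\*.*?\*/", re.S)                     # inline comments used to split tokens
_INTERFERENCE = re.compile("[\x00\u200b\u200c\u200d\ufeff]")  # NUL and zero-width characters
_SPLICE_DQ = re.compile(r'"([^"]*)"\s*[.+]\s*"([^"]*)"')      # "ev"."al" or "ev"+"al"
_SPLICE_SQ = re.compile(r"'([^']*)'\s*[.+]\s*'([^']*)'")


def normalize_payload(raw: str, max_decode: int = 3) -> str:
    """Undo encoding, delete interference characters and splice string fragments."""
    s = raw
    for _ in range(max_decode):  # peel nested URL encoding layer by layer
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)
    s = _INTERFERENCE.sub("", s)
    s = _COMMENT.sub("", s)      # eva/**/l -> eval
    prev = None
    while prev != s:             # "ev"."al" -> "eval", repeated until nothing is left to join
        prev = s
        s = _SPLICE_DQ.sub(r'"\1\2"', s)
        s = _SPLICE_SQ.sub(r"'\1\2'", s)
    return re.sub(r"\s+", " ", s).strip()


def match_spec(normalized: str, attack_type: str) -> List[str]:
    """Names of the rules of the selected coding specification that fire on the normalized payload."""
    lowered = normalized.lower()
    if not any(token in lowered for token in FEATURE_LEXICON):
        return []
    return [name for name, rx in CODING_SPECS[attack_type] if rx.search(normalized)]


def select_attack_traffic(payloads: List[str], attack_type: str) -> List[Dict[str, object]]:
    """Keep the payloads meeting the coding specification of attack_type, with normalized form and rules hit."""
    kept = []
    for raw in payloads:
        norm = normalize_payload(raw)
        hits = match_spec(norm, attack_type)
        if len(hits) >= MIN_RULES:
            kept.append({"raw": raw, "normalized": norm, "hits": hits})
    return kept


# Constructed sample uploads: a URL-encoded PHP shell with a spliced function name, a PHP shell
# split by an inline comment, a benign form body and a JSP shell.
SAMPLE_UPLOADS = [
    "%3C%3Fphp%20%24f%3D%22ev%22.%22al%22%3B%20%24f(%24_POST%5B'c'%5D)%3B%20%3F%3E",
    '<?php eva/**/l($_REQUEST["c"]);?>',
    "file=cat.png&size=large",
    '<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>',
]

if __name__ == "__main__":
    for attack_type in CODING_SPECS:
        for hit in select_attack_traffic(SAMPLE_UPLOADS, attack_type):
            print(attack_type, hit["hits"], hit["normalized"])
```

Selecting the specification per attack type matters: the JSP shell trips one PHP rule (`exec`) but not the two required, so it is only reported when the JSP specification is the target, while the PHP payloads become recognizable only after the comment is deleted and the `"ev"."al"` fragments are spliced.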
Fig. 4 is a schematic structural diagram of an attack detection apparatus provided in an embodiment of the present application, comprising an obtaining unit 41 and a matching unit 42:
the obtaining unit 41 is configured to obtain network traffic meeting the attack language requirement;
the matching unit 42 is configured to judge that the behavior of the network traffic is a successful upload attack when the network traffic meets a set attack condition, wherein the attack condition comprises a file upload path and/or an access rule.
Optionally, the matching unit comprises a judging subunit and a determining subunit:
the judging subunit is configured to judge whether the network traffic contains attack traffic whose file upload path includes a static resource directory;
the determining subunit is configured to determine that the behavior of the attack traffic is a successful upload attack when the network traffic contains attack traffic whose file upload path includes a static resource directory.
Optionally, the matching unit comprises a comparison subunit and a behavior matching subunit:
the comparison subunit is configured to match the access behavior of the network traffic against the set access rule;
the behavior matching subunit is configured to judge that the behavior of the network traffic is a successful upload attack when the access behavior of the network traffic matches the set access rule.
Optionally, the behavior matching subunit is configured to judge whether the network traffic contains source address information of a request accessing a specific script file on a historically attacked device, and, if so, to judge that the behavior of the network traffic is a successful upload attack.
Optionally, the obtaining unit is configured to screen out, from the initial network traffic, the network traffic that matches a feature lexicon.
Optionally, the obtaining unit comprises a deleting subunit, a splicing subunit and an extracting subunit:
the deleting subunit is configured to delete interference characters from the initial network traffic;
the splicing subunit is configured to splice the initial network traffic from which the interference characters have been deleted, obtaining the filtered initial network traffic;
the extracting subunit is configured to extract, from the filtered initial network traffic, the network traffic that meets the attack language coding specification.
Optionally, the extracting subunit is configured to select, on the basis of the attack type to be identified for the filtered initial network traffic, a target attack language coding specification matching that attack type, and to take the network traffic in the filtered initial network traffic that meets the target attack language coding specification as the network traffic meeting the attack language requirement.
For the description of the features of the embodiment corresponding to Fig. 4, reference may be made to the related description of the embodiments corresponding to Fig. 2 and Fig. 3, which is not repeated here.
According to the technical solution, the network traffic meeting the attack language requirement is obtained; by setting that requirement, the problem of an attacker deforming network traffic by means such as encoding and character splicing is addressed, and network traffic that meets the requirement is traffic that conforms to upload attack behavior. To identify whether the upload attack succeeded, an attack condition may be set on the basis of the file upload path and/or an access rule, and the behavior of the attack traffic is judged to be a successful upload attack when the network traffic meets the set attack condition. In this technical solution, the network traffic is acquired on the basis of the attack language requirement, which resolves the deformation problem and so allows the network traffic containing an upload attack to be screened out of the initial network traffic. Whether the upload attack contained in the attack traffic succeeded can then be detected effectively on the basis of the set attack condition, improving the detection rate of successful upload attacks.
Fig. 5 is a schematic structural diagram of an attack detection device 50 provided in an embodiment of the present application, comprising:
a memory 51 for storing a computer program;
a processor 52 for executing the computer program to implement the steps of any of the attack detection methods described above.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of any one of the above attack detection methods are implemented.
The attack detection method, apparatus, device and computer-readable storage medium provided by the embodiments of the present application have been described in detail above. The embodiments are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts may be referred to across embodiments. Since the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points can be found in the description of the method. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principle, and such improvements and modifications also fall within the scope of the claims of the present application.
Those skilled in the art will further appreciate that the illustrative units and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or a combination of both; to illustrate this interchangeability of hardware and software clearly, the components and steps above have been described generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends on the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in different ways for each particular application, but such implementation decisions should not be interpreted as departing from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (7)

1. An attack detection method, comprising:
acquiring network traffic meeting an attack language requirement;
wherein an attack condition comprises a file upload path and an access rule;
when the attack condition is the access rule, judging whether the network traffic contains source address information of a request accessing a specific script file on a historically attacked device;
if the network traffic contains source address information of a request accessing a specific script file on a historically attacked device, judging that the behavior of the network traffic is a successful upload attack;
when the attack condition is the file upload path, judging whether the network traffic contains attack traffic whose file upload path includes a static resource directory;
and when the network traffic contains attack traffic whose file upload path includes a static resource directory, judging that the behavior of the attack traffic is a successful upload attack.
2. The attack detection method according to claim 1, wherein acquiring network traffic meeting the attack language requirement comprises:
screening out, from initial network traffic, the network traffic that matches a feature lexicon.
3. The attack detection method according to claim 1, wherein acquiring network traffic meeting the attack language requirement comprises:
deleting interference characters from initial network traffic, and splicing the initial network traffic from which the interference characters have been deleted, to obtain filtered initial network traffic;
and extracting, from the filtered initial network traffic, the network traffic that meets an attack language coding specification.
4. The attack detection method according to claim 3, wherein extracting, from the filtered initial network traffic, the network traffic that meets the attack language coding specification comprises:
selecting, on the basis of the attack type to be identified for the filtered initial network traffic, a target attack language coding specification matching that attack type;
and taking the network traffic in the filtered initial network traffic that meets the target attack language coding specification as the network traffic meeting the attack language requirement.
5. An attack detection apparatus, characterized by comprising an obtaining unit and a matching unit;
the obtaining unit is configured to acquire network traffic meeting an attack language requirement;
wherein an attack condition comprises a file upload path and an access rule;
when the attack condition is the access rule, the matching unit comprises a comparison subunit and a behavior matching subunit;
the comparison subunit is configured to match the access behavior of the network traffic against a set access rule;
the behavior matching subunit is configured to judge whether the network traffic contains source address information of a request accessing a specific script file on a historically attacked device, and, if so, to judge that the behavior of the network traffic is a successful upload attack;
when the attack condition is the file upload path, the matching unit comprises a judging subunit and a determining subunit;
the judging subunit is configured to judge whether the network traffic contains attack traffic whose file upload path includes a static resource directory;
the determining subunit is configured to determine, when the network traffic contains attack traffic whose file upload path includes a static resource directory, that the behavior of the attack traffic is a successful upload attack.
6. An attack detection device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the attack detection method according to any one of claims 1 to 4.
7. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the attack detection method according to any one of claims 1 to 4.
CN202110700489.3A 2021-06-23 2021-06-23 Attack detection method, device, equipment and medium Active CN113329032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110700489.3A CN113329032B (en) 2021-06-23 2021-06-23 Attack detection method, device, equipment and medium


Publications (2)

Publication Number Publication Date
CN113329032A CN113329032A (en) 2021-08-31
CN113329032B true CN113329032B (en) 2023-02-03

Family

ID=77424534

Country Status (1)

Country Link
CN (1) CN113329032B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108268774A (en) * 2017-01-04 2018-07-10 阿里巴巴集团控股有限公司 The determination method and device of query-attack
CN109040071A (en) * 2018-08-06 2018-12-18 杭州安恒信息技术股份有限公司 A kind of confirmation method of WEB backdoor attack event
CN111163095A (en) * 2019-12-31 2020-05-15 奇安信科技集团股份有限公司 Network attack analysis method, network attack analysis device, computing device, and medium
CN111614599A (en) * 2019-02-25 2020-09-01 北京金睛云华科技有限公司 Webshell detection method and device based on artificial intelligence

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101834866B (en) * 2010-05-05 2013-06-26 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN103312692B (en) * 2013-04-27 2016-09-14 深信服网络科技(深圳)有限公司 Chained address safety detecting method and device
CN104935609A (en) * 2015-07-17 2015-09-23 北京京东尚科信息技术有限公司 Network attack detection method and detection apparatus
CN105959335B (en) * 2016-07-19 2019-11-19 腾讯科技(深圳)有限公司 A kind of attack detection method and relevant apparatus

Also Published As

Publication number Publication date
CN113329032A (en) 2021-08-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant