CN113569238A - Mimicry defense arbitration method and system - Google Patents
- Publication number: CN113569238A (application CN202110936555.7A)
- Authority: CN (China)
- Prior art keywords: target user, threat, information, user request, mimicry defense
- Legal status: Withdrawn (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
      - G06F11/00—Error detection; Error correction; Monitoring
        - G06F11/30—Monitoring
          - G06F11/3065—Monitoring arrangements determined by the means or processing involved in reporting the monitored data
      - G06F18/00—Pattern recognition
        - G06F18/20—Analysing
          - G06F18/24—Classification techniques
    - G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
      - G06N20/00—Machine learning
Abstract
The invention discloses a mimicry defense arbitration method and system. A mimicry defense log generated when a target user request accesses the mimicry defense system is acquired; key feature information of error information is extracted from that log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request and its log source is marked; the execution logs generated by same-function heterogeneous components of different executors are compared by feature arbitration according to a preset arbitration comparison rule based on the key feature information; and the threat degree generated by the target user request is classified and graded as alarm information, which is then output. The invention integrates machine learning into mimicry defense arbitration. When the key feature information is extracted, it can take full account of the fact that the output results of normal requests are expressed differently across heterogeneous executors, and of delays, request errors and similar conditions caused by executor performance problems, which helps reduce false alarms and excessive alarms in the mimicry defense system.
Description
Technical Field
The invention relates to the technical field of network security and data analysis, in particular to a mimicry defense arbitration method and a mimicry defense arbitration system.
Background
In recent years, active network defense technology has become a hot research direction for network security researchers. One such technology is dynamic heterogeneous redundancy, also called mimicry defense. Mimicry defense judges the results of running a user request on several executors in order to find out whether the user has initiated a malicious request aimed at a vulnerability of a particular type of executor. Once the system finds a malicious request, the abnormal executor is taken offline and cleaned according to the scheduling strategy and another normal executor is brought online, so the actual running structure of the whole mimicry defense system is dynamic. In practical application the executors differ in implementation method or implementation structure, that is, they are heterogeneous; an executor may be a specific software or hardware component, such as a database or an X86 chip, or a combination of software and hardware components, such as the server software under a web service architecture, the software operating environment, the database software, and the hardware carrier on which these software components run.
The existing arbitration method compares the running results of a user request on different executors for differences. However, this arbitration is too strict: the output results of normal requests are expressed differently across heterogeneous executors, and executor performance problems introduce delays, request errors and the like, so the existing method easily causes false alarms and over-alarms in the mimicry defense system. The scheduling and cleaning triggered by those false and excessive alarms also costs the mimicry defense system a certain amount of performance.
Disclosure of Invention
In view of this, the invention discloses a mimicry defense arbitration method and a mimicry defense arbitration system, so as to effectively reduce the situations of false alarm and excessive alarm of the mimicry defense system, and further reduce the performance loss of the mimicry defense system caused by scheduling cleaning due to the false alarm and the excessive alarm.
A mimicry defense arbitration method, comprising:
acquiring a mimicry defense log generated by a target user request accessing a mimicry defense system;
extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component;
gathering and fusing the key feature information under the corresponding target user request and marking its log source, wherein the log source comprises the executor that produced the mimicry defense log and the corresponding execution component within that executor;
based on the key feature information, performing feature arbitration comparison on the execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule, and classifying and grading the threat degree generated by the target user request as alarm information; and
outputting the classification and grading result of the alarm information of the threat degree generated by the target user request.
Optionally, the mimicry defense log comprises: the execution logs generated by the execution components of each level of the mimicry defense system and the arbitration log of the arbitrator in the mimicry defense system.
Optionally, the preset arbitration comparison rule includes:
(1) if the key feature information shows that the operation information in the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that this affects the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat to the execution components corresponding to the log sources;
(2) if the key feature information shows any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, and the logs generated by the executors are not affected, determining the threat degree generated by the target user request as a middle-level threat, and recording the error information as a threat to the execution component corresponding to the log source;
(3) if the key feature information contains only an error about the accessed file, which indicates that the visitor sending the target user request is probing or scanning the system's files and has no effect on any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat to the execution component corresponding to the log source;
(4) if the key feature information contains only a timeout error of the target user request, determining the threat degree of the target user request as no threat, and recording the error information as a timeout error of the execution component corresponding to the log source;
(5) if the content of the key feature information is empty, determining the target user request as a normal request, with no threat and no error record;
(6) comparing all heterogeneous components on their operation information based on the key feature information; if several execution components report errors, finding the execution component accessed last according to the access logic of the HTTP request, and recording the error information as a threat to that last accessed execution component.
Optionally, after the step of outputting the classification and grading result of the alarm information of the threat degree generated by the target user request, the method further includes:
if the target user request would generate a threat, intercepting the target user request.
Optionally, after the step of outputting the classification and grading result of the alarm information of the threat degree generated by the target user request, the method further includes:
if the target user request generates a high-level threat, sending a scheduling request to a scheduler, which takes the executor that generated the threat offline and clears its abnormal data.
Optionally, after the step of outputting the classification and grading result of the alarm information of the threat degree generated by the target user request, the method further includes:
if the target user request is normal, responding to the target user request directly to the user client.
A mimicry defense arbitration system, comprising:
an acquisition unit, configured to acquire a mimicry defense log generated by a target user request accessing the mimicry defense system;
an extraction unit, configured to extract key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component;
a fusion unit, configured to gather and fuse the key feature information under the corresponding target user request and to mark its log source, wherein the log source comprises the executor that produced the mimicry defense log and the corresponding execution component within that executor;
an arbitration comparison unit, configured to perform feature arbitration comparison on the execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule based on the key feature information, and to classify and grade the threat degree generated by the target user request as alarm information; and
an output unit, configured to output the classification and grading result of the alarm information of the threat degree generated by the target user request.
Optionally, the mimicry defense log comprises: the execution logs generated by the execution components of each level of the mimicry defense system and the arbitration log of the arbitrator in the mimicry defense system.
Optionally, the preset arbitration comparison rule includes:
(1) if the key feature information shows that the operation information in the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that this affects the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat to the execution components corresponding to the log sources;
(2) if the key feature information shows any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, and the logs generated by the executors are not affected, determining the threat degree generated by the target user request as a middle-level threat, and recording the error information as a threat to the execution component corresponding to the log source;
(3) if the key feature information contains only an error about the accessed file, which indicates that the visitor sending the target user request is probing or scanning the system's files and has no effect on any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat to the execution component corresponding to the log source;
(4) if the key feature information contains only a timeout error of the target user request, determining the threat degree of the target user request as no threat, and recording the error information as a timeout error of the execution component corresponding to the log source;
(5) if the content of the key feature information is empty, determining the target user request as a normal request, with no threat and no error record;
(6) comparing all heterogeneous components on their operation information based on the key feature information; if several execution components report errors, finding the execution component accessed last according to the access logic of the HTTP request, and recording the error information as a threat to that last accessed execution component.
Optionally, the system further includes:
an intercepting unit, configured to intercept the target user request when the target user request would generate a threat, after the output unit has output the classification and grading result of the alarm information of the threat degree generated by the target user request.
Optionally, the system further includes:
a scheduling unit, configured to send a scheduling request to the scheduler if the target user request generates a high-level threat, after the output unit has output the classification and grading result of the alarm information of the threat degree generated by the target user request; the scheduler then takes the executor that generated the threat offline and clears its abnormal data.
Optionally, the system further includes:
a request response unit, configured to respond to the target user request directly to the user client if the target user request is normal, after the output unit has output the classification and grading result of the alarm information of the threat degree generated by the target user request.
According to the above technical scheme, the invention discloses a mimicry defense arbitration method and system: a mimicry defense log generated by a target user request accessing the mimicry defense system is acquired; key feature information of error information is extracted from the log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request and its log source is marked; the execution logs generated by same-function heterogeneous components of different executors are compared by feature arbitration according to a preset arbitration comparison rule based on the key feature information; the threat degree generated by the target user request is classified and graded as alarm information; and the classification and grading result is output. The invention integrates machine learning into mimicry defense arbitration. It can trace the source of an attack behaviour carried in a user request, and when extracting the key feature information of the error information generated by each execution component it can take full account of the fact that the output results of normal requests are expressed differently across heterogeneous executors, and of delays, request errors and the like caused by executor performance problems. This helps reduce false alarms and excessive alarms in the mimicry defense system, which in turn reduces the performance loss that scheduling and cleaning triggered by such alarms imposes on the system, and promotes the application of mimicry defense technology in real systems.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the disclosed drawings without creative efforts.
FIG. 1 is a flowchart of a mimicry defense arbitration method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of the generation and collection of a mimicry defense log according to an embodiment of the present invention;
FIG. 3 is a flow chart of intelligent arbitration and voting according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a mimicry defense arbitration system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention discloses a mimicry defense arbitration method and system: a mimicry defense log generated by a target user request accessing the mimicry defense system is acquired; key feature information of error information is extracted from the log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request and its log source is marked; the execution logs generated by same-function heterogeneous components of different executors are compared by feature arbitration according to a preset arbitration comparison rule based on the key feature information; the threat degree generated by the target user request is classified and graded as alarm information; and the classification and grading result is output. The invention integrates machine learning into mimicry defense arbitration. It can trace the source of an attack behaviour carried in a user request, and when extracting the key feature information of the error information generated by each execution component it can take full account of the fact that the output results of normal requests are expressed differently across heterogeneous executors, and of delays, request errors and the like caused by executor performance problems. This helps reduce false alarms and excessive alarms in the mimicry defense system, which in turn reduces the performance loss that scheduling and cleaning triggered by such alarms imposes on the system, and promotes the application of mimicry defense technology in real systems.
Referring to fig. 1, a flowchart of a mimicry defense arbitration method disclosed in an embodiment of the present invention includes:
s101, acquiring a mimicry defense log generated by a target user requesting to access a mimicry defense system;
The mimicry defense log comprises: the execution logs generated by the execution components of each level of the mimicry defense system and the arbitration log of the arbitrator in the mimicry defense system.
In practical application, functional virtual modules such as a mimicry defense log pushing module and a log collecting module may be arranged in the controller; the log pushing module pushes the collected mimicry defense logs to the log collecting module in a unified JSON format or another data format.
The target user request may be an HTTP (Hypertext Transfer Protocol) request or an HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) request.
In practical application, all the mimicry defense logs generated by each user requesting to access the mimicry defense system within a preset time period can be obtained, and all the mimicry defense logs corresponding to the same user request are subjected to log aggregation to be determined as the mimicry defense logs generated by the target user requesting to access the mimicry defense system.
To aid understanding of how the mimicry defense log is generated and collected, fig. 2 shows the flow diagram disclosed in an embodiment of the invention. In fig. 2, A to X denote different execution components; in a web request, for example, they may denote the software execution stack from the server software down to the web backend database. n denotes the number of executors: the executor set in fig. 2 comprises n executors, where the 1st executor includes A1~X1, the 2nd executor includes A2~X2, the 3rd executor includes A3~X3, and so on, and the nth executor includes An~Xn, each a different set of execution components. The solid line in fig. 2 represents the user request processing flow and the dotted line represents the mimicry defense log collection flow. The user request processing flow is: the input submitted by the user is distributed to the different executors in the executor set for execution, and the execution results of the different executors are sent to the arbitrator, which may be a hardware device or a software device. The mimicry defense log collection flow is: the execution logs generated by the different execution components of each hierarchy and the arbitration logs of the arbitrator are pushed to the log collection module.
Step S102, extracting key characteristic information of error information from the mimicry defense log according to a preset characteristic extraction rule;
the preset feature extraction rule is to perform machine learning on the mimicry defense log sample, extract key feature information of error information generated by each execution component and determine the key feature information.
The extraction of the key characteristic information depends on the early-stage experience test of safety operation and maintenance personnel and the summary learning after the online operation of a defense system, wherein the early-stage experience test refers to the following steps: safety personnel preliminarily summarize the feature extraction rules in advance, then test is carried out by utilizing necessary safety and stability tests in a software development link, error information generated by each execution component is summarized according to a machine learning method, and key feature information of the error information is determined; the summary learning after the online operation of the system refers to: after the system is on line and handed to the user for use, the feature extraction and learning are continuously carried out as in the testing link.
The key feature information extraction aims at that the same components of different executors are heterogeneous, and even if the same components adopt equivalent functions, the implementation modes are different, so that the same error information and the same operation information generated by the heterogeneous components are different in expression form, at this time, feature extraction needs to be performed on the error information and the operation information generated by the heterogeneous components, and the same error information and the same operation information are searched, so that the situation that misinformation is generated by subsequent judgment is avoided.
S103, summarizing and fusing the key feature information under a corresponding target user request, and marking a log source;
in fig. 2, execution logs generated by each execution component in the mimicry defense system for one HTTP request or HTTPs request of a user are collected, key feature information of error information is extracted from the execution logs, the extracted key feature information is gathered and fused under the current request, and a log source is marked, where the log source includes an execution body of the mimicry defense log and an execution component corresponding to the execution body.
Step S104, based on the key feature information, performing feature arbitration comparison on the execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule, and classifying and grading the threat degree generated by the target user request as alarm information;
The preset arbitration comparison rule, that is, the conditions for classifying and grading the alarm information of the threat degree generated by the target user request, is as follows:
(1) If the key feature information of the error information shows that the operation information in the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that this affects the logs generated by the executors, the threat degree generated by the target user request is determined as a high-level threat, and the error information is recorded as a threat to the execution component corresponding to the log source of the key feature information.
(2) If the key feature information of the error information shows any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, and the logs generated by the executors are not affected, the threat degree generated by the target user request is determined as a middle-level threat, and the error information is recorded as a threat to the execution component corresponding to the log source of the key feature information.
(3) If neither condition (1) nor condition (2) applies and the key feature information of the error information contains only an error about the accessed file, this indicates that the visitor sending the target user request is probing or scanning the system's files, with no effect on any executor; the threat degree of the corresponding target user request is determined as a low-level threat, and the error information is recorded as a threat to the execution component corresponding to the log source of the key feature information.
(4) If none of conditions (1), (2) and (3) applies and only a timeout error of the target user request is found, the threat degree of the corresponding target user request is determined as no threat, and the error information is recorded as a timeout error of the execution component corresponding to the log source of the key feature information.
(5) If the key feature information content of the error information is empty, that is, neither error information nor an operation inconsistency was found, the corresponding target user request is determined as a normal request with no threat and no error record.
(6) All heterogeneous components are compared on their operation information based on the key feature information of the error information; if several execution components report errors, the execution component accessed last is found according to the access logic of the HTTP request, and the error information is recorded as a threat to that last accessed execution component.
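As an added illustration (not code from the patent), the following Python script fuses constructed JSON log records per request (steps S101 and S103) and applies the six arbitration comparison conditions above (step S104), including the rule (6) blame on the last accessed component. The executor names, component names, JSON field names, the server-to-database access order and the majority-vote reference for operation consistency are assumptions made for the example.

```python
import json
from collections import Counter, defaultdict

HIGH, MIDDLE, LOW, NONE = "high", "middle", "low", "none"

# Assumed executor set and access order of the execution components along an
# HTTP request, front to back. Rule (6) blames the component reached last.
EXECUTORS = ["E1", "E2", "E3"]
ACCESS_ORDER = ["server", "runtime", "database"]


def make_logs(request_id, overrides=()):
    """Build constructed log lines in a unified JSON format (field names are
    assumptions): every executor/component pair reports the same normal
    result unless an override for that pair says otherwise."""
    lines = []
    for ex in EXECUTORS:
        for comp in ACCESS_ORDER:
            rec = {"request_id": request_id, "executor": ex, "component": comp,
                   "op_result": "ok",     # normalized operation result
                   "error": None,         # key feature of the error information
                   "affected": False}     # did the error affect the executor's logs?
            for o in overrides:
                if o["executor"] == ex and o["component"] == comp:
                    rec.update(o)
            lines.append(json.dumps(rec))
    return lines


# Constructed sample: a normal request, a file-probing request, a request
# that breaks executor E2, and a request that merely times out on E3.
SAMPLE_LOGS = (
    make_logs("req-1")
    + make_logs("req-2", [{"executor": ex, "component": "server", "error": "file"}
                          for ex in EXECUTORS])
    + make_logs("req-3", [{"executor": "E2", "component": "runtime",
                           "error": "parse", "affected": True},
                          {"executor": "E2", "component": "database",
                           "op_result": "rows=2"}])
    + make_logs("req-4", [{"executor": "E3", "component": "runtime",
                           "error": "timeout", "op_result": None}])
)


def fuse_by_request(lines):
    """S103: gather the records of every executor and component under the
    request they belong to; each record keeps its log source."""
    fused = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        fused[rec["request_id"]].append(rec)
    return dict(fused)


def last_accessed(suspects):
    """Rule (6): when several components carry errors, record the threat
    against the component accessed last along the HTTP request path."""
    last = max({comp for _, comp in suspects}, key=ACCESS_ORDER.index)
    return {"component": last,
            "executors": sorted({ex for ex, comp in suspects if comp == last})}


def arbitrate(records):
    """S104: apply conditions (1)-(6) to the fused records of one request.
    Returns (threat_level, error_record); error_record is None for a normal
    request and otherwise names the blamed log source."""
    # Compare operation results of same-function components across executors.
    # Timed-out records are left out so a slow executor is not mistaken for an
    # inconsistent one (the false-alarm case the patent is concerned with);
    # the majority result is taken as the reference (assumption).
    results = defaultdict(list)
    for r in records:
        if r["error"] != "timeout":
            results[r["component"]].append((r["executor"], r["op_result"]))
    minority = []  # (executor, component) pairs disagreeing with the majority
    for comp, pairs in results.items():
        if pairs:
            majority = Counter(res for _, res in pairs).most_common(1)[0][0]
            minority += [(ex, comp) for ex, res in pairs if res != majority]
    inconsistent = bool(minority)

    errored = [r for r in records if r["error"] is not None]
    kinds = {r["error"] for r in errored}
    affected = any(r["affected"] for r in errored)
    suspects = [(r["executor"], r["component"]) for r in errored] + minority

    if not errored and not inconsistent:                                # (5)
        return NONE, None
    if inconsistent and affected:                                       # (1)
        return HIGH, last_accessed(suspects)
    if (inconsistent or kinds & {"syntax", "parse"}) and not affected:  # (2)
        return MIDDLE, last_accessed(suspects)
    if kinds == {"file"} and not inconsistent and not affected:         # (3)
        return LOW, last_accessed(suspects)
    if kinds == {"timeout"} and not inconsistent:                       # (4)
        return NONE, dict(last_accessed(suspects), timeout=True)
    # Not named by the six conditions (e.g. an error that affected the executor
    # without any inconsistency); escalating to high is this example's assumption.
    return HIGH, last_accessed(suspects)
```

Running `arbitrate` over each entry of `fuse_by_request(SAMPLE_LOGS)` grades req-1 as normal, req-2 as a low-level probe on every executor's server component, req-3 as a high-level threat blamed on E2's database (the last component on the path), and req-4 as no threat with a timeout record for E3's runtime.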
And step S105, outputting a classification and grading result of the warning information of the threat degree generated by the target user request.
In practical application, user requests can be divided into normal requests and abnormal requests according to whether they generate a threat. Abnormal requests include abnormalities of the system itself and abnormalities caused by user attacks, and the latter include the attack type used by the user.
The invention performs self-learning on the resource accessed by the user, the location of the abnormality and the classification of the alarm information, and intelligently grades the alarm level of abnormal requests.
Referring to fig. 3, a flow chart of intelligent arbitration and voting disclosed in an embodiment of the present invention: when each executor responds to the arbitrator, the arbitrator arbitrates the user response according to an arbitration algorithm and intelligence information, comparing the relevant content as in the arbitration described above. The intelligence information query module in fig. 3 intelligently arbitrates the user request according to the arbitration request sent by the arbitrator and returns the arbitration result information to the arbitrator. The arbitrator then intercepts or releases the user request according to the arbitration algorithm together with the alarm information classification and grading.
In summary, the invention discloses a mimicry defense arbitration method: a mimicry defense log generated by a target user request accessing the mimicry defense system is acquired; key feature information of error information is extracted from the log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request and its log source is marked; the execution logs generated by same-function heterogeneous components of different executors are compared by feature arbitration according to a preset arbitration comparison rule based on the key feature information; the threat degree generated by the target user request is classified and graded as alarm information; and the classification and grading result is output. The invention integrates machine learning into mimicry defense arbitration. It can trace the source of an attack behaviour carried in a user request, and when extracting the key feature information of the error information generated by each execution component it can take full account of the fact that the output results of normal requests are expressed differently across heterogeneous executors, and of delays, request errors and the like caused by executor performance problems. This helps reduce false alarms and excessive alarms in the mimicry defense system, which in turn reduces the performance loss that scheduling and cleaning triggered by such alarms imposes on the system, and promotes the application of mimicry defense technology in real systems.
To further optimize the above embodiment, after step S105, the method may further include:
if the target user request generates a threat, intercepting the target user request.
To further optimize the above embodiment, after step S105, the method may further include:
if the target user request generates a high-level threat, sending a scheduling request to a scheduler, which takes the execution body generating the threat offline and eliminates its abnormal data.
To further optimize the above embodiment, after step S105, the method may further include:
if the target user request is normal, responding to the user client directly with the normal response for the target user request.
Corresponding to the embodiment of the method, the invention also discloses a mimicry defense arbitration system.
Referring to fig. 4, a schematic structural diagram of a mimicry defense arbitration system disclosed in the embodiment of the present invention includes:
an obtaining unit 201, configured to obtain a mimicry defense log generated by a target user requesting to access a mimicry defense system;
wherein the mimicry defense log comprises: the execution logs generated by the execution components at each mimicry level and the arbitration log of the arbitrator in the mimicry defense system.
In practice, functional virtual modules such as a mimicry defense log pushing module and a log collecting module may be arranged in the controller; the mimicry defense log pushing module pushes the collected mimicry defense logs to the log collecting module in a unified JSON format or another data format.
An extracting unit 202, configured to extract key feature information of the error information from the mimicry defense log according to a preset feature extraction rule;
the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component.
The key feature extraction addresses the fact that the same-function components of different executors are heterogeneous: even where they provide equivalent functions, their implementations differ, so the same error information and the same operation information generated by heterogeneous components are expressed in different forms. Feature extraction is therefore performed on the error information and operation information generated by the heterogeneous components to find the error information and operation information that are in fact the same, so that the subsequent arbitration does not produce false alarms.
The merging unit 203 is configured to aggregate and merge the key feature information under the corresponding target user request, and mark a log source at the same time, where the log source includes: the execution body of the mimicry defense log and the corresponding execution component in the execution body;
an arbitration comparison unit 204, configured to perform feature arbitration comparison on the execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule based on the key feature information, and to classify and grade the threat degree generated by the target user request as alarm information;
the preset arbitration comparison rule, that is, the conditions for classifying and grading the alarm information of the threat degree generated by the target user request, is as follows:
(1) If the key feature information of the error information shows that the operation information in the execution logs generated by same-function heterogeneous components of different executors is inconsistent, and the inconsistency affects the logs generated by the executors, the threat degree generated by the target user request is determined to be a high-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key feature information.
(2) If the key feature information of the error information shows any one or more of a syntax error, a parse error and an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, without affecting the logs generated by the executors, the threat degree generated by the target user request is determined to be a middle-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key feature information.
(3) If neither condition (1) nor (2) holds and the only finding concerns the accessed file, this indicates that the visitor sending the target user request is probing or scanning the system's files without affecting any executor; the threat degree of the corresponding target user request is determined to be a low-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key feature information.
(4) If none of conditions (1), (2) and (3) holds and only a timeout error of the target user request is found, the threat degree of the corresponding target user request is determined to be no threat, and the error information is recorded as a timeout error of the execution component corresponding to the log source of the key feature information.
(5) If the key feature information of the error information is empty, that is, no error information and no operation inconsistency was extracted, the corresponding target user request is determined to be a normal request, with no threat and no error record.
(6) All heterogeneous components are compared on their operation information based on the key feature information of the error information; if several execution components show errors, the last accessed execution component is found according to the access logic of the HTTP request, and the error information is recorded as a threat of that last accessed execution component.
an output unit 205, configured to output the classification and grading result of the alarm information for the threat degree generated by the target user request.
In practice, user requests can be classified as normal or abnormal according to whether they generate a threat; abnormal requests comprise abnormalities of the system itself and abnormalities caused by user attacks, and the latter are further classified by the attack type used.
The invention performs self-learning on the resource accessed by the user, the position at which the abnormality occurred and the classification of the alarm information, and grades the alarm level of abnormal requests intelligently.
In summary, the invention discloses a mimicry defense arbitration system that obtains a mimicry defense log generated by a target user requesting access to the mimicry defense system, extracts key feature information of the error information from the log according to a preset feature extraction rule, gathers and fuses the key feature information under the corresponding target user request while marking its log source, compares the execution logs generated by same-function heterogeneous components of different executors by feature arbitration according to a preset arbitration comparison rule based on the key feature information, classifies and grades the threat degree generated by the target user request as alarm information, and outputs the classification and grading result. The invention integrates machine learning into the mimicry defense decision and can trace the attack behaviour of a user request to its source. When extracting the key feature information of the error information generated by each execution component, it takes into account that normal requests may produce differently expressed output across heterogeneous executors, and that executor performance problems may cause delays, request errors and the like. This helps reduce false alarms and excessive alarms in the mimicry defense system, which in turn reduces the performance loss of the scheduling and cleaning triggered by such alarms, and promotes the application of mimicry defense technology in real systems.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
an intercepting unit, configured to intercept the target user request when it generates a threat, after the output unit 205 has output the classification and grading result of the alarm information for the threat degree generated by the target user request.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
a scheduling unit, configured to send a scheduling request to a scheduler if the target user request generates a high-level threat, after the output unit 205 has output the classification and grading result of the alarm information for the threat degree generated by the target user request; the scheduler then takes the execution body generating the threat offline and eliminates its abnormal data.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
a request response unit, configured to respond to the user client directly with the normal response for the target user request if the request is normal, after the output unit 205 has output the classification and grading result of the alarm information for the threat degree generated by the target user request.
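As an added illustration, not code from the patent, the following Python routine applies rules (1) to (6) of the preset arbitration comparison rule (stated for the method embodiment and again for the system embodiment above) and the intercept, schedule and respond units to constructed key-feature records of one request. The component access order, the normalised error kinds, and reading "inconsistent" as deviation from the executor majority vote are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

# Assumed access logic of one HTTP request through an executor's components; rule (6) records
# the error against the last of these that shows one.
ACCESS_ORDER = ["web", "app", "db"]


class Threat(Enum):
    NONE = 0    # normal request, or only a timeout
    LOW = 1     # probing / scanning
    MEDIUM = 2  # syntax or parse error, or inconsistency without impact on the executor
    HIGH = 3    # operation inconsistency that affected the executor's own logs


@dataclass(frozen=True)
class KeyFeature:
    """Key feature information of one execution log, tagged with its log source."""
    executor: str                     # executive body that produced the log
    component: str                    # execution component inside that executor
    operation: str                    # normalised operation info for the request
    error_kind: Optional[str] = None  # syntax | parse | file_not_found | timeout | None (assumed vocabulary)
    affects_executor: bool = False    # whether the error changed the executor's own logs


@dataclass
class Verdict:
    threat: Threat
    records: List[Tuple[str, str, str]]  # (executor, component, note) written against the log source


def _suspects(features):
    # (executor, component) pairs whose operation info deviates from the majority of executors for
    # that same-function component (the mimicry vote); on a tie every executor of the component is suspect.
    by_comp = {}
    for f in features:
        by_comp.setdefault(f.component, []).append(f)
    out = set()
    for comp, fs in by_comp.items():
        counts = Counter(f.operation for f in fs)
        if len(counts) > 1:
            top, top_n = counts.most_common(1)[0]
            tie = sum(1 for n in counts.values() if n == top_n) > 1
            out |= {(f.executor, comp) for f in fs if tie or f.operation != top}
    return out


def _attribute(flagged, note):
    # Rule (6): per executor, keep only the last-accessed component among those with findings.
    last = {}
    for f in flagged:
        cur = last.get(f.executor)
        if cur is None or ACCESS_ORDER.index(f.component) > ACCESS_ORDER.index(cur.component):
            last[f.executor] = f
    return [(f.executor, f.component, note) for f in last.values()]


def arbitrate(features: List[KeyFeature]) -> Verdict:
    """Rules (1)-(6) of the preset arbitration comparison rule for one fused target user request."""
    suspects = _suspects(features)
    errors = [f for f in features if f.error_kind is not None]
    kinds = {f.error_kind for f in errors}
    flagged = [f for f in features
               if (f.executor, f.component) in suspects or f.error_kind in ("syntax", "parse")]
    if suspects and any(f.affects_executor for f in flagged):   # (1) inconsistency that hit the executor
        return Verdict(Threat.HIGH, _attribute(flagged, "threat"))
    if flagged:                                                 # (2) syntax/parse/inconsistency, no impact
        return Verdict(Threat.MEDIUM, _attribute(flagged, "threat"))
    if "file_not_found" in kinds:                               # (3) only a file error: probing/scanning
        return Verdict(Threat.LOW, _attribute(errors, "threat"))
    if kinds == {"timeout"}:                                    # (4) only timeouts: recorded, no threat
        return Verdict(Threat.NONE, _attribute(errors, "timeout"))
    return Verdict(Threat.NONE, [])                             # (5) empty: normal request, no record


def dispatch(verdict: Verdict) -> List[str]:
    """Post-output units: intercept any threat, escalate high-level threats to the scheduler, else respond."""
    if verdict.threat is Threat.NONE:
        return ["respond"]
    actions = ["intercept"]
    if verdict.threat is Threat.HIGH:   # scheduler takes the executor offline and clears its abnormal data
        actions += [f"schedule:{executor}" for executor, _c, _n in verdict.records]
    return actions


# Constructed sample: executors A, B, C, each reached web -> app -> db by one request.
def _clean(ex):
    return [KeyFeature(ex, "web", "GET /login"), KeyFeature(ex, "app", "auth_lookup"),
            KeyFeature(ex, "db", "select_user")]

HIGH_CASE = _clean("A") + [KeyFeature("B", "web", "GET /login"),
                           KeyFeature("B", "app", "exec_cmd", "syntax", affects_executor=True),
                           KeyFeature("B", "db", "select_user", "parse")] + _clean("C")
SCAN_CASE = [KeyFeature(ex, "web", "GET /config.bak", "file_not_found") for ex in "ABC"]
TIMEOUT_CASE = _clean("A") + _clean("B") + _clean("C")[:2] + [KeyFeature("C", "db", "select_user", "timeout")]
NORMAL_CASE = _clean("A") + _clean("B") + _clean("C")
```

In HIGH_CASE both the app and db components of executor B show errors, so rule (6) attributes the threat to the db component, the last one reached by the request.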
It should be noted that, for the specific working principle of each component in the system embodiment, please refer to the corresponding part of the method embodiment, which is not described herein again.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (12)
1. A mimicry defense arbitration method, comprising:
acquiring a mimicry defense log generated by a target user requesting to access a mimicry defense system;
extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined after machine learning is carried out on a mimicry defense log sample and key feature information of the error information generated by each execution component is extracted;
and summarizing and fusing the key feature information under the corresponding target user request, and simultaneously marking a log source, wherein the log source comprises: the execution body of the mimicry defense log and the corresponding execution component in the execution body;
based on the key feature information, performing feature arbitration comparison on execution logs generated by heterogeneous components with the same function of different executives according to a preset arbitration comparison rule, and performing alarm information classification on the threat degree generated by the target user request;
and outputting the classification and grading result of the alarm information of the threat degree generated by the target user request.
2. The mimicry defense arbitration method of claim 1, wherein the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
3. The mimicry defense arbitration method according to claim 1, wherein the preset arbitration comparison rule comprises:
(1) if the key characteristic information represents that the operation information of the execution logs generated by the heterogeneous components with the same functions of different executors is inconsistent and influences the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording error information as that the execution components corresponding to the log sources have threats;
(2) if the key characteristic information represents any one or more of syntax, analysis error and operation inconsistency in the execution logs generated by the heterogeneous components with the same function of different executives and does not influence the logs generated by the executives, determining the threat degree generated by the target user request as a middle-level threat, and recording error information as that the execution component corresponding to the log source has the threat;
(3) if the key characteristic information only shows that the accessed file has no error, the key characteristic information indicates that the visitor sending the target user request is searching the file of the system or scanning the file, and has no influence on an executive body, the threat degree generated by the target user request is determined as a low-level threat, and the error information is recorded as the threat of the executive component corresponding to the log source;
(4) if the key characteristic information only has the overtime error of the target user request, determining the threat degree of the target user as no threat, and recording error information as the overtime error of the execution component corresponding to the log source;
(5) if the content of the key characteristic information is empty, determining the target user request as a normal request without threat and error record;
(6) comparing all the heterogeneous components on the operation information based on the key characteristic information, and if multiple execution components have error requests, finding the last accessed execution component according to the access logic of the HTTP request and recording the error information as the threat of the last accessed execution component.
4. The mimicry defense arbitration method according to claim 1, wherein after the outputting the classification and ranking result of the warning information of the threat level requested by the target user, the method further comprises:
and when the target user request can generate a threat, intercepting the target user request.
5. The mimicry defense arbitration method according to claim 1, wherein after the outputting the classification and ranking result of the warning information of the threat level requested by the target user, the method further comprises:
and if the target user requests to generate a high-level threat, sending a scheduling request to a scheduler, and performing offline and abnormal data elimination processing on the execution body generating the threat by the scheduler.
6. The mimicry defense arbitration method according to claim 1, wherein after the outputting the classification and ranking result of the warning information of the threat level requested by the target user, the method further comprises:
and if the target user request is normal, directly responding the normal request to the user client aiming at the target user request.
7. A mimicry defense arbitration system, comprising:
the acquisition unit is used for acquiring a mimicry defense log generated by a target user requesting to access the mimicry defense system;
the extraction unit is used for extracting key feature information of the error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is used for performing machine learning on a mimicry defense log sample and extracting and then determining the key feature information of the error information generated by each execution component;
and the fusion unit is used for gathering and fusing the key feature information under the corresponding target user request and marking a log source, wherein the log source comprises: the execution body of the mimicry defense log and the corresponding execution component in the execution body;
the judgment comparison unit is used for carrying out characteristic judgment comparison on execution logs generated by heterogeneous components with the same function of different executives according to a preset judgment comparison rule based on the key characteristic information and carrying out alarm information classification on the threat degree generated by the target user request;
and the output unit is used for outputting the classification and grading result of the warning information of the threat degree generated by the target user request.
8. The mimicry defense arbitration system of claim 7, wherein the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
9. The mimicry defense arbitration system according to claim 7, wherein the preset arbitration comparison rule comprises:
(1) if the key characteristic information represents that the operation information of the execution logs generated by the heterogeneous components with the same functions of different executors is inconsistent and influences the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording error information as that the execution components corresponding to the log sources have threats;
(2) if the key characteristic information represents any one or more of syntax, analysis error and operation inconsistency in the execution logs generated by the heterogeneous components with the same function of different executives and does not influence the logs generated by the executives, determining the threat degree generated by the target user request as a middle-level threat, and recording error information as that the execution component corresponding to the log source has the threat;
(3) if the key characteristic information only shows that the accessed file has no error, the key characteristic information indicates that the visitor sending the target user request is searching the file of the system or scanning the file, and has no influence on an executive body, the threat degree generated by the target user request is determined as a low-level threat, and the error information is recorded as the threat of the executive component corresponding to the log source;
(4) if the key characteristic information only has the overtime error of the target user request, determining the threat degree of the target user as no threat, and recording error information as the overtime error of the execution component corresponding to the log source;
(5) if the content of the key characteristic information is empty, determining the target user request as a normal request without threat and error record;
(6) comparing all the heterogeneous components on the operation information based on the key characteristic information, and if multiple execution components have error requests, finding the last accessed execution component according to the access logic of the HTTP request and recording the error information as the threat of the last accessed execution component.
10. The mimicry defense arbitration system of claim 7, further comprising:
and the intercepting unit is used for intercepting the target user request when the target user request can generate the threat after the output unit outputs the alarm information classification grading result of the threat degree generated by the target user request.
11. The mimicry defense arbitration system of claim 7, further comprising:
and the scheduling unit is used for sending a scheduling request to the scheduler if the target user request generates a high-level threat after the output unit outputs the classification and grading result of the alarm information of the threat degree generated by the target user request, and the scheduler carries out offline and abnormal data elimination processing on an execution body generating the threat.
12. The mimicry defense arbitration system of claim 7, further comprising:
and the request response unit is used for directly responding to the target user request to a user client if the target user request is normal after the output unit outputs the classification and grading result of the warning information of the threat degree generated by the target user request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110936555.7A CN113569238A (en) | 2021-08-16 | 2021-08-16 | Mimicry defense arbitration method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113569238A true CN113569238A (en) | 2021-10-29 |
Family
ID=78171688
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110936555.7A Withdrawn CN113569238A (en) | 2021-08-16 | 2021-08-16 | Mimicry defense arbitration method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113569238A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113992431A (en) * | 2021-12-24 | 2022-01-28 | 北京微步在线科技有限公司 | Linkage blocking method and device, electronic equipment and storage medium |
CN114363048A (en) * | 2021-12-31 | 2022-04-15 | 河南信大网御科技有限公司 | Mimicry unknown threat discovery system |
CN114490193A (en) * | 2022-04-14 | 2022-05-13 | 网络通信与安全紫金山实验室 | Recovery method and device for heterogeneous redundant system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20211029 |