CN113569238A - Mimicry defense arbitration method and system - Google Patents


Info

Publication number: CN113569238A
Authority: CN (China)
Prior art keywords: target user, threat, information, user request, mimicry defense
Legal status: Withdrawn (status as listed by Google Patents, not a legal conclusion)
Application number: CN202110936555.7A
Other languages: Chinese (zh)
Inventors: 韩首魁, 张高举, 蔡铭, 李昂, 潘传幸
Current assignee: Zhengzhou Angshi Information Technology Co ltd (as listed; not verified by legal analysis)
Original assignee: Zhengzhou Angshi Information Technology Co ltd
Events: application filed by Zhengzhou Angshi Information Technology Co ltd; priority to CN202110936555.7A; publication of CN113569238A; current legal status withdrawn

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning


Abstract

The invention discloses a mimicry defense arbitration method and a mimicry defense arbitration system. A mimicry defense log generated by a target user request accessing a mimicry defense system is acquired; key feature information of error information is extracted from the log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request while the log source is marked; based on the key feature information, feature arbitration comparison is carried out, according to a preset arbitration comparison rule, on the execution logs generated by heterogeneous components with the same function in different executors; and the threat degree generated by the target user request is classified and graded into alarm information, which is then output. The invention integrates machine learning into mimicry defense arbitration, so that when the key feature information is extracted it can fully account for the different expression modes of the output results of normal requests across heterogeneous executors, and for the time delays, request errors and the like caused by executor performance problems, which helps reduce false alarms and excessive alarms by the mimicry defense system.

Description

Mimicry defense arbitration method and system
Technical Field
The invention relates to the technical field of network security and data analysis, in particular to a mimicry defense arbitration method and a mimicry defense arbitration system.
Background
In recent years, network active defense technology has become a hot research direction for network security researchers. One such technology is dynamic heterogeneous redundancy, also called mimicry defense. Mimicry defense arbitrates the operation results of a user request on a plurality of executors to find out whether the user has initiated a malicious request aimed at a vulnerability of a certain type of executor. Once the system finds a malicious request, the abnormal executor is taken offline and cleaned according to the scheduling strategy and another normal executor is brought online, so that the actual operating structure of the whole mimicry defense system is dynamic. In practical application, the implementation methods or implementation structures of the executors differ, that is, the executors are heterogeneous; an executor may be a specific software or hardware component, such as a database or an X86 chip, or a combination of software and hardware components, such as the server software under a web service architecture, the software operating environment, the database software and the hardware carrier on which this software runs.
The existing arbitration method compares the running results of a user request on different executors for differences. However, this arbitration is too strict: because the output results of normal requests are expressed differently on heterogeneous executors, and because executor performance problems bring time delays, request errors and the like, the existing method easily causes false alarms and over-alarming by the mimicry defense system, and the scheduling and cleaning triggered by those false alarms and over-alarms in turn impose a certain performance loss on the system.
Disclosure of Invention
In view of this, the invention discloses a mimicry defense arbitration method and a mimicry defense arbitration system, so as to effectively reduce the situations of false alarm and excessive alarm of the mimicry defense system, and further reduce the performance loss of the mimicry defense system caused by scheduling cleaning due to the false alarm and the excessive alarm.
A mimicry defense adjudication method, comprising:
acquiring a mimicry defense log generated by a target user request accessing a mimicry defense system;
extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined after machine learning is carried out on mimicry defense log samples and the key feature information of the error information generated by each execution component is extracted;
summarizing and fusing the key feature information under the corresponding target user request while marking the log source, wherein the log source comprises the executor that generated the mimicry defense log and the corresponding execution component within that executor;
based on the key feature information, performing feature arbitration comparison, according to a preset arbitration comparison rule, on the execution logs generated by heterogeneous components with the same function in different executors, and classifying and grading the threat degree generated by the target user request into alarm information;
and outputting the classification and grading result of the alarm information for the threat degree generated by the target user request.
Optionally, the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
Optionally, the preset adjudication comparison rule includes:
(1) if the key feature information indicates that the operation information in the execution logs generated by heterogeneous components with the same function in different executors is inconsistent, and the inconsistency affects the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(2) if the key feature information indicates any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by heterogeneous components with the same function in different executors, and this does not affect the logs generated by the executors, determining the threat degree generated by the target user request as a medium-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(3) if the key feature information only shows an error that the accessed file does not exist, indicating that the visitor sending the target user request is probing or scanning the files of the system without affecting any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(4) if the key feature information only contains a timeout error for the target user request, determining the threat degree of the target user request as no threat, and recording the error information as a timeout error in the execution component corresponding to the log source;
(5) if the key feature information is empty, determining the target user request as a normal request with no threat and no error record;
(6) comparing the operation information of all heterogeneous components based on the key feature information, and if several execution components report errors for the request, finding the last execution component accessed according to the access logic of the HTTP request and recording the error information as a threat in that last-accessed execution component.
Optionally, after the step of outputting the classification and grading result of the alarm information for the threat degree generated by the target user request, the method further includes:
when the target user request would generate a threat, intercepting the target user request.
Optionally, after the step of outputting the classification and grading result of the alarm information for the threat degree generated by the target user request, the method further includes:
if the target user request generates a high-level threat, sending a scheduling request to a scheduler, which takes the executor that generated the threat offline and eliminates its abnormal data.
Optionally, after the step of outputting the classification and grading result of the alarm information for the threat degree generated by the target user request, the method further includes:
if the target user request is normal, responding directly to the user client for the target user request.
A mimicry defense arbitration system, comprising:
an acquisition unit for acquiring a mimicry defense log generated by a target user request accessing the mimicry defense system;
an extraction unit for extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined after machine learning is carried out on mimicry defense log samples and the key feature information of the error information generated by each execution component is extracted;
a fusion unit for gathering and fusing the key feature information under the corresponding target user request and marking the log source, wherein the log source comprises the executor that generated the mimicry defense log and the corresponding execution component within that executor;
an adjudication comparison unit for carrying out, based on the key feature information and according to a preset adjudication comparison rule, feature adjudication comparison on the execution logs generated by heterogeneous components with the same function in different executors, and for classifying and grading the threat degree generated by the target user request into alarm information;
and an output unit for outputting the classification and grading result of the alarm information for the threat degree generated by the target user request.
Optionally, the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
Optionally, the preset adjudication comparison rule includes:
(1) if the key feature information indicates that the operation information in the execution logs generated by heterogeneous components with the same function in different executors is inconsistent, and the inconsistency affects the logs generated by the executors, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(2) if the key feature information indicates any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by heterogeneous components with the same function in different executors, and this does not affect the logs generated by the executors, determining the threat degree generated by the target user request as a medium-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(3) if the key feature information only shows an error that the accessed file does not exist, indicating that the visitor sending the target user request is probing or scanning the files of the system without affecting any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat in the execution component corresponding to the log source;
(4) if the key feature information only contains a timeout error for the target user request, determining the threat degree of the target user request as no threat, and recording the error information as a timeout error in the execution component corresponding to the log source;
(5) if the key feature information is empty, determining the target user request as a normal request with no threat and no error record;
(6) comparing the operation information of all heterogeneous components based on the key feature information, and if several execution components report errors for the request, finding the last execution component accessed according to the access logic of the HTTP request and recording the error information as a threat in that last-accessed execution component.
Optionally, the system further includes:
an intercepting unit for intercepting the target user request when it would generate a threat, after the output unit has output the classification and grading result of the alarm information for the threat degree generated by the target user request.
Optionally, the system further includes:
a scheduling unit for sending a scheduling request to the scheduler if the target user request generates a high-level threat, after the output unit has output the classification and grading result of the alarm information for the threat degree generated by the target user request; the scheduler then takes the executor that generated the threat offline and eliminates its abnormal data.
Optionally, the system further includes:
a request response unit for responding directly to the user client for the target user request if the target user request is normal, after the output unit has output the classification and grading result of the alarm information for the threat degree generated by the target user request.
According to the technical solution above, the invention discloses a mimicry defense adjudication method and system: a mimicry defense log generated by a target user request accessing a mimicry defense system is acquired; key feature information of error information is extracted from the log according to a preset feature extraction rule; the key feature information is gathered and fused under the corresponding target user request while the log source is marked; based on the key feature information, feature adjudication comparison is carried out, according to a preset adjudication comparison rule, on the execution logs generated by heterogeneous components with the same function in different executors; and the threat degree generated by the target user request is classified and graded into alarm information and the result is output. By integrating machine learning into mimicry defense adjudication, the invention can not only trace the attack behaviour behind a user request to its source, but can also, when extracting the key feature information of the error information generated by each execution component, fully account for the different expression modes of normal request outputs across heterogeneous executors and for the time delays, request errors and the like caused by executor performance problems. This helps reduce false alarms and excessive alarms by the mimicry defense system, which in turn reduces the performance loss that scheduling and cleaning triggered by such alarms impose on the system, and promotes the application of mimicry defense technology in real systems.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the disclosed drawings without creative efforts.
FIG. 1 is a flowchart of a mimicry defense arbitration method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart illustrating generation and collection of a mimicry defense log according to an embodiment of the present invention;
FIG. 3 is a flow chart of intelligent arbitration and voting according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a mimicry defense arbitration system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to FIG. 1, the flowchart of a mimicry defense arbitration method disclosed in an embodiment of the present invention includes:
Step S101: acquiring a mimicry defense log generated by a target user request accessing a mimicry defense system;
wherein the mimicry defense log comprises the execution logs generated by the execution components at each level of the mimicry system and the arbitration log of the arbiter in the mimicry defense system.
In practical application, functional virtual modules such as a mimicry defense log pushing module and a log collection module may be arranged in the controller; the log pushing module pushes the collected mimicry defense logs to the log collection module in a unified JSON format or another data format.
The target user request may be an HTTP (Hypertext Transfer Protocol) request or an HTTPS (Hypertext Transfer Protocol over a secure transport layer) request.
In practical application, all mimicry defense logs generated by every user request accessing the mimicry defense system within a preset time period can be obtained, and all the logs corresponding to the same user request are aggregated and treated as the mimicry defense log generated by that target user request accessing the system.
To facilitate understanding of how the mimicry defense log is generated and collected, FIG. 2 shows a schematic flow of log generation and collection according to an embodiment of the invention. In FIG. 2, A to X represent different execution components; in a web request, for example, they may represent the software execution stack from the server software down to the web backend database. n represents the number of different executors; for example, the executor set in FIG. 2 comprises n executors, of which the 1st executor comprises the different execution components A1 to X1, the 2nd executor comprises A2 to X2, the 3rd executor comprises A3 to X3, and the nth executor comprises An to Xn. The solid line in FIG. 2 represents the user request processing flow and the dotted line represents the mimicry defense log collection flow. The user request processing flow is: the input entered by the user is distributed to the different executors in the executor set for execution, and the execution results of the different executors are sent to the arbiter, which may be a hardware device or a software device. The mimicry defense log collection flow is: the execution logs generated by the different execution components at each level and the arbitration logs of the arbiter are pushed to the log collection module.
Step S102: extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule;
the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component.
Extracting the key feature information relies on early-stage empirical testing by security operation and maintenance personnel and on summary learning after the defense system goes online. Early-stage empirical testing means that security personnel first summarize the feature extraction rules in advance, then test them using the security and stability tests that are a necessary part of the software development process, summarize the error information generated by each execution component with a machine learning method, and determine the key feature information of that error information. Summary learning after the system goes online means that, after the system has been delivered to the user, feature extraction and learning continue in the same way as in the testing phase.
Key feature information extraction addresses the fact that the same component in different executors is heterogeneous: even where components implement equivalent functions, their implementations differ, so the same error information and the same operation information generated by heterogeneous components take different forms. Feature extraction is therefore performed on the error information and operation information generated by the heterogeneous components in order to identify which of them are the same error or the same operation, which prevents the subsequent arbitration from raising false alarms.
Step S103: summarizing and fusing the key feature information under the corresponding target user request, and marking the log source;
for one HTTP or HTTPS request of a user, the execution logs generated by each execution component in the mimicry defense system of FIG. 2 are collected, key feature information of the error information is extracted from them, the extracted key feature information is gathered and fused under the current request, and the log source is marked, where the log source comprises the executor that generated the mimicry defense log and the corresponding execution component within that executor.
Step S104: based on the key feature information, performing feature adjudication comparison, according to a preset adjudication comparison rule, on the execution logs generated by heterogeneous components with the same function in different executors, and classifying and grading the threat degree generated by the target user request into alarm information;
the preset adjudication comparison rule, that is, the conditions for classifying and grading the alarm information for the threat degree generated by the target user request, is as follows:
(1) If the key feature information of the error information indicates that the operation information in the execution logs generated by heterogeneous components with the same function in different executors is inconsistent, and the inconsistency affects the logs generated by the executors, the threat degree generated by the target user request is determined as a high-level threat, and the error information is recorded as a threat in the execution component corresponding to the log source of that key feature information.
(2) If the key feature information of the error information indicates any one or more of a syntax error, a parsing error or an operation inconsistency in the execution logs generated by heterogeneous components with the same function in different executors, and this does not affect the logs generated by the executors, the threat degree generated by the target user request is determined as a medium-level threat, and the error information is recorded as a threat in the execution component corresponding to the log source of that key feature information.
(3) If neither condition (1) nor condition (2) above holds and the key feature information only shows an error that the accessed file does not exist, this indicates that the visitor sending the target user request is probing or scanning the files of the system without affecting any executor; the threat degree of the corresponding target user request is determined as a low-level threat, and the error information is recorded as a threat in the execution component corresponding to the log source of that key feature information.
(4) If none of conditions (1), (2) and (3) above holds and only a timeout error of the target user request is found, the threat degree of the corresponding target user request is determined as no threat, and the error information is recorded as a timeout error in the execution component corresponding to the log source of that key feature information.
(5) If the key feature information of the error information is empty, that is, there is neither error information nor an operation inconsistency, the corresponding target user request is determined as a normal request with no threat and no error record.
(6) All heterogeneous components are compared on their operation information based on the key feature information of the error information; if several execution components report errors, the last execution component accessed is found according to the access logic of the HTTP request, and the error information is recorded as a threat in that last-accessed execution component.
Step S105: outputting the classification and grading result of the alarm information for the threat degree generated by the target user request.
In practical application, user requests can be classified as normal or abnormal according to whether they generate a threat; abnormal requests comprise abnormalities of the system itself and abnormalities caused by user attacks, and the latter are further distinguished by the attack type used by the user.
The invention self-learns from the resource accessed by the user, the position at which the abnormality occurred and the classification of the alarm information, and intelligently grades the alarm level of abnormal requests.
Referring to FIG. 3, the intelligent arbitration and voting flowchart disclosed in an embodiment of the present invention: when each executor returns its response to the arbiter, the arbiter adjudicates the user response according to its arbitration algorithm and the intelligence information, comparing the relevant content as described above. The intelligence query module in FIG. 3 intelligently arbitrates the user request according to the arbitration request sent by the arbiter and returns the arbitration result to the arbiter. The arbiter then intercepts or releases the user request according to the arbitration algorithm together with the alarm information classification and grading.
In summary, the invention discloses a mimicry defense arbitration method, which includes the steps of obtaining a mimicry defense log generated by a target user requesting to access a mimicry defense system, extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, gathering and fusing the key feature information under a corresponding target user request, marking a log source, performing feature arbitration comparison on execution logs generated by heterogeneous components with the same function of different executors according to a preset arbitration comparison rule based on the key feature information, performing alarm information classification and classification on threat degrees generated by the target user request, and outputting an alarm information classification and classification result. The invention integrates the machine learning technology into the mimicry defense decision, can trace the source of the attack behavior requested by the user, and can fully consider the condition that the expression modes of the output results of normal requests among heterogeneous executors are different and the conditions of time delay, request error and the like caused by the performance problems of the executors when extracting the key characteristic information of error information generated by each execution component, thereby being beneficial to reducing false alarm and excessive warning of the mimicry defense system, further reducing the performance loss caused by scheduling and cleaning caused by the false alarm and the excessive alarm to the mimicry defense system and promoting the application of the mimicry defense technology in the real system.
To further optimize the above embodiment, after step S105, the method may further include:
If the target user request can generate a threat, intercepting the target user request.
To further optimize the above embodiment, after step S105, the method may further include:
If the target user request generates a high-level threat, sending a scheduling request to a scheduler, which takes the executor generating the threat offline and performs abnormal data elimination processing on it.
To further optimize the above embodiment, after step S105, the method may further include:
If the target user request is normal, directly responding to the user client with the normal response for the target user request.
Corresponding to the embodiment of the method, the invention also discloses a mimicry defense arbitration system.
Referring to fig. 4, the schematic structural diagram of the mimicry defense arbitration system disclosed in the embodiment of the present invention comprises:
an obtaining unit 201, configured to obtain a mimicry defense log generated by a target user request accessing a mimicry defense system;
wherein the mimicry defense log comprises: the execution log generated by the execution component of each mimicry level and the arbitration log of the arbitrator in the mimicry defense system.
In practical application, some functional virtual modules, such as a mimicry defense log pushing module and a log collecting module, may be arranged in the controller; the mimicry defense log pushing module is configured to push the collected mimicry defense logs to the log collecting module in a unified JSON format or another data format.
An extracting unit 202, configured to extract key feature information of the error information from the mimicry defense log according to a preset feature extraction rule;
wherein the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component.
Key feature information extraction is needed because the same components of different executors are heterogeneous: even where they implement equivalent functions, their implementations differ, so the same error information and the same operation information generated by the heterogeneous components take different forms of expression. Feature extraction must therefore be performed on the error information and operation information generated by the heterogeneous components so that identical error information and identical operation information can be matched, which prevents false alarms in the subsequent arbitration.
A fusion unit 203, configured to gather and fuse the key feature information under the corresponding target user request while marking a log source, wherein the log source comprises: the executor of the mimicry defense log and the corresponding execution component in that executor;
an arbitration comparison unit 204, configured to perform feature arbitration comparison on execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule based on the key feature information, and to classify and grade the alarm information for the threat degree generated by the target user request;
wherein the preset arbitration comparison rule, namely the alarm information classification and grading conditions for the threat degree generated by the target user request, is as follows:
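As an added illustration of the extraction unit 202 and the fusion unit 203 described above (example code written for this page, not the patent's own implementation, whose learned extraction rules are not disclosed), the following Python maps differently worded error messages from heterogeneous web components to one canonical error key, normalizes the operation info so it can be compared across executors, and gathers the results under each request id with the log source marked. The JSON field names, the regex rules and the sample log records are constructed assumptions.

```python
import re
from collections import defaultdict

# Preset feature extraction rules (constructed for this example, not the patent's
# learned rules): each pattern maps the differing wording of heterogeneous
# implementations to one canonical error key.
EXTRACTION_RULES = [
    (re.compile(r"no such file or directory|file does not exist|FileNotFoundException", re.I),
     "file_not_found"),
    (re.compile(r"parse error|cannot parse|unexpected token", re.I), "parse_error"),
    (re.compile(r"syntax error|SyntaxError", re.I), "syntax_error"),
    (re.compile(r"timed out|timeout", re.I), "timeout"),
]

# Operation info: "GET /a/b?x=1 HTTP/1.1" and "get /a/b?x=1" must compare equal.
OPERATION_RE = re.compile(r"(?P<method>[A-Za-z]+)\s+(?P<path>/[^\s?]*)")


def extract_error_key(message):
    """Return the canonical error key for a raw log message, or None if no rule matches."""
    for pattern, key in EXTRACTION_RULES:
        if pattern.search(message):
            return key
    return None


def normalize_operation(operation):
    """Canonical form of the operation info: upper-case method plus path without query
    string or protocol version, so heterogeneous components can be compared."""
    m = OPERATION_RE.search(operation)
    if not m:
        return operation.strip().lower()
    return f"{m.group('method').upper()} {m.group('path')}"


def fuse(entries):
    """Aggregate extracted key features under their request id and mark the log source
    (executor and component). Entries stand for the unified-JSON records pushed by the
    mimicry defense log pushing module; the field names are assumed for this example."""
    fused = defaultdict(list)
    for e in entries:
        fused[e["request_id"]].append({
            "source": (e["executor"], e["component"]),   # log source marking
            "impl": e.get("impl"),
            "operation": normalize_operation(e["operation"]),
            "error": extract_error_key(e["message"]),
        })
    return dict(fused)


# Constructed sample: request r-1 served by three heterogeneous web components that
# report the same missing file in three different wordings; r-2 has no error.
SAMPLE_LOGS = [
    {"request_id": "r-1", "executor": "exec-1", "component": "web", "impl": "nginx",
     "operation": "GET /docs/manual.pdf?x=1 HTTP/1.1",
     "message": 'open() "/srv/www/docs/manual.pdf" failed (2: No such file or directory)'},
    {"request_id": "r-1", "executor": "exec-2", "component": "web", "impl": "apache",
     "operation": "get /docs/manual.pdf?x=1",
     "message": "File does not exist: /var/www/html/docs/manual.pdf"},
    {"request_id": "r-1", "executor": "exec-3", "component": "web", "impl": "tomcat",
     "operation": "GET /docs/manual.pdf",
     "message": "java.io.FileNotFoundException: /opt/app/webapps/docs/manual.pdf"},
    {"request_id": "r-2", "executor": "exec-1", "component": "web", "impl": "nginx",
     "operation": "GET /index.html HTTP/1.1", "message": "200 OK"},
]

if __name__ == "__main__":
    for req, feats in fuse(SAMPLE_LOGS).items():
        print(req, feats)
```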
(1) If the key characteristic information of the error information indicates that the operation information in the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that the logs generated by the executors are affected, the threat degree generated by the target user request is determined to be a high-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key characteristic information.
(2) If the key characteristic information of the error information indicates any one or more of a syntax error, a parsing error and an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, without affecting the logs generated by the executors, the threat degree generated by the target user request is determined to be a middle-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key characteristic information.
(3) If the key characteristic information of the error information matches neither condition (1) nor condition (2), and the only error concerns the file being accessed, this indicates that the visitor who sent the target user request is probing or scanning the files of the system without affecting any executor; the threat degree of the corresponding target user request is determined to be a low-level threat, and the error information is recorded as a threat of the execution component corresponding to the log source of the key characteristic information.
(4) If the key feature information of the error information matches none of conditions (1), (2) and (3), and only a timeout error of the target user request is found, the threat degree of the corresponding target user request is determined to be no threat, and the error information is recorded as a timeout error of the execution component corresponding to the log source of the key feature information.
(5) If the content of the key characteristic information of the error information is empty, that is, there is neither error information nor operation inconsistency, the corresponding target user request is determined to be a normal request, with no threat and no error record.
(6) All heterogeneous components are compared on their operation information based on the key characteristic information of the error information; if several execution components have errors, the execution component accessed last according to the access logic of the HTTP request is identified, and the error information is recorded as a threat of that last-accessed execution component.
An output unit 205, configured to output the alarm information classification and grading result of the threat degree generated by the target user request.
In practical application, user requests can be divided into normal requests and abnormal requests according to whether the request generates a threat; abnormal requests comprise abnormalities of the system itself and abnormalities caused by user attacks, and the latter further comprise the attack type used by the user.
The invention performs self-learning based on the resource accessed by the user, the location at which the abnormality occurred and the classification of the alarm information, and intelligently grades the alarm level of abnormal requests.
In summary, the invention discloses a mimicry defense arbitration system that obtains the mimicry defense log generated by a target user request accessing the mimicry defense system, extracts key feature information of error information from the mimicry defense log according to a preset feature extraction rule, gathers and fuses the key feature information under the corresponding target user request while marking the log source, performs feature arbitration comparison on the execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule based on the key feature information, classifies and grades the alarm information for the threat degree generated by the target user request, and outputs the alarm information classification and grading result. The invention integrates machine learning into the mimicry defense decision and can trace the source of the attack behaviour in a user request. When extracting the key feature information of the error information generated by each execution component, it fully accounts for the different ways in which heterogeneous executors express the output of a normal request, and for the delays, request errors and similar conditions caused by executor performance problems. This helps reduce false alarms and excessive alarms of the mimicry defense system, which in turn reduces the performance loss that scheduling and cleaning triggered by such alarms impose on the system, and promotes the application of mimicry defense technology in real systems.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
an intercepting unit, configured to intercept the target user request when it can generate a threat, after the output unit 205 has output the alarm information classification and grading result of the threat degree generated by the target user request.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
a scheduling unit, configured to send a scheduling request to a scheduler if the target user request generates a high-level threat, after the output unit 205 has output the alarm information classification and grading result of the threat degree generated by the target user request; the scheduler then takes the executor generating the threat offline and performs abnormal data elimination processing on it.
To further optimize the above embodiment, the mimicry defense arbitration system may further include:
a request response unit, configured to respond directly to the user client with the normal response for the target user request if the target user request is normal, after the output unit 205 has output the alarm information classification and grading result of the threat degree generated by the target user request.
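The following Python, added here as an illustration and not the patent's own code, applies arbitration comparison rules (1) to (6) from the method embodiment (together with the actions after step S105) and from the system embodiment above to one request's fused key-feature records, and then derives the intercept, scheduling and response actions of the intercepting, scheduling and request response units. The record fields, the web -> app -> db access order, the canonical error keys and the majority-vote choice of which executor is the outlier are assumptions not stated in the patent.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Assumed access order of component functions within one HTTP request: web -> app -> db.
ACCESS_ORDER = {"web": 0, "app": 1, "db": 2}
# Assumed canonical error keys delivered by the feature-extraction stage.
KNOWN_ERRORS = {"syntax_error", "parse_error", "file_not_found", "timeout"}


@dataclass
class KeyFeature:
    """One fused key-feature record of a request, with its log source marked."""
    executor: str                    # log source: the executor, e.g. "exec-1"
    component: str                   # log source: the component's function, e.g. "app"
    operation: str                   # canonical operation info, compared across executors
    error: Optional[str] = None      # canonical error key, None when the component had no error
    executor_affected: bool = False  # the executor's own logs show the error had an effect


@dataclass
class Verdict:
    level: str                                   # high | medium | low | none | normal
    records: list = field(default_factory=list)  # (executor, component, "threat"|"timeout")
    actions: list = field(default_factory=list)  # follow-up actions once the result is output


def inconsistent_operations(feats):
    """Rules (1)/(2): find same-function components of different executors whose
    operation info disagrees. Assumption not stated in the patent: the majority value
    is the reference, so the disagreeing executors' components are the suspects."""
    by_func = {}
    for f in feats:
        by_func.setdefault(f.component, []).append(f)
    suspects = []
    for group in by_func.values():
        majority = Counter(f.operation for f in group).most_common(1)[0][0]
        suspects += [f for f in group if f.operation != majority]
    return suspects


def attribute(suspects):
    """Rule (6): when several components of one executor are implicated, charge the
    error to the one accessed last in the HTTP request's access logic."""
    per_exec = {}
    for f in suspects:
        cur = per_exec.get(f.executor)
        if cur is None or ACCESS_ORDER[f.component] > ACCESS_ORDER[cur.component]:
            per_exec[f.executor] = f
    return sorted(per_exec.values(), key=lambda f: f.executor)


def arbitrate(feats):
    """Apply arbitration comparison rules (1)-(6) to one request's fused key-feature
    records and attach the follow-up action (intercept, schedule, respond)."""
    errors = {f.error for f in feats if f.error}
    unknown = errors - KNOWN_ERRORS
    if unknown:
        raise ValueError(f"no arbitration rule for error keys {sorted(unknown)}")
    outliers = inconsistent_operations(feats)
    affected = any(f.executor_affected for f in feats)

    if outliers and affected:                                   # rule (1)
        level = "high"
    elif outliers or errors & {"syntax_error", "parse_error"}:  # rule (2)
        level = "medium"
    elif "file_not_found" in errors:                            # rule (3): probing or scanning
        level = "low"
    elif errors == {"timeout"}:                                 # rule (4): no threat
        level = "none"
    else:                                                       # rule (5): empty key features
        return Verdict("normal", actions=["respond"])

    erroring = [f for f in feats if f.error]
    charged = attribute(erroring + [f for f in outliers if f not in erroring])
    verdict = Verdict(level, [(f.executor, f.component,
                               "timeout" if f.error == "timeout" else "threat")
                              for f in charged])
    if level == "none":
        verdict.actions.append("respond")   # assumption: a timeout-only request is still served
        return verdict
    verdict.actions.append("intercept")
    if level == "high":
        # The scheduler takes the implicated executors offline and cleans their abnormal data.
        verdict.actions += [f"schedule:{e}" for e in sorted({f.executor for f in charged})]
    return verdict
```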
It should be noted that, for the specific working principle of each component in the system embodiment, please refer to the corresponding part of the method embodiment, which is not described herein again.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A mimicry defense arbitration method, comprising:
acquiring a mimicry defense log generated by a target user request accessing a mimicry defense system;
extracting key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component;
gathering and fusing the key feature information under the corresponding target user request while marking a log source, wherein the log source comprises: the executor of the mimicry defense log and the corresponding execution component in that executor;
based on the key feature information, performing feature arbitration comparison on execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule, and classifying and grading alarm information for the threat degree generated by the target user request; and
outputting the alarm information classification and grading result of the threat degree generated by the target user request.
2. The mimicry defense arbitration method of claim 1, wherein the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
3. The mimicry defense arbitration method according to claim 1, wherein the preset arbitration comparison rule comprises:
(1) if the key characteristic information indicates that the operation information of the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that the logs generated by the executors are affected, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(2) if the key characteristic information indicates any one or more of a syntax error, a parsing error and an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, without affecting the logs generated by the executors, determining the threat degree generated by the target user request as a middle-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(3) if the key characteristic information only shows an error concerning the accessed file, indicating that the visitor sending the target user request is probing or scanning the files of the system without affecting any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(4) if the key characteristic information only shows a timeout error of the target user request, determining the threat degree generated by the target user request as no threat, and recording the error information as a timeout error of the execution component corresponding to the log source;
(5) if the content of the key characteristic information is empty, determining the target user request as a normal request with no threat and no error record; and
(6) comparing the operation information of all heterogeneous components based on the key characteristic information, and if several execution components have erroneous requests, finding the execution component accessed last according to the access logic of the HTTP request and recording the error information as a threat of that last-accessed execution component.
4. The mimicry defense arbitration method according to claim 1, wherein after outputting the alarm information classification and grading result of the threat degree generated by the target user request, the method further comprises:
intercepting the target user request when the target user request can generate a threat.
5. The mimicry defense arbitration method according to claim 1, wherein after outputting the alarm information classification and grading result of the threat degree generated by the target user request, the method further comprises:
if the target user request generates a high-level threat, sending a scheduling request to a scheduler, the scheduler taking the executor generating the threat offline and performing abnormal data elimination processing on it.
6. The mimicry defense arbitration method according to claim 1, wherein after outputting the alarm information classification and grading result of the threat degree generated by the target user request, the method further comprises:
if the target user request is normal, directly responding to the user client with the normal response for the target user request.
7. A mimicry defense arbitration system, comprising:
an acquisition unit, configured to acquire a mimicry defense log generated by a target user request accessing the mimicry defense system;
an extraction unit, configured to extract key feature information of error information from the mimicry defense log according to a preset feature extraction rule, wherein the preset feature extraction rule is determined by performing machine learning on mimicry defense log samples and extracting the key feature information of the error information generated by each execution component;
a fusion unit, configured to gather and fuse the key feature information under the corresponding target user request while marking a log source, wherein the log source comprises: the executor of the mimicry defense log and the corresponding execution component in that executor;
an arbitration comparison unit, configured to perform feature arbitration comparison on execution logs generated by same-function heterogeneous components of different executors according to a preset arbitration comparison rule based on the key feature information, and to classify and grade alarm information for the threat degree generated by the target user request; and
an output unit, configured to output the alarm information classification and grading result of the threat degree generated by the target user request.
8. The mimicry defense arbitration system of claim 7, wherein the mimicry defense log comprises: the execution log generated by the execution component of each level of mimicry and the arbitration log of the arbitrator in the mimicry defense system.
9. The mimicry defense arbitration system according to claim 7, wherein the preset arbitration comparison rule comprises:
(1) if the key characteristic information indicates that the operation information of the execution logs generated by same-function heterogeneous components of different executors is inconsistent and that the logs generated by the executors are affected, determining the threat degree generated by the target user request as a high-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(2) if the key characteristic information indicates any one or more of a syntax error, a parsing error and an operation inconsistency in the execution logs generated by same-function heterogeneous components of different executors, without affecting the logs generated by the executors, determining the threat degree generated by the target user request as a middle-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(3) if the key characteristic information only shows an error concerning the accessed file, indicating that the visitor sending the target user request is probing or scanning the files of the system without affecting any executor, determining the threat degree generated by the target user request as a low-level threat, and recording the error information as a threat of the execution component corresponding to the log source;
(4) if the key characteristic information only shows a timeout error of the target user request, determining the threat degree generated by the target user request as no threat, and recording the error information as a timeout error of the execution component corresponding to the log source;
(5) if the content of the key characteristic information is empty, determining the target user request as a normal request with no threat and no error record; and
(6) comparing the operation information of all heterogeneous components based on the key characteristic information, and if several execution components have erroneous requests, finding the execution component accessed last according to the access logic of the HTTP request and recording the error information as a threat of that last-accessed execution component.
10. The mimicry defense arbitration system of claim 7, further comprising:
an intercepting unit, configured to intercept the target user request when the target user request can generate a threat, after the output unit has output the alarm information classification and grading result of the threat degree generated by the target user request.
11. The mimicry defense arbitration system of claim 7, further comprising:
a scheduling unit, configured to send a scheduling request to a scheduler if the target user request generates a high-level threat, after the output unit has output the alarm information classification and grading result of the threat degree generated by the target user request, the scheduler taking the executor generating the threat offline and performing abnormal data elimination processing on it.
12. The mimicry defense arbitration system of claim 7, further comprising:
a request response unit, configured to respond directly to the user client with the normal response for the target user request if the target user request is normal, after the output unit has output the alarm information classification and grading result of the threat degree generated by the target user request.
CN202110936555.7A 2021-08-16 2021-08-16 Mimicry defense arbitration method and system Withdrawn CN113569238A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110936555.7A CN113569238A (en) 2021-08-16 2021-08-16 Mimicry defense arbitration method and system

Publications (1)

Publication Number Publication Date
CN113569238A true CN113569238A (en) 2021-10-29

Family

ID=78171688

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113992431A (en) * 2021-12-24 2022-01-28 北京微步在线科技有限公司 Linkage blocking method and device, electronic equipment and storage medium
CN113992431B (en) * 2021-12-24 2022-03-25 北京微步在线科技有限公司 Linkage blocking method and device, electronic equipment and storage medium
CN114363048A (en) * 2021-12-31 2022-04-15 河南信大网御科技有限公司 Mimicry unknown threat discovery system
CN114490193A (en) * 2022-04-14 2022-05-13 网络通信与安全紫金山实验室 Recovery method and device for heterogeneous redundant system
CN114490193B (en) * 2022-04-14 2022-09-02 网络通信与安全紫金山实验室 Recovery method and device for heterogeneous redundant system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211029