CN113922992A - Attack detection method based on HTTP session - Google Patents

Info

Publication number: CN113922992A
Authority: CN (China)
Prior art keywords: data, http, request, client, engine
Legal status: Pending
Application number: CN202111103051.3A
Other languages: Chinese (zh)
Inventors: 张泽锋, 范渊, 吴永越, 郑学新, 刘韬
Current assignee: Chengdu DBAPPSecurity Co Ltd
Original assignee: Chengdu DBAPPSecurity Co Ltd


Classifications

All classifications fall under H (Electricity) / H04 (Electric communication technique) / H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Abstract

The invention relates to the technical field of computer detection and discloses an attack detection method based on HTTP session, comprising the following steps: S1, importing real-time data through a DAQ module; S2, extracting the request information of the HTTP client data with the SNORT engine to obtain the request header information in the client request; S3, extracting the HTTP server data with the SNORT engine, restoring the extracted HTTP server response data and identifying it; S4, judging, through the HTTP anomaly detection plug-in in the SNORT engine, whether the data type requested by the client is consistent with the response data type of the HTTP server; if so, returning to step S1, otherwise performing virus scanning on the restored server response data to detect whether an attack exists; if an attack exists, entering step S5, otherwise returning to step S1; and S5, performing attack detection on the restored server response data again through the CLAMAV engine and outputting the result of the attack detection.

Description

Attack detection method based on HTTP session
Technical Field
The invention relates to the technical field of computer detection, and in particular to an attack detection method based on HTTP session, which addresses the inaccuracy, inefficiency and incompleteness of current HTTP response attack detection. The method also has certain reference value for security researchers and developers, and for designers of security systems such as security engines or WEB firewalls.
Background
With the development of Internet technology, using the HTTP protocol as the data-bearing communication protocol has become the norm; it is the most widely used network protocol on the Internet, and all browsers currently on the market support HTTP protocol parsing. Because HTTP is a stateless, connectionless, request-and-response, plaintext communication mode, it also has many security weaknesses; more and more HTTP servers and user hosts are exposed on the network, and all kinds of attacks against HTTP services or clients are on the rise. To cope with these network attacks, many professional WEB firewalls and similar products have appeared. Many attacks based on the communication protocol format are effectively blocked, but many malicious attacks are hidden in the payload data of HTTP communication, so real-time protection of HTTP clients or servers against attack is difficult. With the development of IPv6 and the Internet of Things, the targets available for HTTP attacks are increasing and attack methods are becoming more and more well defined, so the HTTP attack resistance of a WEB firewall or a system firewall is becoming both more difficult and more important.
At present there are many HTTP attack detection methods on the market. For example, an HTTP request is intercepted, a request is simulated and sent to the server again, and whether an attack exists is judged by comparing the two responses; to improve identification accuracy, some methods even build an HTML DOM tree from the response data and compare the DOM trees of the two responses. Although these methods can identify some attacks, they only address response data that is HTML content; for other, non-HTML response data they have certain shortcomings, and they are not accurate enough, not comprehensive in detection, and inefficient.
Therefore, a technical scheme is urgently needed to address the above problems and solve the inaccuracy, inefficiency and incompleteness of current HTTP response attack detection. Such a method also has certain reference value for security researchers and developers, and for designers of security systems such as security engines or WEB firewalls.
Disclosure of Invention
The invention aims to provide an attack detection method based on HTTP session that solves the inaccuracy, inefficiency and incompleteness of current HTTP response attack detection. The method also has certain reference value for security researchers and developers, and for designers of security systems such as security engines or WEB firewalls.
The invention is realized by the following technical scheme: an attack detection method based on HTTP session comprises the following steps:
Step S1, importing real-time data through a DAQ module and performing stream session processing on it with the SNORT engine; when the SNORT engine identifies the stream-processed real-time data as an HTTP session, judging in the HTTP session preprocessing plug-in whether the data is HTTP client data or HTTP server data; if it is HTTP client data, entering step S2, and if it is HTTP server data, entering step S3;
S2, extracting the request information of the HTTP client data with the SNORT engine to obtain the request header information in the client request;
S3, extracting the HTTP server data with the SNORT engine, restoring the extracted HTTP server response data, and identifying the data type of the restored HTTP server response data;
S4, judging, through the HTTP anomaly detection plug-in in the SNORT engine, whether the data type requested by the client is consistent with the response data type of the HTTP server; if so, returning to step S1; if not, performing virus scanning on the restored server response data to detect whether an attack exists; if an attack exists, entering step S5, and if not, returning to step S1;
and S5, performing attack detection on the restored server response data again through the CLAMAV engine, and outputting the result of the attack detection through the SNORT engine.
In the present technical solution, in step S1 the SNORT engine performs stream session processing on the real-time data, turning it into a data stream, and the SNORT engine can automatically determine that the data stream is an HTTP session. The data before and after this processing is unchanged; we do not alter the original content, so the data remains the original real-time data. In step S2 the SNORT engine extracts the request header information from the request information: it creates an HTTP client data structure whose fields correspond to the HTTP header format, and, according to the format of the request header, copies the data from the original real-time data into that structure. That is, the part of the data in HTTP header format is copied, and request header information is acquired, such as the request method type {GET, POST, HEAD} from the client request information, the domain name information (HOST field), the ACCEPT field, the Content-Type field and the ACCEPT-Encoding field.
In this technical scheme, the request information in the HTTP client direction needs to be extracted and the request type recorded; the data in the server direction needs to be extracted and the response data restored; the type of the response data is identified; it is judged whether the request type of the client is consistent with the response type of the server; and, if they are inconsistent, virus scanning is performed on the data to detect whether an attack exists.
In order to better implement the present invention, the method of determining in step S1 whether the data is HTTP client data or HTTP server data further includes:
S1.1, identifying the type of the data start from the payload data according to the HTTP protocol standard, and judging the data to be HTTP client data when the data start conforms to client data;
S1.2, when the data is identified as HTTP client data, identifying the HTTP client data and extracting information from it to obtain the HTTP client data information;
and S1.3, judging, according to the extracted client data information, whether subsequently introduced data is HTTP client data or HTTP server data.
In this technical scheme, when the data is identified as HTTP client data, the HTTP client data is identified and information is extracted from it, giving detailed information about the HTTP client data, including the five-tuple of the session, the request method, the request type and so on.
In order to better implement the present invention, step S2 further includes:
acquiring the corresponding request data according to the HTTP request type, judging whether the corresponding key information can be extracted from the header of the acquired request data, and if so, acquiring the request header information from the client request information, otherwise returning to step S1.
In this technical scheme, the corresponding request data is acquired according to the HTTP request type: for example, if the request method is GET, the key information of the ACCEPT field is acquired; if the request method is POST, the key information of the Content-Type field is acquired; and so on. If the corresponding key information is not extracted, for example the request type of the HTTP client is not extracted, or the client request is for key information such as uploading or downloading data, the corresponding request data is not acquired and the process returns to step S1.
In order to better implement the present invention, step S3 further includes:
comparing the data type of the HTTP request acquired in step S1 with the response data type identified in step S3.
In the present technical solution, the corresponding request data is acquired according to the HTTP request type: if the request method is GET, the key information of the ACCEPT field is acquired; if the request method is POST, the key information of the Content-Type field is acquired; and so on. It is determined whether the acquired request data begins with GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS or CONNECT; if no corresponding key information is extracted, that is, no request type of the HTTP client is extracted, or the client request is for key information such as uploading or downloading data, the process returns to step S1.
In order to better implement the present invention, the method of determining in step S4 whether the data type requested by the client and the response data type of the HTTP server are consistent further includes:
extracting the HTTP information through the SNORT engine and restoring it;
and acquiring the corresponding type of the data from the restored HTTP information.
In this technical scheme, the HTTP server data is extracted to obtain the data requested by the client from the server, and the data requested by the client is restored to obtain the response data of the HTTP server.
To better implement the present invention, the SNORT engine further includes the following:
the SNORT engine enables a TCP (Transmission Control Protocol) plug-in, an HTTP plug-in, a file restoration plug-in, an HTTP anomaly analysis plug-in and a log plug-in; the acquired data is encoded and decoded and passed through the preprocessing plug-ins enabled by the SNORT engine.
In this technical scheme, realizing the invention requires a DAQ package module, a SNORT detection engine and a CLAMAV antivirus engine; the SNORT engine enables the TCP and HTTP plug-ins, enables the file recovery plug-in, disables writing data to disk, enables the HTTP anomaly analysis plug-in and enables the log function.
In order to better implement the present invention, step S5 further includes:
S5.1, adding a CLAMAV engine to the SNORT engine, the CLAMAV engine returning the scan information to the SNORT engine in real time when it finishes scanning the data;
S5.2, presetting an offline single-packet mode in the DAQ module, and configuring the offline single-packet mode as an online acquisition mode;
and S5.3, obtaining the detection status online according to the SNORT engine, the CLAMAV engine and the offline single-packet mode preset in the DAQ module, and outputting a log or blocking the session according to the detection status.
In this technical scheme, offline or real-time data needs to be imported through the DAQ module. An offline packet reading mode is configured, which is very useful for development and testing; configured as an online acquisition mode, the method can block sessions in real time and protect the WEB, and so has a certain protective effect. Next, the data is encoded and decoded by the SNORT detection engine, then passed through the preprocessing plug-ins, the session is analyzed, the HTTP information is extracted, the HTTP communication content is restored and the data type is identified. Whether the response is abnormal is judged by HTTP anomaly detection analysis. If an anomaly exists, attack detection is performed on the data again by the CLAMAV antivirus engine; finally, a result is output according to the detection status, such as a log alarm, blocking the session, or other operations.
At present, among the many virus searching and killing approaches at the network application layer, our patent is specific to the HTTP session and uses the function of importing offline or real-time data through the DAQ module to configure an offline packet reading mode, that is, to import data. DAQ is already very common data acquisition and measurement hardware, and our usual steps are to first specify the DAQ start directory and then test a configuration that starts in packet reading mode.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) the attack detection method based on HTTP session no longer sends a secondary request to the server, so the bandwidth load on the server or the network is reduced;
(2) the attack detection method based on HTTP session does not need to construct an HTML DOM tree, which improves detection efficiency and detection coverage; it can quickly and efficiently identify attacks in the HTTP payload, can dynamically upgrade the virus library in real time, has a virus library of millions of entries, and is comprehensive in detection, covering data in HTML and other formats;
(3) the attack detection method based on HTTP session provided by the invention no longer inspects only a single message header but inspects the payload, thereby improving accuracy;
(4) the attack detection method based on HTTP session provides an efficient, easy-to-use and rapidly deployable HTTP attack detection scheme; research/test deployment is simple, and it offers security researchers or system designers a reference method for rapidly deploying and testing against HTTP attacks.
Drawings
The invention is further described with reference to the following figures and examples, all of which are intended to be illustrative and within the scope of the invention.
Fig. 1 is a flowchart of an attack detection method based on HTTP session according to the present invention.
Detailed Description
Example 1:
An attack detection method based on HTTP session in this embodiment, as shown in Fig. 1, includes the following steps:
Step S1, importing real-time data through a DAQ module and performing stream session processing on it with the SNORT engine; when the SNORT engine identifies the stream-processed real-time data as an HTTP session, judging in the HTTP session preprocessing plug-in whether the data is HTTP client data or HTTP server data; if it is HTTP client data, entering step S2, and if it is HTTP server data, entering step S3;
S2, extracting the request information of the HTTP client data with the SNORT engine to obtain the request header information in the client request;
S3, extracting the HTTP server data with the SNORT engine, restoring the extracted HTTP server response data, and identifying the data type of the restored HTTP server response data;
S4, judging, through the HTTP anomaly detection plug-in in the SNORT engine, whether the data type requested by the client is consistent with the response data type of the HTTP server; if so, returning to step S1; if not, performing virus scanning on the restored server response data to detect whether an attack exists; if an attack exists, entering step S5, and if not, returning to step S1;
and S5, performing attack detection on the restored server response data again through the CLAMAV engine, and outputting the result of the attack detection through the SNORT engine.
In step S1 of this embodiment, the SNORT engine performs stream session processing on the real-time data, turning it into a data stream, and the SNORT engine automatically determines that the data stream is an HTTP session. The data before and after this processing is unchanged; we do not alter the original data, so the data remains the original real-time data. In step S2 of this embodiment, the SNORT engine extracts the request header information from the request information: it creates an HTTP client data structure whose fields correspond to the HTTP header format, and, according to the format of the request header, creates a data structure corresponding to the request header information and copies the data from the original real-time data into it. That is, a copy of the HTTP-header-format data is obtained, and request header information is acquired, such as the request method type {GET, POST, HEAD} from the client request information, the domain name information (HOST field), the ACCEPT field, the Content-Type field and the ACCEPT-Encoding field.
In this embodiment, the request information in the HTTP client direction needs to be extracted and the request type recorded; the data in the server direction needs to be extracted and the response data restored; the type of the response data is identified; it is judged whether the request type of the client is consistent with the response type of the server; and, if they are inconsistent, virus scanning is performed on the data to detect whether an attack exists.
Example 2:
This embodiment is further optimized on the basis of embodiment 1: when the data is identified as HTTP client data, the HTTP client data is identified and information is extracted from it to obtain detailed information about the HTTP client data, including the five-tuple of the session, the request method, the request type and so on.
In this embodiment, whether the HTTP data is in the client direction or the server direction is determined as follows. First, the type is identified from the payload data according to the HTTP (hypertext transfer protocol) standard: if the HTTP data is in the client direction, its payload must begin with one of the types GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT. For example, for a client GET request, the first line of the payload has the format "request method + request data + HTTP version number". When data in the HTTP client direction is identified, the session IP and port are recorded, so that srcIP + srcPort denote the client direction and dstIP + dstPort denote the server direction, and subsequent messages can be classified as client-direction or server-direction data according to their IP and port.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
Example 3:
In this embodiment, the corresponding request data is obtained according to the HTTP request type: for example, if the request method is GET, the key information of the ACCEPT field is obtained; if the request method is POST, the key information of the Content-Type field is obtained; and so on. The corresponding key information may not be extracted, for example when the request type of the HTTP client is not extracted, or when the client request is for key information such as uploading or downloading data.
In this embodiment, the request type is obtained first: under the HTTP protocol standard there is an "ACCEPT" field that identifies the type of data requested. After the server data has been restored, the program does not know what that data is; it may be arbitrary data, it may not be a picture, it may be a virus file or an executable program carrying an attack, and in any case it may not be the picture the client wanted. So at this point we need to identify what the restored data is, and the specific identification manner is as follows. Every file that we can open has certain file-format characteristics: pictures, doc files, exe files, executable programs and so on all carry certain characteristics, so these characteristics are data characteristics prepared in advance. The type of the restored data is identified and compared with the request type recorded from the client; for example, the client clearly requested a picture, but the server returned an executable virus file instead of a picture. Because the server can restore data, it cannot be determined from the restored data alone whether it carries a threat; at this point the data needs to be searched and killed through a virus library. The virus library is open, and virus information and the library itself can be added, modified and produced conveniently; that is, whether the restored data carries a threat is further judged by virus searching and killing.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
Example 4:
In this embodiment, it is first determined, by means of the identifying text ACCEPT, whether the obtained request data begins with GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS or CONNECT. If so, the corresponding request data is obtained according to the HTTP request type: if the request method is GET, the key information of the ACCEPT field is obtained, and if the request method is POST, the key information of the Content-Type field is obtained. If not, the corresponding key information is not extracted; for example, the request type of the HTTP client is not extracted, or the purpose of the client request is to upload or download key information such as data.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
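The direction test of steps S1.1 to S1.3 and Example 2 (a client payload begins with one of the eight request methods, after which the session's IP and port pair is recorded so later packets are classified by address alone) and the header extraction of step S2 and Examples 3 and 4 (GET uses ACCEPT, POST uses Content-Type, together with HOST and ACCEPT-Encoding) can be written as follows. This is an added Python example, not the patent's code and not a SNORT preprocessing plug-in; the `SessionTable` and `ClientRequest` names and the sample request are assumptions of this example.

```python
"""Added example (not the patent's code): classify the direction of an HTTP
payload and extract the request-header fields named in steps S1.1-S1.3 and
S2.  The session table, type names and sample payloads are assumptions of
this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# A payload that starts with one of these methods is in the client direction
# (the HTTP/1.1 method set listed in Example 2).
CLIENT_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT")

# Address part of the session five-tuple: (srcIP, srcPort, dstIP, dstPort).
Endpoint = Tuple[str, int, str, int]


@dataclass
class ClientRequest:
    """The 'HTTP client data structure' of step S2: request line plus headers."""
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)

    def requested_type(self) -> Optional[str]:
        """Key field per step S2: GET uses Accept, POST uses Content-Type."""
        if self.method == "GET":
            return self.headers.get("accept")
        if self.method == "POST":
            return self.headers.get("content-type")
        return None


def starts_with_method(payload: bytes) -> bool:
    """S1.1: a client payload begins with 'METHOD SP target SP HTTP/x.y'."""
    first = payload.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    return (len(parts) == 3
            and parts[0].decode("ascii", "replace") in CLIENT_METHODS
            and parts[2].startswith(b"HTTP/"))


def parse_request(payload: bytes) -> Optional[ClientRequest]:
    """S2: copy the request line and header fields into a structure.
    Returns None when the key information cannot be extracted, which is the
    'return to step S1' branch of the patent's flow."""
    if not starts_with_method(payload):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:          # HOST is mandatory in HTTP/1.1 requests
        return None
    return ClientRequest(method, target, version, headers)


class SessionTable:
    """S1.3: remember which endpoint spoke first as the client so that later
    packets of the same session are classified by IP and port alone."""

    def __init__(self) -> None:
        self._clients: Dict[Endpoint, ClientRequest] = {}

    def classify(self, src: Tuple[str, int], dst: Tuple[str, int], payload: bytes) -> str:
        key: Endpoint = (src[0], src[1], dst[0], dst[1])
        reverse: Endpoint = (dst[0], dst[1], src[0], src[1])
        if key in self._clients:
            return "client"
        if reverse in self._clients:
            return "server"
        req = parse_request(payload)
        if req is not None:
            self._clients[key] = req      # record srcIP+srcPort as the client side
            return "client"
        return "unknown"

    def request_for(self, src: Tuple[str, int], dst: Tuple[str, int]) -> Optional[ClientRequest]:
        """For a server-direction packet, return the client request it answers."""
        return self._clients.get((dst[0], dst[1], src[0], src[1]))


# Constructed sample traffic for a stand-alone run.
SAMPLE_REQUEST = (b"GET /logo.png HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept: image/png\r\nAccept-Encoding: gzip\r\n\r\n")

if __name__ == "__main__":
    table = SessionTable()
    print(table.classify(("10.0.0.5", 51000), ("203.0.113.10", 80), SAMPLE_REQUEST))
    print(table.classify(("203.0.113.10", 80), ("10.0.0.5", 51000), b"HTTP/1.1 200 OK\r\n\r\n"))
    print(table.request_for(("203.0.113.10", 80), ("10.0.0.5", 51000)).requested_type())
```

The parser only needs the request line and header block, which is all step S2 copies out of the stream; the body of a POST is never parsed here. A payload whose first line is not a valid request line, or that lacks a HOST field, yields `None`, so the caller can drop it and go back to step S1 instead of recording a bogus client side for the session.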
Example 5:
In this embodiment, the HTTP server data is extracted to obtain the data requested by the client from the server, and that data is restored to obtain the response data of the HTTP server. That is, the payload data returned by the server is restored and extracted, recovering the data the client wanted to request: if the client requested a picture and the server responded with picture data, the picture is restored and extracted.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
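Steps S3 and S4, the type identification by file-format characteristics described in Example 3 and the restoration of the response body in Example 5, as an added Python example that is not the patent's code. The signature table, the gzip handling and the sample responses are constructed for this example; a production engine would use a far larger signature set.

```python
"""Added example (not the patent's code): restore a server response body,
identify its real type from file-format characteristics, and check it
against the type the client asked for (steps S3-S4; Examples 3 and 5).
The signature table, the sample responses and the gzip handling are
constructed for this example."""
import gzip
from typing import Dict, List, Optional, Tuple

# "Data characteristics prepared in advance": (magic bytes, type, category).
SIGNATURES: List[Tuple[bytes, str, str]] = [
    (b"\x89PNG\r\n\x1a\n", "image/png", "image"),
    (b"\xff\xd8\xff", "image/jpeg", "image"),
    (b"GIF87a", "image/gif", "image"),
    (b"GIF89a", "image/gif", "image"),
    (b"%PDF-", "application/pdf", "document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword", "document"),
    (b"PK\x03\x04", "application/zip", "archive"),
    (b"MZ", "application/x-dosexec", "executable"),
    (b"\x7fELF", "application/x-executable", "executable"),
]


def restore_body(response: bytes) -> bytes:
    """Example 5: split a reassembled response message into head and body and
    undo gzip content-encoding so the real payload is what gets identified."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return b""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-encoding" and b"gzip" in value.lower():
            try:
                return gzip.decompress(body)
            except (OSError, EOFError):
                return body          # corrupt encoding: identify the raw bytes instead
    return body


def identify_type(data: bytes) -> Tuple[str, str]:
    """S3: classify restored data by its leading bytes.  Data matching no
    signature is text if it decodes as UTF-8, otherwise unknown binary."""
    for magic, mime, category in SIGNATURES:
        if data.startswith(magic):
            return mime, category
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream", "unknown"
    if text.lstrip().lower().startswith(("<!doctype html", "<html")):
        return "text/html", "text"
    return "text/plain", "text"


def is_consistent(accept: Optional[str], identified: str) -> bool:
    """S4: consistent when the identified type matches an Accept entry exactly
    or via a 'type/*' range.  A missing or '*/*' Accept imposes no constraint."""
    if not accept:
        return True
    top = identified.partition("/")[0]
    for item in accept.split(","):
        media = item.split(";", 1)[0].strip().lower()
        if media in ("*/*", identified):
            return True
        mtop, _, msub = media.partition("/")
        if mtop == top and msub == "*":
            return True
    return False


def check_response(accept: Optional[str], response: bytes) -> Dict[str, object]:
    """S3-S4 combined: restore, identify, compare, and decide whether the
    data must go on to virus scanning (step S5)."""
    body = restore_body(response)
    mime, category = identify_type(body)
    consistent = is_consistent(accept, mime)
    return {"identified": mime, "category": category,
            "consistent": consistent, "needs_scan": not consistent}


# Constructed samples: a PNG served plainly, and a PE executable served
# gzip-encoded under a Content-Type header that claims it is a picture.
SAMPLE_PNG_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
                       + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SAMPLE_EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                       b"Content-Encoding: gzip\r\n\r\n"
                       + gzip.compress(b"MZ\x90\x00" + b"\x00" * 16))

if __name__ == "__main__":
    print(check_response("image/png", SAMPLE_PNG_RESPONSE))
    print(check_response("image/png", SAMPLE_EXE_RESPONSE))
```

Two points follow from the patent's flow. First, the comparison must use the type identified from the restored bytes, never the server's own Content-Type header, since that header is under the server's control; the second sample is labelled `image/png` yet is identified as an executable. Second, a client that sends `Accept: */*` (as most browsers do for top-level navigation) makes the consistency check vacuous, so a strict implementation of step S4 would return to S1 without scanning; a deployment may therefore want to send executable and archive categories to the scanner regardless of consistency.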
Example 6:
In this embodiment, realizing the invention requires a DAQ package module, a SNORT detection engine and a CLAMAV antivirus engine; the SNORT engine enables the TCP and HTTP plug-ins, enables the file recovery plug-in, disables writing data to disk, enables the HTTP anomaly analysis plug-in and enables the log function.
Other parts of this embodiment are the same as any of embodiments 1 to 5, and thus are not described again.
Example 7:
In this embodiment, offline or real-time data needs to be imported through the DAQ module. An offline packet reading mode is configured, which is very useful for development and testing; configured as an online acquisition mode, the method can block sessions in real time and protect the WEB, and so has a certain protective effect. Next, the data is encoded and decoded by the SNORT detection engine, then passed through the preprocessing plug-ins, the session is analyzed, the HTTP information is extracted, the HTTP communication content is restored and the data type is identified. Whether the response is abnormal is judged by HTTP anomaly detection analysis. If an anomaly exists, attack detection is performed on the data again by the CLAMAV antivirus engine; finally, a result is output according to the detection status, such as a log alarm, blocking the session, or other operations. At present, among the many virus searching and killing approaches at the network application layer, our patent is specific to the HTTP session and uses the function of importing offline or real-time data through the DAQ module to configure an offline packet reading mode, that is, to import data. DAQ is already very common data acquisition and measurement hardware, and our usual steps are to first specify the DAQ start directory and then test a configuration that starts in packet reading mode.
Other parts of this embodiment are the same as embodiment 1, and thus are not described again.
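Steps S5.1 to S5.3 and Examples 6 and 7 hand the restored data to the CLAMAV engine and then log or block according to the verdict and the DAQ mode. The added Python example below is not the patent's code and not the in-process CLAMAV integration the patent describes; it talks to a clamd daemon over its INSTREAM command (null-terminated `zINSTREAM`, big-endian length-prefixed chunks, zero-length terminator, as documented for clamd) and maps the verdict to the log-or-block decision. The socket address, chunk size and sample verdict strings are assumptions of this example.

```python
"""Added example (not the patent's code): submit restored response data to a
ClamAV daemon with the INSTREAM command and turn the verdict into the
log-or-block action of steps S5.1-S5.3.  The daemon address, chunk size and
sample verdicts are assumptions of this example."""
import socket
from dataclasses import dataclass
from typing import Iterator, Tuple

CLAMD_ADDR = ("127.0.0.1", 3310)   # assumed clamd TCP listener
CHUNK = 8192                       # assumed chunk size for INSTREAM


@dataclass
class ScanResult:
    status: str      # "clean", "infected" or "error"
    detail: str      # signature name, or error text


def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the byte sequences that make up one INSTREAM request:
    command, length-prefixed chunks, and the zero-length terminator."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        yield len(part).to_bytes(4, "big") + part
    yield b"\0\0\0\0"


def parse_verdict(reply: bytes) -> ScanResult:
    """S5.1: parse the scan information clamd returns, e.g.
    b'stream: OK\\0' or b'stream: Eicar-Test-Signature FOUND\\0'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ScanResult("clean", "")
    if verdict.endswith(" FOUND"):
        return ScanResult("infected", verdict[:-len(" FOUND")])
    return ScanResult("error", verdict or text)


def scan_with_clamd(data: bytes, addr: Tuple[str, int] = CLAMD_ADDR,
                    timeout: float = 5.0) -> ScanResult:
    """Send the restored data to clamd and read the verdict (needs a running daemon)."""
    with socket.create_connection(addr, timeout=timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            piece = sock.recv(4096)
            if not piece:
                break
            reply += piece
    return parse_verdict(reply)


def decide(result: ScanResult, inline: bool) -> Tuple[str, str]:
    """S5.3: in offline single-packet mode only a log is produced; in online
    acquisition mode an infected verdict blocks the session.  Scan errors are
    logged so that a failed scan is never silently treated as clean."""
    if result.status == "infected":
        action = "block" if inline else "log"
        return action, f"alert: {result.detail} in HTTP response"
    if result.status == "error":
        return "log", f"scan error: {result.detail}"
    return "pass", ""


if __name__ == "__main__":
    # Constructed verdicts stand in for a live daemon when run stand-alone.
    for reply in (b"stream: OK\0", b"stream: Eicar-Test-Signature FOUND\0"):
        print(decide(parse_verdict(reply), inline=True))
```

`scan_with_clamd` is the only part that needs a daemon; the framing and verdict parsing are pure functions so they can be tested offline, which mirrors the patent's offline single-packet mode for development and testing before switching to online acquisition. Treating an `ERROR` reply (for example when the INSTREAM size limit is exceeded) as a logged event rather than a clean result matters, because an oversized response would otherwise bypass step S5 unnoticed.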
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (7)

1. An attack detection method based on HTTP session, characterized by comprising the following steps: step S1, importing real-time data through a DAQ module and performing stream session processing on it with the SNORT engine; when the SNORT engine identifies the stream-processed real-time data as an HTTP session, judging in the HTTP session preprocessing plug-in whether the data is HTTP client data or HTTP server data; if it is HTTP client data, entering step S2, and if it is HTTP server data, entering step S3;
S2, extracting the request information of the HTTP client data with the SNORT engine to obtain the request header information in the client request;
S3, extracting the HTTP server data with the SNORT engine, restoring the extracted HTTP server response data, and identifying the data type of the restored HTTP server response data; S4, judging, through the HTTP anomaly detection plug-in in the SNORT engine, whether the data type requested by the client is consistent with the response data type of the HTTP server; if so, returning to step S1; if not, performing virus scanning on the restored server response data to detect whether an attack exists; if an attack exists, entering step S5, and if not, returning to step S1; and S5, performing attack detection on the restored server response data again through the CLAMAV engine, and outputting the result of the attack detection through the SNORT engine.
2. The HTTP session-based attack detection method according to claim 1, wherein determining in step S1 whether the data is HTTP client data or HTTP server data includes: S1.1, identifying the type of the data start from the payload data according to the HTTP protocol standard, and judging the data to be HTTP client data when the data start conforms to client data;
S1.2, when the data is identified as HTTP client data, identifying the HTTP client data and extracting information from it to obtain the HTTP client data information; and S1.3, judging, according to the extracted client data information, whether subsequently introduced data is HTTP client data or HTTP server data.
3. The HTTP session based attack detection method as recited in claim 1, wherein the step S2 includes:
and acquiring corresponding request data according to the HTTP request type, judging whether the head of the acquired request data can extract corresponding key information or not, if so, acquiring the information of the request header in the client request information, and if not, returning to the step S1.
4. The HTTP session based attack detection method as recited in claim 1, wherein the step S3 includes: the data type of the HTTP request acquired in step S1 is compared with the response data type that has been identified in step S3.
5. The attack detection method based on HTTP session as recited in claim 1, wherein the step S4, for determining whether the request data type required by the client and the response data type of the HTTP server are consistent, comprises: extracting HTTP information through a SNORT engine, and restoring the HTTP information; and acquiring the corresponding type of the data according to the restored HTTP information.
6. An attack detection method based on HTTP session according to any of claims 1 to 5, wherein the SNORT engine comprises:
the SNORT engine starts a TCP (transmission control protocol), an HTTP plug-in, a file restoration plug-in, an HTTP anomaly analysis plug-in and a log plug-in; and coding and decoding the acquired data and preprocessing the plug-in through the plug-in started by the SNORT engine.
7. The HTTP session based attack detection method as recited in claim 1, wherein the step S5 includes: s5.1, adding a CLAMAV engine into the SNORT engine, and returning scanning data information to the SNORT engine in real time when the CLAMAV engine finishes scanning data; s5.2, presetting an offline single-packet mode in the DAQ module, and configuring the offline single-packet mode into an online acquisition mode;
and S5.3, acquiring the detection condition on line according to an offline single-packet mode preset in the SNORT engine, the CLAMAV engine and the DAQ module, and outputting a log or blocking a session according to the detection condition.
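The request/response flow of claims 1 to 7, written out as an added Python example; this is not code from the patent, from Snort or from ClamAV. The function names (`inspect_session`, `check_consistency`, `sniff_type` and the rest), the HTTP messages and the `TEST_SIGNATURE` marker are all constructed here for illustration. Where the claims call the CLAMAV engine (steps S4 and S5), the example takes two scanner callables so that a real clamd client can be substituted. It also goes one step beyond the claim's request-type versus response-type comparison: it additionally compares the server's declared Content-Type against the type sniffed from the restored body, since a mismatch there is the usual sign of a disguised download.

```python
"""HTTP session attack-detection flow in the spirit of claims 1 to 7.

Added example (not code from the patent, Snort or ClamAV).  All HTTP
messages and the scanner signature below are constructed test data.
"""
from typing import Callable, Dict, List, Tuple

UNKNOWN = "application/octet-stream"

# Leading-byte signatures used to identify the restored response type (step S3).
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-elf"),
    (b"MZ", "application/x-dosexec"),
]

# Constructed stand-in for an AV signature; a real deployment asks clamd instead.
TEST_SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER"


def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_client_data(raw: bytes) -> bool:
    """Step S1.1: a request line starts with a method, a status line with HTTP/."""
    return not raw.split(b"\r\n", 1)[0].startswith(b"HTTP/")


def requested_types(headers: Dict[str, str]) -> List[str]:
    """Step S2: media types the client asked for (Accept header, q-values dropped)."""
    accept = headers.get("accept", "*/*")
    return [p.split(";", 1)[0].strip().lower() for p in accept.split(",") if p.strip()]


def sniff_type(body: bytes) -> str:
    """Step S3: identify the data type of the restored body from its leading bytes."""
    for magic, media_type in MAGIC:
        if body.startswith(magic):
            return media_type
    head = body.lstrip()[:32].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    return UNKNOWN


def declared_type(headers: Dict[str, str]) -> str:
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def type_matches(wanted: str, actual: str) -> bool:
    """Accept-style matching with */* and type/* wildcards."""
    wmaj, _, wsub = wanted.partition("/")
    amaj, _, asub = actual.partition("/")
    return wmaj == "*" or (wmaj == amaj and wsub in ("*", asub))


def check_consistency(req_headers: Dict[str, str], resp_headers: Dict[str, str],
                      body: bytes) -> Tuple[bool, str]:
    """Step S4: does the response type match what the client requested?

    Also flags a declared Content-Type that disagrees with the sniffed body.
    """
    sniffed, declared = sniff_type(body), declared_type(resp_headers)
    if declared and sniffed != UNKNOWN and declared != sniffed:
        return False, f"declared {declared} but body looks like {sniffed}"
    effective = sniffed if sniffed != UNKNOWN else declared
    wanted = requested_types(req_headers)
    if effective and not any(type_matches(w, effective) for w in wanted):
        return False, f"client accepts {wanted} but response is {effective}"
    return True, "consistent"


def signature_scan(body: bytes) -> bool:
    """Constructed scanner used for both the S4 scan and the S5 confirmation."""
    return TEST_SIGNATURE in body


def inspect_session(request: bytes, response: bytes,
                    scan: Callable[[bytes], bool] = signature_scan,
                    confirm: Callable[[bytes], bool] = signature_scan) -> Dict[str, str]:
    """Run steps S1 to S5 over one request/response pair and return the verdict."""
    if not is_client_data(request) or is_client_data(response):     # S1
        return {"action": "pass", "reason": "not a client/server pair"}
    _, req_headers, _ = parse_http_message(request)                  # S2
    _, resp_headers, body = parse_http_message(response)             # S3
    ok, reason = check_consistency(req_headers, resp_headers, body)  # S4
    if ok or not scan(body):          # consistent, or inconsistent but clean: back to S1
        return {"action": "pass", "reason": reason}
    if confirm(body):                 # S5: second engine agrees -> block the session
        return {"action": "block", "reason": reason}
    return {"action": "log", "reason": reason}   # S5: only the first engine fired


# Constructed sample traffic: a PNG request answered by a PNG, and by a disguised executable.
REQ_PNG = (b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\n"
           b"Accept: image/png,image/*;q=0.8\r\n\r\n")
RESP_PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG\r\n\x1a\n" + b"\x00" * 16
RESP_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\nMZ\x90\x00"
            + TEST_SIGNATURE + b"\x00" * 8)

if __name__ == "__main__":
    for resp in (RESP_PNG, RESP_EXE):
        print(inspect_session(REQ_PNG, resp))
```

The verdict mapping follows claim 7: a response whose type disagrees with the request is scanned, and only when the confirmation engine agrees is the session blocked; a single-engine hit is logged. Hooking this into real traffic means replacing `signature_scan` with a call to clamd and feeding reassembled streams from the capture layer.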

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111103051.3A CN113922992A (en) 2021-09-18 2021-09-18 Attack detection method based on HTTP session

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111103051.3A CN113922992A (en) 2021-09-18 2021-09-18 Attack detection method based on HTTP session

Publications (1)

Publication Number Publication Date
CN113922992A true CN113922992A (en) 2022-01-11

Family

ID=79235483

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111103051.3A Pending CN113922992A (en) 2021-09-18 2021-09-18 Attack detection method based on HTTP session

Country Status (1)

Country Link
CN (1) CN113922992A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941363A (en) * 2023-03-08 2023-04-07 广东广宇科技发展有限公司 Network communication security analysis method based on http protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070214504A1 (en) * 2004-03-30 2007-09-13 Paolo Milani Comparetti Method And System For Network Intrusion Detection, Related Network And Computer Program Product
CN101060492A (en) * 2007-05-29 2007-10-24 杭州华三通信技术有限公司 Talk detection method and talk detection system
CN101888312A (en) * 2009-05-15 2010-11-17 北京启明星辰信息技术股份有限公司 Attack detection and response method and device of WEB page
CN103428195A (en) * 2012-12-27 2013-12-04 北京安天电子设备有限公司 Unknown virus detecting method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
肖梓航;桑胜田;肖新光;: "反病毒引擎硬件加速技术研究", 信息网络安全, no. 01, pages 42 - 45 *

Similar Documents

Publication Publication Date Title
US10200384B1 (en) Distributed systems and methods for automatically detecting unknown bots and botnets
US7752662B2 (en) Method and apparatus for high-speed detection and blocking of zero day worm attacks
US8095983B2 (en) Platform for analyzing the security of communication protocols and channels
US7302480B2 (en) Monitoring the flow of a data stream
CN112468360A (en) Asset discovery identification and detection method and system based on fingerprint
US20050021791A1 (en) Communication gateway apparatus, communication gateway method, and program product
US20110289583A1 (en) Correlation engine for detecting network attacks and detection method
US20080229419A1 (en) Automated identification of firewall malware scanner deficiencies
US11647037B2 (en) Penetration tests of systems under test
CN105592017B (en) The defence method and system of cross-site scripting attack
EP3021550A1 (en) System and method for identifying internet attacks
US8490173B2 (en) Unauthorized communication detection method
CN111464526A (en) Network intrusion detection method, device, equipment and readable storage medium
US20030172155A1 (en) Cracker tracing system and method, and authentification system and method of using the same
CN111314301A (en) Website access control method and device based on DNS (Domain name Server) analysis
CN110636076B (en) Host attack detection method and system
CN113922992A (en) Attack detection method based on HTTP session
CN108259416B (en) Method for detecting malicious webpage and related equipment
JP6007308B1 (en) Information processing apparatus, information processing method, and program
JP5966076B1 (en) Information processing apparatus, information processing method, and program
US9049170B2 (en) Building filter through utilization of automated generation of regular expression
JP6105797B1 (en) Information processing apparatus, information processing method, and program
Xu et al. Identifying malware with HTTP content type inconsistency via header-payload comparison
JP2012150658A (en) Information processing device, system, communication monitoring method and program
Patel et al. Analyzing network traffic data using Hive queries

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination