CN113922992B - Attack detection method based on HTTP session - Google Patents
Attack detection method based on HTTP session
- Publication number: CN113922992B (application number CN202111103051.3A)
- Authority: CN (China)
- Prior art keywords: data, http, request, client, engine
- Legal status: Active (status as listed by Google Patents; an assumption, not a legal conclusion)
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
        - H04L63/1416—Event detection, e.g. attack signature detection
      - H04L63/1441—Countermeasures against malicious traffic
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    - H04L67/34—Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
Abstract
The invention relates to the technical field of computer detection and discloses an attack detection method based on an HTTP session, comprising the following steps: S1, import real-time data through a DAQ module; S2, extract the request information of the HTTP client data with the SNORT engine and obtain the request header information from the client request information; S3, extract the HTTP server data with the SNORT engine, restore the extracted HTTP server response data and identify it; S4, judge with the HTTP anomaly detection plug-in in the SNORT engine whether the data type requested by the client is consistent with the type of the HTTP server response data; if so, return to step S1; otherwise virus-scan the restored server response data to detect whether an attack exists; if an attack exists, go to step S5, otherwise return to step S1; S5, perform attack detection on the restored server response data with the CLAMAV engine and output a result on the attack detection condition.
Description
Technical Field
The invention relates to the technical field of computer detection, and in particular to an attack detection method based on an HTTP session that addresses the inaccuracy, low efficiency and incomplete coverage of current HTTP response attack detection. The method also has reference value for security researchers and security system designers, for example in the development of security engines or WEB firewalls.
Background
With the development of internet technology, using the HTTP protocol as the data-bearing protocol has become the norm; it is the most widely used network protocol on the internet, and every browser on the market today supports HTTP parsing. Since HTTP is a stateless, connectionless, request/response communication mode carried in plaintext, it also has many security holes; more and more HTTP servers and user hosts are exposed on the network, and attacks against HTTP services or clients are endless. To cope with these network attacks, many specialized WEB firewalls and similar products have appeared. Many attacks based on the communication protocol format are effectively blocked, but many malicious attacks are hidden in the payload data of HTTP communication, so attacks on the HTTP client or server are difficult to protect against in real time. With the development of IPv6 and the Internet of Things, the targets of HTTP attacks keep growing and the attack methods keep advancing, so HTTP attack resistance in WEB firewalls or system firewalls becomes both more difficult and more important.
At present, several methods for detecting HTTP attacks exist on the market, such as intercepting the HTTP request, replaying a simulated request to the server and judging whether an attack exists by comparing the two responses, or even building an HTML DOM tree from the response data and comparing the two DOM trees to improve recognition accuracy. Although these methods can identify some attacks, they only work when the response data is HTML content; for non-HTML responses they have clear shortcomings, and they are not accurate enough, not comprehensive in detection, and inefficient.
A technical scheme is therefore needed to solve the inaccuracy, low efficiency and incomplete coverage of conventional HTTP response attack detection. Such a method also has reference value for security researchers and security system designers, for example in the development of security engines or WEB firewalls.
Disclosure of Invention
The invention aims to provide an attack detection method based on an HTTP session that solves the inaccuracy, low efficiency and incomplete coverage of current HTTP response attack detection. The method also has reference value for security researchers and security system designers, for example in the development of security engines or WEB firewalls.
The invention is realized by the following technical scheme: an attack detection method based on an HTTP session comprises the following steps:
S1, import real-time data through a DAQ module and perform stream session processing on it with the SNORT engine; when the SNORT engine recognizes the stream-processed real-time data as an HTTP session, judge in the HTTP session preprocessing plug-in whether the real-time data is HTTP client data or HTTP server data; if it is HTTP client data, go to step S2, and if it is HTTP server data, go to step S3;
S2, extract the request information of the HTTP client data with the SNORT engine and obtain the request header information from the client request information;
S3, extract the HTTP server data with the SNORT engine, restore the extracted HTTP server response data and identify the data type of the restored response data;
S4, judge with the HTTP anomaly detection plug-in in the SNORT engine whether the data type requested by the client is consistent with the type of the HTTP server response data; if so, return to step S1; if not, virus-scan the restored server response data to detect whether an attack exists; if an attack exists, go to step S5, and if not, return to step S1;
S5, perform attack detection on the restored server response data with the CLAMAV engine and output a result on the attack detection condition through the SNORT engine.
In this technical solution, in step S1 the real-time data is processed into a data stream by the SNORT engine, which automatically determines that the stream is an HTTP session; the data before and after this processing is unchanged, so the data remains the original real-time data. In step S2 the SNORT engine extracts the request header information from the request information: the SNORT engine defines a data structure for the HTTP client whose fields correspond to the HTTP header format and, following the format of the request header, copies the data from the original data (the real-time data) into that structure. This is equivalent to copying data in HTTP header format and obtaining the request header information from the client request information, such as the request method type {GET, POST, HEAD} and domain name information: the HOST field, the ACCEPT field, the Content-Type field, the ACCEPT-Encoding field, and so on.
The technical scheme requires that the request information in the HTTP client direction be extracted and the request type recorded; that the data in the server direction be extracted and the response data restored; that the data type of the response data be identified; that the client request type be compared with the server response type for consistency; and, when they are inconsistent, that the data be virus-scanned to detect whether an attack exists.
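The request/response consistency check of steps S2 to S5, as an added example that is not the patent's own code: the request type is taken from the ACCEPT or Content-Type field, the restored response body is typed by its own file characteristics rather than by the server's declared header, and only a mismatch is handed to the scanner. The CLAMAV engine is assumed to be represented by a hypothetical `signature_scan` that knows only the benign EICAR test string; all messages are constructed.

```python
# Added example (not the patent's code): the request/response type-consistency check
# of steps S2-S5 on constructed HTTP messages. The CLAMAV step is stood in for by a
# hypothetical `signature_scan` that knows only the EICAR test string.
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"}

# Pre-prepared "data characteristics" of common file types (leading magic bytes).
MAGIC_SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),
    (b"GIF89a", "image"),
    (b"%PDF-", "pdf"),
    (b"MZ", "executable"),
    (b"\x7fELF", "executable"),
]

# The EICAR anti-malware test string: a benign, industry-standard scanner test pattern.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_http_message(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers, body


def mime_family(mime: str) -> str:
    """Map a MIME type to the coarse family used for the consistency check."""
    mime = mime.lower()
    if mime.startswith("image/"):
        return "image"
    if mime in ("text/html", "application/xhtml+xml"):
        return "html"
    if mime == "application/pdf":
        return "pdf"
    return "unknown"


def requested_family(method: str, headers: dict):
    """Step S2: GET -> ACCEPT field, POST -> Content-Type field. None means the
    key information could not be extracted, so the method goes back to S1."""
    if method == "GET":
        field = headers.get("accept", "")
    elif method == "POST":
        field = headers.get("content-type", "")
    else:
        return None
    first = field.split(",")[0].split(";")[0].strip()
    family = mime_family(first) if first and first != "*/*" else "unknown"
    return None if family == "unknown" else family


def identify_restored_type(body: bytes) -> str:
    """Step S3: classify the restored response body by its own characteristics,
    deliberately ignoring the server's declared Content-Type."""
    for magic, family in MAGIC_SIGNATURES:
        if body.startswith(magic):
            return family
    if re.search(rb"<\s*(!doctype|html)", body[:512], re.IGNORECASE):
        return "html"
    return "unknown"


def signature_scan(data: bytes) -> bool:
    """Stand-in for the CLAMAV engine: flags data carrying the EICAR test string."""
    return EICAR in data


def check_exchange(request: bytes, response: bytes, scan=signature_scan) -> str:
    """Run steps S2-S5 on one request/response pair and return the verdict."""
    start_line, req_headers, _ = parse_http_message(request)
    method = start_line.split(" ")[0]
    if method not in HTTP_METHODS:
        return "not-client-request"        # S1: not client-direction data
    wanted = requested_family(method, req_headers)
    if wanted is None:
        return "no-key-information"        # S2 failed: back to S1
    _, _, body = parse_http_message(response)
    actual = identify_restored_type(body)  # S3: type of the restored body
    if actual == wanted:
        return "consistent"                # S4: types agree, back to S1
    if scan(body):                         # S4 mismatch: scan, then S5
        return "attack-detected"
    return "mismatch-clean"


if __name__ == "__main__":
    # Constructed sample exchange: the client asks for an image and the server
    # answers with a non-image body carrying the EICAR test pattern.
    req = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\nAccept: image/png\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + EICAR
    print(check_exchange(req, resp))  # attack-detected
```

A response whose body type matches the request never reaches the scanner, which is the bandwidth and efficiency argument the patent makes; in a deployment the `scan` callback would submit the restored body to clamd instead of the signature stand-in.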
To better implement the present invention, the method of step S1 for judging whether the data is HTTP client data or HTTP server data further includes:
S1.1, identify the type of the data header from the payload data according to the HTTP protocol standard, and judge the data as HTTP client data when a header conforming to client data is identified;
S1.2, when the data is identified as HTTP client data, identify and extract information from the HTTP client data to obtain the HTTP client data information;
S1.3, judge whether subsequently imported data is HTTP client data or HTTP server data according to the extracted client data information.
In this technical scheme, when the data is identified as HTTP client data, the HTTP client data is identified and its information extracted, giving detailed information about the HTTP client data including the five-tuple of the session, the request method, the request type and the like.
To better implement the present invention, step S2 further includes:
obtaining the corresponding request data according to the HTTP request type and judging whether the corresponding key information can be extracted from the header of the obtained request data; if so, obtain the request header information from the client request information, and if not, return to step S1.
In this technical scheme, the corresponding request data is obtained according to the HTTP request type: if the request method is GET, the key information of the ACCEPT field is obtained, and if the request method is POST, the key information of the Content-Type field is obtained. If no corresponding key information is extracted, for example the request type of the HTTP client cannot be extracted or key information such as whether the client is uploading or downloading data cannot be obtained, the method returns to step S1.
To better implement the present invention, step S3 further includes:
comparing the data type of the HTTP request obtained in step S1 with the response data type already identified in step S3.
In this technical scheme, the corresponding request data is obtained according to the HTTP request type: if the request method is GET, the key information of the ACCEPT field is obtained, and if the request method is POST, the key information of the Content-Type field is obtained. Whether the header of the obtained request data begins with GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS or CONNECT is judged. If no corresponding key information is extracted, for example the request type of the HTTP client cannot be extracted or key information such as whether the client's purpose is uploading or downloading data cannot be obtained, the method returns to step S1.
To better implement the present invention, the method of step S4 for judging whether the request data type required by the client is consistent with the response data type of the HTTP server further includes:
extracting the HTTP information through the SNORT engine and restoring it;
and obtaining the corresponding data type from the restored HTTP information.
In this technical scheme, the request data required by the client is extracted from the HTTP server data, the request data required by the client is restored, and the response data of the HTTP server is obtained.
To better implement the present invention, the SNORT engine further:
starts the TCP and HTTP plug-ins, the file restore plug-in, the HTTP anomaly analysis plug-in and the log plug-in; and encodes, decodes and preprocesses the acquired data through the plug-ins it has started.
In this technical scheme, implementation requires the DAQ packet acquisition module, the SNORT detection engine and the CLAMAV antivirus engine. The SNORT engine can start the TCP and HTTP plug-ins, start the file restoration plug-in, disable writing data to disk, start the HTTP exception analysis plug-in and start the log function.
To better implement the present invention, step S5 further includes:
S5.1, add the CLAMAV engine into the SNORT engine so that, when the CLAMAV engine scans data, it returns the scanned data information to the SNORT engine in real time;
S5.2, preset an offline single-packet mode in the DAQ module and configure it into an online acquisition mode;
S5.3, carry out online acquisition of the detection condition with the SNORT engine, the CLAMAV engine and the DAQ module preset in offline single-packet mode, and output a log or block the session according to the detection condition.
In this technical scheme, offline or real-time data is imported through the DAQ module. Configuring an offline packet-reading mode is very useful for development and testing; configuring an online acquisition mode allows sessions to be blocked in real time, protecting the WEB service with a certain protective effect. Second, the SNORT detection engine encodes and decodes the data, runs the preprocessing plug-ins, analyzes the session, extracts the HTTP information, restores the HTTP communication content and identifies the data type. HTTP abnormality detection analysis then judges whether the response is abnormal. If an abnormality exists, the data is put through attack detection again by the CLAMAV antivirus engine; finally, a result is output according to the detection condition, such as a log alarm or session blocking.
Many application-layer virus scanning and removal approaches exist at present; this patent is specific to HTTP sessions. Offline or real-time data is imported through the DAQ module and an offline packet-reading mode is configured, which provides the data import function. DAQ is very common computing and measurement hardware: the DAQ start directory is specified first, the configuration is then tested, and starting in packet-reading mode is the usual step for the user.
Compared with the prior art, the invention has the following advantages:
(1) The attack detection method based on the HTTP session no longer sends a secondary request to the server, reducing the bandwidth the server or network must bear;
(2) The attack detection method based on the HTTP session provided by the invention does not need to build an HTML DOM tree, which improves detection efficiency and detection range; it can rapidly and efficiently identify attacks in the HTTP payload, can dynamically upgrade the virus library in real time, has a virus library of millions of entries, and comprehensively detects data in HTML and other formats;
(3) The attack detection method based on the HTTP session no longer inspects a single message header but inspects the payload, which improves accuracy;
(4) The HTTP session-based attack detection method provided by the invention is an efficient, easy-to-use and quick-to-deploy HTTP attack detection scheme that is simple to research, develop, test and deploy, and provides security researchers and system designers with a reference method for quickly deploying and testing HTTP attack detection.
Drawings
The invention is further described with reference to the following drawings and examples; all inventive concepts of the invention are to be considered disclosed and claimed.
Fig. 1 is a flowchart of the attack detection method based on an HTTP session provided by the present invention.
Detailed Description
Example 1:
The attack detection method based on an HTTP session in this embodiment, as shown in Fig. 1, includes the following steps:
S1, import real-time data through a DAQ module and perform stream session processing on it with the SNORT engine; when the SNORT engine recognizes the stream-processed real-time data as an HTTP session, judge in the HTTP session preprocessing plug-in whether the real-time data is HTTP client data or HTTP server data; if it is HTTP client data, go to step S2, and if it is HTTP server data, go to step S3;
S2, extract the request information of the HTTP client data with the SNORT engine and obtain the request header information from the client request information;
S3, extract the HTTP server data with the SNORT engine, restore the extracted HTTP server response data and identify the data type of the restored response data;
S4, judge with the HTTP anomaly detection plug-in in the SNORT engine whether the data type requested by the client is consistent with the type of the HTTP server response data; if so, return to step S1; if not, virus-scan the restored server response data to detect whether an attack exists; if an attack exists, go to step S5, and if not, return to step S1;
S5, perform attack detection on the restored server response data with the CLAMAV engine and output a result on the attack detection condition through the SNORT engine.
In step S1 of this embodiment, the real-time data is processed into a data stream by the SNORT engine, which automatically determines that the stream is an HTTP session; the data before and after this processing is unchanged, since what was originally the data is not altered, so the data remains the original real-time data. In step S2 of this embodiment, the SNORT engine extracts the request header information from the request information: the SNORT engine creates a data structure for the HTTP client whose fields correspond to the HTTP header format and, following the format of the request header, copies the data from the original data (the real-time data) into the structure it created. This is equivalent to copying data in HTTP header format and obtaining the request header information from the client request information, such as the request method type {GET, POST, HEAD} and domain name information: the HOST field, the ACCEPT field, the Content-Type field, the ACCEPT-Encoding field, and so on.
In this embodiment, the request information of the HTTP client needs to be extracted and the request type recorded; the data in the server direction needs to be extracted and the response data restored; the data type of the response data is identified; the client request type is compared with the server response type for consistency; and, when they are inconsistent, the data is virus-scanned to detect whether an attack exists.
Example 2:
This embodiment is further optimized on the basis of embodiment 1: when the data is identified as HTTP client data, the HTTP client data is identified and its information extracted, giving detailed information about the HTTP client data including the five-tuple of the session, the request method, the request type and the like.
In this embodiment, determining whether HTTP data is in the client direction or the server direction is done as follows. First, the type is identified from the payload data according to the HTTP protocol standard: if the HTTP data is in the client direction, its payload header must begin with one of GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT. For example, for a client GET request, the first line of the payload has the format "request method + request data + HTTP version number". Once data in the HTTP client direction is identified, the session IP addresses and ports are recorded: srcIP + srcPort is the client direction and dstIP + dstPort is the server direction, so subsequent messages can be classified as client-direction or server-direction data from their IP addresses and ports alone.
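The direction test described in this embodiment, as an added example that is not the patent's own code: the first payload of an unknown flow is classified by its request line, and the recorded five-tuple then classifies every later segment of the session without re-parsing. The class and method names are hypothetical, and all addresses are constructed.

```python
# Added example (not the patent's code): client/server direction identification
# from the request-line method token, with the 5-tuple recorded so later segments
# of the same session are classified by addresses and ports alone. Constructed data.
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE", b"OPTIONS", b"CONNECT"}


def is_client_request_line(payload: bytes) -> bool:
    """True if the first payload line has the form 'method SP target SP HTTP/x.y'."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/")


class HttpSessionTable:
    """Records srcIP+srcPort / dstIP+dstPort of each identified client so the rest
    of the session is classified without inspecting payloads again."""

    def __init__(self):
        # key: (srcIP, srcPort, dstIP, dstPort) seen in the client->server direction
        self._clients = {}

    def classify(self, src_ip, src_port, dst_ip, dst_port, payload: bytes) -> str:
        forward = (src_ip, src_port, dst_ip, dst_port)
        reverse = (dst_ip, dst_port, src_ip, src_port)
        if forward in self._clients:
            return "client"          # same direction as the recorded request
        if reverse in self._clients:
            return "server"          # reply direction of a recorded request
        # Unknown flow: only a well-formed request line establishes the client side.
        if is_client_request_line(payload):
            self._clients[forward] = {"method": payload.split(b" ", 1)[0].decode("ascii")}
            return "client"
        return "unknown"             # e.g. a reply seen before its request

    def client_method(self, src_ip, src_port, dst_ip, dst_port):
        """Request method recorded for a client-direction 5-tuple, or None."""
        entry = self._clients.get((src_ip, src_port, dst_ip, dst_port))
        return entry["method"] if entry else None


if __name__ == "__main__":
    table = HttpSessionTable()
    print(table.classify("10.0.0.5", 51000, "192.0.2.10", 80, b"GET /a HTTP/1.1\r\nHost: h\r\n\r\n"))
    print(table.classify("192.0.2.10", 80, "10.0.0.5", 51000, b"HTTP/1.1 200 OK\r\n\r\n"))
```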
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
Example 3:
In this embodiment, the corresponding request data is obtained according to the HTTP request type: for example, if the request method is GET, the key information of the ACCEPT field is obtained, and if the request method is POST, the key information of the Content-Type field is obtained. If no corresponding key information is extracted, for example the request type of the HTTP client cannot be extracted or key information such as whether the client's purpose is to upload or download data cannot be obtained, the method returns to step S1.
In this embodiment, the request type comes first: by the HTTP protocol standard there is a field, ACCEPT, that identifies the type of data being requested. After the server's data has been restored, the program does not know what that data is; it may be anything, it may not be a picture, it may be a virus file or a compromised executable program, and in any such case it is not the picture the client wanted. So at this point what the restored data is must be identified, specifically as follows: files have certain file-format characteristics (images, doc files, exe files and other executable programs each have their own), and these characteristics are the data characteristics prepared in advance, so the type of the restored data is identified from them and compared with the recorded client request type. For example, if the client clearly requested an image but the server returned an executable virus file instead of an image, that is a problem. When the data is restored it cannot yet be determined whether the restored data is a threat, so at this point the restored data must be scanned once against the virus library; the virus library is open source, and virus information and library entries can be freely added, modified and created. That is, whether the restored data is a threat is further judged through the virus scan.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
Example 4:
In this embodiment, whether the obtained request data begins with GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS or CONNECT is judged, with the identifier text ACCEPT as the marker. If so, the corresponding request data is obtained according to the HTTP request type: if the request method is GET, the key information of the ACCEPT field is obtained; if the request method is POST, the key information of the Content-Type field is obtained; and so on. If no corresponding key information is extracted, for example the request type of the HTTP client cannot be extracted or key information such as whether the client's purpose is to upload or download data cannot be obtained, the method returns to step S1.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
Example 5:
This embodiment is further optimized on the basis of embodiment 1. In this embodiment, the request data required by the client is extracted from the HTTP server data, and the request data required by the client is restored to obtain the response data of the HTTP server. The payload data in the server's response is restored and extracted, and the restored data is the data the client requested: for example, if the client requests a picture, the server responds with picture data, and the restored picture is the data the client wanted.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
Example 6:
This embodiment is further optimized on the basis of any one of embodiments 1 to 5. Implementing the present invention requires a DAQ packet acquisition module, the SNORT detection engine and the CLAMAV antivirus engine, where the SNORT engine can start the TCP and HTTP plug-ins, start the file restore plug-in, disable writing data to disk, start the HTTP exception analysis plug-in and start the log function.
Other portions of this embodiment are the same as those of any of embodiments 1 to 5, and thus will not be described again.
Example 7:
In this embodiment, offline or real-time data is imported through the DAQ module. Configuring an offline packet-reading mode is very useful for development and testing; configuring an online collection mode allows sessions to be blocked in real time, protecting the WEB service with a certain protective effect. Second, the SNORT detection engine encodes and decodes the data, runs the preprocessing plug-ins, analyzes the session, extracts the HTTP information, restores the HTTP communication content and identifies the data type. HTTP abnormality detection analysis then judges whether the response is abnormal. If an abnormality exists, the data is put through attack detection again by the CLAMAV antivirus engine; finally, a result is output according to the detection condition, such as a log alarm or session blocking. Many application-layer virus scanning and removal approaches exist at present; this patent is specific to HTTP sessions. Offline or real-time data is imported through the DAQ module and an offline packet-reading mode is configured, which provides the data import function. DAQ is very common computing and measurement hardware: the DAQ start directory is specified first, the configuration is then tested, and starting in packet-reading mode is the usual step for the user.
Other portions of this embodiment are the same as those of embodiment 1, and thus will not be described in detail.
The foregoing description is only a preferred embodiment of the present invention and does not limit it in any way; any simple modification or equivalent variation of the above embodiment according to the technical content of the present invention falls within the scope of the present invention.
Claims (5)
1. An attack detection method based on an HTTP session, characterized by comprising the following steps:
S1, import real-time data through a DAQ module and perform stream session processing on it with the SNORT engine; when the SNORT engine recognizes the stream-processed real-time data as an HTTP session, judge in the HTTP session preprocessing plug-in whether the real-time data is HTTP client data or HTTP server data; if it is HTTP client data, go to step S2, and if it is HTTP server data, go to step S3;
S2, extract the request information of the HTTP client data with the SNORT engine and obtain the request header information from the client request information;
S3, extract the HTTP server data with the SNORT engine, restore the extracted HTTP server response data and identify the data type of the restored response data;
S4, judge with the HTTP anomaly detection plug-in in the SNORT engine whether the data type requested by the client is consistent with the type of the HTTP server response data; if so, return to step S1; if not, virus-scan the restored server response data to detect whether an attack exists; if an attack exists, go to step S5, and if not, return to step S1;
S5, perform attack detection on the restored server response data with the CLAMAV engine and output a result on the attack detection condition through the SNORT engine;
wherein the method of step S1 for judging whether the data is HTTP client data or HTTP server data includes:
S1.1, identify the type of the data header from the payload data according to the HTTP protocol standard, and judge the data as HTTP client data when a header conforming to client data is identified;
S1.2, when the data is identified as HTTP client data, identify and extract information from the HTTP client data to obtain the HTTP client data information;
S1.3, judge whether subsequently imported data is HTTP client data or HTTP server data according to the extracted client data information;
and step S5 includes:
S5.1, add the CLAMAV engine into the SNORT engine so that, when the CLAMAV engine scans data, it returns the scanned data information to the SNORT engine in real time;
S5.2, preset an offline single-packet mode in the DAQ module and configure it into an online acquisition mode;
S5.3, carry out online acquisition of the detection condition with the SNORT engine, the CLAMAV engine and the DAQ module preset in offline single-packet mode, and output a log or block the session according to the detection condition.
2. The HTTP session-based attack detection method according to claim 1, wherein step S2 includes:
acquiring the corresponding request data according to the HTTP request type, and judging whether the corresponding key information can be extracted from the header of the acquired request data; if so, acquiring the request header information from the client request information, and if not, returning to step S1.
3. The HTTP session-based attack detection method according to claim 1, wherein step S3 includes: comparing the data type of the HTTP request acquired in step S1 with the response data type already identified in step S3.
4. The HTTP session-based attack detection method according to claim 1, wherein judging in step S4 whether the request data type required by the client and the response data type of the HTTP server are consistent includes: extracting the HTTP information through the SNORT engine and restoring the HTTP information; and acquiring the corresponding data type according to the restored HTTP information.
5. The HTTP session-based attack detection method according to any of claims 1-4, wherein the SNORT engine comprises:
the SNORT engine starts a TCP plug-in, an HTTP plug-in, a file restore plug-in, an HTTP anomaly analysis plug-in and a log plug-in; and the acquired data is encoded, decoded and preprocessed through the plug-ins started by the SNORT engine.
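The S4 comparison and the S5 hand-off of claim 1 in working form, as an added example that is not code from the patent, from Snort or from ClamAV. It assumes the type the client asked for is taken from the URL extension or, failing that, from the first Accept entry; the type the server delivered is sniffed from the body's leading bytes, and a response whose declared, requested and actual types do not agree is the only one passed to the scanner. The scanner is a constructed signature list holding just the EICAR test string, standing in for the ClamAV engine, and both HTTP exchanges are constructed inline.

```python
"""Request/response type consistency check (S4) with a scan hand-off (S5).

Added example, not code from the patent or from Snort/ClamAV. The scanner
below is a constructed stand-in for the ClamAV engine.
"""
import mimetypes
from dataclasses import dataclass
from typing import Optional

# Leading bytes that identify what a body really carries (short constructed list).
MAGIC = [
    (b"MZ", "application/x-msdownload"),
    (b"\x7fELF", "application/x-executable"),
    (b"PK\x03\x04", "application/zip"),
    (b"%PDF", "application/pdf"),
    (b"\x89PNG", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# EICAR test string: the standard benign pattern AV engines (ClamAV included)
# detect. It is the only "signature" the stand-in scanner knows.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"Eicar-Test-Signature": EICAR}


def parse_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lowercase headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(value: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html'."""
    return value.split(";", 1)[0].strip().lower()


def expected_type(request_line: str, headers: dict) -> str:
    """Type the client asked for: URL extension first, else the first Accept entry."""
    path = request_line.split(" ")[1].split("?", 1)[0]
    guessed, _ = mimetypes.guess_type(path)
    if guessed:
        return guessed
    return media_type(headers.get("accept", "*/*").split(",", 1)[0])


def sniff_type(body: bytes) -> str:
    """Type the body actually carries, from magic bytes; HTML by a loose prefix check."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    if body.lstrip()[:15].lower().startswith((b"<!doctype html", b"<html")):
        return "text/html"
    return "application/octet-stream"


def scan(body: bytes) -> Optional[str]:
    """Stand-in for the ClamAV hand-off: name of the matched signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in body:
            return name
    return None


@dataclass
class Verdict:
    expected: str            # what the client requested
    declared: str            # what the server's Content-Type header says
    actual: str              # what the body's bytes say
    consistent: bool         # S4 outcome
    detection: Optional[str] # S5 outcome: signature name if the scan fired


def check_session(request: bytes, response: bytes) -> Verdict:
    """S4 comparison, followed by the S5 scan only for a mismatching response."""
    req_line, req_hdr, _ = parse_message(request)
    _, resp_hdr, body = parse_message(response)
    expected = expected_type(req_line, req_hdr)
    declared = media_type(resp_hdr.get("content-type", "application/octet-stream"))
    actual = sniff_type(body)
    wildcard = expected == "*/*" or (expected.endswith("/*") and actual.startswith(expected[:-1]))
    consistent = (wildcard or actual == expected) and actual == declared
    detection = None if consistent else scan(body)
    return Verdict(expected, declared, actual, consistent, detection)


# Constructed sample traffic: a consistent image fetch, and an HTML request
# answered with a PE-style body (declared text/html) carrying the EICAR string.
IMG_REQ = b"GET /logo.png HTTP/1.1\r\nHost: example.test\r\nAccept: image/png,image/*;q=0.8\r\n\r\n"
IMG_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PAGE_REQ = b"GET /news/today HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
PAGE_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" + b"MZ\x90\x00" + EICAR

if __name__ == "__main__":
    for req, resp in ((IMG_REQ, IMG_RESP), (PAGE_REQ, PAGE_RESP)):
        v = check_session(req, resp)
        action = "pass" if v.consistent else ("block session" if v.detection else "log only")
        print(f"asked {v.expected}, declared {v.declared}, got {v.actual}: {action}")
```

A response that fails the S4 comparison but matches no signature is logged rather than blocked, which mirrors the claim's "output a log or block the session" choice in S5.3; a wildcard Accept only requires the declared and sniffed types to agree.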
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111103051.3A CN113922992B (en) | 2021-09-18 | 2021-09-18 | Attack detection method based on HTTP session |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113922992A CN113922992A (en) | 2022-01-11 |
CN113922992B true CN113922992B (en) | 2024-06-07 |
Family ID: 79235483
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111103051.3A Active CN113922992B (en) | 2021-09-18 | 2021-09-18 | Attack detection method based on HTTP session |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113922992B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115941363B (en) * | 2023-03-08 | 2023-08-01 | 广东广宇科技发展有限公司 | Network communication security analysis method based on http protocol |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1996892A (en) * | 2006-12-25 | 2007-07-11 | 杭州华为三康技术有限公司 | Detection method and device for network attack |
CN101060492A (en) * | 2007-05-29 | 2007-10-24 | 杭州华三通信技术有限公司 | Talk detection method and talk detection system |
CN101888312A (en) * | 2009-05-15 | 2010-11-17 | 北京启明星辰信息技术股份有限公司 | Attack detection and response method and device of WEB page |
CN103428195A (en) * | 2012-12-27 | 2013-12-04 | 北京安天电子设备有限公司 | Unknown virus detecting method |
CN106911637A (en) * | 2015-12-23 | 2017-06-30 | 北京奇虎科技有限公司 | Cyberthreat treating method and apparatus |
CN110708278A (en) * | 2019-08-13 | 2020-01-17 | 深圳开源互联网安全技术有限公司 | Method, system, device and readable storage medium for detecting HTTP response header |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1730917A1 (en) * | 2004-03-30 | 2006-12-13 | Telecom Italia S.p.A. | Method and system for network intrusion detection, related network and computer program product |
Timeline: 2021-09-18, CN application CN202111103051.3A, patent CN113922992B, status Active
Non-Patent Citations (1)
Title |
---|
Research on hardware acceleration technology for anti-virus engines; 肖梓航; 桑胜田; 肖新光; 信息网络安全, No. 01, pp. 42-45 * |
Also Published As
Publication number | Publication date |
---|---|
CN113922992A (en) | 2022-01-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8024804B2 (en) | | Correlation engine for detecting network attacks and detection method |
US10200384B1 (en) | | Distributed systems and methods for automatically detecting unknown bots and botnets |
US7302480B2 (en) | | Monitoring the flow of a data stream |
Rossow et al. | | Sandnet: Network traffic analysis of malicious software |
CN109756512B (en) | | Traffic application identification method, device, equipment and storage medium |
US7496962B2 (en) | | Intrusion detection strategies for hypertext transport protocol |
US7752662B2 (en) | | Method and apparatus for high-speed detection and blocking of zero day worm attacks |
US20080229419A1 (en) | | Automated identification of firewall malware scanner deficiencies |
US20090178140A1 (en) | | Network intrusion detection system |
CN111464526A (en) | | Network intrusion detection method, device, equipment and readable storage medium |
CN111314301A (en) | | Website access control method and device based on DNS (Domain Name Server) analysis |
US20090055919A1 (en) | | Unauthorized communication detection method |
CN113922992B (en) | | Attack detection method based on HTTP session |
CN110636076B (en) | | Host attack detection method and system |
US7587759B1 (en) | | Intrusion prevention for active networked applications |
Kaushik et al. | | Network forensic system for ICMP attacks |
CN114553513A (en) | | Communication detection method, device and equipment |
Dayıoglu et al. | | Use of passive network mapping to enhance signature quality of misuse network intrusion detection systems |
JP6007308B1 (en) | | Information processing apparatus, information processing method, and program |
Xu et al. | | Identifying malware with HTTP content type inconsistency via header-payload comparison |
US9049170B2 (en) | | Building filter through utilization of automated generation of regular expression |
Pardomuan et al. | | Server-Side Cross-Site Scripting Detection Powered by HTML Semantic Parsing Inspired by XSS Auditor |
JP6105797B1 (en) | | Information processing apparatus, information processing method, and program |
Patel et al. | | Analyzing network traffic data using Hive queries |
CN117896175B (en) | | Capturing method of malicious sample propagated through loopholes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |