CN114338202A - Network attack result detection method and device, computing equipment and storage medium - Google Patents

Info
Publication number: CN114338202A
Authority: CN (China)
Prior art keywords: attack, result, traffic, detected, sample
Legal status: Pending
Application number: CN202111664312.9A
Other languages: Chinese (zh)
Inventor: 孙兆兴
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd
Priority to CN202111664312.9A
Publication of CN114338202A

Abstract

The invention discloses a method and a device for detecting a network attack result, a computing device and a storage medium. The method comprises the following steps: identifying whether the network traffic to be detected is attack event traffic; if so, acquiring response data of the network traffic to be detected; extracting detection features from the response data and inputting them into a trained attack result prediction model to obtain the attack result of the network traffic to be detected, where the attack result prediction model is trained on attack traffic samples. Because the attack result of the attack event is detected with a machine learning algorithm rather than matched against fixed features, detection accuracy is improved and attack events are no longer missed merely because their results take diverse forms that fixed features cannot identify.

Description

Network attack result detection method and device, computing equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting a network attack result, computing equipment and a storage medium.
Background
A cyber attack is any offensive action directed at a computer information system, infrastructure, computer network or personal computer device. For computers and computer networks, destroying, revealing, modifying or disabling software or services, or stealing or accessing data from any computer without authorization, is considered an attack.
However, the inventor found while implementing the invention that in the related technology the attack result state is detected and identified by signature, so only responses with known, fixed features can be matched. The response to a network attack depends heavily on the actual application service, and there is no fixed pattern or uniform standard that defines an attack result, so responses customized by users often cannot be identified by fixed features; the accuracy of network attack result detection is therefore low, and network attacks are missed.
Disclosure of Invention
In view of the above, the present invention has been made to provide a method, an apparatus, a computing device and a storage medium for detecting a result of a network attack that overcome or at least partially solve the above problems.
According to an aspect of the present invention, a method for detecting a network attack result is provided, including:
identifying whether the network traffic to be detected is attack event traffic or not;
if so, acquiring response data of the network traffic to be detected;
extracting detection characteristics according to the response data, and inputting the detection characteristics into the trained attack result prediction model for processing to obtain an attack result of the network traffic to be detected;
the attack result prediction model is obtained by training an attack flow sample.
Optionally, before the method is executed, the method further includes:
acquiring an attack flow sample, and marking an attack result of the attack flow sample to obtain a marking result;
extracting the sample characteristics of the attack traffic sample, and constructing a training sample set according to the sample characteristics of the attack traffic sample and the marking result;
and training the training sample set to obtain an attack result prediction model.
Optionally, training the training sample set, and obtaining the attack result prediction model further includes:
extracting sample characteristics and a marking result of the attack flow sample from the training sample set;
inputting the sample characteristics of the attack flow sample into an initial prediction model for training to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the marking result, and then training again;
and circularly and iteratively executing the steps until an iteration ending condition is met, and obtaining an attack result prediction model.
Optionally, the detection feature and the sample feature comprise at least one of: the length of the response body, whether the response header contains a specified field, the length of the specified field, http protocol response codes, and the frequency of the part of speech of a specific word in the response body.
Optionally, before the method is executed, the method further includes:
and acquiring the network traffic to be detected from the designated port in a traffic mirroring mode.
Optionally, identifying whether the network traffic to be detected is attack traffic further includes:
and determining whether the network traffic to be detected is attack event traffic or not according to a matching result by performing pattern string matching processing on the network traffic to be detected.
Optionally, the attack event comprises: weak password attack events and file upload attack events.
According to another aspect of the present invention, there is provided a network attack result detection apparatus, including:
the attack identification module is suitable for identifying whether the network traffic to be detected is attack event traffic or not;
the response extraction module is suitable for acquiring response data of the network traffic to be detected if the network traffic to be detected is attack event traffic;
the result detection module is suitable for extracting detection characteristics according to the response data and inputting the detection characteristics into the trained attack result prediction model for processing to obtain an attack result of the network traffic to be detected; the attack result prediction model is obtained by training an attack flow sample.
Optionally, the apparatus further comprises:
a sample acquisition module adapted to acquire an attack traffic sample and mark its attack result to obtain a marking result, to extract the sample features of the attack traffic sample, and to construct a training sample set from the sample features of the attack traffic sample and the marking result;
and the model training module is suitable for training the training sample set to obtain an attack result prediction model.
Optionally, the model training module is further adapted to:
extracting sample characteristics and a marking result of the attack flow sample from the training sample set;
inputting the sample characteristics of the attack flow sample into an initial prediction model for training to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the marking result, and then training again;
and circularly and iteratively executing the steps until an iteration ending condition is met, and obtaining an attack result prediction model.
Optionally, the detection characteristics include at least one of the following characteristics of the response data of the network traffic to be detected: the length of the response body, whether the response head contains a specified field, the length of the specified field, an http protocol response code and the word part-of-speech frequency of a specific word in the response body;
the sample characteristics include at least one of the following in response data of the attack traffic sample: the length of the response body, whether the response header contains a specified field, the length of the specified field, http protocol response codes, and the frequency of the part of speech of a specific word in the response body.
Optionally, the traffic obtaining module is adapted to obtain the network traffic to be detected from the designated port in a traffic mirroring manner.
Optionally, the attack recognition module is further adapted to: and determining whether the network traffic to be detected is attack event traffic or not according to a matching result by performing pattern string matching processing on the network traffic to be detected.
Optionally, the attack event comprises: weak password attack events and file upload attack events.
According to yet another aspect of the present invention, there is provided a computing device comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the network attack result detection method described above.
According to still another aspect of the present invention, a computer storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform an operation corresponding to the method for detecting a network attack result as described above.
According to the network attack result detection method and device, computing device and storage medium of the invention, whether the network traffic to be detected is attack event traffic is identified; if so, response data of the network traffic to be detected is acquired; detection features are extracted from the response data and input into the trained attack result prediction model to obtain the attack result of the network traffic to be detected, where the attack result prediction model is trained on attack traffic samples. Because the attack result of the attack event is detected by a machine learning algorithm rather than by fixed features, detection accuracy is improved and attack events are not missed merely because their results take diverse forms that fixed features cannot identify.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a method for detecting a network attack result according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for detecting a network attack result according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a device for detecting a network attack result according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a flowchart of a method for detecting a network attack result according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
step S110, identifying whether the network traffic to be detected is attack event traffic.
Real network traffic to be detected is acquired from a specified network port, and a preliminary identification is made of whether it is attack event traffic.
Specifically, feature fields of different types of attack events are collected in advance. After the network traffic to be detected is obtained, pattern string matching is used to identify whether its data contains fields that match the attack features; if so, the data belongs to attack event traffic. For example, if the network traffic is login request traffic and the login password is "888888", the password matches the weak password feature and the traffic can be determined to be attack event traffic.
The attack events include weak password attack events, file upload attack events and the like. In a weak password attack event, the weak password is generally a system default password or a simple password that is very easy for an attacker to guess; through it the attacker can easily enter the web backend and thereby gain control of the website. A file upload attack refers to the high-risk vulnerability in which an attacker uploads a malicious executable file to the server for execution and finally obtains control authority over the website. Of course, the present invention is not limited to a particular type of attack event.
Step S120, if the network traffic to be detected is attack event traffic, response data of the network traffic to be detected is obtained.
If the network traffic to be detected is identified as the attack event traffic, response data of the network traffic to be detected is obtained, for example, the network traffic to be detected is web request traffic, and the response data is response data responding to the web request.
Step S130, extracting detection features from the response data and inputting them into the trained attack result prediction model to obtain the attack result of the network traffic to be detected.
The attack result prediction model is trained in advance on attack traffic samples using machine learning.
Protocol analysis is performed on the response data of the network traffic to be detected to obtain fields such as the response code, response header and response body; detection features are extracted from these fields and input into the pre-trained attack result prediction model, which outputs the attack result of the network traffic to be detected, that is, the attack result of the attack event.
According to the method for detecting the network attack result provided by this embodiment, an attack result prediction model is trained on attack traffic samples by machine learning; whether the network traffic to be detected is attack event traffic is identified, and if so, detection features are extracted from its response data and processed by the pre-trained attack result prediction model. Because the attack result of the attack event is detected by a machine learning algorithm rather than by fixed features, detection accuracy is improved and attack events are not missed merely because their results take diverse forms that fixed features cannot identify.
Fig. 2 is a flowchart illustrating a method for detecting a network attack result according to another embodiment of the present invention, and as shown in fig. 2, the method includes the following steps:
Step S210, acquiring an attack traffic sample, marking its attack result to obtain a marking result, and extracting the sample features of the attack traffic sample.
A large number of attack traffic samples are acquired and their attack results are marked: a success label is given to samples whose attack succeeded, a failure label to samples whose attack failed, and an unknown label to samples whose attack result is unknown. The sample features extracted from an attack traffic sample specifically include: the length of the response body, whether the response header contains a specified field, the value and length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body. The specific words in the response body are words or phrases that directly or indirectly indicate whether the request succeeded or failed; their part-of-speech frequency consists of the total frequency of words whose part of speech indicates request success and the total frequency of words whose part of speech indicates request failure. Examples in login prompt information are "welcome back", "incorrect login name or login password", "failed login" and "successful login".
The attack traffic samples include weak password attack event traffic samples and file upload attack event traffic samples. For weak password attack events, the sample features include: the length of the response body, whether the response header contains a 'Set-Cookie' field, the value length of Set-Cookie, the HTTP protocol response code (e.g. 200, 404, etc.), and the part-of-speech frequency of specific words in the response body, for example the frequency of affirmative words and of negative words in the login status code and login prompt information, where affirmative words are those indicating that the request succeeded and negative words are those indicating that the request failed. For file upload attack events, the sample features of the attack traffic include: the response body length, the response code, the part-of-speech frequency of specific words in the response body, and the length of the specific words. Examples follow.
For example, the data of the request header of a weak password attack event traffic sample includes:
POST /user/Users/login.html HTTP/1.1
……
mobile=admin&password=888888
The login password is 888888, which matches the weak password feature, so this is weak password attack traffic. Table 1 shows the response data of the traffic sample, the sample features and the values of the sample features. Since the response data shows that the weak password attack succeeded, the traffic sample is marked with a success label.
Table 1: response data, sample features and feature values of the weak password attack traffic sample (rendered as an image in the original; not reproduced here)
For another example, the data of the request header of a file upload attack traffic sample includes:
POST /sysweb/upload HTTP/1.1
……
Content-Disposition: form-data; name="file";
filename=../../applications/test.jsp
……
Table 2 shows the response data of the traffic sample, the sample features and the values of the sample features. Since the response data shows that the attack result is a failed file upload, the traffic sample is marked with a failure label.
Table 2: response data, sample features and feature values of the file upload attack traffic sample (rendered as an image in the original; not reproduced here)
Step S220, constructing a training sample set from the sample features and the marking result of the attack traffic sample, and training on the training sample set to obtain an attack result prediction model.
The training step of the attack result prediction model may include: extracting sample characteristics and a marking result of the attack flow sample from the training sample set; inputting the sample characteristics of the attack flow sample into an initial prediction model for training to obtain a corresponding initial prediction result; updating the weight parameters of the initial prediction model according to the initial prediction result and the marking result, and then training again; and circularly and iteratively executing the steps until an iteration ending condition is met, and obtaining an attack result prediction model. Specifically, the loss between the initial prediction result and the marking result can be calculated to obtain a loss function, back propagation operation is performed according to the loss function, and the weight parameter of the initial prediction model is updated according to the operation result. The iteration end condition may include: the iteration times reach an iteration time threshold; and/or the output value of the loss function is less than a loss threshold; and/or the detection accuracy reaches a predetermined value. And after the iteration ending condition is met, stopping the iteration processing, thereby obtaining the trained attack result prediction model.
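As an added example (not the patent's own code), the following Python extracts the weak password feature set of steps S210 and S250 from raw HTTP responses and runs the labelled-sample training loop of step S220, with a small logistic regression standing in for the unspecified prediction model; the HTTP responses, word lists and labels are constructed for illustration, and the patent's third (unknown) label is approximated by an uncertainty band around the decision threshold.

```python
"""Added example (not the patent's code): extract the weak-password-event features of
steps S210/S250 from raw HTTP responses and train a small success/failure model with
the loss-driven iteration loop of step S220."""
import math
from typing import Dict, List, Sequence, Tuple

# Word lists are assumed for illustration; the patent only names examples such as
# "welcome back" and "incorrect login name or login password".
SUCCESS_WORDS = ("welcome back", "login success", "logged in")
FAILURE_WORDS = ("incorrect login name or login password", "login failed",
                 "failed login", "invalid", "denied")


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def extract_features(raw: bytes) -> List[float]:
    """The feature kinds the patent lists for weak-password events, as one vector."""
    status, headers, body = parse_http_response(raw)
    text = body.decode("utf-8", "replace").lower()
    cookie = headers.get("set-cookie", "")
    return [float(len(body)),                         # length of the response body
            1.0 if "set-cookie" in headers else 0.0,  # header contains Set-Cookie
            float(len(cookie)),                       # value length of Set-Cookie
            float(status),                            # HTTP response code
            float(sum(text.count(w) for w in SUCCESS_WORDS)),  # success-word frequency
            float(sum(text.count(w) for w in FAILURE_WORDS))]  # failure-word frequency


class AttackResultModel:
    """Logistic regression standing in for the patent's prediction model. Labels:
    1.0 = attack succeeded, 0.0 = failed; scores near 0.5 are reported as unknown."""

    def __init__(self, n_features: int) -> None:
        self.w = [0.0] * n_features
        self.b = 0.0
        self.scale = [1.0] * n_features  # per-feature max, so inputs land in [0, 1]

    def _score(self, x: Sequence[float]) -> float:
        z = self.b + sum(w * xi / s for w, xi, s in zip(self.w, x, self.scale))
        return 1.0 / (1.0 + math.exp(-z))

    def train(self, samples, labels, lr=0.5, max_iter=3000, loss_threshold=0.05):
        """Predict, compute the loss against the marked labels, update the weights,
        and repeat until the loss threshold or the iteration threshold is met (S220)."""
        n = len(samples)
        for j in range(len(self.scale)):
            self.scale[j] = max(x[j] for x in samples) or 1.0
        for it in range(1, max_iter + 1):
            preds = [self._score(x) for x in samples]
            loss = -sum(y * math.log(p + 1e-12) + (1 - y) * math.log(1 - p + 1e-12)
                        for p, y in zip(preds, labels)) / n
            if loss < loss_threshold:
                return it, loss
            for j in range(len(self.w)):  # gradient step (back-propagation, 1 layer)
                self.w[j] -= lr * sum((p - y) * x[j] / self.scale[j]
                                      for p, y, x in zip(preds, labels, samples)) / n
            self.b -= lr * sum(p - y for p, y in zip(preds, labels)) / n
        return max_iter, loss

    def predict(self, x: Sequence[float], unknown_band: float = 0.15) -> str:
        p = self._score(x)
        if p > 0.5 + unknown_band:
            return "success"
        return "failure" if p < 0.5 - unknown_band else "unknown"


def make_response(status: str, body: str, cookie: str = "") -> bytes:
    """Build a constructed raw HTTP response for the sample set below."""
    head = f"HTTP/1.1 {status}\r\nContent-Type: text/html\r\n"
    if cookie:
        head += f"Set-Cookie: {cookie}\r\n"
    return (head + "\r\n" + body).encode()


# Constructed, hand-labelled attack traffic samples (not real captures).
TRAINING_SET = [
    (make_response("200 OK", "<p>Welcome back, admin</p>", "PHPSESSID=abc123; Path=/"), 1.0),
    (make_response("302 Found", "Login successful, redirecting", "SID=9f1c; HttpOnly"), 1.0),
    (make_response("200 OK", "<p>You are now logged in</p>", "token=eyJhbGci; Secure"), 1.0),
    (make_response("200 OK", '{"status":1006,"msg":"incorrect login name or login password"}'), 0.0),
    (make_response("401 Unauthorized", "<p>Login failed</p>"), 0.0),
    (make_response("200 OK", "<p>Invalid password, try again</p>"), 0.0),
]


def train_model() -> AttackResultModel:
    model = AttackResultModel(6)
    model.train([extract_features(r) for r, _ in TRAINING_SET],
                [label for _, label in TRAINING_SET])
    return model


def detect_attack_result(model: AttackResultModel, raw_response: bytes) -> str:
    """Steps S250/S260: features from the response, then the model's attack result."""
    return model.predict(extract_features(raw_response))
```

Calling `detect_attack_result(train_model(), raw)` on a captured response returns "success", "failure" or "unknown"; the JSON sample with status 1006 is labelled a failure by its prompt words rather than by any fixed "status:100" signature.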
Step S230, obtaining the network traffic to be detected from the designated port in a traffic mirroring manner.
The network traffic of the specified port is forwarded by traffic mirroring to obtain the network traffic to be detected on the specified port.
Step S240, performing pattern string matching processing on the network traffic to be detected, and determining whether the network traffic to be detected is attack event traffic according to a matching result.
Collecting the characteristic fields of different types of attack events in advance to form a characteristic field set, carrying out pattern string matching processing on the network traffic to be detected and the characteristic fields of the attack events to determine whether the network traffic to be detected contains the characteristic fields of the attack events, if so, judging that the network traffic to be detected belongs to the traffic of the attack events, and further determining the type of the attack events to which the network traffic to be detected belongs; on the contrary, if the network traffic to be detected does not contain the characteristic field of the attack event, the network traffic is not the attack event traffic.
Step S250, if the network traffic to be detected belongs to attack event traffic, acquiring its response data, extracting detection features from the response data, and inputting them into the trained attack result prediction model to obtain the attack result of the network traffic to be detected.
If the network traffic to be detected belongs to attack event traffic, protocol analysis is performed on its response data to obtain fields such as the response code, response header and response body, and detection features corresponding to the sample features are extracted from these fields.
For weak password attack events, the extracted detection features include: length of the response body, whether the response header contains a field of 'Set-Cookie', value length of the Set-Cookie, http protocol response code (e.g. 200, 404, etc.), frequency of part-of-speech of a specific word of the response body; for a file upload attack event, the extracted detection features include: response body length, response code, frequency of word part of speech of specific word of response body, length of specific word.
Then, the detection characteristics are input into an attack result prediction model for processing, and the attack result prediction model outputs the attack result of the attack event.
Step S260, if the attack result of the network traffic to be detected is success, outputting alarm information.
If the attack result of the network traffic to be detected is success, alarm information indicating a successful attack is output for display, or sent to the corresponding early-warning terminal, so that the relevant personnel learn of the incident in time.
In an optional manner, if the attack result of the network traffic to be detected is unknown, the prompt information is output, so that the relevant personnel can further review the network traffic to be detected.
In an example of a particular web weak password attack, the response to the attack event traffic specifically includes: [content not present in this copy]. Detection vectors of all dimensions are extracted from the response payload of the attack event traffic and input into the attack result prediction model, which identifies the attack result of the attack event traffic as login failure. In the conventional detection mode, by contrast, matching the fixed feature "status:100" without treating "1006" as a complete unit would produce a false alarm.
According to the network attack result detection method provided by this embodiment, the attack result is identified by a machine learning algorithm: the attack result prediction model is trained on attack sample traffic, and the attack result of the network traffic to be detected is predicted by that model. This improves the detection accuracy of the attack result and reduces missed reports caused by attack results that are diverse in form and cannot be identified accurately.
Fig. 3 is a schematic structural diagram of a device for detecting a network attack result according to an embodiment of the present invention, and as shown in fig. 3, the device includes:
the attack identification module 31 is adapted to identify whether the network traffic to be detected is attack event traffic;
the response extraction module 32 is adapted to obtain response data of the network traffic to be detected if the network traffic to be detected is attack event traffic;
the result detection module 33 is adapted to extract detection features according to the response data, and input the detection features into the trained attack result prediction model for processing to obtain an attack result of the network traffic to be detected; the attack result prediction model is obtained by training an attack flow sample.
In an optional manner, the apparatus further comprises:
a sample acquisition module adapted to acquire an attack traffic sample and mark its attack result to obtain a marking result, to extract the sample features of the attack traffic sample, and to construct a training sample set from the sample features of the attack traffic sample and the marking result;
and the model training module is suitable for training the training sample set to obtain an attack result prediction model.
In an alternative, the model training module is further adapted to:
extracting sample characteristics and a marking result of the attack flow sample from the training sample set;
inputting the sample characteristics of the attack flow sample into an initial prediction model for training to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the marking result, and then training again;
and circularly and iteratively executing the steps until an iteration ending condition is met, and obtaining an attack result prediction model.
In an alternative mode, the detection characteristics include at least one of the following characteristics of the response data of the network traffic to be detected: the length of a response body, whether a response head contains a specified field, the length of the specified field, an http protocol response code and the part-of-speech frequency of a specific word in the response body;
the sample characteristics include at least one of the following in response data of the attack traffic sample: the length of the response body, whether the response header contains a specified field, the length of the specified field, http protocol response codes, and the frequency of the part of speech of a specific word in the response body.
In an optional manner, the traffic obtaining module is adapted to obtain the network traffic to be detected from the designated port in a traffic mirroring manner.
In an alternative way, the attack recognition module 31 is further adapted to:
and determining whether the network traffic to be detected is attack event traffic or not according to a matching result by performing pattern string matching processing on the network traffic to be detected.
In an alternative approach, the attack events include: weak password attack events and file upload attack events.
By this device, the attack result of the attack event is detected with a machine learning algorithm rather than fixed features, so the detection accuracy of the attack result is improved and attack events are not missed merely because their results take diverse forms that fixed features cannot identify.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the method for detecting the network attack result in any method embodiment.
The executable instructions may be specifically configured to cause the processor to:
identifying whether the network traffic to be detected is attack event traffic or not;
if so, acquiring response data of the network traffic to be detected;
extracting detection characteristics from the response data, and inputting the detection characteristics into the trained attack result prediction model for processing, to obtain the attack result of the network traffic to be detected;
the attack result prediction model being obtained by training on attack traffic samples.
In an alternative, the executable instructions cause the processor to:
acquiring attack traffic samples, and labeling the attack result of each attack traffic sample to obtain a labeling result;
extracting the sample characteristics of the attack traffic samples, and constructing a training sample set from the sample characteristics of the attack traffic samples and the labeling results;
training on the training sample set to obtain the attack result prediction model.
In an alternative, the executable instructions cause the processor to:
extracting the sample characteristics and the labeling result of an attack traffic sample from the training sample set;
inputting the sample characteristics of the attack traffic sample into an initial prediction model for training, to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the labeling result, and then training again;
repeating the above steps iteratively until an iteration ending condition is met, thereby obtaining the attack result prediction model.
In an optional manner, the detection characteristics include at least one of the following characteristics of the response data of the network traffic to be detected: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body;
the sample characteristics include at least one of the following characteristics of the response data of the attack traffic sample: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body.
In an alternative, the executable instructions cause the processor to: acquire the network traffic to be detected from the designated port by traffic mirroring.
In an alternative, the executable instructions cause the processor to: perform pattern string matching on the network traffic to be detected, and determine from the matching result whether the network traffic to be detected is attack event traffic.
In an alternative approach, the attack events include: weak password attack events and file upload attack events.
With this method, the attack result of an attack event is detected using a machine learning algorithm rather than a fixed set of characteristics, which improves the accuracy of attack result detection and prevents attack events from being missed because their results take diverse forms that fixed characteristics cannot identify.
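The feature extraction and the training loop described above, as an added example that is not the patent's own code: it parses raw HTTP responses into the five listed characteristics, fits a predictor on labelled samples, and classifies a response to be detected. The model type (logistic regression fitted by gradient descent), the choice of `Set-Cookie` as the specified header field, the fixed word list standing in for the part-of-speech feature, and all sample responses are assumptions, not taken from the patent.

```python
"""Added example, not the patent's code. Extracts the five response
characteristics the patent lists, trains an attack result predictor on
labelled samples, and applies it. Model, header field, word list and
sample data are assumptions."""
import math
import re

SPECIFIED_HEADER = "set-cookie"   # assumed "specified field" of the header
# Assumed stand-in for the "specific part of speech" feature: a fixed word list
# instead of a POS tagger, which the patent does not name.
TRACKED_WORDS = {"denied", "failed", "invalid", "welcome", "success", "uploaded"}

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body

def extract_features(raw: str):
    """The five detection characteristics, in the order the patent lists them."""
    status_code, headers, body = parse_response(raw)
    field = headers.get(SPECIFIED_HEADER)
    words = re.findall(r"[a-z]+", body.lower())
    tracked = sum(1 for w in words if w in TRACKED_WORDS)
    return [
        float(len(body)),                        # length of the response body
        1.0 if field is not None else 0.0,       # header contains specified field
        float(len(field)) if field else 0.0,     # length of the specified field
        float(status_code),                      # HTTP protocol response code
        tracked / len(words) if words else 0.0,  # frequency of tracked words
    ]

def train(samples, labels, lr=0.5, max_iter=2000, tol=1e-6):
    """Training loop: predict, compare with the label, update the weights,
    and repeat until the loss stops changing or max_iter is reached."""
    n, m = len(samples[0]), len(samples)
    mean = [sum(s[j] for s in samples) / m for j in range(n)]
    std = [max(1e-9, math.sqrt(sum((s[j] - mean[j]) ** 2 for s in samples) / m))
           for j in range(n)]
    scaled = [[(s[j] - mean[j]) / std[j] for j in range(n)] for s in samples]
    w, b, prev_loss = [0.0] * n, 0.0, float("inf")
    for _ in range(max_iter):
        grad_w, grad_b, loss = [0.0] * n, 0.0, 0.0
        for x, y in zip(scaled, labels):
            p = 1.0 / (1.0 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
            loss -= y * math.log(p + 1e-12) + (1 - y) * math.log(1 - p + 1e-12)
            for j in range(n):
                grad_w[j] += (p - y) * x[j]
            grad_b += p - y
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
        if abs(prev_loss - loss) < tol:   # iteration ending condition
            break
        prev_loss = loss
    return {"w": w, "b": b, "mean": mean, "std": std}

def predict(model, raw: str) -> str:
    """Attack result for a response to traffic already identified as an attack."""
    x = [(f - mu) / s for f, mu, s in zip(extract_features(raw), model["mean"], model["std"])]
    z = sum(wi * xi for wi, xi in zip(model["w"], x)) + model["b"]
    return "success" if z > 0 else "failure"

# Constructed labelled samples: 1 = attack succeeded, 0 = attack failed.
SAMPLES = [
    ("HTTP/1.1 302 Found\r\nSet-Cookie: session=abc123; HttpOnly\r\nLocation: /home\r\n\r\nwelcome back", 1),
    ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>Login failed: invalid password</p>", 0),
    ('HTTP/1.1 200 OK\r\nSet-Cookie: session=def456\r\n\r\n{"result": "uploaded", "status": "success"}', 1),
    ("HTTP/1.1 403 Forbidden\r\n\r\n<p>upload denied: invalid file type</p>", 0),
]
MODEL = train([extract_features(r) for r, _ in SAMPLES], [y for _, y in SAMPLES])
```

The standardisation inside `train` matters in practice: the body length and the response code are several orders of magnitude larger than the boolean and frequency features, and without it the weight updates are dominated by those two columns.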
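The pattern string matching step for the two attack event types named above, as an added example that is not the patent's own code: it runs fixed pattern strings over constructed request records and reports which records are weak password or file upload attack event traffic. The request paths, the pattern lists, the repeated-attempt threshold and the records themselves are assumptions; the patent does not specify them.

```python
"""Added example, not the patent's code. Pattern string matching that flags
weak password and file upload attack event traffic in constructed request
records; paths, patterns and threshold are assumptions."""
import re
from collections import Counter

# Constructed pattern strings. A login request whose password is on a
# common-password list is a weak-password hit; a multipart upload whose file
# name carries a server-executable extension is a file-upload hit.
LOGIN_PATH = re.compile(r"^POST /(login|signin|auth)\b")
PASSWORD_PARAM = re.compile(r"(?:^|&)(?:password|passwd|pwd)=([^&]*)")
WEAK_PASSWORDS = {"123456", "password", "admin", "admin123", "qwerty"}
UPLOAD_PATH = re.compile(r"^POST /\S*upload")
UPLOAD_FILENAME = re.compile(r'filename="([^"]+)"')
EXECUTABLE_EXT = re.compile(r"\.(php|jsp|aspx?|sh|exe)$", re.IGNORECASE)
LOGIN_ATTEMPT_THRESHOLD = 3  # login posts from one source before it is reported

def classify_record(record: dict):
    """Return 'weak_password', 'file_upload' or None for one request record.
    A record is a dict with 'src', 'request_line' and 'body'."""
    line, body = record["request_line"], record["body"]
    if LOGIN_PATH.match(line):
        m = PASSWORD_PARAM.search(body)
        if m and m.group(1) in WEAK_PASSWORDS:
            return "weak_password"
    if UPLOAD_PATH.match(line):
        m = UPLOAD_FILENAME.search(body)
        if m and EXECUTABLE_EXT.search(m.group(1)):
            return "file_upload"
    return None

def identify_attack_events(records):
    """Match every record; a weak-password hit is only reported once its source
    has sent LOGIN_ATTEMPT_THRESHOLD login posts, so a single mistyped login
    from a legitimate user is not reported. File-upload hits are reported as is."""
    login_attempts = Counter(r["src"] for r in records
                             if LOGIN_PATH.match(r["request_line"]))
    events = []
    for r in records:
        kind = classify_record(r)
        if kind == "weak_password" and login_attempts[r["src"]] < LOGIN_ATTEMPT_THRESHOLD:
            continue
        if kind:
            events.append((r["src"], kind, r["request_line"]))
    return events

# Constructed request records, one dict per request.
RECORDS = [
    {"src": "10.0.0.5", "request_line": "POST /login HTTP/1.1", "body": "user=admin&password=123456"},
    {"src": "10.0.0.5", "request_line": "POST /login HTTP/1.1", "body": "user=admin&password=admin"},
    {"src": "10.0.0.5", "request_line": "POST /login HTTP/1.1", "body": "user=admin&password=qwerty"},
    {"src": "10.0.0.9", "request_line": "POST /login HTTP/1.1", "body": "user=alice&password=password"},
    {"src": "10.0.0.7", "request_line": "POST /api/upload HTTP/1.1",
     "body": 'Content-Disposition: form-data; name="file"; filename="avatar.php"'},
    {"src": "10.0.0.7", "request_line": "POST /api/upload HTTP/1.1",
     "body": 'Content-Disposition: form-data; name="file"; filename="report.pdf"'},
    {"src": "10.0.0.2", "request_line": "GET /index.html HTTP/1.1", "body": ""},
]
```

Only the records this step reports as attack event traffic go on to the response-data extraction and the attack result prediction model; everything else is dropped before any feature is computed.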
Fig. 4 is a schematic structural diagram of an embodiment of a computing device according to the present invention; the specific embodiment of the invention does not limit the specific implementation of the computing device.
As shown in Fig. 4, the computing device may include: a processor 402, a communications interface 404, a memory 406, and a communications bus 408.
The processor 402, the communications interface 404 and the memory 406 communicate with each other via the communications bus 408. The communications interface 404 is used for communicating with network elements of other devices, such as clients or other servers. The processor 402 is configured to execute the program 410, and may specifically perform the relevant steps of the above-described method for detecting a network attack result.
Specifically, the program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 406 is used for storing the program 410. The memory 406 may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
identifying whether the network traffic to be detected is attack event traffic or not;
if so, acquiring response data of the network traffic to be detected;
extracting detection characteristics from the response data, and inputting the detection characteristics into the trained attack result prediction model for processing, to obtain the attack result of the network traffic to be detected;
the attack result prediction model being obtained by training on attack traffic samples.
In an alternative, the program 410 causes the processor 402 to:
acquiring attack traffic samples, and labeling the attack result of each attack traffic sample to obtain a labeling result;
extracting the sample characteristics of the attack traffic samples, and constructing a training sample set from the sample characteristics of the attack traffic samples and the labeling results;
training on the training sample set to obtain the attack result prediction model.
In an alternative, the program 410 causes the processor 402 to:
extracting the sample characteristics and the labeling result of an attack traffic sample from the training sample set;
inputting the sample characteristics of the attack traffic sample into an initial prediction model for training, to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the labeling result, and then training again;
repeating the above steps iteratively until an iteration ending condition is met, thereby obtaining the attack result prediction model.
In an optional manner, the detection characteristics include at least one of the following characteristics of the response data of the network traffic to be detected: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body;
the sample characteristics include at least one of the following characteristics of the response data of the attack traffic sample: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body.
In an alternative, the program 410 causes the processor 402 to: acquire the network traffic to be detected from the designated port by traffic mirroring.
In an alternative, the program 410 causes the processor 402 to: perform pattern string matching on the network traffic to be detected, and determine from the matching result whether the network traffic to be detected is attack event traffic.
In an alternative approach, the attack events include: weak password attack events and file upload attack events.
With this method, the attack result of an attack event is detected using a machine learning algorithm rather than a fixed set of characteristics, which improves the accuracy of attack result detection and prevents attack events from being missed because their results take diverse forms that fixed characteristics cannot identify.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.

Claims (10)

1. A method for detecting a network attack result, comprising the following steps:
identifying whether the network traffic to be detected is attack event traffic or not;
if so, acquiring response data of the network traffic to be detected;
extracting detection characteristics from the response data, and inputting the detection characteristics into a trained attack result prediction model for processing, to obtain the attack result of the network traffic to be detected;
the attack result prediction model being obtained by training on attack traffic samples.
2. The method of claim 1, further comprising, before performing the method:
acquiring attack traffic samples, and labeling the attack result of each attack traffic sample to obtain a labeling result;
extracting the sample characteristics of the attack traffic samples, and constructing a training sample set from the sample characteristics of the attack traffic samples and the labeling results;
training on the training sample set to obtain the attack result prediction model.
3. The method of claim 2, wherein training on the training sample set to obtain the attack result prediction model further comprises:
extracting the sample characteristics and the labeling result of an attack traffic sample from the training sample set;
inputting the sample characteristics of the attack traffic sample into an initial prediction model for training, to obtain a corresponding initial prediction result;
updating the weight parameters of the initial prediction model according to the initial prediction result and the labeling result, and then training again;
repeating the above steps iteratively until an iteration ending condition is met, thereby obtaining the attack result prediction model.
4. The method of claim 3, wherein the detection characteristics comprise at least one of the following characteristics of the response data of the network traffic to be detected: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body;
the sample characteristics comprise at least one of the following characteristics of the response data of the attack traffic sample: the length of the response body, whether the response header contains a specified field, the length of the specified field, the HTTP protocol response code, and the part-of-speech frequency of specific words in the response body.
5. The method of any one of claims 1 to 4, further comprising, before performing the method:
acquiring the network traffic to be detected from the designated port by traffic mirroring.
6. The method of claim 1, wherein identifying whether the network traffic to be detected is attack event traffic further comprises:
performing pattern string matching on the network traffic to be detected, and determining from the matching result whether the network traffic to be detected is attack event traffic.
7. The method of claim 6, wherein the attack event comprises: weak password attack events and file upload attack events.
8. An apparatus for detecting a network attack result, comprising:
an attack identification module adapted to identify whether the network traffic to be detected is attack event traffic;
a response extraction module adapted to acquire the response data of the network traffic to be detected if the network traffic to be detected is attack event traffic;
a result detection module adapted to extract detection characteristics from the response data and input the detection characteristics into a trained attack result prediction model for processing, to obtain the attack result of the network traffic to be detected; the attack result prediction model being obtained by training on attack traffic samples.
9. A computing device, comprising a processor, a memory, a communications interface and a communications bus, wherein the processor, the memory and the communications interface communicate with each other via the communications bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the network attack result detection method according to any one of claims 1 to 7.
10. A computer storage medium having at least one executable instruction stored therein, the executable instruction causing a processor to perform operations corresponding to the method for detecting a network attack result according to any one of claims 1 to 7.
CN202111664312.9A 2021-12-30 2021-12-30 Network attack result detection method and device, computing equipment and storage medium Pending CN114338202A (en)

Publications (1)

Publication Number Publication Date
CN114338202A (en) 2022-04-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination