CN114417349A - Attack result determination method, device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114417349A
Application number: CN202111560476.7A
Authority: CN (China)
Prior art keywords: attack, feature, security event, determining, vulnerability
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventor: 周凯强
Current assignee: Sangfor Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Sangfor Technologies Co Ltd
Priority application: CN202111560476.7A (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an attack result determination method, an attack result determination apparatus, an electronic device and a storage medium. The attack result determination method comprises the following steps: determining, in a first feature library, a first feature corresponding to the vulnerability type of a first security event, and determining that the attack result of the first security event is attack failure when the corresponding first feature exists in the response data packet of the first security event; wherein the first feature library comprises at least one first feature, and each first feature characterizes the response data packet returned when an attack of a security event of the corresponding vulnerability type fails. Massive numbers of failed-attack security events can therefore be filtered out rapidly, and the efficiency of determining attack results is improved.

Description

Attack result determination method, device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method and an apparatus for determining an attack result, an electronic device, and a storage medium.
Background
An attack behavior refers to the act of damaging a computer or obtaining server privileges on it by performing malicious operations that exploit an existing vulnerability or elevated privileges. In the related art, technical personnel must judge the attack results of massive numbers of attack behaviors, which is inefficient.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for determining an attack result, an electronic device, and a storage medium, so as to at least solve the problem of low efficiency in determining an attack result in the related art.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides an attack result judgment method, which comprises the following steps:
determining a first feature corresponding to the vulnerability type of the first security event in a first feature library;
determining that the attack result of the first security event is attack failure when the corresponding first feature exists in the response data packet of the first security event; wherein
the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
In the foregoing solution, before determining, in the first feature library, the first feature corresponding to the vulnerability type of the first security event, the method further includes:
determining a common characteristic of at least two response packets; each response data packet is generated based on a security event of a vulnerability type;
determining the common feature as a first feature of at least two vulnerability types; the at least two vulnerability types comprise vulnerability types corresponding to the at least two response data packets.
In the above scheme, the method further comprises:
determining a second feature corresponding to the vulnerability type of the first security event in a second feature library;
the determining that the attack result of the first security event is attack failure includes:
determining that the attack result of the first security event is attack failure when the corresponding second feature does not exist in the response data packet of the first security event; wherein
the second feature library comprises at least one second feature; each second feature characterizes a feature of the corresponding response data packet when the attack of the security event corresponding to the vulnerability type is successful.
In the above scheme, the method further comprises:
determining that the attack result of the first security event is attack success when the corresponding second feature exists in the response data packet of the first security event.
In the foregoing solution, before determining, in the first feature library, the first feature corresponding to the vulnerability type of the first security event, the method further includes:
hijacking the first security event by a hook;
after determining an attack outcome of the first security event, the method further comprises:
releasing the hook of the first security event.
In the above scheme, the method further comprises:
determining the risk level of the first security event based on the corresponding vulnerability type and attack result.
In the above scheme, the method further comprises:
displaying the attack result of the first security event on a set page.
An embodiment of the present application further provides an attack result determination apparatus, including:
the first processing unit is used for determining first characteristics corresponding to the vulnerability type of the first security event in a first characteristic library;
the second processing unit is used for determining that the attack result of the first security event is attack failure when the corresponding first feature exists in the response data packet of the first security event; wherein
the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
An embodiment of the present application further provides an electronic device, including: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is configured to execute the steps of the attack result determination method when the computer program is run.
The embodiment of the application also provides a storage medium, on which a computer program is stored, and the computer program realizes the steps of the attack result judgment method when being executed by a processor.
In the embodiment of the application, a first feature corresponding to the vulnerability type of a first security event is determined in a first feature library, and under the condition that the corresponding first feature exists in a response data packet of the first security event, the attack result of the first security event is determined to be attack failure; wherein the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails. In the scheme, whether the response data packet has the characteristics of attack failure by using the corresponding type of vulnerability is judged, and the attack result of the corresponding security event is judged to be attack failure under the condition that the response data packet has the characteristics of attack failure, so that the massive security events with attack failure can be filtered quickly, and the efficiency of judging the attack result is improved.
Drawings
Fig. 1 is a schematic view of an implementation flow of an attack result determination method provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of a display page provided in an embodiment of the present application;
fig. 3 is a schematic diagram of an implementation flow of an attack result determination method provided in an application embodiment of the present application;
fig. 4 is a schematic diagram of an attack failure detection engine provided in an application embodiment of the present application;
fig. 5 is a schematic structural diagram of an attack result determination apparatus according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
An attack behavior refers to the act of damaging a computer or obtaining server privileges on it through malicious operations that exploit an existing vulnerability or elevated privileges.
There are a large number of malicious servers in the network that continuously scan for vulnerabilities on electronic devices on the internet to launch attacks. At present, a large number of security products are concentrated on improving detection of attack behaviors, and when security monitoring or event processing is carried out, technical personnel need to judge attack results of massive attack behaviors manually, so that the problems of high cost and low efficiency exist.
Based on this, in various embodiments of the present application, a first feature corresponding to a vulnerability type of a first security event is determined in a first feature library, and in a case that the corresponding first feature exists in a response data packet of the first security event, an attack result of the first security event is determined to be an attack failure; wherein the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails. In the scheme, whether the response data packet has the characteristics of attack failure by using the corresponding type of vulnerability is judged, and the attack result of the corresponding security event is judged to be attack failure under the condition that the response data packet has the characteristics of attack failure, so that the massive security events with attack failure can be filtered quickly, and the efficiency of judging the attack result is improved.
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic view of the implementation flow of an attack result determination method provided in an embodiment of the present application. The flow is executed by an electronic device, including but not limited to a mobile terminal such as a mobile phone or a tablet. As shown in fig. 1, the method includes:
step 101: a first feature corresponding to a vulnerability type of a first security event is determined in a first feature library.
Wherein the first library of features comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
The corresponding first feature is determined in a preset first feature library according to the vulnerability type of the first security event. Each first feature is a feature common to the response data packets of security events whose attack via a vulnerability of the corresponding type failed; in other words, for all security events whose attack via the same vulnerability type failed, the collected response data packets carry the same first feature. A security event of a given vulnerability type may correspond to one first feature or to two or more first features. The first features corresponding to each vulnerability type are stored in the first feature library.
Here, the vulnerability type of the vulnerability used by the first security event may be determined from a set tag carried by the first security event, using the field value of that tag.
Step 102: when the corresponding first feature exists in the response data packet of the first security event, determining that the attack result of the first security event is attack failure.
Because security events of different vulnerability types cause different content to be returned in the response data packet, whether the attack result of the first security event is attack failure can be judged by matching whether the corresponding first feature exists in the response data packet. When the corresponding first feature exists in the response data packet of the first security event, the attack result is determined to be attack failure.
Here, whether the attack result of the first security event is attack failure is determined by the result of matching the first feature against the response packet. The first feature may be a keyword and/or a regular expression rule. Specific keywords can be set as needed; a regular expression is a pattern built from ordinary characters and special characters that describes the set of character strings it matches, and a feature is expressed as such a pattern.
There are a large number of malicious servers in the network that continuously scan for vulnerabilities on electronic devices on the internet to launch attacks. Most of these malicious server-initiated attacks fail. In the embodiment of the application, whether the response data packet has the characteristics when the attack using the corresponding type of vulnerability fails is judged, and the attack result of the corresponding security event is judged to be the attack failure under the condition that the response data packet has the characteristics of the attack failure, so that the security event of the attack failure is determined from the security events of the mass attack results to be judged, the mass security events of the attack failure can be rapidly filtered, and the efficiency of judging the attack result is improved.
Before determining a first feature corresponding to the vulnerability type of the first security event in the first feature library, a first feature library stored with the first feature needs to be established. Various vulnerability types may be divided into at least two broad categories, taking into account the exploitation frequency, the scope of application, the hazards, etc. of the vulnerability. Here, different vulnerability types can be divided into two major categories: high availability vulnerabilities and generic vulnerabilities. Highly available vulnerabilities refer to vulnerabilities that are high in frequency of utilization, wide in scope of application, and/or large in harm, while general purpose vulnerabilities refer to other types of vulnerabilities than highly available vulnerabilities.
For a high-availability vulnerability, the features of the response data packet when exploitation of each vulnerability type fails are extracted by analyzing the specific exploit, and the response data packet is matched against those per-type failure features to judge whether the attack result is attack failure; the deserialization vulnerability of the weblogic T3 protocol is one example.
For a general purpose vulnerability, in an embodiment, before determining, in the first feature library, a first feature corresponding to the vulnerability type of the first security event, the method further includes:
determining a common characteristic of at least two response packets; each response data packet is generated based on a security event of a vulnerability type;
determining the common feature as a first feature of at least two vulnerability types; the at least two vulnerability types comprise vulnerability types corresponding to the at least two response data packets.
Common features of at least two response data packets are determined based on the response data packets of failed-attack security events of each of at least two vulnerability types, and the determined common feature is taken as the matching feature, that is, the first feature, for judging whether attacks of security events of those at least two vulnerability types have failed. The determined common feature can also serve as the first feature of further vulnerability types that are associated with those two. Here, a common feature may be extracted for at least two associated vulnerability types among a plurality of vulnerability types and then used to determine attack failure for security events of all of those vulnerability types.
For example, SQL injection is exploited almost exclusively through dynamic page requests, so an SQL injection attempt against a static page such as an HTML file can be used as a matching feature of the response packet indicating that the attack failed.
As mentioned above, the first feature is used as the attack failure determination condition and can quickly filter out a large number of failed-attack security events. Ideally, to raise the detection rate of failed-attack security events, the attack failure determination condition should cover as many vulnerability types as possible. In this embodiment, attack failure features need not be extracted separately for each of the associated vulnerability types, which reduces the workload required to generate the first feature library. Meanwhile, a first feature derived from the extracted common feature applies generally to security events of more vulnerability types; for example, for a vulnerability type that is currently unknown, no dedicated first feature can be obtained by feature extraction, yet the common feature still applies, so the universality of using the first feature as the attack failure determination condition across various vulnerabilities is improved.
It should be noted that the criterion for dividing vulnerability types is not absolute and may be chosen according to the application scenario; for example, in a scenario where component vulnerability types (such as struts, tomcat and the like) need attention, vulnerabilities of those component types may be classified as high-availability vulnerabilities. The vulnerability types are divided by a set division standard, and the corresponding first features are used for the vulnerability types of each of the two main categories. In this way the workload required to generate the first feature library is reduced, while accurate attack failure determination is still achieved for security events of specific vulnerability types.
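The following is an added example, not code from the patent or from Sangfor, showing how the first feature library described above could be built: a common feature is extracted as the intersection of header lines across failed-attack responses of several general vulnerability types and registered as the first feature for all of them, while high-availability types receive hand-written regular expressions. The sample packets, the tag values "sqli" and "xss", the type "hypothetical_component_vuln" and its 4xx rule are all constructed. One step the patent does not mention is added as a sanity check: a candidate common feature that also appears in a successful-attack response is discarded, because it would otherwise mark successful attacks as failures.

```python
import re

# Constructed sample data (not from the patent): header lines of response packets
# captured when attacks of two general vulnerability types failed. The tag values
# "sqli" and "xss" are hypothetical vulnerability-type tags.
FAILED_RESPONSES = {
    "sqli": [
        ["HTTP/1.1 200 OK", "Content-Type: text/html", "X-Served-From: static-cache", "Content-Length: 512"],
        ["HTTP/1.1 200 OK", "Content-Type: text/html", "X-Served-From: static-cache", "Content-Length: 9040"],
    ],
    "xss": [
        ["HTTP/1.1 200 OK", "Content-Type: text/html", "X-Served-From: static-cache", "Content-Length: 77"],
    ],
}

# Constructed control set: responses from attacks that did succeed. The patent does not
# describe this check; it is added so that a line shared by all failed responses but also
# present on success (e.g. a plain "200 OK") is not turned into a failure feature.
SUCCEEDED_RESPONSES = [
    ["HTTP/1.1 200 OK", "Content-Type: text/html", "X-Served-From: app-server", "Content-Length: 120"],
]


def common_features(packets):
    """Header lines present in every packet: the set intersection."""
    sets = [set(p) for p in packets]
    return set.intersection(*sets) if sets else set()


def select_discriminative(failed_by_type, succeeded):
    """Common features of all failed packets, minus any line seen in a successful response."""
    all_failed = [p for packets in failed_by_type.values() for p in packets]
    shared = common_features(all_failed)
    return sorted(f for f in shared if not any(f in p for p in succeeded))


def build_first_feature_library(failed_by_type, succeeded, high_availability_rules):
    """Map vulnerability type -> list of compiled failure features (first features).

    General types share the extracted common feature, escaped as a literal keyword;
    high-availability types get hand-written regular expressions (re.M so ^ anchors lines)."""
    library = {}
    shared = select_discriminative(failed_by_type, succeeded)
    for vtype in failed_by_type:
        library[vtype] = [re.compile(re.escape(f)) for f in shared]
    for vtype, patterns in high_availability_rules.items():
        library.setdefault(vtype, []).extend(re.compile(p, re.M) for p in patterns)
    return library


if __name__ == "__main__":
    # Hypothetical high-availability type with a constructed rule: any 4xx status line.
    rules = {"hypothetical_component_vuln": [r"^HTTP/1\.1 4\d\d "]}
    lib = build_first_feature_library(FAILED_RESPONSES, SUCCEEDED_RESPONSES, rules)
    for vtype, pats in lib.items():
        print(vtype, [p.pattern for p in pats])
```

With the constructed data only the "X-Served-From: static-cache" line survives: the status line and content type are shared by the failed responses but also occur on success, and the content lengths differ between packets.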
In the embodiments of the present application, whether the attack result of the first security event is attack failure is determined by the matching result of the first feature of the attack failure and the response data packet. In an embodiment, the method further comprises:
determining a second feature corresponding to the vulnerability type of the first security event in a second feature library;
the determining that the attack result of the first security event is attack failure includes:
determining that the attack result of the first security event is attack failure when the corresponding second feature does not exist in the response data packet of the first security event; wherein
the second feature library comprises at least one second feature; each second feature characterizes a feature of the corresponding response data packet when the attack of the security event corresponding to the vulnerability type is successful.
And determining corresponding second characteristics in a set second characteristic library according to the vulnerability type of the first security event. And determining that the attack result is attack failure under the condition that the corresponding first characteristic exists in the response data packet of the first security event and the corresponding second characteristic does not exist in the response data packet of the first security event.
It should be noted that, for a security event, the attack result may be one of three cases: attack success, attack failure, or pending (undetermined). Whether the attack result of the first security event is attack success can be judged by matching whether the corresponding second feature exists in the response data packet. If the response data packet does not carry the corresponding second feature, the attack result of the first security event is not attack success; at that point the result may be attack failure or may be undeterminable, and if the response data packet does carry the corresponding first feature, the attack result can be determined to be attack failure.
Each second feature is a feature common to the response data packets of security events whose attack via a vulnerability of the corresponding type succeeded; in other words, for all security events whose attack via the same vulnerability type succeeded, the collected response data packets carry the same second feature. The second feature can be determined in the same way as the first feature of a high-availability vulnerability type: by analyzing the specific exploit, the features of the response data packet when exploitation of that vulnerability type succeeds are extracted, the response data packet is matched against the success features of each vulnerability type, and whether the attack result is attack success is judged. The second feature may be a keyword or a regular expression rule. Specific keywords can be set as needed; a regular expression is a pattern built from ordinary and special characters that describes the set of character strings it matches. Moreover, a security event of a given vulnerability type may correspond to one second feature or to two or more second features.
Here, matching the first feature and the second feature against the response packet may be performed simultaneously or sequentially.
In this way, by matching the features of successful attack and the features of failed attack of the response packet, respectively, the accuracy of attack result determination can be improved.
In an embodiment, the method further comprises:
and under the condition that the corresponding second characteristics exist in the response data packet of the first security event, determining that the attack result of the first security event is successful.
As mentioned above, by matching whether the corresponding second feature exists in the response packet, it can be determined whether the attack result of the first security event is successful. And under the condition that the corresponding second characteristics exist in the response data packet, determining that the attack result is successful.
Here, attack success is given higher priority than attack failure: when both the second feature (attack success) and the first feature (attack failure) match, the attack result of the security event is determined to be attack success. In this embodiment, when the corresponding second feature exists in the response packet, the attack result of the security event is determined to be attack success regardless of whether the corresponding first feature also exists. Combining the attack success features and the attack failure features of the response data packet in this way improves the accuracy of the attack result determination.
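The matching engine of steps 101 and 102, extended with the second feature library and the success-over-failure priority described above, as an added example that is not the patent's or Sangfor's code. Both libraries, the tag values and the "X-Constructed-Success-Marker" keyword are constructed placeholders; a feature is either a keyword matched literally or a ("re", pattern) pair. The engine returns one of three results, with pending reserved for events that neither library explains, which is where the manual review the patent wants to reduce still applies.

```python
import re
from dataclasses import dataclass
from enum import Enum


class AttackResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    PENDING = "pending"   # neither library matched: left for manual judgement


@dataclass
class SecurityEvent:
    event_id: str
    vuln_type: str        # value of the tag field the event carries (hypothetical tag names below)
    response: str         # response data packet as text
    result: AttackResult = AttackResult.PENDING


def compile_features(features):
    """A feature is a plain keyword, matched literally, or ("re", pattern) for a regular expression."""
    compiled = []
    for f in features:
        if isinstance(f, tuple) and f[0] == "re":
            compiled.append(re.compile(f[1], re.M))
        else:
            compiled.append(re.compile(re.escape(f)))
    return compiled


class AttackResultEngine:
    def __init__(self, first_library, second_library):
        # first library: failure features; second library: success features; both keyed by type
        self.first = {t: compile_features(fs) for t, fs in first_library.items()}
        self.second = {t: compile_features(fs) for t, fs in second_library.items()}

    @staticmethod
    def _any_match(patterns, text):
        return any(p.search(text) for p in patterns)

    def determine(self, ev):
        failure_hit = self._any_match(self.first.get(ev.vuln_type, []), ev.response)
        success_hit = self._any_match(self.second.get(ev.vuln_type, []), ev.response)
        if success_hit:           # success feature wins even when a failure feature is also present
            ev.result = AttackResult.SUCCESS
        elif failure_hit:         # failure feature present and no success feature
            ev.result = AttackResult.FAILURE
        else:
            ev.result = AttackResult.PENDING
        return ev.result

    def filter_failed(self, events):
        """Judge every event and drop those determined to be failed attacks."""
        return [e for e in events if self.determine(e) is not AttackResult.FAILURE]


# Constructed libraries: the keyword and the success marker are placeholders, not real exploit output.
FIRST_LIBRARY = {
    "sqli": ["X-Served-From: static-cache"],                      # general type: shared common feature
    "hypothetical_component_vuln": [("re", r"^HTTP/1\.1 (403|404) ")],
}
SECOND_LIBRARY = {
    "hypothetical_component_vuln": ["X-Constructed-Success-Marker: 1"],
}

# Constructed sample events.
SAMPLE_EVENTS = [
    SecurityEvent("e1", "sqli", "HTTP/1.1 200 OK\r\nX-Served-From: static-cache\r\n\r\n<html>"),
    SecurityEvent("e2", "hypothetical_component_vuln", "HTTP/1.1 404 Not Found\r\n\r\n"),
    SecurityEvent("e3", "hypothetical_component_vuln",
                  "HTTP/1.1 404 Not Found\r\nX-Constructed-Success-Marker: 1\r\n\r\n"),
    SecurityEvent("e4", "sqli", "HTTP/1.1 200 OK\r\nX-Served-From: app-server\r\n\r\n"),
]


def judge_samples():
    engine = AttackResultEngine(FIRST_LIBRARY, SECOND_LIBRARY)
    return {e.event_id: engine.determine(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for event_id, result in judge_samples().items():
        print(event_id, result.value)
```

Event e3 carries both a failure feature (the 404 status line) and a success feature, and is judged a success because of the priority rule; e4 matches neither library and stays pending.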
In an embodiment, before the determining, in the first feature library, the first feature corresponding to the vulnerability type of the first security event, the method further comprises:
hijacking the first security event by a hook;
after determining an attack outcome of the first security event, the method further comprises:
releasing the hook of the first security event.
Before the first security event is written to its corresponding security log, it is hijacked through a hook; after the attack result of the first security event is determined, the determination result recorded for the first security event is modified and the hook on the first security event is released, whereupon the first security event is written to its security log. Hijacking the first security event through the hook technique makes it convenient for the subsequent steps to modify the event's result, so that the attack result of the first security event can be determined before the security log corresponding to it is generated.
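The hook mechanism just described, as an added example (not the patent's or Sangfor's code): an event is held before it reaches the log, a judge callable rewrites its result, and the hook is released so the event lands in the log with the modified result. The log, the judge and the sample events are constructed; the one-rule judge reuses the constructed "X-Served-From: static-cache" keyword as a general-type failure feature. The release is done in a finally block so that an error inside the judge never leaves an event held and unlogged, which is the failure mode a practitioner would want covered when events are intercepted on the way to the log.

```python
from dataclasses import dataclass


@dataclass
class SecurityEvent:
    event_id: str
    vuln_type: str
    response: str
    result: str = "pending"


class SecurityLog:
    """Stand-in for the security log the event would normally land in immediately."""

    def __init__(self):
        self.lines = []

    def write(self, ev):
        self.lines.append(f"{ev.event_id} type={ev.vuln_type} result={ev.result}")


class EventHook:
    """Holds an event before it reaches the log, lets a judge rewrite its result, then releases it."""

    def __init__(self, log, judge):
        self.log = log
        self.judge = judge       # callable(event) -> "success" | "failure" | "pending"
        self.held = {}

    def hijack(self, ev):
        self.held[ev.event_id] = ev        # nothing is written to the log yet

    def release(self, event_id):
        ev = self.held.pop(event_id)
        self.log.write(ev)                 # the event now lands in the log with the modified result
        return ev

    def process(self, ev):
        self.hijack(ev)
        try:
            ev.result = self.judge(ev)     # determination happens before the log line exists
        finally:
            self.release(ev.event_id)      # release even if the judge fails, so no event is lost
        return ev


def static_page_judge(ev):
    """Constructed one-rule judge using the shared failure keyword of the general library."""
    return "failure" if "X-Served-From: static-cache" in ev.response else "pending"


def run_pipeline(events, judge=static_page_judge):
    """Push constructed events through the hook; return the log lines and how many stayed held."""
    log = SecurityLog()
    hook = EventHook(log, judge)
    for ev in events:
        try:
            hook.process(ev)
        except RuntimeError:
            pass                           # judge error: the event was still logged as pending
    return log.lines, len(hook.held)


if __name__ == "__main__":
    sample = [
        SecurityEvent("e1", "sqli", "HTTP/1.1 200 OK\r\nX-Served-From: static-cache\r\n\r\n"),
        SecurityEvent("e2", "sqli", "HTTP/1.1 200 OK\r\nX-Served-From: app-server\r\n\r\n"),
    ]
    lines, held = run_pipeline(sample)
    print("\n".join(lines), "| still held:", held)
```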
In an embodiment, the method further comprises:
and determining the risk level of the first security event based on the corresponding vulnerability type and the attack result.
After the attack result of the first security event is determined, the risk score and the weight parameter of the first security event are determined according to the vulnerability type and the attack result corresponding to the first security event, and therefore the risk level is determined.
When the weight parameter for the attack result is set, a separate weight parameter can be set for the security events of each vulnerability type, or the same weight parameter can be set for the security events of all vulnerability types. Here, the weight parameter for an attack result of attack success is not smaller than the weight parameter for an attack result of attack failure. In the scheme with a weight parameter per vulnerability type, the risk score is determined based on the vulnerability type corresponding to the first security event, the weight parameter is determined based on the corresponding vulnerability type and attack result, and the risk level is determined by comparing the result calculated from the risk score and the weight parameter with a set threshold. The risk score corresponding to each vulnerability type can be preset. Generally, the larger the risk score, the larger the calculated result and the higher the risk level, indicating that the corresponding first security event is more dangerous. Preferably, alarm information may be output according to the risk level.
For example, suppose a security event in which an external network server attacks an internal network server, and the attack result is attack failure. Because of the weight parameter corresponding to the attack result, the value calculated for attack failure is smaller than that for attack success, so the risk level determined is lower.
Therefore, the risk level of the first security event is determined based on the vulnerability type and the attack result corresponding to the first security event, and the automatic risk analysis of the security event can be realized, so that the processing efficiency of the security event is improved.
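An added example of the risk level determination, not the patent's or Sangfor's code. The patent states that risk scores and weights are preset and compared against a threshold but gives no values or formula, so the tables, the product as the calculation, the thresholds, the weight for a pending result and the rule that only the top level raises an alarm are all assumptions here. The table supports both schemes on the page: a shared "*" row gives one weight for all vulnerability types, and a type-specific row overrides it. validate_weights enforces the page's constraint that the success weight is never smaller than the failure weight.

```python
# Constructed tables: hypothetical type tags and numbers, not values from the patent.
RISK_SCORE = {"sqli": 60, "xss": 40, "hypothetical_component_vuln": 90}

# Weight per (vulnerability type, attack result). The "*" row is the scheme in which every type
# shares one weight; a type-specific row overrides it. The weight for "pending" is an assumption.
WEIGHT = {
    ("*", "success"): 1.0, ("*", "failure"): 0.2, ("*", "pending"): 0.6,
    ("hypothetical_component_vuln", "failure"): 0.5,
}

# Descending thresholds on score * weight; below the last one the level is "low".
THRESHOLDS = [(70, "high"), (30, "medium")]


def validate_weights(weight):
    """Enforce the page's rule: the success weight is never smaller than the failure weight."""
    for (vtype, result), w in weight.items():
        if result == "failure":
            w_success = weight.get((vtype, "success"), weight.get(("*", "success")))
            if w_success is None or w_success < w:
                raise ValueError(f"failure weight exceeds success weight for {vtype!r}")


def weight_for(vtype, result, weight=WEIGHT):
    """Type-specific weight if present, otherwise the shared weight for that result."""
    return weight.get((vtype, result), weight[("*", result)])


def risk_level(vtype, result, score=RISK_SCORE, weight=WEIGHT, thresholds=THRESHOLDS):
    """Return (level, calculated value, alarm). The alarm flag is set only for the top level."""
    value = score[vtype] * weight_for(vtype, result, weight)
    for limit, level in thresholds:
        if value >= limit:
            return level, value, level == thresholds[0][1]
    return "low", value, False


if __name__ == "__main__":
    validate_weights(WEIGHT)
    for vtype, result in [("sqli", "success"), ("sqli", "failure"),
                          ("hypothetical_component_vuln", "success"),
                          ("hypothetical_component_vuln", "failure")]:
        print(vtype, result, risk_level(vtype, result))
```

With these tables the same vulnerability type yields a lower level when the attack failed than when it succeeded, which is the behaviour the external-to-internal server example above describes.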
In an embodiment, the method further comprises:
and displaying the attack result of the first security event on a set page.
Here, the first security event and the corresponding security log are displayed on the setting page, and the attack result of the first security event is represented by the setting field. As shown in the schematic display page diagram of fig. 2, for a security event whose attack result is failure, a "failure" tag is used for labeling, for a security event whose attack result is success, a "success" tag is used for labeling, and security events of different attack results can be screened. In addition, the risk level and the security level of the security event may be displayed on a setting page.
The information such as the attack result related to the security event is displayed on the set page, so that a user can intuitively acquire the related information of the massive security events, the efficiency of processing the security events by the user can be improved, and the operation experience of the user is improved.
The present application will be described in further detail with reference to the following application examples.
Fig. 3 is a schematic diagram illustrating an implementation flow of an attack result determination method provided in an application embodiment of the present application, where the attack result determination method includes:
Step 301: attack event.
For a security event generated by the attack engine, the security event is hijacked by a hook at this point, before it is written to the security log, so that the subsequent steps can modify the result of the security event.
Here, hook technology intercepts an object and thereby controls the interaction of that object with other objects.
Step 302: type distinction.
The vulnerability type of the vulnerability exploited by the security event is determined from the tag value of the security event's tag, the security event type is distinguished according to the vulnerability type, and the security event is then sent to the attack failure detection engine.
Vulnerability types include, for example, SQL injection and cross-site scripting (XSS).
Step 303: attack failure detection.
Here, attack failure detection is performed by the set attack failure detection engine.
As shown in fig. 4, the attack failure detection engine may divide vulnerability types into general vulnerability detection (such as SQL injection and XSS vulnerabilities) and highly available vulnerability detection (such as Struts and Tomcat component vulnerabilities), according to the exploitation frequency, application range and harm of the vulnerabilities.
For a general vulnerability, the engine matches characteristics common to failed exploitation of that vulnerability type. For example, SQL injection exploitation almost always targets a dynamic page request, so an SQL injection attack against a static page such as an HTML file can be judged an attack failure.
For a highly available vulnerability, the specific exploitation is analysed in order to extract, for the security events of each vulnerability type, the features of attack success and/or attack failure, and the attack behaviour is judged to be attack success or attack failure according to those features; the deserialization vulnerability of the WebLogic T3 protocol is one example. Because different exploits return different contents in the response data packet when they succeed, whether the attack has failed can be judged by matching whether the characteristic character strings exist in the response data packet.
Here, attack failure means that the attack behaviour did not achieve its intended purpose, for example, it failed to damage the server or to acquire server privileges.
Step 304: modifying the event result.
According to the detected attack result, the attack failure detection engine changes the judgement result of each security event judged to be attack failure to attack failure, and then releases the hook set in step 301; the security event then lands and is stored as a security log.
Step 305: displaying the attack result.
The security log generated when the security event lands is displayed on the platform page. An attack event whose attack result is failure is marked with a "failure" label, and the risk and threat level of the event is adjusted and displayed according to the attack result; for example, if a security event exists in which the intranet server is attacked by the extranet server, its risk and threat level can be lowered accordingly on the basis of the "failure" label.
There are a large number of malicious servers in the network that continuously scan for vulnerabilities on electronic devices on the internet to launch attacks. At present, a large number of security products are concentrated on improving detection of attack behaviors, and when security monitoring or event processing is carried out, technical personnel need to judge attack results of massive attack behaviors manually, so that the problems of high cost and low efficiency exist.
Meanwhile, when the attack results of a large number of security events are judged manually, security events whose attack succeeded can also be missed; in other words, the successful security events are buried among the massive number of security events, so the missed-report rate of successful attacks increases.
In the embodiment of the application, an attack failure determination system is provided. It determines whether the attack result of a security event is attack failure, marks the attack failure result, and displays the corresponding security event on the platform page with a set attack failure label, so that the many failed security events can be filtered out of the massive number of security events and security events with different attack results can be distinguished; this reduces the workload of security event processing and monitoring and improves the efficiency of security event processing. Because the massive failed security events are filtered and attack results are determined automatically, the attack results of massive attack behaviours no longer need to be judged manually, so the missed-report rate of successful attacks is reduced, personnel without security expertise can complete security event processing on the basis of the failure label, and the threshold for use is lowered.
Marking the attack result of a security event as attack failure through the "failure" label also lets the attack result serve as a screening condition or as a data source for further judgement, providing a data source for functions such as attack behaviour analysis.
It should be noted that attack failure and attack success differ as follows:
in terms of damage, attack failure means the attack behaviour was ineffective, and the degree of damage is far lower than for attack success;
in terms of scheme design, attack failure is used as a filtering and screening condition, so its accuracy needs to be high, since a false "failure" verdict easily causes an attack event to be ignored;
in terms of the priority of the detection logic, to avoid an event being detected as both attack success and attack failure and having its attack result modified repeatedly, the priority of attack failure is defined to be lower than that of attack success; in the calculation of the risk score, the weight parameter of attack failure is lower than the weight parameter of attack success;
in terms of display on the platform page, the label of a successful attack may be highlighted in colour while the label of a failed attack is shown in grey or black;
in terms of quantity, failed security events far outnumber successful ones, so filtering out the failed security events improves the efficiency of judging attack results.
The detection requirements also differ: attack failure detection needs to cover data more comprehensively, whereas attack success detection needs more precise features for accuracy. For example, attack success features are extracted per vulnerability type, using the specific vulnerability type or exploitation method, whereas failure can also be detected through the features of general vulnerabilities.
In order to implement the method according to the embodiment of the present application, an attack result determining apparatus is further provided according to the embodiment of the present application, and as shown in fig. 5, the apparatus includes:
a first processing unit 501, configured to determine, in a first feature library, a first feature corresponding to a vulnerability type of a first security event;
a second processing unit 502, configured to determine that an attack result of the first security event is attack failure when a corresponding first feature exists in a response packet of the first security event; wherein
the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
Wherein, in one embodiment, the apparatus further comprises:
a third processing unit, configured to determine a common feature of at least two response packets before the first processing unit 501 determines the first feature corresponding to the vulnerability type of the first security event in the first feature library; each response data packet is generated based on a security event of a vulnerability type; determining the common feature as a first feature of at least two vulnerability types; the at least two vulnerability types comprise vulnerability types corresponding to the at least two response data packets.
In one embodiment, the apparatus further comprises:
a fourth processing unit, configured to determine, in a second feature library, a second feature corresponding to the vulnerability type of the first security event;
the second processing unit 502 is configured to:
determining that the attack result of the first security event is attack failure under the condition that the corresponding second feature does not exist in the response data packet of the first security event; wherein
the second feature library comprises at least one second feature; each second feature characterizes a feature of the corresponding response data packet when the attack of the security event corresponding to the vulnerability type is successful.
In one embodiment, the apparatus further comprises:
a fifth processing unit, configured to determine that the attack result of the first security event is attack success under the condition that the corresponding second feature exists in the response data packet of the first security event.
In one embodiment, the apparatus further comprises:
a sixth processing unit, configured to hijack, by a hook, a first security event before the first processing unit 501 determines, in the first feature library, a first feature corresponding to a vulnerability type of the first security event; and is further configured to release the hook of the first security event after the second processing unit 502 determines the attack result of the first security event.
In one embodiment, the apparatus further comprises:
a seventh processing unit, configured to determine the risk level of the first security event based on the corresponding vulnerability type and the attack result.
In one embodiment, the apparatus further comprises:
a display unit, configured to display the attack result of the first security event on a set page.
In practical applications, the first processing unit 501, the second processing unit 502, the third processing unit, the fourth processing unit, the fifth processing unit, the sixth processing unit, the seventh processing unit and the display unit may be implemented by a processor in the attack result determination device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU) or a Field Programmable Gate Array (FPGA).
It should be noted that: in the attack result determination device provided in the above embodiment, when determining the attack result, only the division of each program module is taken as an example, and in practical applications, the processing distribution may be completed by different program modules according to needs, that is, the internal structure of the device may be divided into different program modules to complete all or part of the processing described above. In addition, the attack result determination device and the attack result determination method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are detailed in the method embodiments and are not described herein again.
Based on the hardware implementation of the program module, and in order to implement the attack result determination method according to the embodiment of the present application, an embodiment of the present application further provides an electronic device. Fig. 6 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 6, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
a processor 2, connected with the communication interface 1 to realize information interaction with other devices, and configured to execute the method provided by one or more of the technical solutions above when running a computer program, the computer program being stored in the memory 3.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are labeled as bus system 4 in fig. 6.
The memory 3 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. The nonvolatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM) and Direct Rambus Random Access Memory (DRRAM). The memory 3 described in the embodiments of the present invention is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the above embodiment of the present invention can be applied to the processor 2, or implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed by the embodiment of the invention can be directly implemented by a hardware decoding processor, or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present invention are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present invention further provides a storage medium, i.e. a computer storage medium, in particular a computer readable storage medium, for example comprising a memory 3 storing a computer program, which is executable by a processor 2 to perform the steps of the aforementioned method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof contributing to the prior art may be embodied in the form of a software product stored in a storage medium, and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict. Unless otherwise specified and limited, the term "coupled" is to be construed broadly, e.g., as meaning electrical connections, or as meaning communications between two elements, either directly or indirectly through intervening media, as well as the specific meanings of such terms as understood by those skilled in the art.
In addition, in the examples of the present application, "first", "second" and the like are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that objects distinguished as "first/second/third" may be interchanged under appropriate circumstances, so that the embodiments of the application described herein may be implemented in an order other than those illustrated or described herein.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean that A exists alone, that A and B exist simultaneously, or that B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality; for example, including at least one of A, B and C may mean including any one or more elements selected from the group consisting of A, B and C.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Various combinations of the specific features in the embodiments described in the detailed description may be made without contradiction, for example, different embodiments may be formed by different combinations of the specific features, and in order to avoid unnecessary repetition, various possible combinations of the specific features in the present application will not be described separately.

Claims (10)

1. An attack result determination method, characterized by comprising:
determining a first feature corresponding to the vulnerability type of the first security event in a first feature library;
determining that the attack result of the first security event is attack failure under the condition that the corresponding first feature exists in the response data packet of the first security event; wherein
the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
2. The method of claim 1, wherein prior to the determining, in the first feature repository, the first feature corresponding to the vulnerability type of the first security event, the method further comprises:
determining a common characteristic of at least two response packets; each response data packet is generated based on a security event of a vulnerability type;
determining the common feature as a first feature of at least two vulnerability types; the at least two vulnerability types comprise vulnerability types corresponding to the at least two response data packets.
3. The method of claim 1, further comprising:
determining a second feature corresponding to the vulnerability type of the first security event in a second feature library;
the determining that the attack result of the first security event is attack failure includes:
determining that the attack result of the first security event is attack failure under the condition that the corresponding second feature does not exist in the response data packet of the first security event; wherein
the second feature library comprises at least one second feature; each second feature characterizes a feature of the corresponding response data packet when the attack of the security event corresponding to the vulnerability type is successful.
4. The method of claim 3, further comprising:
under the condition that the corresponding second feature exists in the response data packet of the first security event, determining that the attack result of the first security event is attack success.
5. The method of claim 1,
before the determining, in the first feature library, a first feature corresponding to a vulnerability type of a first security event, the method further comprises:
hijacking the first security event by a hook;
after determining an attack outcome of the first security event, the method further comprises:
releasing the hook of the first security event.
6. The method of claim 1, further comprising:
and determining the risk level of the first security event based on the corresponding vulnerability type and the attack result.
7. The method according to any one of claims 1 to 6, further comprising:
and displaying the attack result of the first security event on a set page.
8. An attack result determination device, comprising:
a first processing unit, configured to determine, in a first feature library, a first feature corresponding to the vulnerability type of a first security event;
a second processing unit, configured to determine that the attack result of the first security event is attack failure under the condition that the corresponding first feature exists in the response data packet of the first security event; wherein
the first feature library comprises at least one first feature; each first feature characterizes a feature of a corresponding response data packet when a security event attack of a corresponding vulnerability type fails.
9. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is adapted to perform the steps of the method of any one of claims 1 to 7 when running the computer program.
10. A storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN202111560476.7A 2021-12-20 2021-12-20 Attack result determination method, device, electronic equipment and storage medium Pending CN114417349A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111560476.7A CN114417349A (en) 2021-12-20 2021-12-20 Attack result determination method, device, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN114417349A true CN114417349A (en) 2022-04-29

Family

ID=81267517


Country Status (1)

Country Link
CN (1) CN114417349A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115314322A (en) * 2022-10-09 2022-11-08 安徽华云安科技有限公司 Vulnerability detection confirmation method, device, equipment and storage medium based on flow



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination