CN114465741B - Abnormality detection method, abnormality detection device, computer equipment and storage medium - Google Patents

Info

Publication number: CN114465741B
Authority: CN (China)
Prior art keywords: information, flow data, characteristic information, flow, protocol
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN202011237341.2A
Other languages: Chinese (zh)
Other versions: CN114465741A (en)
Inventors: 张友旭, 于涛, 毕磊, 屈亚鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011237341.2A
Publication of CN114465741A
Application granted
Publication of CN114465741B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The embodiment of the application discloses an abnormality detection method, an abnormality detection device, computer equipment and a storage medium, wherein the embodiment of the application can acquire configuration information of a network port of a preset network card; acquiring flow data generated by script operation based on the configuration information flowing through the network port; analyzing the flow data to obtain flow information; extracting transmission characteristic information of the flow data from the flow information; matching the transmission characteristic information with sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, determining that the flow data has an abnormal script, and generating a log file corresponding to the abnormal script of the flow data, thereby improving the accuracy and timeliness of abnormality detection.

Description

Abnormality detection method, abnormality detection device, computer equipment and storage medium
Technical Field
The present application relates to the field of internet technologies, and in particular, to an anomaly detection method, an anomaly detection device, a computer device, and a storage medium.
Background
WebShell is a command execution environment in the form of a web page file such as asp, php, jsp or cgi, and is commonly used by hackers as a backdoor tool after intruding into a website server, with the aim of obtaining execution rights on the server, such as executing system commands, stealing user data, deleting web pages, modifying the homepage and the like; the harm is self-evident. For example, a hacker can exploit a server vulnerability to implant a dynamic WebShell script (also called a backdoor or trojan) into the website server, where it is mixed in with the normal web page files under the WEB directory of the server; the hacker then accesses the WebShell script through a browser and obtains a command execution environment, thereby controlling the website server. WebShells therefore pose a great potential security hazard to servers.
At present, in order to discover a WebShell in time and take corresponding countermeasures, WebShells can be detected, and in the detection process either static detection or log detection may be used. Static detection searches for WebShells by matching signatures, dangerous functions and the like; because it can only find known WebShells, the false alarm rate of the detection result is high, the reliability is low, and analysis can only be carried out after the fact, which reduces the timeliness of finding WebShells. Log detection builds a request model from a large number of web log files in order to detect WebShells; but because log files generally record only a small amount of information such as the uniform resource locator (Uniform Resource Locator, URL) or the Internet protocol address (Internet Protocol Address), log detection is effective only when the logs are rich, which reduces detection accuracy, and it too can only analyze after the event, which reduces the timeliness of finding WebShells.
Disclosure of Invention
The embodiment of the application provides an abnormality detection method, an abnormality detection device, computer equipment and a storage medium, which can improve the accuracy and timeliness of abnormality detection.
In order to solve the technical problems, the embodiment of the application provides the following technical scheme:
the embodiment of the application provides an abnormality detection method, which comprises the following steps:
acquiring configuration information of a network port of a preset network card;
acquiring flow data generated by script operation based on the configuration information flowing through the network port;
analyzing the flow data to obtain flow information;
extracting transmission characteristic information of the flow data from the flow information;
matching the transmission characteristic information with sample characteristic information of a preset abnormal sample;
when sample characteristic information successfully matched with the transmission characteristic information exists, determining that the flow data has an abnormal script, and generating a log file corresponding to the abnormal script of the flow data.
According to an aspect of the present application, there is also provided an abnormality detection apparatus including:
the first acquisition unit is used for acquiring configuration information of a network port of a preset network card;
the second acquisition unit is used for acquiring flow data generated by script operation based on the configuration information flowing through the network port;
the analysis unit is used for analyzing the flow data to obtain flow information;
the extracting unit is used for extracting transmission characteristic information of the flow data from the flow information;
the matching unit is used for matching the transmission characteristic information with sample characteristic information of a preset abnormal sample;
and the determining unit is used for determining that the flow data has an abnormal script when the sample characteristic information successfully matched with the transmission characteristic information exists, and generating a log file corresponding to the abnormal script of the flow data.
According to an aspect of the present application, there is also provided a computer device including a processor and a memory, the memory storing a computer program, the processor executing any one of the anomaly detection methods provided by the embodiments of the present application when calling the computer program in the memory.
According to an aspect of the present application, there is also provided a storage medium for storing a computer program loaded by a processor to perform any one of the anomaly detection methods provided by the embodiments of the present application.
The embodiment of the application can acquire the configuration information of the network port of the preset network card, and acquire, based on the configuration information, the flow data generated by script operation through the network port; then analyze the flow data to obtain flow information, and extract transmission characteristic information of the flow data from the flow information. At this point the transmission characteristic information can be matched with the sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data, and a log file recording the abnormal script in the flow data is generated. According to this scheme, the flow data is accurately obtained through the configuration information, and whether an abnormal script exists is rapidly determined from the matching result between the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of abnormality detection are improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of a scenario in which an anomaly detection method provided by an embodiment of the present application is applied;
FIG. 2 is a schematic flow chart of an anomaly detection method according to an embodiment of the present application;
fig. 3 is a schematic diagram of data interaction between a terminal and a server through a network according to an embodiment of the present application;
FIG. 4 is a schematic diagram of detection by a deployment proxy server provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a configuration interface display provided by an embodiment of the present application;
FIG. 6 is another schematic illustration of a configuration interface display provided by an embodiment of the present application;
fig. 7 is a schematic diagram of a protocol format of an HTTP protocol according to an embodiment of the present application;
FIG. 8 is another flow chart of an anomaly detection method according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a tree structure provided by an embodiment of the present application;
FIG. 10 is a schematic diagram of background processing data according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a monitoring interface display provided by an embodiment of the present application;
FIG. 12 is a schematic diagram of an abnormality detection apparatus provided in an embodiment of the present application;
fig. 13 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The embodiment of the application provides an abnormality detection method, an abnormality detection device, computer equipment and a storage medium.
Referring to fig. 1, fig. 1 is a schematic view of a scenario of an anomaly detection method application provided by an embodiment of the present application, where the anomaly detection method application may include an anomaly detection device, and the anomaly detection device may be specifically integrated in a computer device, where the computer device may be a terminal or a server, where the server may be an independent physical server, may be a server cluster or a distributed system formed by a plurality of physical servers, and may also be a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content distribution networks (Content Delivery Network, CDNs), and big data and artificial intelligent platforms, but is not limited thereto. The terminal may be a cell phone, tablet computer, notebook computer, desktop computer, or wearable device, etc. The terminal and the server may be directly or indirectly connected through wired or wireless communication, which is not limited herein.
The Database (Database), which may be referred to as an electronic filing cabinet, is a place where electronic files are stored, and a user may perform operations such as adding, querying, updating, deleting, etc. on data in the files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, with as little redundancy as possible, independent of the application.
Cloud computing is a computing model that distributes computing tasks across a large pool of computers, enabling various application systems to acquire computing power, storage space and information services as needed. The network that provides the resources is referred to as the "cloud". From the user's point of view, resources in the cloud are infinitely expandable and can be acquired at any time, used as needed, expanded at any time and paid for according to use.
Cloud storage (cloud storage) is a new concept that extends and develops in the concept of cloud computing, and a distributed cloud storage system (hereinafter referred to as a storage system for short) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network to work cooperatively through application software or application interfaces through functions such as cluster application, grid technology, and a distributed storage file system, so as to provide data storage and service access functions for the outside.
A proxy service may be provided on a computer device; this may refer to a program running on the computer device. Through the proxy service, the computer device can acquire configuration information of a network port of a preset network card and, based on the configuration information, acquire flow data generated by script operation through the network port; then analyze the flow data to obtain flow information and extract transmission characteristic information of the flow data from the flow information. The transmission characteristic information can then be matched with sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, an abnormal script exists in the flow data, and a log file recording the abnormal script in the flow data is generated. Alarm information corresponding to the abnormal script of the flow data can then be generated from the log file and output, etc. In this way the abnormal script can be found in time and corresponding measures taken, improving information security and cloud security.
Cloud security is a generic term for security software, hardware, users, institutions and secure cloud platforms based on the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment: a large number of networked clients monitor abnormal software behavior in the network, the latest information about trojans and malicious programs on the Internet is acquired and sent to the server for automatic analysis and processing, and solutions for viruses and trojans are distributed to each client (i.e., the client on the terminal).
It should be noted that, the schematic view of the scenario of the application of the anomaly detection method shown in fig. 1 is only an example, and the application and the scenario of the anomaly detection method described in the embodiment of the present application are for more clearly describing the technical solution of the embodiment of the present application, and do not constitute a limitation on the technical solution provided by the embodiment of the present application, and those skilled in the art can know that, along with the evolution of the application of the anomaly detection method and the occurrence of a new service scenario, the technical solution provided by the embodiment of the present application is equally applicable to similar technical problems.
The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.
In the present embodiment, description will be made from the viewpoint of an abnormality detection apparatus which may be integrated in a computer device such as a server or a terminal.
Referring to fig. 2, fig. 2 is a flowchart illustrating an anomaly detection method according to an embodiment of the application. The abnormality detection method may include:
s101, acquiring configuration information of a network port of a preset network card.
The preset network card can be flexibly set according to actual needs, the preset network card can be a network card to be monitored, configuration information of a network port of the preset network card can be obtained through a preset proxy service, the proxy service can be a program running on computer equipment, the configuration information can comprise network card information, port information, a policy for obtaining flow data (which can be called as a flow filtering rule, such as port information for capturing flow data, and the like), and the like.
For example, as shown in fig. 3, data interaction may be performed between a terminal and a computer device such as a server through a network, and at this time, a network card on the terminal may be monitored to obtain configuration information of a network port of the network card, and flow data flowing through the network port is obtained based on the configuration information. As another example, as shown in fig. 4, a proxy agent may be deployed on a computer device such as a terminal in a local area network or a data center, for example, a proxy agent may be deployed on a physical machine, a virtual machine, or a container of the computer device, and the anomaly detection method in the embodiment of the present application may be implemented by the proxy agent, for example, the traffic data of the terminal may be captured by the proxy agent (may be simply referred to as terminal traffic capture), terminal traffic restoration analysis, feature matching, and alarm, which will be described in detail below.
In an embodiment, the abnormality detection method may further include: displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control; and receiving configuration information of the network port input in the information input area, responding to triggering operation aiming at the confirmation control, and storing the configuration information of the network port into a configuration file.
In order to improve the convenience of configuration information acquisition and to improve the efficiency of anomaly detection, configuration information can be configured in advance through a configuration interface. For example, as shown in fig. 5, a configuration interface may be displayed, where the configuration interface may include an information input area and a confirmation control, and may further include a cancel control or other content, etc., and then may receive configuration information of a network port input by a user in the information input area, for example, may input configuration information of network card information, port information, and a policy for acquiring traffic data, etc., where configuration of the configuration information may be completed in response to a triggering operation for the confirmation control, and the configuration information of the network port may be stored in a configuration file. When the configuration information of the network port needs to be acquired, the configuration file can be loaded, and the configuration information of the network port is extracted from the configuration file.
In an embodiment, the abnormality detection method may further include: and displaying a configuration interface, wherein the configuration interface comprises an information input area, displaying an information list in response to the selection operation input in the information input area, selecting configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file. The obtaining the configuration information of the network port of the preset network card may include: configuration information of the network port is extracted from the configuration file.
In order to improve the flexibility and convenience of configuration information acquisition and to improve the efficiency of anomaly detection, configuration information can be configured in advance through a configuration interface. For example, as shown in fig. 6, a configuration interface may be displayed, where the configuration interface may include an information input area, and may further include other contents such as a confirmation control and a cancel control, and then, in response to a selection operation input in the information input area, an information list may be displayed, where a plurality of pieces of optional configuration information may be included in the information list, for example, configuration information such as network card information, port information, and a policy for acquiring traffic data. At this time, a selection instruction input based on the displayed information list may be received, configuration information of the network port may be selected from the information list based on the selection instruction, and after the configuration of the configuration information is completed, the configuration information of the network port may be stored in the configuration file. When the configuration information of the network port needs to be acquired, the configuration file can be loaded, and the configuration information of the network port is extracted from the configuration file.
S102, acquiring flow data generated by the network port based on script operation based on the configuration information.
The type of the script can be set flexibly according to actual needs; for example, based on the port information carried in the configuration information, traffic data generated by running a script through the designated network port corresponding to that port information can be captured. Traffic may refer to the data traffic generated on the network by a device able to connect to it, and traffic data may refer to the traffic flowing in and out between a terminal and other network devices. Traffic may include north-south traffic, east-west traffic and the like: north-south traffic may be traffic between a terminal and a data center, i.e. traffic from the network entry to the inside of the network; east-west traffic may be traffic between servers and network traffic between different data centers, i.e. traffic inside the cluster of servers that process data.
S103, analyzing the flow data to obtain flow information.
The traffic data may be in the form of packets, in which case the traffic data (i.e. the traffic packets) may be parsed (also referred to as restored) to obtain the traffic information contained in it. For example, the traffic data may be restored in sequence into link layer data, Internet protocol (Internet Protocol, IP) layer data, transport layer data and application layer data, and the traffic information may then be extracted from the application layer data; the traffic information may include the request method, the uniform resource locator (Uniform Resource Locator, URL), the protocol version used for the data transmission, and the transmission characteristic information corresponding to the traffic data, where the transmission characteristic information may include a transfer function, a data encoding and decoding manner, and the like.
In an embodiment, parsing the flow data to obtain the flow information may include: extracting a preset character string from the flow data; when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, the flow data is analyzed according to the protocol format of the target protocol, and the flow information is obtained.
In order to improve the accuracy of analyzing the flow data, the flow data may be analyzed based on a protocol format, for example, a preset character string may be extracted from the flow data, the type, the specific content, and the like of the preset character string may be flexibly set according to actual needs, the preset character string may be used to identify a protocol of data transmission, and a transmission protocol of the flow data may be determined based on the preset character string. When the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, the flow data can be analyzed according to the protocol format of the target protocol to obtain flow information. Among other things, the target protocols may include hypertext transfer protocol (HyperText Transfer Protocol, HTTP), transmission control protocol (Transmission Control Protocol, TCP), user datagram protocol (User Datagram Protocol, UDP), and the like. Taking the HTTP protocol as an example, the traffic data may be parsed according to the protocol format of the HTTP protocol, and the parsed data may include a request line, a request header, and request data (may be referred to as payload data), where the request line may include a request method, a URL of the request, a protocol version, and the like, the request header may include a header field name and the like, and the request data may include transmission feature information and the like, as shown in fig. 7.
S104, extracting transmission characteristic information of the flow data from the flow information.
After the flow information is obtained, transmission characteristic information of the flow data can be extracted from the flow information, and the transmission characteristic information can comprise a transmission function of the flow data, a data coding and decoding mode and the like.
S105, matching the transmission characteristic information with sample characteristic information of a preset abnormal sample.
The preset abnormal sample may include a webshell script or other malicious script; the sample characteristic information may include the transfer function, the data encoding and decoding mode and the like of the abnormal sample, and may be obtained from a database or other storage space. For example, taking the chinese kitchen knife webshell (commonly known as China Chopper) as an example, the php webshell traffic may carry the following sample feature information: the eval function is used to execute the transferred attack payload data, which is Base64 decoded by base64_decode($_POST[z0]) (because chinese kitchen knife Base64-encodes the attack payload by default to avoid detection); and &z0=qgluv9zzxq. is the transferred attack payload data, where the parameter z0 corresponds to the data received by $_POST[z0] and its value is Base64 encoded, so the attack plaintext can be seen after Base64 decoding.
After the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample are obtained, the two can be matched using a multi-pattern matching algorithm such as Wu-Manber (WM) or an AC (Aho-Corasick) automaton. For example, the sample feature information may be loaded into an AC automaton, which stores it in the form of a tree structure, and the AC automaton then matches the transmission feature information against the sample feature information automatically. For example, as shown in fig. 8, configuration information such as the network card to monitor (i.e. the network card information of the network card needing to be monitored) and the flow filtering rules (i.e. the policy for acquiring flow data) may be preset and stored in a configuration file; the configuration file is then loaded, the sample feature information of the preset abnormal sample is acquired and loaded into the AC automaton, and flow data packets on the network card port are captured according to the configuration information in the configuration file. Whether the transmission protocol of a captured packet is HTTP is judged; when it is, the packet is parsed according to the protocol format of HTTP to extract the transmission feature information of the flow data, rule matching is performed by the AC automaton, and when the matching succeeds it is determined that the flow data has an abnormal script, a log file recording that the flow data has the abnormal script is generated, and alarm information may be output.
In an embodiment, the abnormality detection method may further include: constructing a tree structure, wherein the tree structure comprises at least one layer of storage space; sample characteristic information of a preset abnormal sample is obtained, and the sample characteristic information is loaded into a storage space of a tree structure.
In order to improve the efficiency and accuracy of subsequent matching, the sample characteristic information of the preset abnormal sample can be stored in a tree structure so that multi-pattern matching can be performed. For example, as shown in fig. 9, a tree structure may be constructed which includes at least one layer of storage space; the number of layers, the specific structure and so on of the tree structure may be flexibly set according to actual needs, for example the tree structure may be a Trie tree or a B-tree. Sample feature information of the preset abnormal sample may be obtained from a local database or a server, may include various kinds of information, and is then loaded into the storage space of the tree structure, for example each piece of sample feature information may be stored in its own storage space of the tree structure.
In an embodiment, matching the transmission characteristic information with the sample characteristic information of the preset abnormal sample, and determining that the abnormal script exists in the flow data when sample characteristic information successfully matched with the transmission characteristic information exists, may include: matching the transmission characteristic information with the sample characteristic information of the preset abnormal sample in the storage space of the tree structure based on a predetermined hierarchical sequence; and when sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, determining that the flow data has an abnormal script.
Specifically, the transmission characteristic information of the flow data can be matched with the sample characteristic information pre-loaded into the storage space of the tree structure, and it is judged whether the transmission characteristic information contains information consistent with the sample characteristic information; if so, a risk of malicious scripts is indicated. In order to make the matching more convenient and efficient, the transmission characteristic information may be matched with the sample characteristic information in the storage space of the tree structure based on a predetermined hierarchical order, which may be flexibly set according to actual needs, for example from the first layer to the last layer. For example, the transmission characteristic information may first be matched in the first layer of storage space of the tree structure; when it is not matched in the first layer, a target pointer is determined according to the transmission characteristic information, and the transmission characteristic information is matched in the second layer of storage space according to the direction of the target pointer, so that a multi-path search is performed until the transmission characteristic information is matched or the tree structure has been traversed. When all layers have been searched and the sample characteristic information in the storage space contains no information successfully matched with the transmission characteristic information, it means that no matching sample characteristic information exists in the storage space of the tree structure, and it can be determined that no abnormal script exists.
When sample characteristic information successfully matched with the transmission characteristic information exists in the storage space of the tree structure, it is determined that the flow data has an abnormal script.
S106: when sample characteristic information successfully matched with the transmission characteristic information exists, determining that the flow data has an abnormal script, and generating a log file corresponding to the abnormal script of the flow data.
When sample characteristic information successfully matched with the transmission characteristic information exists, it can be determined that the flow data has an abnormal script, and at this time a log file corresponding to the abnormal script of the flow data can be generated. For example, a data identifier of the flow data, the detection time, detection detail information, the URL, the detection result and the like can be obtained, where the data identifier uniquely identifies the flow data, and the log file corresponding to the abnormal script of the flow data can then be generated from the data identifier, the detection time, the detection detail information and the detection result. By capturing, restoring and analyzing the flow data and combining this with feature matching, the method and the device can realize real-time detection of webshells on the terminal, and can thereby ensure the security of the flow.
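As an added example (not the patent's own code), the path described above in one piece: HTTP identification by a preset character string, parsing per the HTTP request format, extraction of the transmission characteristic information, Aho-Corasick matching against sample characteristic information held in a trie with failure links, and generation of the log record. The sample feature strings, the captured packets and the data identifiers are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample characteristic information of a preset abnormal sample:
# transmission functions and encode/decode modes that webshell traffic carries.
SAMPLE_FEATURES = ["eval(", "assert(", "base64_decode(", "gzinflate(", "str_rot13("]


class ACAutomaton:
    """Aho-Corasick: a trie (one storage layer per character depth) plus failure links."""

    def __init__(self, patterns: List[str]) -> None:
        self.children: List[Dict[str, int]] = [{}]  # node -> {char: child node}
        self.fail: List[int] = [0]                   # node -> failure link
        self.output: List[List[str]] = [[]]          # node -> patterns ending here
        for pattern in patterns:
            self._insert(pattern)
        self._build_failure_links()

    def _insert(self, pattern: str) -> None:
        node = 0
        for ch in pattern:
            if ch not in self.children[node]:
                self.children.append({})
                self.fail.append(0)
                self.output.append([])
                self.children[node][ch] = len(self.children) - 1
            node = self.children[node][ch]
        self.output[node].append(pattern)

    def _build_failure_links(self) -> None:
        # Breadth-first, so each node's failure target is already complete.
        queue = deque(self.children[0].values())
        while queue:
            node = queue.popleft()
            for ch, child in self.children[node].items():
                f = self.fail[node]
                while f and ch not in self.children[f]:
                    f = self.fail[f]
                self.fail[child] = self.children[f].get(ch, 0)
                self.output[child].extend(self.output[self.fail[child]])
                queue.append(child)

    def search(self, text: str) -> List[Tuple[int, str]]:
        """Return (start_offset, pattern) for every pattern occurrence in one pass."""
        hits, node = [], 0
        for i, ch in enumerate(text):
            while node and ch not in self.children[node]:
                node = self.fail[node]
            node = self.children[node].get(ch, 0)
            for pattern in self.output[node]:
                hits.append((i - len(pattern) + 1, pattern))
        return hits


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Identify HTTP by the leading method token, then parse request line, headers, body."""
    if not payload.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")):
        return None  # not the target protocol: this branch does not inspect it
    head, _, body = payload.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None  # malformed request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": request_line[0], "url": request_line[1], "headers": headers, "body": body}


def extract_transmission_features(flow: dict) -> str:
    """Transmission characteristic information: URL and body, percent-decoded so that
    called functions and decoders appear in plain form."""
    return unquote_plus(flow["url"]) + "\n" + unquote_plus(flow["body"])


def detect(payload: bytes, automaton: ACAutomaton, data_id: str) -> Optional[dict]:
    """Protocol check, parse, feature extraction, AC match; log record on a hit."""
    flow = parse_http_request(payload)
    if flow is None:
        return None
    hits = automaton.search(extract_transmission_features(flow))
    if not hits:
        return None
    return {"data_id": data_id, "detection_time": datetime.now(timezone.utc).isoformat(),
            "url": flow["url"], "detail": sorted({p for _, p in hits}), "result": "abnormal script"}


# Constructed packets (not real traffic): a request whose percent-encoded body
# decodes to eval(base64_decode(x)), a benign request, and a non-HTTP record.
SAMPLE_REQUEST = (b"POST /upload/image.php HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"a=eval%28base64_decode%28x%29%29")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
NON_HTTP = b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    automaton = ACAutomaton(SAMPLE_FEATURES)
    print(detect(SAMPLE_REQUEST, automaton, "flow-0001"))
```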
In order to facilitate the subsequent presentation of the detection results of the flow data according to actual requirements, for example as shown in fig. 10, when it is determined that the flow data has an abnormal script, the flow data may be extracted by the lightweight log collection module Filebeat, buffered by the message middleware Kafka, and processed in real time by a real-time processing service such as Flink or Spark, so that the flow data is stored both in a database DB and in the database of the distributed search service Elasticsearch. When the relevant information of the flow data needs to be presented, the flow data may be obtained from the database DB and analyzed, and a time-consumption distribution map, a request volume trend map (i.e. a request volume trend map of a network port), a time-consumption comparison map, the queries per second (QPS) and other information may be displayed by a data presentation system; the flow data and its relevant information may also be obtained from Elasticsearch and sent to operators and the like.
In an embodiment, the abnormality detection method may further include: generating alarm information corresponding to the abnormal script of the flow data based on the log file; and outputting alarm information.
In order to enable the relevant personnel to learn in time that an abnormal script exists in the flow data and to take corresponding measures, after it is determined that an abnormal script exists in the flow data, alarm information corresponding to the abnormal script can be generated and output. For example, the alarm information can be generated based on the information recorded in the log file; its form, specific content, output mode and the like can be flexibly set according to actual needs, for example the alarm information can be displayed in a monitoring interface of the flow data, or indicated by a buzzer, voice broadcast, flashing indicator lamp or the like.
In an embodiment, outputting the alarm information may include: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and displaying alarm information in the information display area in response to the selection operation for the display control.
In order to improve the flexibility of outputting the alarm information, the alarm information may be displayed through a monitoring interface, for example, as shown in fig. 11, a monitoring interface may be displayed, an information display area, a display control and the like may be included in the monitoring interface, and then the alarm information may be displayed in the information display area in response to a selection operation of the display control for the flow data to be queried. The type of the display control can be flexibly set according to actual needs, for example, related information such as a detection time-consuming distribution diagram, a request quantity trend diagram, a time-consuming comparison diagram and QPS of flow data to be queried can be selected, a query button (namely a display control) is clicked, and alarm information is displayed in an information display area.
The embodiment of the application can acquire the configuration information of the network port of the preset network card, and acquire, based on the configuration information, the flow data generated by script operation through the network port; the flow data is then analyzed to obtain flow information, and the transmission characteristic information of the flow data is extracted from the flow information. At this time, the transmission characteristic information can be matched with the sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data, and a log file corresponding to the abnormal script of the flow data is generated. According to the scheme, the flow data is accurately obtained through the configuration information, and whether an abnormal script exists is rapidly determined from the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of abnormality detection are improved.
In order to facilitate implementation of the abnormality detection method provided by the embodiment of the application, the embodiment of the application also provides a device based on the abnormality detection method. The terms have the same meaning as in the abnormality detection method, and specific implementation details can be found in the description of the method embodiment.
Referring to fig. 12, fig. 12 is a schematic structural diagram of an abnormality detection apparatus according to an embodiment of the present application, where the abnormality detection apparatus may include a first obtaining unit 301, a second obtaining unit 302, an analyzing unit 303, an extracting unit 304, a matching unit 305, a determining unit 306, and the like.
The first acquiring unit 301 is configured to acquire configuration information of a network port of a preset network card.
And a second obtaining unit 302, configured to obtain, based on the configuration information, traffic data generated based on script operation and flowing through the network port.
And the analyzing unit 303 is configured to analyze the flow data to obtain flow information.
An extracting unit 304 is configured to extract transmission characteristic information of the traffic data from the traffic information.
And a matching unit 305, configured to match the transmission characteristic information with sample characteristic information of a preset abnormal sample.
And the determining unit 306 is configured to determine that the flow data has an abnormal script when there is sample feature information that is successfully matched with the transmission feature information, and generate a log file corresponding to the abnormal script.
In one embodiment, the abnormality detection device may further include:
a building unit, configured to build a tree structure, where the tree structure includes at least one layer of storage space;
a loading unit, configured to obtain sample characteristic information of a preset abnormal sample and load the sample characteristic information into a storage space of the tree structure.
In an embodiment, the matching unit 305 may specifically be configured to: and matching the transmission characteristic information with sample characteristic information of a preset abnormal sample of the storage space in the tree structure based on a preset hierarchical sequence.
The determining unit 306 may specifically be configured to: and when sample characteristic information successfully matched with the flow characteristic information exists in the storage space in the tree structure, determining that the flow data has an abnormal script.
In an embodiment, the parsing unit 303 may specifically be configured to: extracting a preset character string from the flow data; when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, the flow data is analyzed according to the protocol format of the target protocol, and the flow information is obtained.
In one embodiment, the abnormality detection device may further include:
the first display unit is used for displaying a configuration interface, and the configuration interface comprises an information input area and a confirmation control;
the response unit is used for receiving the configuration information of the network port input in the information input area, responding to the triggering operation aiming at the confirmation control and storing the configuration information of the network port into the configuration file; or, in response to a selection operation input in the information input area, displaying an information list, selecting configuration information of the network port from the information list, and storing the configuration information of the network port in a configuration file. The first acquisition unit 301 may specifically be configured to: configuration information of the network port is extracted from the configuration file.
In one embodiment, the abnormality detection device may further include:
the generating unit is used for generating alarm information corresponding to the abnormal script of the flow data based on the log file;
and the output unit is used for outputting alarm information.
In an embodiment, the output unit may specifically be configured to: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and displaying alarm information in the information display area in response to the selection operation for the display control.
In the embodiment of the application, the first acquiring unit 301 can acquire the configuration information of the network port of the preset network card, and the second acquiring unit 302 acquires, based on the configuration information, the flow data generated by script operation through the network port; the flow data may then be parsed by the parsing unit 303 to obtain flow information, and the transmission characteristic information of the flow data may be extracted from the flow information by the extracting unit 304. At this time, the matching unit 305 may match the transmission characteristic information with the sample characteristic information of a preset abnormal sample, and when sample characteristic information successfully matched with the transmission characteristic information exists, the determining unit 306 may determine that the flow data has an abnormal script and generate a log file corresponding to the abnormal script of the flow data. According to the scheme, the flow data is accurately obtained through the configuration information, and whether an abnormal script exists is rapidly determined from the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of abnormality detection are improved.
The embodiment of the application also provides a computer device, as shown in fig. 13, which is a schematic structural diagram of the computer device according to the embodiment of the application, specifically:
the computer device may include one or more processors 401 having one or more processing cores, a memory 402 comprising one or more computer-readable storage media, a power supply 403, an input unit 404, and other components. Those skilled in the art will appreciate that the computer device structure shown in FIG. 13 does not limit the computer device, which may include more or fewer components than shown, combine certain components, or arrange the components differently. Wherein:
the processor 401 is a control center of the computer device, connects various parts of the entire computer device using various interfaces and lines, and performs various functions of the computer device and processes data by running or executing software programs and/or modules stored in the memory 402, and calling data stored in the memory 402, thereby performing overall monitoring of the computer device. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, etc., and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The computer device further comprises a power supply 403 for supplying power to the various components, preferably the power supply 403 may be logically connected to the processor 401 by a power management system, so that functions of charge, discharge, and power consumption management may be performed by the power management system. The power supply 403 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The computer device may also include an input unit 404, which input unit 404 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 401 in the computer device loads executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions as follows:
acquiring configuration information of a network port of a preset network card; acquiring flow data generated by the network port based on script operation based on configuration information; analyzing the flow data to obtain flow information; extracting transmission characteristic information of flow data from the flow information; matching the transmission characteristic information with sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, determining that the flow data has an abnormal script, and generating a log file corresponding to the abnormal script of the flow data.
In an embodiment, the processor 401 may be configured to perform: constructing a tree structure, wherein the tree structure comprises at least one layer of storage space; sample characteristic information of a preset abnormal sample is obtained, and the sample characteristic information is loaded into a storage space of a tree structure.
In an embodiment, when the transmission characteristic information is matched with the sample characteristic information of the preset abnormal sample, and when the sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that the abnormal script exists in the flow data, the processor 401 may be configured to execute: based on a predetermined hierarchical sequence, matching the transmission characteristic information with sample characteristic information of a preset abnormal sample of a storage space in the tree structure; and when sample characteristic information successfully matched with the flow characteristic information exists in the storage space in the tree structure, determining that the flow data has an abnormal script.
In one embodiment, when parsing the traffic data to obtain traffic information, the processor 401 may be configured to perform: extracting a preset character string from the flow data; when the transmission protocol of the flow data is determined to be the target protocol based on the preset character string, the flow data is analyzed according to the protocol format of the target protocol, and the flow information is obtained.
In an embodiment, the processor 401 may be configured to perform: displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control; receiving configuration information of a network port input in an information input area, responding to triggering operation aiming at a confirmation control, and storing the configuration information of the network port into a configuration file; or, in response to the selection operation input in the information input area, displaying an information list, selecting configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file; upon acquiring configuration information of a network port of a preset network card, the processor 401 may be configured to perform: configuration information of the network port is extracted from the configuration file.
In an embodiment, the processor 401 may be configured to perform: generating alarm information corresponding to the abnormal script of the flow data based on the log file; and outputting alarm information.
In one embodiment, in outputting the alert information, the processor 401 may be configured to perform: displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control; and displaying alarm information in the information display area in response to the selection operation for the display control.
In the foregoing embodiments, each embodiment has its own focus, and the portions of an embodiment that are not described in detail may be understood from the detailed description of the anomaly detection method above, which is not repeated herein.
The embodiment of the application can acquire the configuration information of the network port of the preset network card, and acquire, based on the configuration information, the flow data generated by script operation through the network port; the flow data is then analyzed to obtain flow information, and the transmission characteristic information of the flow data is extracted from the flow information. At this time, the transmission characteristic information can be matched with the sample characteristic information of a preset abnormal sample; when sample characteristic information successfully matched with the transmission characteristic information exists, it is determined that an abnormal script exists in the flow data, and a log file corresponding to the abnormal script of the flow data is generated. According to the scheme, the flow data is accurately obtained through the configuration information, and whether an abnormal script exists is rapidly determined from the matching result of the transmission characteristic information of the flow data and the sample characteristic information of the preset abnormal sample, so that the accuracy and timeliness of abnormality detection are improved.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the methods provided in the various alternative implementations of the above embodiments.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by computer instructions, or by control of associated hardware, which may be stored in a computer readable storage medium and loaded and executed by a processor. To this end, an embodiment of the present application provides a storage medium in which a computer program is stored, where the computer program may include computer instructions that can be loaded by a processor to perform any of the anomaly detection methods provided by the embodiments of the present application.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
The storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), a magnetic or optical disk, and the like.
Since the instructions stored in the storage medium may perform the steps of any of the anomaly detection methods provided in the embodiments of the present application, they can achieve the beneficial effects of any of those methods; these effects are detailed in the previous embodiments and are not described herein.
The foregoing describes in detail a method, apparatus, computer device and storage medium for detecting anomalies provided by the embodiments of the present application. Specific examples have been used to illustrate the principles and embodiments of the present application, and the above description of the embodiments is only intended to help understand the method and core ideas of the present application; at the same time, since those skilled in the art will make variations in the specific embodiments and the scope of application in light of the ideas of the present application, the present description should not be construed as limiting the present application.

Claims (8)

1. An abnormality detection method, comprising:
acquiring configuration information of a network port of a preset network card, wherein the configuration information comprises at least one of network card information, port information and a strategy for acquiring flow data;
acquiring flow data generated by script operation of the network port based on the configuration information, wherein the flow data comprises flow data generated by north-south flow or east-west flow;
extracting a preset character string from the flow data, and determining a transmission protocol of the flow data as a target protocol based on the preset character string, wherein the preset character string is used for identifying a protocol of data transmission, and the target protocol comprises at least one of a hypertext transmission protocol, a transmission control protocol and a user datagram protocol;
analyzing the flow data according to the protocol format of the target protocol to obtain flow information;
extracting transmission characteristic information of the flow data from the flow information, wherein the transmission characteristic information comprises at least one of a transmission function of the flow data and a data coding or decoding mode;
performing multimode matching on the transmission characteristic information and sample characteristic information of a preset abnormal sample stored in at least one layer of storage space of a tree structure based on a preset hierarchical sequence through a multimode matching algorithm;
when sample characteristic information successfully matched with the transmission characteristic information exists in the storage space in the tree structure, determining that the flow data has an abnormal script, and generating a log file corresponding to the abnormal script.
2. The abnormality detection method according to claim 1, characterized in that the abnormality detection method further comprises:
building a tree structure, the tree structure comprising at least one layer of storage space;
sample characteristic information of a preset abnormal sample is obtained, and the sample characteristic information is loaded into a storage space of the tree structure.
3. The abnormality detection method according to claim 1, characterized in that the abnormality detection method further comprises:
displaying a configuration interface, wherein the configuration interface comprises an information input area and a confirmation control;
receiving configuration information of the network port input in the information input area, and in response to a triggering operation for the confirmation control, storing the configuration information of the network port into a configuration file; or,
responding to the selection operation input in the information input area, displaying an information list, selecting the configuration information of the network port from the information list, and storing the configuration information of the network port into a configuration file;
the obtaining the configuration information of the network port of the preset network card includes: and extracting the configuration information of the network port from the configuration file.
4. The abnormality detection method according to any one of claims 1 to 3, characterized in that the abnormality detection method further comprises:
generating alarm information corresponding to the abnormal script of the flow data based on the log file;
and outputting the alarm information.
5. The abnormality detection method according to claim 4, characterized in that said outputting the alarm information includes:
displaying a monitoring interface, wherein the monitoring interface comprises an information display area and a display control;
and in response to a selection operation for the display control, displaying the alarm information in the information display area.
6. An abnormality detection apparatus, comprising:
a first acquisition unit, configured to obtain configuration information of a network port of a preset network card, the configuration information comprising at least one of network card information, port information and a policy for capturing traffic data;
a second acquisition unit, configured to obtain, based on the configuration information, traffic data generated by script execution on the network port, the traffic data comprising north-south traffic or east-west traffic;
an analysis unit, configured to extract a preset character string from the traffic data and, based on that string, determine the transmission protocol of the traffic data as a target protocol, wherein the preset character string identifies the protocol used for data transmission and the target protocol comprises at least one of the Hypertext Transfer Protocol, the Transmission Control Protocol and the User Datagram Protocol; and to parse the traffic data according to the protocol format of the target protocol to obtain traffic information;
an extraction unit, configured to extract transmission characteristic information of the traffic data from the traffic information, the transmission characteristic information comprising at least one of a transmission function of the traffic data and a data encoding or decoding manner;
a matching unit, configured to perform, by means of a multi-pattern matching algorithm and in a preset hierarchical order, multi-pattern matching of the transmission characteristic information against sample characteristic information of preset abnormal samples stored in at least one storage layer of a tree structure;
and a determining unit, configured to determine that the traffic data contains an abnormal script when sample characteristic information matching the transmission characteristic information exists in a storage layer of the tree structure, and to generate a log file for the abnormal script of the traffic data.
7. A computer device comprising a processor and a memory, the memory storing a computer program, wherein the processor performs the abnormality detection method of any one of claims 1 to 5 when it invokes the computer program in the memory.
8. A storage medium storing a computer program which, when loaded by a processor, performs the abnormality detection method of any one of claims 1 to 5.
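The units of claim 6 describe a detection pipeline rather than a single algorithm: identify the protocol from a marker string, parse the traffic by that protocol's format, pull out the transmission characteristics (which functions are being invoked and how the payload is encoded), and multi-pattern match those characteristics against a layered tree of sample features, logging a hit as an abnormal script. The Python below is an added worked example, not the patent's own code or Tencent's implementation: it walks one captured HTTP request through each of those steps. The Aho-Corasick matcher stands in for the unnamed "multi-pattern matching algorithm", the three-layer tree (protocol, encoding manner, function strings), the signature set, the helper names and the three sample requests are all assumptions constructed for the example, and only HTTP is parsed (the claim also lists TCP and UDP as target protocols).

```python
"""Added example, not the patent's code: the claim-6 pipeline in miniature.
Protocol by preset marker string -> HTTP parsed by its format -> transmission
characteristics (encoding manner, decoded text) -> multi-pattern match, layer
by layer, against a tree of sample features -> log record on a hit.
Traffic samples, signatures and the tree layout are constructed for this example."""
import base64
from collections import deque
from urllib.parse import parse_qs, unquote_plus, urlencode

PROTOCOL_MARKERS = {b"HTTP/1.": "http"}          # preset string -> target protocol
SAMPLE_TREE = {"http": {"plain": ["eval(", "system(", "passthru("],   # protocol ->
                        "url": ["eval(", "system(", "passthru("],     # encoding ->
                        "base64": ["eval(", "system("]}}              # functions

class AhoCorasick:
    """Multi-pattern matcher: trie plus failure links, one pass over the text."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for p in patterns:
            node = 0
            for ch in p:
                if ch not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[node][ch] = len(self.goto) - 1
                node = self.goto[node][ch]
            self.out[node].append(p)
        queue = deque(self.goto[0].values())      # depth-1 nodes already fail to root
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        node, hits = 0, set()
        for ch in text:
            while node and ch not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(ch, 0)
            hits.update(self.out[node])
        return hits

MATCHERS = {proto: {enc: AhoCorasick(p) for enc, p in layer.items()}   # one matcher
            for proto, layer in SAMPLE_TREE.items()}                    # per tree leaf

def identify_protocol(raw: bytes):
    """Target protocol from a preset character string, as the claim describes."""
    return next((p for m, p in PROTOCOL_MARKERS.items() if m in raw), None)

def parse_http(raw: bytes):
    """Split an HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    return {"method": method, "path": path, "headers": headers, "body": body}

def extract_features(info):
    """Transmission characteristics: one decoded text per encoding manner."""
    body = info["body"].decode("latin-1")
    views = {"plain": body}
    if "x-www-form-urlencoded" in info["headers"].get("content-type", ""):
        views["url"] = unquote_plus(body)
        decoded = []
        for v in sum(parse_qs(body).values(), []):
            try:
                decoded.append(base64.b64decode(v, validate=True).decode("latin-1"))
            except ValueError:
                pass                              # not base64; other views still apply
        if decoded:
            views["base64"] = "\n".join(decoded)
    return views

def match_tree(protocol, views):
    """Walk the tree in its preset order: protocol layer, encoding layer, leaves."""
    layer = MATCHERS.get(protocol, {})
    hits = {enc: sorted(layer[enc].search(text))
            for enc, text in views.items() if enc in layer}
    return {enc: sigs for enc, sigs in hits.items() if sigs}

def detect(raw: bytes, direction="north-south"):
    """One captured request in, a log record (or None when clean) out."""
    proto = identify_protocol(raw)
    if proto != "http":
        return None                               # TCP/UDP payloads not parsed here
    info = parse_http(raw)
    hits = match_tree(proto, extract_features(info))
    return {"verdict": "abnormal_script", "direction": direction, "protocol": proto,
            "method": info["method"], "path": info["path"], "hits": hits} if hits else None

# Constructed samples: benign login, URL-encoded webshell call, base64-wrapped call.
def _post(path, body):
    return (f"POST {path} HTTP/1.1\r\nHost: app.example\r\nContent-Type: "
            f"application/x-www-form-urlencoded\r\nContent-Length: {len(body)}"
            f"\r\n\r\n{body}").encode()

BENIGN = _post("/login", urlencode({"user": "alice", "pass": "s3cret"}))
PLAIN_WS = _post("/upload/img.php", urlencode({"cmd": "system('id');"}))
B64_WS = _post("/upload/img.php", urlencode({"c": base64.b64encode(b"eval($_POST['x']);").decode()}))
```

Calling `detect(BENIGN)` returns `None`, while `detect(PLAIN_WS)` reports a hit on the `url` layer and `detect(B64_WS)` a hit on the `base64` layer; the `plain` layer never fires for either, which is the practical reason the claim lists the encoding or decoding manner among the transmission characteristics: a signature matched only against the raw bytes misses a one-line webshell as soon as its operator percent- or base64-encodes the command. The returned dict is the "log file" of claim 6; rendering it as the alarm text of claims 4 and 5 is a formatting step left to the reader.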
CN202011237341.2A 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium Active CN114465741B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011237341.2A CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011237341.2A CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114465741A CN114465741A (en) 2022-05-10
CN114465741B true CN114465741B (en) 2023-09-26

Family

ID=81403793

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011237341.2A Active CN114465741B (en) 2020-11-09 2020-11-09 Abnormality detection method, abnormality detection device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114465741B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116170352A (en) * 2023-02-01 2023-05-26 北京首都在线科技股份有限公司 Network traffic processing method and device, electronic equipment and storage medium
CN116366346B (en) * 2023-04-04 2024-03-22 中国华能集团有限公司北京招标分公司 DNS traffic reduction method

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547207A (en) * 2009-05-07 2009-09-30 杭州迪普科技有限公司 Protocol identification control method and equipment based on application behaviour patterns
CN102567419A (en) * 2010-12-31 2012-07-11 中国银联股份有限公司 Mass data storage device and method based on a tree structure
CN103188112A (en) * 2011-12-28 2013-07-03 阿里巴巴集团控股有限公司 Network traffic detection method and network traffic detection device
CN105812196A (en) * 2014-12-30 2016-07-27 中国移动通信集团公司 WebShell detection method and electronic device
CN106453438A (en) * 2016-12-23 2017-02-22 北京奇虎科技有限公司 Network attack identification method and apparatus
CN107294982A (en) * 2017-06-29 2017-10-24 深信服科技股份有限公司 Web page backdoor detection method, device and computer-readable storage medium
CN107634931A (en) * 2016-07-18 2018-01-26 深圳市深信服电子科技有限公司 Abnormal data processing method, cloud server, gateway and terminal
CN107689940A (en) * 2016-08-04 2018-02-13 深圳市深信服电子科技有限公司 WebShell detection method and device
CN108040036A (en) * 2017-11-22 2018-05-15 江苏翼企云通信科技有限公司 Industrial cloud Webshell security protection method
CN108206802A (en) * 2016-12-16 2018-06-26 华为技术有限公司 Method and apparatus for detecting web page backdoors
CN109309591A (en) * 2018-10-31 2019-02-05 掌阅科技股份有限公司 Traffic data statistics method, electronic device and storage medium
CN109450842A (en) * 2018-09-06 2019-03-08 南京聚铭网络科技有限公司 Neural-network-based method for identifying malicious network behaviour
CN109495521A (en) * 2019-01-18 2019-03-19 新华三信息安全技术有限公司 Abnormal traffic detection method and device
CN109525558A (en) * 2018-10-22 2019-03-26 深信服科技股份有限公司 Data leakage detection method, system, device and storage medium
CN110096872A (en) * 2018-01-30 2019-08-06 中国移动通信有限公司研究院 Detection method and server for web intrusion script attack tools
CN110855661A (en) * 2019-11-11 2020-02-28 杭州安恒信息技术股份有限公司 WebShell detection method, device, equipment and medium
CN110868431A (en) * 2019-12-24 2020-03-06 华北电力大学 Network traffic anomaly detection method
CN111884876A (en) * 2020-07-22 2020-11-03 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for detecting the protocol type of a network protocol

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6592196B2 (en) * 2016-06-16 2019-10-16 日本電信電話株式会社 Malicious event detection apparatus, malicious event detection method, and malicious event detection program

Also Published As

Publication number Publication date
CN114465741A (en) 2022-05-10

Similar Documents

Publication Publication Date Title
CN110855676B (en) Network attack processing method and device and storage medium
CN108183916B (en) Network attack detection method and device based on log analysis
US9208309B2 (en) Dynamically scanning a web application through use of web traffic information
CN110020062B (en) Customizable web crawler method and system
CN110083391A (en) Call request monitoring method, device, equipment and storage medium
CN112073437B (en) Multi-dimensional security threat event analysis method, device, equipment and storage medium
CN114465741B (en) Abnormality detection method, abnormality detection device, computer equipment and storage medium
CN111885007B (en) Information tracing method, device, system and storage medium
CN113810408B (en) Network attack organization detection method, device, equipment and readable storage medium
CN114528457A (en) Web fingerprint detection method and related equipment
CN111787030A (en) Network security inspection method, device, equipment and storage medium
CN107168844B (en) Performance monitoring method and device
CN108234431A Background login behaviour detection method and detection server
CN112333171B (en) Service data processing method and device and computer equipment
CN113704569A (en) Information processing method and device and electronic equipment
CN111818030A (en) Rapid positioning processing method and system for malicious domain name request terminal
CN110457900B (en) Website monitoring method, device and equipment and readable storage medium
CN110442582B (en) Scene detection method, device, equipment and medium
CN111177722A (en) Webshell file detection method and device, server and storage medium
CN113778709B (en) Interface calling method, device, server and storage medium
CN115827379A (en) Abnormal process detection method, device, equipment and medium
CN113079157A (en) Method and device for acquiring network attacker position and electronic equipment
CN110557465A (en) method and device for acquiring IP address of user side
CN111475783A (en) Data detection method, system and equipment
CN114285618B (en) Network threat detection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant