CN114465816A - Detection method and device for password spray attack, computer equipment and storage medium - Google Patents

Info

Publication number
CN114465816A
Authority
CN
China
Prior art keywords
login
accounts
password
target system
attack
Prior art date
Legal status
Pending
Application number
CN202210263997.4A
Other languages
Chinese (zh)
Inventor
王立帅
魏兴
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202210263997.4A
Publication of CN114465816A
Legal status: Pending

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416  Event detection, e.g. attack signature detection

Abstract

The application relates to a method and a device for detecting a password spraying attack, a computer device, a storage medium and a computer program product. It belongs to the field of information security and can be used in financial technology or other related fields. The method comprises: acquiring login data of a target system; determining login characteristics of the target system from the login data; and, if the login characteristics of the target system satisfy a preset abnormal condition, determining that a password spraying attack has occurred against the target system. Because the decision is based on login characteristics derived from the login data rather than on the source IP address, the method can detect a password spraying attack promptly and accurately even when the attacking IP address changes continuously.

Description

Detection method and device for password spray attack, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a password spray attack, a computer device, and a storage medium.
Background
With the rapid development of the internet, the security of internet account login systems has become an increasingly serious problem. Because repeated password guessing against the same user causes that account to be locked, attackers have adopted password spraying, an attack mode that targets an account login system while avoiding account lockout. Password spraying is a form of automated password attack: a single password is tried against all (or many) users of the login system, so each account receives only one attempt per password and the lockout threshold is never reached, while the attacker's probability of compromising at least one account rises with the number of accounts tried. To ensure the security of the accounts that log in to the system, this attack mode needs to be detected.
In the related art, because a password spraying attack has typically been launched against the login system from a single IP address (Internet Protocol address), detection has generally consisted of checking whether the login attempts originate from the same IP address. As attack techniques have developed, however, password spraying attackers no longer launch the attack from one IP address; once the attacking IP address is rotated at random, IP-based detection can no longer identify the password spraying attack.
Disclosure of Invention
In view of the above, there is a need for a method, an apparatus, a computer device, a computer-readable storage medium and a computer program product for detecting a password spraying attack that can detect the attack promptly.
In a first aspect, the application provides a method for detecting a password spraying attack. The method comprises the following steps:
acquiring login data of a target system, wherein the login data comprises a first number of accounts that sent login requests and the login characteristics of those accounts;
screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy a preset detection condition;
determining an attack probability value for the target system according to the number of target accounts; and
if the attack probability value is greater than or equal to a preset detection threshold, determining that a password spraying attack has occurred against the target system.
In one embodiment, the login characteristics include geographic location information of each account;
screening the first number of accounts according to the login characteristics of each account and determining the number of target accounts that satisfy the preset detection condition comprises:
screening the first number of accounts that sent login requests according to the geographic location information of each account, and determining the number of target accounts that share the same geographic location information.
In one embodiment, determining the attack probability value for the target system according to the number of target accounts comprises: taking the ratio of the number of target accounts to the first number as the attack probability value for the target system.
In one embodiment, the login characteristics include password level information of each account and the login result of each account;
screening the first number of accounts according to the login characteristics of each account and determining the number of target accounts that satisfy the preset detection condition comprises:
screening the first number of accounts according to the login result of each account, and determining a third number of accounts whose login result is login failure; and
screening the third number of accounts whose login result is login failure according to the password level information of each account, and determining a fourth number of accounts whose password level information satisfies a preset weak password condition, wherein the number of target accounts comprises the third number and the fourth number.
In one embodiment, determining the attack probability value for the target system according to the number of target accounts comprises:
taking the ratio of the fourth number to the third number as the attack probability value for the target system.
In one embodiment, the login characteristics further include the password content of each account;
screening the first number of accounts according to the login characteristics of each account and determining the number of target accounts that satisfy the preset detection condition comprises:
screening the first number of accounts according to the login result of each account, and determining a third number of accounts whose login result is login failure; and
screening the third number of accounts whose login result is login failure according to the password content of each account, and determining a fifth number of accounts that have the same password content, wherein the number of target accounts comprises the third number and the fifth number.
In one embodiment, determining the attack probability value for the target system according to the number of target accounts comprises:
taking the ratio of the fifth number to the third number as the attack probability value for the target system.
In one embodiment, the login data further comprises log information of the target system;
if the attack probability value is greater than or equal to the preset detection threshold, determining that a password spraying attack has occurred against the target system comprises:
when the attack probability value is greater than or equal to the preset detection threshold, searching the log information of the target system for the login request data packet and the login page request data packet; and
if the login request data packet is found but the login page request data packet is not found, determining that a password spraying attack has occurred against the target system.
In one embodiment, before the step of determining that a password spraying attack has occurred against the target system if the attack probability value is greater than or equal to the preset detection threshold, the method further comprises:
determining, according to the acquisition time of the login data of the target system, the preset detection threshold corresponding to that acquisition time and to the login characteristics.
In a second aspect, the application further provides an apparatus for detecting a password spraying attack. The apparatus comprises:
an acquisition module, configured to acquire login data of a target system, wherein the login data comprises a first number of accounts that sent login requests and the login characteristics of those accounts;
a screening module, configured to screen the first number of accounts according to the login characteristics of each account and determine the number of target accounts that satisfy a preset detection condition;
a computing module, configured to determine an attack probability value for the target system according to the number of target accounts; and
a determining module, configured to determine that a password spraying attack has occurred against the target system if the attack probability value is greater than or equal to a preset detection threshold.
In one embodiment, the login characteristics include geographic location information of each account;
the screening module is specifically configured to: screen the first number of accounts that sent login requests according to the geographic location information of each account, and determine the number of target accounts that share the same geographic location information.
In one embodiment, the computing module is specifically configured to: take the ratio of the number of target accounts to the first number as the attack probability value for the target system.
In one embodiment, the login characteristics include password level information of each account and the login result of each account;
the screening module is specifically configured to: screen the first number of accounts according to the login result of each account, and determine a third number of accounts whose login result is login failure; and screen the third number of accounts whose login result is login failure according to the password level information of each account, and determine a fourth number of accounts whose password level information satisfies a preset weak password condition, wherein the number of target accounts comprises the third number and the fourth number.
In one embodiment, the computing module is specifically configured to:
take the ratio of the fourth number to the third number as the attack probability value for the target system.
In one embodiment, the login characteristics further include the password content of each account;
the screening module is specifically configured to: screen the first number of accounts according to the login result of each account, and determine a third number of accounts whose login result is login failure; and
screen the third number of accounts whose login result is login failure according to the password content of each account, and determine a fifth number of accounts that have the same password content, wherein the number of target accounts comprises the third number and the fifth number.
In one embodiment, the computing module is specifically configured to:
take the ratio of the fifth number to the third number as the attack probability value for the target system.
In one embodiment, the login data further comprises log information of the target system;
the computing module is further specifically configured to: when the attack probability value is greater than or equal to the preset detection threshold, search the log information of the target system for the login request data packet and the login page request data packet; and
if the login request data packet is found but the login page request data packet is not found, determine that a password spraying attack has occurred against the target system.
In one embodiment, before the step of determining that a password spraying attack has occurred against the target system if the attack probability value is greater than or equal to the preset detection threshold, the apparatus further comprises:
a preset detection threshold determining module, configured to determine, according to the acquisition time of the login data of the target system, the preset detection threshold corresponding to that acquisition time and to the login characteristics.
In a third aspect, the present application further provides a computer device. The computer device comprises a memory storing a computer program and a processor that, when executing the computer program, implements the following steps: acquiring login data of a target system, wherein the login data comprises a first number of accounts that sent login requests and the login characteristics of those accounts; screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy a preset detection condition; determining an attack probability value for the target system according to the number of target accounts; and if the attack probability value is greater than or equal to a preset detection threshold, determining that a password spraying attack has occurred against the target system.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, performs the following steps: acquiring login data of a target system, wherein the login data comprises a first number of accounts that sent login requests and the login characteristics of those accounts; screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy a preset detection condition; determining an attack probability value for the target system according to the number of target accounts; and if the attack probability value is greater than or equal to a preset detection threshold, determining that a password spraying attack has occurred against the target system.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, performs the following steps: acquiring login data of a target system, wherein the login data comprises a first number of accounts that sent login requests and the login characteristics of those accounts; screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy a preset detection condition; determining an attack probability value for the target system according to the number of target accounts; and if the attack probability value is greater than or equal to a preset detection threshold, determining that a password spraying attack has occurred against the target system.
In the above method for detecting a password spraying attack, login data of a target system is acquired; the login characteristics of the target system are determined from the login data; and if the login characteristics of the target system satisfy a preset abnormal condition, it is determined that a password spraying attack has occurred against the target system. Because the decision relies on login characteristics derived from the login data rather than on the source IP address, the method detects a password spraying attack promptly and accurately even when the attacking IP address changes continuously.
Drawings
FIG. 1 is a schematic flow chart of a method for detecting a password spraying attack in one embodiment;
FIG. 2 is a flow chart of the steps for determining the fourth number in one embodiment;
FIG. 3 is a flow chart of the steps for determining the fifth number in one embodiment;
FIG. 4 is a flow chart of the steps for searching for the login request data packet in one embodiment;
FIG. 5 is a block diagram of the structure of an apparatus for detecting a password spraying attack in one embodiment;
FIG. 6 is a diagram of the internal structure of a computer device in one embodiment.
Detailed Description
To make the objectives, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit it.
In one embodiment, as shown in FIG. 1, a method for detecting a password spraying attack is provided. This embodiment is described with the method applied to a terminal; it should be understood that the method may also be applied to a server, or to a system comprising a terminal and a server and implemented through interaction between them. The terminal may be, but is not limited to, a personal computer, a notebook computer, a smartphone, a tablet computer, an Internet of Things device or a portable wearable device; the Internet of Things device may be a smart speaker, a smart television, a smart air conditioner, a smart in-vehicle device or the like; the portable wearable device may be a smart watch, a smart bracelet, a head-mounted device or the like; and the server may be implemented as an independent server or as a server cluster composed of a plurality of servers. In this embodiment, the method for detecting a password spraying attack comprises the following steps:
Step 102: acquire login data of a target system.
The target system may be any system that supports login. The login data includes a first number of accounts that sent login requests, and further includes the login characteristics of those accounts; the login requests are sent to the target system by the accounts.
Specifically, when it is necessary to detect whether a password spraying attack has occurred against the target system, the terminal may collect, in real time and within a preset time range, from the login log of the target system, the accounts that sent login requests to the target system and the login characteristics of each account at the time its login request was sent. The terminal may then count the accounts that sent login requests to the target system to obtain the first number.
Step 104: screen the first number of accounts according to the login characteristics of each account, and determine the number of target accounts that satisfy a preset detection condition.
The terminal may select, among multiple types of preset detection conditions, the preset detection condition that corresponds to the type of login characteristic collected for the accounts.
Specifically, among the first number of accounts that sent login requests to the target system, the terminal screens the accounts according to their login characteristics, determines the target accounts that satisfy the preset detection condition, and counts them to obtain the number of target accounts that satisfy the preset detection condition.
Step 106: determine an attack probability value for the target system according to the number of target accounts.
The attack probability value for the target system is the probability that a password spraying attack is occurring against the target system: the higher the attack probability value, the more likely it is that the target system is under a password spraying attack.
Specifically, the terminal may compute the real-time attack probability value of the target system from the counted number of target accounts and the first number of accounts that sent login requests.
Step 108: if the attack probability value is greater than or equal to a preset detection threshold, determine that a password spraying attack has occurred against the target system.
The preset detection threshold corresponds to the login characteristic collected by the terminal. When the login characteristic is geographic location information, the threshold may be a proportion of accounts sharing the same geographic location information; when the login characteristic is password content, the threshold may be a proportion of accounts tried with the same password content.
Specifically, the terminal compares the attack probability value computed in real time with the preset detection threshold corresponding to the login characteristic. If the attack probability value is greater than or equal to the preset detection threshold, the terminal may determine that a password spraying attack has occurred against the target system.
In one example, if the terminal determines that the attack probability value is less than the preset detection threshold, the terminal may determine that no password spraying attack is occurring against the target system at that time.
In the above method for detecting a password spraying attack, login data of the target system is acquired; the login characteristics of the target system are determined from the login data; and if the login characteristics of the target system satisfy the preset abnormal condition, it is determined that a password spraying attack has occurred against the target system. Because the decision relies on login characteristics derived from the login data rather than on the source IP address, the method detects a password spraying attack promptly and accurately even when the attacking IP address changes continuously.
In one embodiment, the login characteristics include geographic location information of each account.
Correspondingly, the specific process of "screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy the preset detection condition" in step 104 comprises:
screening the first number of accounts according to the geographic location information of each account, and determining the number of target accounts that share the same geographic location information.
Specifically, the first number of accounts that sent login requests are the accounts that attempted to log in to the target system. The terminal obtains the first number of accounts that sent login requests to the target system together with their login characteristics, where the login characteristics include the geographic location information of each account at the time it sent its login request. The terminal partitions the first number of accounts according to their geographic location information, placing accounts with the same geographic location information in the same account set, and obtains a plurality of initial account sets.
The terminal then counts the accounts in each initial account set, takes the initial account set containing the most accounts as the set of target accounts, and takes the number of accounts in that set as the number of target accounts.
In one embodiment, the specific process of "determining the attack probability value for the target system according to the number of target accounts" in step 106 comprises:
taking the ratio of the number of target accounts to the first number as the attack probability value for the target system.
Specifically, the terminal may take the ratio of the number of accounts sharing the same geographic location to the first number of accounts that sent login requests as the attack probability value of the target system.
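The geographic-location embodiment above, steps 102 through 108 carried through end to end, as an added example that is not code from the patent or from ICBC: constructed login records for one collection window are parsed, the first number is counted, accounts are partitioned by location, and the largest set divided by the first number is compared with the threshold. The comma-separated log format, the city-level location strings, the account names and the threshold of 0.6 are assumptions of this example.

```python
"""Password-spraying detection by geographic location (added example, not the patent's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRecord:
    account: str
    geo: str      # geographic location of the client (assumed: a city-level string)
    result: str   # "success" or "failure"


# Constructed sample of one collection window in an assumed "account,geo,result" format.
SAMPLE_LOGIN_LOG = """\
alice,Beijing,failure
bob,Beijing,failure
carol,Beijing,failure
dave,Shanghai,success
erin,Beijing,failure
frank,Beijing,failure
grace,Guangzhou,success
heidi,Beijing,failure
ivan,Shenzhen,success
judy,Beijing,failure
"""


def parse_login_log(text):
    """Parse the assumed comma-separated login log into LoginRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, geo, result = (field.strip() for field in line.split(",", 2))
        records.append(LoginRecord(account, geo, result))
    return records


def first_number(records):
    """Step 102: the first number is the count of distinct accounts that sent a login request."""
    return len({r.account for r in records})


def largest_geo_group(records):
    """Step 104: partition accounts by location and return (location, number of accounts)
    for the largest initial account set; that set is the set of target accounts."""
    accounts_by_geo = {}
    for r in records:
        # Count distinct accounts rather than requests, so one account retrying from the
        # same place does not inflate its set.
        accounts_by_geo.setdefault(r.geo, set()).add(r.account)
    if not accounts_by_geo:
        return None, 0
    geo, accounts = max(accounts_by_geo.items(), key=lambda item: len(item[1]))
    return geo, len(accounts)


def geo_attack_probability(records):
    """Step 106: number of target accounts divided by the first number."""
    n1 = first_number(records)
    if n1 == 0:
        return 0.0
    _, n_target = largest_geo_group(records)
    return n_target / n1


def detect_spray_by_geo(records, threshold):
    """Step 108: compare the attack probability value with the preset detection threshold.
    Returns (attack detected, attack probability value, dominant location)."""
    prob = geo_attack_probability(records)
    geo, _ = largest_geo_group(records)
    return prob >= threshold, prob, geo


if __name__ == "__main__":
    window = parse_login_log(SAMPLE_LOGIN_LOG)
    print(detect_spray_by_geo(window, threshold=0.6))
```

Because a region that legitimately dominates a system's user base also yields a high ratio, the threshold has to be calibrated per system and per collection time, which is what the description's acquisition-time-dependent threshold provides for; restricting the grouping to failed logins, as the other embodiments do, lowers false positives further.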
In one embodiment, the login characteristics include password level information of each account and the login result of each account.
The password level information of each account may take one of several levels, for example a strong password level, a medium password level and a weak password level. The login result of each account is either login success or login failure.
Correspondingly, as shown in FIG. 2, the specific process of "screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy the preset detection condition" in step 104 comprises:
Step 202: screen the first number of accounts according to the login result of each account, and determine a third number of accounts whose login result is login failure.
Specifically, the terminal screens the first number of accounts that sent login requests according to the login result of each account. The screening may proceed as follows: the terminal discards the accounts whose login result is login success, retains the accounts whose login result is login failure, and counts the retained accounts to obtain the third number.
Step 204: screen the third number of accounts whose login result is login failure according to the password level information of each account, and determine a fourth number of accounts whose password level information satisfies a preset weak password condition, wherein the number of target accounts comprises the third number and the fourth number.
Specifically, an account whose password level information satisfies the preset weak password condition may be an account whose password level is the weak password level. The terminal screens the third number of accounts whose login result is login failure as follows: it retains the accounts whose password level information is the weak password level, discards the accounts whose password level information is not the weak password level, and counts the retained accounts to obtain the fourth number.
In this embodiment, the password spraying attack can be detected promptly and accurately through this login characteristic.
In one embodiment, the specific process of "determining the attack probability value for the target system according to the number of target accounts" in step 106 comprises:
taking the ratio of the fourth number to the third number as the attack probability value for the target system.
Specifically, the terminal may take the ratio of the number of accounts whose login result is login failure and whose password strength level is weak (the fourth number) to the number of accounts whose login result is login failure (the third number) as the attack probability value of the target system.
In one embodiment, the login characteristics further include the password content of each account.
Correspondingly, as shown in FIG. 3, the specific process of "screening the first number of accounts according to the login characteristics of each account, and determining the number of target accounts that satisfy the preset detection condition" in step 104 comprises:
Step 302: screen the first number of accounts according to the login result of each account, and determine a third number of accounts whose login result is login failure.
Step 304: screen the third number of accounts whose login result is login failure according to the password content of each account, and determine a fifth number of accounts that have the same password content, wherein the number of target accounts comprises the third number and the fifth number.
Specifically, from the first number of accounts that sent login requests, the terminal discards the accounts whose login result is login success, retains the accounts whose login result is login failure, and counts the retained accounts to obtain the third number.
The terminal then screens the third number of accounts whose login result is login failure as follows: it groups the accounts by password content, discarding accounts whose password content matches no other account and retaining the accounts that share password content, which yields a plurality of account sets each with identical password content; the account set containing the most accounts is taken as the target account set, and the number of accounts in it is the fifth number.
In one embodiment, the specific process of "determining the attack probability value for the target system according to the number of target accounts" in step 106 comprises:
taking the ratio of the fifth number to the third number as the attack probability value for the target system.
Specifically, the terminal may take the ratio of the number of accounts whose login result is login failure and which share the same password content (the fifth number) to the number of accounts whose login result is login failure (the third number) as the attack probability value of the target system.
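The two failed-login embodiments above (fourth number over third number from steps 202 and 204, fifth number over third number from steps 302 and 304), as an added example that is not code from the patent or from ICBC. The per-account password level table, the attempted passwords, the login results and the two thresholds are constructed; grouping attempted passwords by a keyed HMAC-SHA-256 digest instead of by plaintext is a design choice of this example, so that the detector can tell equal attempts apart from unequal ones without retaining the passwords it sees.

```python
"""Password-spraying detection among failed logins (added example, not the patent's code):
weak-password share (fourth number / third number) and same-password share
(fifth number / third number)."""
import hashlib
import hmac

# Constructed: strength class of each account's real password, assumed to be recorded by
# the target system at registration or password change (the "password level information").
ACCOUNT_PASSWORD_LEVEL = {
    "alice": "weak", "bob": "weak", "carol": "medium", "dave": "strong",
    "erin": "weak", "frank": "weak", "grace": "strong", "heidi": "weak",
}

# Constructed attempts in one window: (account, attempted password, login result).
SAMPLE_ATTEMPTS = [
    ("alice", "Spring2024!", "failure"),
    ("bob", "Spring2024!", "failure"),
    ("carol", "Spring2024!", "failure"),
    ("dave", "correct horse battery", "success"),
    ("erin", "Spring2024!", "failure"),
    ("frank", "Spring2024!", "failure"),
    ("grace", "Spring2024!", "failure"),
    ("heidi", "hunter2", "failure"),
]

# Assumed: a secret held only by the detector. Attempted passwords are compared through a
# keyed digest so that equal attempts group together while no plaintext is kept.
DETECTOR_KEY = b"replace-with-a-random-key"


def password_digest(password, key=DETECTOR_KEY):
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def failed_accounts(attempts):
    """Steps 202 / 302: the third number is the set of accounts whose login result is failure."""
    return {account for account, _, result in attempts if result == "failure"}


def weak_password_ratio(attempts, levels):
    """Step 204: fourth number / third number, the share of failed accounts whose
    password level is weak."""
    failed = failed_accounts(attempts)
    if not failed:
        return 0.0
    weak = {account for account in failed if levels.get(account) == "weak"}
    return len(weak) / len(failed)


def same_password_ratio(attempts):
    """Step 304: fifth number / third number, the share of failed accounts that were all
    tried with one and the same password (the largest set of equal attempted passwords)."""
    failed = failed_accounts(attempts)
    if not failed:
        return 0.0
    accounts_by_digest = {}
    for account, password, result in attempts:
        if result == "failure":
            accounts_by_digest.setdefault(password_digest(password), set()).add(account)
    fifth_number = max(len(accounts) for accounts in accounts_by_digest.values())
    return fifth_number / len(failed)


def detect_spray(attempts, levels, weak_threshold, same_password_threshold):
    """Step 108 for both features: each ratio is compared with its own preset threshold."""
    weak = weak_password_ratio(attempts, levels)
    same = same_password_ratio(attempts)
    return {
        "third_number": len(failed_accounts(attempts)),
        "weak_ratio": weak,
        "same_password_ratio": same,
        "attack": weak >= weak_threshold or same >= same_password_threshold,
    }


if __name__ == "__main__":
    print(detect_spray(SAMPLE_ATTEMPTS, ACCOUNT_PASSWORD_LEVEL, 0.6, 0.5))
```

The same-password ratio is the most direct signature of spraying, since one password tried against many accounts is the definition of the attack; the weak-password ratio depends on the target system already holding a strength class for every stored password, and a practitioner would treat it as a supporting signal rather than a decisive one.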
In one embodiment, the login data further comprises log information of the target system.
As shown in fig. 4, the specific processing procedure of "determining that the target system has a password spraying attack if the attack probability value is greater than or equal to a preset detection threshold" includes:
Step 402, when the attack probability value is greater than or equal to the preset detection threshold, searching for the login request data packet and the login page request data packet according to the log information of the target system.
Specifically, when the attack probability value is greater than or equal to the preset detection threshold, the terminal may check the integrity of the login request packet of each account included in the login data. The specific query process is as follows: the terminal searches the log information of the target system for the login request data packet and the login page request data packet of each account.
Step 404, if the login request data packet is found but the login page request data packet cannot be found, determining that the target system is under a password spraying attack.
Specifically, the terminal needs to check the integrity of each account's login request data packet. Under normal login conditions, the user first sends a login page request data packet and only then sends a login request data packet. During a password spraying attack, an attacker can send a login request data packet directly to the target system with a packet-sending tool, so the terminal can extract the login log information corresponding to different IP addresses from the server of the target system, and if it determines that a login request data packet exists but no login page request data packet exists, it can determine that the target system is under a password spraying attack.
In one embodiment, before the step of determining that the target system has a password spray attack if the attack probability value is greater than or equal to a preset detection threshold, the method further comprises:
and determining a preset detection threshold corresponding to the acquisition time and the login characteristics according to the acquisition time of the login data of the target system.
In one possible implementation, the login characteristics may include the geographical location information, password level information, login result and password content information of each account. The terminal can thus determine the login characteristics of each account by collecting login data and then calculate the initial attack probability value corresponding to each login characteristic separately. It can then combine the initial attack probability values of the various login characteristics by weighted calculation to obtain a target attack probability value, and when the target attack probability value is greater than or equal to the preset detection threshold, the target system is determined to be under a password spraying attack.
In a possible implementation manner, a specific implementation process of the detection method for the password spray attack may be:
Step 1: the target system starts operating; the terminal collects the login log of the target system, derives login data from the login log, and stores the login characteristic information contained in the login data in a preset database. The login characteristics may include the IP address information of each login account, geographical location information, and the password information (password content information and password level information) used at login.
Step 2: the terminal first calculates the IP address repetition rate from the IP address information of each account contained in the collected login data. The IP address repetition rate is the probability that different accounts log in using the same IP address. If the terminal detects that the probability that all current accounts use the same IP address is greater than or equal to the preset detection threshold, the target system is determined to be under a password spraying attack; if that probability is smaller than the preset detection threshold, step 3 is executed.
Specifically, the terminal may obtain login data for a historical time period in advance, calculate the maximum daily probability that accounts log in to the system from the same IP address, and use that maximum as the detection threshold. When detecting a password spraying attack, the terminal calculates, from the login data collected in real time, the probability that logins to the target system come from the same IP address, and if this probability is greater than the detection threshold, the target system is determined to be under a password spraying attack. The probability that the address information is the same can be calculated by the following formula:
(The formula is given as an image in the original and is not reproduced here.)
Step 3: the terminal first calculates the repetition rate of the geographical location information from the geographical location information of each account contained in the collected login data. The geographical location repetition rate is the probability that different accounts are located in the same geographical location. If the terminal detects that the repetition rate of the geographical locations of all current accounts is greater than or equal to the preset detection threshold, the target system is determined to be under a password spraying attack; if that repetition rate is smaller than the preset detection threshold, step 4 is executed.
Specifically, the terminal may obtain login data for a historical time period in advance, calculate the maximum daily probability that accounts log in to the system from the same geographical location, and use that maximum as the detection threshold. When detecting a password spraying attack, the terminal calculates, from the login data collected in real time, the probability that the address location information is the same, and if this probability is greater than the detection threshold, the target system is determined to be under a password spraying attack. The probability that the address location information is the same can be calculated by the following formula:
(The formula is given as an image in the original and is not reproduced here.)
Step 4: the terminal determines, from the acquired login data, the probability that the password of an account whose login failed is a weak password. Specifically, the terminal detects the probability that different accounts used a weak password when their password login failed. To ensure the accuracy of the selected data, login data for a historical time period (such as the previous six months) is obtained in advance, the daily probability that different accounts used a weak password when their login failed is calculated, and that value is used as the detection threshold. When the target system needs to be checked, if the probability value calculated by the terminal for different accounts failing to log in while using a weak password is greater than or equal to the detection threshold, the target system is determined to be under a password spraying attack. The weak password probability under login failure of different accounts can be calculated by the following formula:
(The formula is given as an image in the original and is not reproduced here.)
Step 5: using the obtained probability that accounts whose login failed used the same password, if the probability that all currently failed login accounts used the same password is detected to be greater than the threshold, the system is considered to be under a password spraying attack and the process ends. If it is less than or equal to the threshold, step 6 is executed.
Specifically, according to the detection time, the terminal can obtain login data for a historical time period before the detection time (such as the previous six months), that is, the terminal collects in real time all samples in the range from the current time back to six months earlier. The calculation method is: first obtain all accounts whose login failed, record all passwords used when those accounts failed to log in, and take the highest probability of identical passwords as the threshold; in the daily detection process, if the calculated probability that the passwords used for login are identical when different accounts fail to log in within a unit time exceeds the threshold, the target system is determined to be under a password spraying attack. The probability of identical passwords under login failure of different accounts can be calculated by the following formula:
(The formula is given as an image in the original and is not reproduced here.)
Step 6: obtaining the login access data packets corresponding to each IP address; if, for the login requests sent from an IP address, only login request data packets are present and no login page request data packet is present, the terminal can determine that the target system is under a password spraying attack.
Specifically, the terminal needs to check the integrity of the login request data packets. Under normal login conditions, the user must first request the login page and then send the login request data packet, whereas an attacker performing a password spraying attack generally sends login request data packets directly with a packet-sending tool. Therefore, the terminal can extract the log information corresponding to different IP addresses from the server log, and if the login requests corresponding to a target IP address consist only of login request data packets without any login page request data packet, the terminal can determine that the target system is under a password spraying attack.
The password spraying attack detection method provided by the embodiments of the invention addresses the difficulty that an attacker who tries a specific password against all users at the same time is not easy to discover; it detects password spraying attacks using several login characteristics considered within the same time period, such as IP geographical location information, password information, login failure rate and password repetition rate.
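As an added example, not the patent's own code, the following Python runs the staged checks of steps 2 to 6 above (and the fifth-to-third ratio of step 304) over constructed login records. The record schema, the two-day history used to derive the thresholds, and the replacement of raw password content by a keyed one-way password fingerprint are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence

@dataclass(frozen=True)
class LoginRecord:
    """One login attempt as the detector sees it (constructed schema, not the patent's)."""
    account: str
    ip: str
    geo: str              # coarse location resolved from the IP
    success: bool
    weak_password: bool   # "password level" flag from the password-policy checker
    pw_fingerprint: str   # keyed one-way fingerprint of the attempted password (assumed; never plaintext)
    page_requested: bool  # a login-page request preceded this login request (from web-server logs)

def repetition_rate(values: Iterable[str]) -> float:
    """Share of records in the single largest group sharing one value: the
    patent's 'probability that different accounts use the same X'."""
    counts = Counter(values)
    total = sum(counts.values())
    return counts.most_common(1)[0][1] / total if total else 0.0

def failed_logins(records: Sequence[LoginRecord]) -> List[LoginRecord]:
    """The 'third number' set: accounts whose login result is a failure."""
    return [r for r in records if not r.success]

def ip_repetition(records: Sequence[LoginRecord]) -> float:  # step 2
    return repetition_rate(r.ip for r in records)

def geo_repetition(records: Sequence[LoginRecord]) -> float:  # step 3
    return repetition_rate(r.geo for r in records)

def weak_password_rate(records: Sequence[LoginRecord]) -> float:  # step 4: fourth / third
    failed = failed_logins(records)
    return sum(r.weak_password for r in failed) / len(failed) if failed else 0.0

def same_password_rate(records: Sequence[LoginRecord]) -> float:  # step 5 and step 304: fifth / third
    return repetition_rate(r.pw_fingerprint for r in failed_logins(records))

STAGES = [("ip", ip_repetition), ("geo", geo_repetition),
          ("weak_password", weak_password_rate), ("same_password", same_password_rate)]

def thresholds_from_history(daily_batches: Sequence[Sequence[LoginRecord]]) -> Dict[str, float]:
    """Per-stage threshold = the highest value the stage reached on any day of the
    historical window (the patent uses about six months; two days here for brevity)."""
    return {name: max(fn(day) for day in daily_batches) for name, fn in STAGES}

def detect_spray(records: Sequence[LoginRecord], thresholds: Dict[str, float]) -> Optional[str]:
    """Run stages 2-6 in order; return the stage that flagged the batch, or None
    when every rate stays below its threshold and all packets look complete."""
    for name, fn in STAGES:
        value, limit = fn(records), thresholds[name]
        # steps 2-4 trigger at >= threshold; step 5 only strictly above it
        flagged = value > limit if name == "same_password" else value >= limit
        if flagged:
            return name
    # step 6: a login request that was not preceded by a login-page request
    if any(not r.page_requested for r in records):
        return "packet_integrity"
    return None

def rec(account, ip, geo, success, weak=False, fp=None, page=True) -> LoginRecord:
    """Constructed record; the default fingerprint is unique per account and IP."""
    return LoginRecord(account, ip, geo, success, weak, fp or f"fp_{account}_{ip}", page)

# Constructed two-day history of ordinary traffic from which the thresholds are derived.
HISTORY = [
    [rec("alice", "10.0.0.1", "Beijing", True), rec("bob", "10.0.0.2", "Shanghai", False, weak=True),
     rec("carol", "10.0.0.3", "Beijing", True), rec("dave", "10.0.0.4", "Shenzhen", False)],
    [rec("alice", "10.0.0.1", "Beijing", True), rec("bob", "10.0.0.2", "Shanghai", True),
     rec("carol", "10.0.0.5", "Beijing", False), rec("erin", "10.0.0.6", "Guangzhou", False),
     rec("frank", "10.0.0.7", "Beijing", False, weak=True)],
]
THRESHOLDS = thresholds_from_history(HISTORY)  # ip 0.25, geo 0.6, weak_password 0.5, same_password 0.5

# Constructed batches for one detection window.
NORMAL = [rec("alice", "10.0.0.1", "Beijing", True), rec("bob", "10.0.0.2", "Shanghai", True),
          rec("carol", "10.0.0.3", "Shenzhen", True), rec("dave", "10.0.0.4", "Guangzhou", True),
          rec("erin", "10.0.0.5", "Chongqing", True)]
# One source IP tries a single password against eight accounts: caught at step 2.
SINGLE_SOURCE = NORMAL + [rec(f"user{i}", "203.0.113.9", "Unknown", False, fp="fp_spray", page=False)
                          for i in range(8)]
# Rotating IPs and locations but one shared password: steps 2-4 stay quiet, step 5 catches it.
CITIES = ["Chengdu", "Wuhan", "Hangzhou", "Nanjing", "Xian", "Tianjin"]
ROTATING = NORMAL + [rec(f"user{i}", f"198.51.100.{i}", CITIES[i], False, fp="fp_spray", page=False)
                     for i in range(6)]
# Two attempts with different passwords: every rate stays at or below its threshold and
# only the missing login-page request (step 6) gives the batch away.
LOW_VOLUME = NORMAL + [rec("user0", "198.51.100.20", "Chengdu", False, page=False),
                       rec("user1", "198.51.100.21", "Wuhan", False, page=False)]

if __name__ == "__main__":
    for label, batch in [("normal", NORMAL), ("single_source", SINGLE_SOURCE),
                         ("rotating", ROTATING), ("low_volume", LOW_VOLUME)]:
        print(f"{label:14s} verdict={detect_spray(batch, THRESHOLDS)}")
```

With a two-day history the thresholds are coarse; in practice they would be the maxima over a window of the length the text gives (such as six months), recomputed as the window moves.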
It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the application also provides a detection device for the password spraying attack, which is used for realizing the detection method for the password spraying attack. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so that specific limitations in the embodiment of the detection device for one or more password spray attacks provided below can be referred to the limitations of the detection method for the password spray attacks, and details are not repeated here.
In one embodiment, as shown in fig. 5, there is provided a detection apparatus 500 for password spray attack, including: an obtaining module 501, a screening module 502, a calculating module 503 and a determining module 504, wherein:
an obtaining module 501, configured to obtain login data of a target system, where the login data includes a first number of accounts and login characteristics of each account;
a screening module 502, configured to screen the first number of accounts according to the login characteristics of each account, and determine the number of target accounts meeting preset detection conditions;
a calculating module 503, configured to determine an attack probability value corresponding to the target system according to the number of the target account numbers;
a determining module 504, configured to determine that the target system has a password spraying attack if the attack probability value is greater than or equal to a preset detection threshold.
In one embodiment, the login feature includes geographic location information of each account;
the screening module is specifically configured to: and screening a first number of accounts sending login requests according to the geographical position information of each account, and determining the number of target accounts with the same geographical position information.
In one embodiment, the calculation module is specifically configured to: and taking the ratio of the number of the target account numbers to the first number as an attack probability value corresponding to the target system.
In one embodiment, the login characteristics include password level information of each account and a login result of each account;
the screening module is specifically configured to: screening the accounts of the first number according to the login result of each account, and determining that the login result is a third number of accounts which fail to login; and screening a third number of accounts with login failure results according to the password level information of each account, and determining a fourth number of accounts with password level information meeting a preset weak password condition, wherein the number of the target accounts comprises the third number and the fourth number.
In one embodiment, the calculation module is specifically configured to:
and taking the ratio of the fourth quantity to the third quantity as the attack probability value corresponding to the target system.
In one embodiment, the login feature further includes password content of each account;
the screening module is specifically configured to: screening the accounts of the first number according to the login result of each account, and determining that the login result is a third number of accounts which fail to login;
and screening the third number of accounts whose login result is a login failure according to the password content of each account, and determining a fifth number of accounts that have the same password content, wherein the number of target accounts comprises the third number and the fifth number.
In one embodiment, the calculation module is specifically configured to:
and taking the ratio of the fifth quantity to the third quantity as an attack probability value corresponding to the target system.
In one embodiment, the login data further comprises log information of the target system;
the calculation module is further specifically configured to: under the condition that the attack probability value is greater than or equal to a preset detection threshold value, searching a login request data packet and a login page request data packet according to the log information of the target system;
and if the login request data packet is found and the login page request data packet cannot be found, determining that the target system has password spraying attack.
In one embodiment, before the step of determining that the target system has a password spray attack if the attack probability value is greater than or equal to a preset detection threshold, the apparatus further includes:
and the preset detection threshold value determining module is used for determining a preset detection threshold value corresponding to the acquisition time and the login characteristics according to the acquisition time of the login data of the target system.
All or part of each module in the detection device for the password spray attack can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing detection data related to password spray attacks. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by the processor to implement a method of detecting a password spray attack.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It should be noted that the method and apparatus in the embodiments of the present disclosure may be used in the technical field of artificial intelligence, and may be used in the field of financial technology or other related fields.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (13)

1. A method for detecting a password spray attack, the method comprising:
acquiring login data of a target system, wherein the login data comprises a first number of accounts sending login requests to the target system and login characteristics of the accounts;
screening the accounts of the first number according to the login characteristics of the accounts, and determining the number of target accounts meeting preset detection conditions;
determining an attack probability value corresponding to the target system according to the number of the target account numbers;
and if the attack probability value is greater than or equal to a preset detection threshold value, determining that the target system has password spraying attack.
2. The method of claim 1, wherein the login characteristics include geographic location information for the respective account number;
screening the accounts of the first number according to the login characteristics of the accounts to determine the number of target accounts meeting preset detection conditions, wherein the screening comprises the following steps:
screening the accounts of the first number according to the geographic position information of each account, and determining the number of target accounts with the same geographic position information.
3. The method of claim 2, wherein the determining the attack probability value corresponding to the target system according to the number of the target account numbers comprises:
and taking the ratio of the number of the target account numbers to the first number as an attack probability value corresponding to the target system.
4. The method according to claim 1, wherein the login characteristics include password level information of each account and login results of each account;
screening the accounts of the first number according to the login characteristics of the accounts to determine the number of target accounts meeting preset detection conditions, wherein the screening comprises the following steps:
screening the accounts of the first number according to the login result of each account, and determining that the login result is a third number of accounts which fail to login;
and screening a third number of accounts with login failure results according to the password level information of each account, and determining a fourth number of accounts with password level information meeting a preset weak password condition, wherein the number of the target accounts comprises the third number and the fourth number.
5. The method of claim 4, wherein the determining the attack probability value corresponding to the target system according to the number of the target account numbers comprises:
and taking the ratio of the fourth quantity to the third quantity as the attack probability value corresponding to the target system.
6. The method of claim 4, wherein the login characteristics further include password content of the respective account;
screening the accounts of the first number according to the login characteristics of the accounts to determine the number of target accounts meeting preset detection conditions, wherein the screening comprises the following steps:
screening the accounts of the first number according to the login result of each account, and determining that the login result is a third number of accounts which fail to login;
and screening the third number of accounts whose login result is a login failure according to the password content of each account, and determining a fifth number of accounts that have the same password content, wherein the number of target accounts comprises the third number and the fifth number.
7. The method of claim 6, wherein the determining the attack probability value corresponding to the target system according to the number of the target account numbers comprises:
and taking the ratio of the fifth quantity to the third quantity as an attack probability value corresponding to the target system.
8. The method of any of claims 1-7, wherein the login data further comprises log information for the target system;
if the attack probability value is greater than or equal to a preset detection threshold value, determining that the target system has password spraying attack, including:
under the condition that the attack probability value is greater than or equal to a preset detection threshold value, searching a login request data packet and a login page request data packet according to the log information of the target system;
and if the login request data packet is found and the login page request data packet cannot be found, determining that the target system has password spraying attack.
9. The method of any one of claims 1-7, wherein prior to the step of determining that the target system has a password spray attack if the attack probability value is greater than or equal to a preset detection threshold, the method further comprises:
and determining a preset detection threshold corresponding to the acquisition time and the login characteristics according to the acquisition time of the login data of the target system.
10. A device for detecting a password spray attack, the device comprising:
the system comprises an acquisition module, a storage module and a processing module, wherein the acquisition module is used for acquiring login data of a target system, and the login data comprises a first number of accounts and login characteristics of the accounts;
the screening module is used for screening the accounts of the first number according to the login characteristics of the accounts and determining the number of target accounts meeting preset detection conditions;
the computing module is used for determining an attack probability value corresponding to the target system according to the number of the target account numbers;
and the determining module is used for determining that the target system generates password spraying attack if the attack probability value is greater than or equal to a preset detection threshold value.
11. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of any one of claims 1 to 9 when executing the computer program.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 9.
13. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 9 when executed by a processor.
CN202210263997.4A 2022-03-17 2022-03-17 Detection method and device for password spray attack, computer equipment and storage medium Pending CN114465816A (en)

Publications (1)

Publication Number Publication Date
CN114465816A true CN114465816A (en) 2022-05-10

Family

ID=81418035

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210263997.4A Pending CN114465816A (en) 2022-03-17 2022-03-17 Detection method and device for password spray attack, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114465816A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001832A (en) * 2022-06-10 2022-09-02 阿里云计算有限公司 Method and device for preventing password attack and electronic equipment

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104954350A (en) * 2014-03-31 2015-09-30 腾讯科技(深圳)有限公司 Account information protection method and system thereof
US20180091530A1 (en) * 2016-09-28 2018-03-29 Sony Interactive Entertainment America Llc Addressing inside-enterprise hack attempts
US20180176238A1 (en) * 2016-12-15 2018-06-21 Sap Se Using frequency analysis in enterprise threat detection to detect intrusions in a computer system
US20190190934A1 (en) * 2017-12-19 2019-06-20 T-Mobile Usa, Inc. Mitigating against malicious login attempts
CN111787050A (en) * 2020-05-15 2020-10-16 华南师范大学 Method, system and device for analyzing login abnormal behavior
CN111835782A (en) * 2020-07-21 2020-10-27 山石网科通信技术股份有限公司 Login protection method and device for network equipment, storage medium and processor
US20210090816A1 (en) * 2017-08-31 2021-03-25 Barracuda Networks, Inc. System and method for email account takeover detection and remediation utilizing ai models
US20210152571A1 (en) * 2019-11-20 2021-05-20 Citrix Systems, Inc. Systems and methods for detecting security incidents
US20210243207A1 (en) * 2020-02-05 2021-08-05 International Business Machines Corporation Detection of and defense against password spraying attacks
US20210288981A1 (en) * 2020-03-14 2021-09-16 Microsoft Technology Licensing, Llc Identity attack detection and blocking

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115001832A (en) * 2022-06-10 2022-09-02 阿里云计算有限公司 Method and device for preventing password attack and electronic equipment
CN115001832B (en) * 2022-06-10 2024-02-20 阿里云计算有限公司 Method and device for preventing password attack and electronic equipment

Similar Documents

Publication Publication Date Title
US11025674B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US11601475B2 (en) Rating organization cybersecurity using active and passive external reconnaissance
CN107211016B (en) Session security partitioning and application profiler
US11245716B2 (en) Composing and applying security monitoring rules to a target environment
US20160019388A1 (en) Event correlation based on confidence factor
CN108932426B (en) Unauthorized vulnerability detection method and device
US11095671B2 (en) DNS misuse detection through attribute cardinality tracking
US9300684B2 (en) Methods and systems for statistical aberrant behavior detection of time-series data
CA2934627C (en) Communications security
US9197657B2 (en) Internet protocol address distribution summary
US20210281609A1 (en) Rating organization cybersecurity using probe-based network reconnaissance techniques
US10560364B1 (en) Detecting network anomalies using node scoring
JP2019523584A (en) Network attack prevention system and method
CN112073444B (en) Data set processing method and device and server
CN110430212A (en) The Internet of Things of multivariate data fusion threatens cognitive method and system
CN113711559A (en) System and method for detecting anomalies
CN114465816A (en) Detection method and device for password spray attack, computer equipment and storage medium
US9560027B1 (en) User authentication
CN114826727A (en) Flow data acquisition method and device, computer equipment and storage medium
CN110493224B (en) Sub-domain name hijacking vulnerability detection method, device and equipment
US10362062B1 (en) System and method for evaluating security entities in a computing environment
Zage et al. Robust decentralized virtual coordinate systems in adversarial environments
CN108521449B (en) Remote backup method and system for operation records of network equipment
CN116094847B (en) Honeypot identification method, honeypot identification device, computer equipment and storage medium
US20220247750A1 (en) Evaluating access requests using assigned common actor identifiers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination