CN114629707A - Method and device for detecting messy codes, electronic equipment and storage medium - Google Patents
Method and device for detecting messy codes, electronic equipment and storage medium Download PDFInfo
- Publication number
- CN114629707A CN114629707A CN202210259508.8A CN202210259508A CN114629707A CN 114629707 A CN114629707 A CN 114629707A CN 202210259508 A CN202210259508 A CN 202210259508A CN 114629707 A CN114629707 A CN 114629707A
- Authority
- CN
- China
- Prior art keywords
- detected
- data content
- readable
- messy
- code detection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 44
- 238000001514 detection method Methods 0.000 claims abstract description 122
- 238000004590 computer program Methods 0.000 claims description 10
- 238000010586 diagram Methods 0.000 description 6
- 230000001360 synchronised effect Effects 0.000 description 6
- 230000003287 optical effect Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 230000003993 interaction Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000004044 response Effects 0.000 description 1
- 230000011218 segmentation Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/34—Encoding or coding, e.g. Huffman coding or error correction
Abstract
The application discloses a method and a device for detecting messy codes, an electronic device and a computer readable storage medium, wherein the method comprises the following steps: acquiring the content of data to be detected in the flow to be detected; carrying out readable character statistics of a target coding format on data content to be detected; and carrying out messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result. The messy code detection method provided by the application distinguishes readable characters from unreadable characters of data content to be detected in flow to be detected, can determine the messy codes in the data content to be detected by utilizing the proportion and the uniformity degree of the readable characters, can accurately confirm the specific positions of the messy codes in the flow to be detected, can avoid the influence of the messy codes in the flow to be detected on attack detection when being applied to an attack detection scene, and reduces false attack reports caused by the messy codes contained in the flow to be detected.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting a scrambling code, an electronic device, and a computer-readable storage medium.
Background
With the development of the internet era, the number of network devices also increases, and various environments are different among different devices, so that the frequency of messy codes is higher and higher due to the non-uniformity. Scrambling means that the computer system cannot display the correct character but other meaningless characters or spaces. The messy codes as unreadable characters can affect the rule matching in the attack detection, and the mistake report of the attack can be caused by the messy codes, so that the attack detection result is greatly affected by the occurrence of the visible messy codes. The method for detecting a scrambled code in the related art is performed based on conversion of a code, and is to reduce the occurrence of the scrambled code, that is, convert the scrambled code into a non-scrambled code, and is not suitable for the detection of the scrambled code in attack detection.
Therefore, how to implement the scrambling code detection in the attack detection scenario is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a method and a device for detecting a messy code, an electronic device and a computer readable storage medium, which realize the messy code detection in an attack detection scene.
In order to achieve the above object, the present application provides a method for detecting a scrambling code, including:
acquiring the content of data to be detected in the flow to be detected;
carrying out readable character statistics of a target coding format on the data content to be detected;
and performing messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
The method for detecting the messy codes according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result comprises the following steps:
judging whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value or not;
if so, judging that the data content to be detected is a non-messy code;
and if not, carrying out messy code detection based on the uniformity degree of the readable characters in the data content to be detected.
The messy code detection based on the uniformity degree of the readable characters in the data content to be detected comprises the following steps:
segmenting the content to be detected based on unreadable characters in the data content to be detected to obtain a plurality of readable character strings;
calculating the average length of the readable character strings according to the total number of the readable characters in the data content to be detected and the total number of the readable character strings;
calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
judging that the distribution value is greater than or equal to a second preset value;
if so, judging that the data content to be detected is a non-messy code;
and if not, carrying out messy code detection based on the maximum readable character string length in the data content to be detected.
The method for detecting the messy codes based on the maximum readable character string length in the data content to be detected comprises the following steps:
judging that the length of the maximum readable character string in the data content to be detected is larger than or equal to a third preset value;
if so, judging that the data content to be detected is a non-messy code;
if not, the data content to be detected is judged to be a messy code.
Wherein, the data content to be detected in the flow to be detected is obtained, including:
and acquiring the data content to be detected, wherein the HTTP protocol type in the traffic to be detected is larger than or equal to a fourth preset value in length.
Wherein the target encoding format comprises a UTF-8 encoding format.
Wherein, still include:
carrying out attack detection on the flow to be detected to obtain an attack detection result;
and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected.
In order to achieve the above object, the present application provides a scrambling code detecting apparatus, including:
the acquisition module is used for acquiring the content of the data to be detected in the flow to be detected;
the statistical module is used for carrying out readable character statistics of a target coding format on the data content to be detected;
and the messy code detection module is used for carrying out messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
To achieve the above object, the present application provides an electronic device including:
a memory for storing a computer program;
and the processor is used for realizing the steps of the messy code detection method when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having a computer program stored thereon, which, when being executed by a processor, implements the steps of the above mentioned scrambling code detecting method.
According to the scheme, the method for detecting the messy codes comprises the following steps: acquiring the content of data to be detected in the flow to be detected; carrying out readable character statistics of a target coding format on the data content to be detected; and performing messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
The messy code detection method provided by the application can distinguish readable characters from unreadable characters of the to-be-detected data content in the to-be-detected flow, can determine the messy codes in the to-be-detected data content by utilizing the proportion and the uniformity degree of the readable characters, can accurately confirm the specific positions of the messy codes in the to-be-detected flow, can avoid the influence of the messy codes in the to-be-detected flow on attack detection by applying the messy code detection method to an attack detection scene, and reduces attack misinformation caused by the messy codes contained in the to-be-detected flow. The application also discloses a messy code detection device, an electronic device and a computer readable storage medium, which can also realize the technical effect.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts. The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
FIG. 1 is a flow diagram illustrating a method of garbled code detection in accordance with an exemplary embodiment;
FIG. 2 is a flow diagram illustrating another method of garbled code detection in accordance with an exemplary embodiment;
FIG. 3 is a block diagram illustrating a scrambling code detecting apparatus in accordance with an exemplary embodiment;
FIG. 4 is a block diagram illustrating an electronic device in accordance with an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. In addition, in the embodiments of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a particular order or sequence.
The embodiment of the application discloses a method for detecting a messy code, which realizes the messy code detection in an attack detection scene.
Referring to fig. 1, a flowchart of a method for detecting a garbled code according to an exemplary embodiment is shown, as shown in fig. 1, including:
s101: acquiring the content of data to be detected in the flow to be detected;
the purpose of this embodiment is to perform scrambling code detection on a flow to be detected, and in specific implementation, obtain data content to be detected in the flow to be detected. As a possible implementation, the present step includes: and acquiring the data content to be detected, wherein the data content to be detected has an HTTP (Hyper Text Transfer Protocol) Protocol type and a length greater than or equal to a fourth preset value in the flow to be detected. In the specific implementation, for the traffic to be detected, the log of the HTTP protocol type is matched, and the matched content is the body content of the request or the response. Further, length limitation is carried out on the data content to be detected, namely the data content to be detected with the matching length being greater than or equal to a fourth preset value in the flow to be detected. The specific numerical value of the fourth preset value is not limited, and a user can flexibly set the detection precision according to the requirement.
Therefore, only the data content to be detected with the HTTP protocol type and the length larger than or equal to the fourth preset value needs to be subjected to the subsequent detection step of the readable characters, other data content is directly judged to be non-messy codes, and the messy code detection efficiency is improved.
S102: carrying out readable character statistics of a target coding format on the data content to be detected;
in the step, readable characters in a target coding format are counted for the data content to be detected, and the definition range of the readable characters comprises English letters, numbers, punctuations, Chinese characters, Chinese punctuations and the like. The target encoding Format in this embodiment includes a UTF-8 (8-bit, Unicode Transformation Format-8) encoding Format, and the range of the UTF-8 encoding Format includes a chinese character encoding range: 4E00-9FA 5; letter, number, special character range: 20-7E.
S103: and performing messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
In specific implementation, the messy code detection is carried out according to the proportion and the uniformity degree of the readable characters in the data content to be detected, if the proportion of the readable characters in the data content to be detected is greater than or equal to a first preset value, or the non-uniformity degree is greater than or equal to a second preset value, the data content to be detected can be judged to be the messy code, otherwise, the data content to be detected is judged to be the messy code.
As a possible implementation, the present step includes: judging whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value or not; if so, judging that the data content to be detected is a non-messy code; and if not, carrying out messy code detection based on the uniformity degree of the readable characters in the data content to be detected. In specific implementation, a ratio between the total number of the readable characters in the data content to be detected and the total number of the readable characters in the data content to be detected is calculated, that is, a ratio of the readable characters in the data content to be detected, if the ratio of the readable characters is greater than or equal to a first preset value, the data content to be detected can be directly judged to be a non-messy code, otherwise, further detection needs to be performed based on the uniformity degree of the readable characters in the data content to be detected.
As a possible implementation manner, the performing scrambling code detection based on the uniformity degree of the readable characters in the data content to be detected includes: segmenting the content to be detected based on unreadable characters in the data content to be detected to obtain a plurality of readable character strings; calculating the average length of the readable character strings according to the total number of the readable characters in the data content to be detected and the total number of the readable character strings; calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string; judging that the distribution value is greater than or equal to a second preset value; if so, judging that the data content to be detected is a non-messy code; and if not, carrying out messy code detection based on the maximum readable character string length in the data content to be detected.
In the specific implementation, the characters in the data content to be detected are divided into readable characters and unreadable characters, and when the data content to be detected is readable or characters with readable meanings exist in the data content to be detected, the readable characters are continuously distributed on a certain position as a character string. Therefore, for the data content to be detected, firstly, a plurality of readable character strings can be obtained by splitting according to the unreadable characters. For example, the data content to be detected is "AaBbCc", wherein "a", "B" and "C" are readable characters, the rest are unreadable characters, and the segmentation result is { A, B, C }. Secondly, the length of each readable character string and the total number of the readable character strings are counted, and the ratio of the total number of the readable characters in the data content to be detected to the total number of the readable character strings, namely the average length of the readable character strings, is calculated. Then, calculating a distribution value F of the readable characters in the data content to be detected according to the average length F of the readable character strings and the length of each readable character string:
where x is the total number of readable strings and Xi is the length of the ith string.
Further, the distribution value of the readable characters in the data content to be detected is compared with a second preset value, if the distribution value is larger than the second preset value, it is indicated that the data content to be detected is non-uniformly distributed, the data content to be detected is judged to be non-messy codes, otherwise, it is indicated that the data content to be detected is uniformly distributed, and further detection needs to be performed based on the maximum readable character string length in the data content to be detected.
As a possible implementation manner, the performing scrambling code detection based on the maximum readable character string length in the data content to be detected includes: judging that the length of the maximum readable character string in the data content to be detected is greater than or equal to a third preset value; if so, judging that the data content to be detected is a non-messy code; if not, the data content to be detected is judged to be a messy code. It can be understood that, for the data content to be detected, only the readable character string with a certain length or more has a readable meaning, so the messy code detection is performed by counting the length of the maximum readable character string in the data content to be detected and comparing the length with the third preset value. Specifically, if the length of the maximum readable character string in the data content to be detected is greater than or equal to a third preset value, the data content to be detected is judged to be a non-messy code, otherwise, the data content to be detected is judged to be a messy code.
As a preferred embodiment, this embodiment further includes: carrying out attack detection on the flow to be detected to obtain an attack detection result; and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected. In specific implementation, the traffic to be detected is subjected to attack detection, and the embodiment does not limit a specific attack detection manner, for example, a rule matching manner may be adopted, and a final attack detection result is obtained comprehensively based on an attack detection result and a messy code detection result. For example, the messy codes in the flow to be detected can be removed based on the messy code detection result, and then the attack detection is carried out by adopting a rule matching mode, so that the influence of the messy codes on the rule matching is avoided, and the accuracy of the attack detection is improved. For another example, the result of performing attack detection on traffic to be detected by adopting a rule matching mode is as follows: the content to be detected in the flow to be detected is attack flow, but the messy code detection of the content to be detected is messy code, which indicates that the detection result of the content to be detected as the attack flow is false alarm caused by the messy code, the content to be detected is messy code instead of the attack flow, namely the final attack detection result of the flow to be detected is attack flow not contained, so that the false attack alarm caused by the messy code contained in the flow to be detected is avoided, and the accuracy of the attack detection is improved.
The messy code detection method provided by the embodiment of the application distinguishes the readable characters from the unreadable characters of the data content to be detected in the flow to be detected, can determine the messy codes in the data content to be detected by utilizing the proportion and the uniformity degree of the readable characters, can accurately confirm the specific positions of the messy codes in the flow to be detected, can avoid the influence of the messy codes in the flow to be detected on the attack detection by applying the messy code detection method to the attack detection scene, and reduces the false attack reports caused by the messy codes contained in the flow to be detected.
The embodiment of the application discloses a method for detecting a messy code, and compared with the previous embodiment, the embodiment further explains and optimizes the technical scheme. Specifically, the method comprises the following steps:
referring to fig. 2, a flowchart of another garbled code detection method according to an exemplary embodiment is shown, as shown in fig. 2, including:
s201: acquiring the data content to be detected, wherein the HTTP protocol type in the flow to be detected is larger than or equal to a fourth preset value;
in this embodiment, the data content to be detected, which is to be detected and has the HTTP protocol type and the length greater than or equal to the fourth preset value, is extracted, the subsequent step of detecting the readable character is performed, and other data content is directly determined to be the non-random code.
S202: carrying out readable character statistics of a target coding format on the data content to be detected;
s203: judging whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value or not; if yes, go to S209; if not, entering S204;
in specific implementation, the proportion of the readable characters in the data content to be detected is calculated, if the proportion of the readable characters is greater than or equal to a first preset value, the data content to be detected can be directly judged to be non-messy codes, and otherwise, further detection needs to be performed based on the uniformity degree of the readable characters in the data content to be detected.
S204: segmenting the content to be detected based on unreadable characters in the data content to be detected to obtain a plurality of readable character strings;
s205: calculating the average length of the readable character strings according to the total number of the readable characters in the data content to be detected and the total number of the readable character strings;
s206: calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
s207: judging that the distribution value is greater than or equal to a second preset value; if yes, go to S209; if not, the step S208 is entered;
in specific implementation, a distribution value of readable characters in the data content to be detected is calculated, if the distribution value is greater than a second preset value, the data content to be detected is judged to be non-messy codes, otherwise, the data content to be detected is uniformly distributed, and further detection needs to be performed based on the maximum readable character string length in the data content to be detected.
S208: judging that the length of the maximum readable character string in the data content to be detected is greater than or equal to a third preset value; if yes, go to S209; if not, entering S210;
s209: judging that the data content to be detected is a non-messy code;
s210: and judging that the data content to be detected is a messy code.
In specific implementation, the length of the maximum readable character string in the data content to be detected is counted, if the length of the maximum readable character string is greater than or equal to a third preset value, the data content to be detected is judged to be a non-messy code, and otherwise, the data content to be detected is judged to be a messy code.
In the following, a random code detection apparatus provided in an embodiment of the present application is introduced, and a random code detection apparatus described below and a random code detection method described above may be referred to each other.
Referring to fig. 3, a block diagram of a scrambling code detecting apparatus according to an exemplary embodiment is shown, as shown in fig. 3, including:
an obtaining module 301, configured to obtain content of data to be detected in a flow to be detected;
a counting module 302, configured to perform readable character counting in a target encoding format on the data content to be detected;
and the messy code detection module 303 is configured to perform messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected, so as to obtain a messy code detection result.
The messy code detection device provided by the embodiment of the application distinguishes readable characters from unreadable characters of data content to be detected in flow to be detected, can determine the messy codes in the data content to be detected by utilizing the proportion and the uniformity degree of the readable characters, can accurately confirm the specific positions of the messy codes in the flow to be detected, can avoid the influence of the messy codes in the flow to be detected on attack detection when being applied to an attack detection scene, and reduces false attack reports caused by the messy codes contained in the flow to be detected.
On the basis of the foregoing embodiment, as a preferred implementation manner, the scrambling code detecting module 303 includes:
the judging unit is used for judging whether the proportion of the readable characters in the data content to be detected is greater than or equal to a first preset value or not; if yes, starting the working process of the first judgment unit; if not, starting the working process of the first detection unit;
and the first detection unit is used for carrying out messy code detection based on the uniformity degree of the readable characters in the data content to be detected.
On the basis of the foregoing embodiment, as a preferred implementation manner, the first detection unit is specifically configured to: segmenting the content to be detected based on unreadable characters in the data content to be detected to obtain a plurality of readable character strings; calculating the average length of the readable character strings according to the total number of the readable characters in the data content to be detected and the total number of the readable character strings; calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string; judging that the distribution value is greater than or equal to a second preset value; if yes, starting the working process of the first judgment unit; if not, starting the working process of the second detection unit;
and the second detection unit is used for carrying out messy code detection based on the maximum readable character string length in the data content to be detected.
On the basis of the foregoing embodiment, as a preferred implementation manner, the second detection unit is specifically configured to: judging that the length of the maximum readable character string in the data content to be detected is greater than or equal to a third preset value; if yes, starting the working process of the first judgment unit; if not, starting the working process of the second judgment unit;
and the second judging unit is used for judging that the data content to be detected is a messy code.
On the basis of the foregoing embodiment, as a preferred implementation manner, the obtaining module 301 is specifically configured to: and acquiring the data content to be detected, wherein the HTTP protocol type in the traffic to be detected is larger than or equal to a fourth preset value in length.
On the basis of the above embodiment, as a preferred implementation, the target encoding format includes a UTF-8 encoding format.
On the basis of the above embodiment, as a preferred implementation, the method further includes:
and the attack detection module is used for carrying out attack detection on the flow to be detected to obtain an attack detection result, and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present application, an embodiment of the present application further provides an electronic device, and fig. 4 is a structural diagram of an electronic device according to an exemplary embodiment, as shown in fig. 4, the electronic device includes:
a communication interface 1 capable of information interaction with other devices such as network devices and the like;
and the processor 2 is connected with the communication interface 1 to realize information interaction with other equipment, and is used for executing the messy code detection method provided by one or more technical schemes when running a computer program. And the computer program is stored on the memory 3.
In practice, of course, the various components in the electronic device are coupled together by the bus system 4. It will be appreciated that the bus system 4 is used to enable connection communication between these components. The bus system 4 comprises, in addition to a data bus, a power bus, a control bus and a status signal bus. For the sake of clarity, however, the various buses are labeled as bus system 4 in fig. 4.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be either volatile memory or nonvolatile memory, and may include both volatile and nonvolatile memory. Among them, the nonvolatile Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a magnetic random access Memory (FRAM), a Flash Memory (Flash Memory), a magnetic surface Memory, an optical disk, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface storage may be disk storage or tape storage. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), Enhanced Synchronous Dynamic Random Access Memory (Enhanced DRAM), Synchronous Dynamic Random Access Memory (SLDRAM), Direct Memory (DRmb Access), and Random Access Memory (DRAM). The memory 3 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the embodiment of the present application may be applied to the processor 2, or may be implemented by the processor 2. The processor 2 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 2. The processor 2 described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the memory 3, and the processor 2 reads the program in the memory 3 and in combination with its hardware performs the steps of the aforementioned method.
When the processor 2 executes the program, the corresponding processes in the methods according to the embodiments of the present application are realized, and for brevity, are not described herein again.
In an exemplary embodiment, the present application further provides a storage medium, i.e. a computer storage medium, specifically a computer readable storage medium, for example, including a memory 3 storing a computer program, which can be executed by a processor 2 to implement the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or portions thereof that contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for enabling an electronic device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A method for detecting a scrambling code, comprising:
acquiring the content of data to be detected in the flow to be detected;
carrying out readable character statistics of a target coding format on the data content to be detected;
and performing messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
2. The method according to claim 1, wherein the garbled code detection is performed according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a garbled code detection result, and the method comprises the following steps:
judging whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value or not;
if so, judging that the data content to be detected is a non-messy code;
and if not, carrying out messy code detection based on the uniformity degree of the readable characters in the data content to be detected.
3. The scrambling code detecting method according to claim 2, wherein the scrambling code detection based on the uniformity degree of the readable characters in the data content to be detected comprises:
segmenting the content to be detected based on unreadable characters in the data content to be detected to obtain a plurality of readable character strings;
calculating the average length of the readable character strings according to the total number of the readable characters in the data content to be detected and the total number of the readable character strings;
calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
judging that the distribution value is greater than or equal to a second preset value;
if so, judging that the data content to be detected is a non-messy code;
and if not, carrying out messy code detection based on the maximum readable character string length in the data content to be detected.
4. The scrambling code detection method according to claim 3, wherein the scrambling code detection based on the maximum readable character string length in the data content to be detected comprises:
judging that the length of the maximum readable character string in the data content to be detected is greater than or equal to a third preset value;
if yes, judging that the data content to be detected is a non-random code;
if not, judging that the data content to be detected is a messy code.
5. The scrambling code detection method according to claim 1, wherein the obtaining of the data content to be detected in the flow to be detected comprises:
and acquiring the data content to be detected, wherein the HTTP protocol type in the traffic to be detected is larger than or equal to a fourth preset value in length.
6. The scrambling code detection method of claim 1, wherein the target encoding format comprises a UTF-8 encoding format.
7. The scrambling code detecting method according to claim 1, further comprising:
carrying out attack detection on the flow to be detected to obtain an attack detection result;
and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected.
8. A scrambling code detecting apparatus, comprising:
the acquisition module is used for acquiring the content of the data to be detected in the flow to be detected;
the statistical module is used for carrying out readable character statistics of a target coding format on the data content to be detected;
and the messy code detection module is used for carrying out messy code detection according to the proportion and the uniformity of the readable characters in the data content to be detected to obtain a messy code detection result.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the scrambling code detection method of any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method of detecting an illegal code according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210259508.8A CN114629707A (en) | 2022-03-16 | 2022-03-16 | Method and device for detecting messy codes, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210259508.8A CN114629707A (en) | 2022-03-16 | 2022-03-16 | Method and device for detecting messy codes, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114629707A true CN114629707A (en) | 2022-06-14 |
Family
ID=81902097
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210259508.8A Pending CN114629707A (en) | 2022-03-16 | 2022-03-16 | Method and device for detecting messy codes, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114629707A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115080061A (en) * | 2022-06-28 | 2022-09-20 | 中国电信股份有限公司 | Anti-serialization attack detection method, device, electronic equipment and medium |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH06231298A (en) * | 1993-01-28 | 1994-08-19 | Nippon Telegr & Teleph Corp <Ntt> | Method and device for reading character |
| US20050265331A1 (en) * | 2003-11-12 | 2005-12-01 | The Trustees Of Columbia University In The City Of New York | Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data |
| CN102184345A (en) * | 2011-06-27 | 2011-09-14 | 山东地纬计算机软件有限公司 | Test-paper generation method based on genetic algorithm |
| US20130141457A1 (en) * | 2011-12-06 | 2013-06-06 | Hon Hai Precision Industry Co., Ltd. | Electronic device capable of recovering garbled characters and method for recovering garbled characters |
| CN103970990A (en) * | 2014-04-22 | 2014-08-06 | 中国民航大学 | Aircraft route segment fuel consumption range estimation method based on QAR data |
| CN104516862A (en) * | 2013-09-29 | 2015-04-15 | 北大方正集团有限公司 | Method and system for selecting and reading coded format of target document |
| CN104732228A (en) * | 2015-04-16 | 2015-06-24 | 同方知网数字出版技术股份有限公司 | Detection and correction method for messy codes of PDF (portable document format) document |
| CN105608453A (en) * | 2014-11-17 | 2016-05-25 | 株式会社日立信息通信工程 | Character identification system and character identification method |
| CN108038124A (en) * | 2017-11-06 | 2018-05-15 | 广东广业开元科技有限公司 | A kind of PDF document acquiring and processing method, system and device based on big data |
| CN108985289A (en) * | 2018-07-18 | 2018-12-11 | 百度在线网络技术(北京)有限公司 | Messy code detection method and device |
| CN111144107A (en) * | 2019-12-25 | 2020-05-12 | 福建天晴在线互动科技有限公司 | Messy code identification method based on slicing algorithm |
| CN111695327A (en) * | 2019-02-28 | 2020-09-22 | 珠海金山办公软件有限公司 | Method and device for repairing messy codes, electronic equipment and readable storage medium |
| CN112329445A (en) * | 2020-11-19 | 2021-02-05 | 北京明略软件系统有限公司 | Disorder code judging method, disorder code judging system, information extracting method and information extracting system |
| US20210042443A1 (en) * | 2017-03-17 | 2021-02-11 | Ping An Technology (Shenzhen) Co., Ltd. | Method and device for detecting information leakage, server, and computer-readable storage medium |
| CN112395877A (en) * | 2020-11-04 | 2021-02-23 | 苏宁云计算有限公司 | Character string detection method and device, computer equipment and storage medium |
-
2022
- 2022-03-16 CN CN202210259508.8A patent/CN114629707A/en active Pending
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPH06231298A (en) * | 1993-01-28 | 1994-08-19 | Nippon Telegr & Teleph Corp <Ntt> | Method and device for reading character |
| US20050265331A1 (en) * | 2003-11-12 | 2005-12-01 | The Trustees Of Columbia University In The City Of New York | Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data |
| CN102184345A (en) * | 2011-06-27 | 2011-09-14 | 山东地纬计算机软件有限公司 | Test-paper generation method based on genetic algorithm |
| US20130141457A1 (en) * | 2011-12-06 | 2013-06-06 | Hon Hai Precision Industry Co., Ltd. | Electronic device capable of recovering garbled characters and method for recovering garbled characters |
| CN104516862A (en) * | 2013-09-29 | 2015-04-15 | 北大方正集团有限公司 | Method and system for selecting and reading coded format of target document |
| CN103970990A (en) * | 2014-04-22 | 2014-08-06 | 中国民航大学 | Aircraft route segment fuel consumption range estimation method based on QAR data |
| CN105608453A (en) * | 2014-11-17 | 2016-05-25 | 株式会社日立信息通信工程 | Character identification system and character identification method |
| CN104732228A (en) * | 2015-04-16 | 2015-06-24 | 同方知网数字出版技术股份有限公司 | Detection and correction method for messy codes of PDF (portable document format) document |
| US20210042443A1 (en) * | 2017-03-17 | 2021-02-11 | Ping An Technology (Shenzhen) Co., Ltd. | Method and device for detecting information leakage, server, and computer-readable storage medium |
| CN108038124A (en) * | 2017-11-06 | 2018-05-15 | 广东广业开元科技有限公司 | A kind of PDF document acquiring and processing method, system and device based on big data |
| CN108985289A (en) * | 2018-07-18 | 2018-12-11 | 百度在线网络技术(北京)有限公司 | Messy code detection method and device |
| CN111695327A (en) * | 2019-02-28 | 2020-09-22 | 珠海金山办公软件有限公司 | Method and device for repairing messy codes, electronic equipment and readable storage medium |
| CN111144107A (en) * | 2019-12-25 | 2020-05-12 | 福建天晴在线互动科技有限公司 | Messy code identification method based on slicing algorithm |
| CN112395877A (en) * | 2020-11-04 | 2021-02-23 | 苏宁云计算有限公司 | Character string detection method and device, computer equipment and storage medium |
| CN112329445A (en) * | 2020-11-19 | 2021-02-05 | 北京明略软件系统有限公司 | Disorder code judging method, disorder code judging system, information extracting method and information extracting system |
Non-Patent Citations (1)
| Title |
|---|
| 龙廷艳;万良;丁红卫;: "自编码网络在JavaScript恶意代码检测中的应用研究", 计算机科学与探索, no. 12, pages 98 - 109 * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115080061A (en) * | 2022-06-28 | 2022-09-20 | 中国电信股份有限公司 | Anti-serialization attack detection method, device, electronic equipment and medium |
| CN115080061B (en) * | 2022-06-28 | 2023-09-29 | 中国电信股份有限公司 | Anti-serialization attack detection method and device, electronic equipment and medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11734341B2 (en) | Information processing method, related device, and computer storage medium | |
| CN110798488B (en) | Web application attack detection method | |
| CN112765324B (en) | Concept drift detection method and device | |
| CN113381963B (en) | Domain name detection method, device and storage medium | |
| CN113132416B (en) | Data packet detection method and device | |
| CN111597309A (en) | Similar enterprise recommendation method and device, electronic equipment and medium | |
| CN112364625A (en) | Text screening method, device, equipment and storage medium | |
| CN114629707A (en) | Method and device for detecting messy codes, electronic equipment and storage medium | |
| CN113536770B (en) | Text analysis method, device and equipment based on artificial intelligence and storage medium | |
| WO2024066271A1 (en) | Database watermark embedding method and apparatus, database watermark tracing method and apparatus, and electronic device | |
| CN111355709A (en) | Data verification method and device, electronic equipment and computer readable storage medium | |
| CN112995218A (en) | Domain name anomaly detection method, device and equipment | |
| CN113688240A (en) | Threat element extraction method, device, equipment and storage medium | |
| CN111177362A (en) | Information processing method, device, server and medium | |
| CN112015768A (en) | Information matching method based on Rete algorithm and related products thereof | |
| CN111708988A (en) | Infringement video identification method and device, electronic equipment and storage medium | |
| CN111353301B (en) | Auxiliary secret determination method and device | |
| CN113591440B (en) | Text processing method and device and electronic equipment | |
| CN117112846B (en) | Multi-information source license information management method, system and medium | |
| CN113283215B (en) | Data confusion method and device based on UTF-32 coding | |
| CN117081727B (en) | Weak password detection method and device | |
| CN111104484B (en) | Text similarity detection method and device and electronic equipment | |
| CN114528375A (en) | Similar public opinion text recognition method and device | |
| CN106649427B (en) | Information identification method and device | |
| CN117668314A (en) | Data retrieval method, related device, equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |