CN114629707B - Disorder code detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114629707B
Authority
CN
China
Prior art keywords
detected
readable
data content
content
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210259508.8A
Other languages
Chinese (zh)
Other versions
CN114629707A (en)
Inventor
周凯强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN202210259508.8A priority Critical patent/CN114629707B/en
Publication of CN114629707A publication Critical patent/CN114629707A/en
Application granted granted Critical
Publication of CN114629707B publication Critical patent/CN114629707B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/34 Encoding or coding, e.g. Huffman coding or error correction

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a messy code (garbled text) detection method and device, an electronic device and a computer-readable storage medium. The method comprises: acquiring the data content to be detected from the traffic to be detected; performing readable character statistics of a target coding format on the data content to be detected; and performing messy code detection according to the proportion and the uniformity degree of the readable characters in the data content to be detected, to obtain a messy code detection result. By distinguishing readable characters from unreadable characters in the data content to be detected, the method determines the messy codes in that content from the proportion and the uniformity degree of the readable characters, and can accurately confirm the specific positions of the messy codes in the traffic to be detected. When applied to an attack detection scenario, it prevents messy codes in the traffic from affecting attack detection and reduces attack false alarms caused by traffic that contains messy codes.

Description

Disorder code detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technology, and more particularly to a messy code detection method and device, an electronic device, and a computer-readable storage medium.
Background
With the development of the Internet, the number of network devices keeps increasing, and the environments of different devices often differ; this lack of uniformity makes messy codes occur more and more frequently. A messy code means that the computer system cannot display the correct characters and instead displays other meaningless characters or blanks. As unreadable characters, messy codes can affect rule matching in attack detection, and attack false alarms caused by messy codes can greatly affect the attack detection result. Messy code handling in the related art is based on encoding conversion, which reduces the occurrence of messy codes by converting them into non-messy codes, and is not applicable to messy code detection in attack detection.
Therefore, how to implement messy code detection in an attack detection scenario is a technical problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide a messy code detection method and device, an electronic device and a computer-readable storage medium that implement messy code detection in an attack detection scenario.
In order to achieve the above object, the present application provides a messy code detection method, including:
acquiring the content of data to be detected in the flow to be detected;
performing readable character statistics of a target coding format on the data content to be detected;
and performing messy code detection according to the proportion and the uniformity degree of readable characters in the data content to be detected, to obtain a messy code detection result.
Wherein, the performing messy code detection according to the proportion and the uniformity degree of the readable characters in the data content to be detected, to obtain the messy code detection result, includes:
judging whether the proportion of readable characters in the data content to be detected is larger than or equal to a first preset value or not;
if yes, judging the content of the data to be detected as a non-messy code;
if not, detecting the messy codes based on the uniformity degree of the readable characters in the data content to be detected.
Wherein, the detecting the messy code based on the uniformity degree of the readable characters in the data content to be detected includes:
segmenting the content to be detected based on unreadable characters in the content of the data to be detected to obtain a plurality of readable character strings;
calculating the average length of the readable character strings according to the total number of the readable characters and the total number of the readable character strings in the data content to be detected;
calculating the distribution value of readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
judging whether the distribution value is larger than or equal to a second preset value;
if yes, judging the content of the data to be detected as a non-messy code;
if not, detecting the messy codes based on the maximum readable character string length in the data content to be detected.
Wherein, the detecting the messy code based on the maximum readable character string length in the data content to be detected includes:
judging whether the length of the maximum readable character string in the data content to be detected is larger than or equal to a third preset value;
if yes, judging the content of the data to be detected as a non-messy code;
if not, judging the content of the data to be detected as a messy code.
The obtaining the content of the data to be detected in the flow to be detected includes:
and acquiring the to-be-detected data content which is in the HTTP protocol type in the to-be-detected flow and has the length larger than or equal to a fourth preset value.
Wherein the target coding format comprises a UTF-8 coding format.
Wherein, the method further includes:
carrying out attack detection on the flow to be detected to obtain an attack detection result;
and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected.
In order to achieve the above object, the present application provides a messy code detection device, comprising:
The acquisition module is used for acquiring the content of the data to be detected in the flow to be detected;
The statistics module is used for carrying out readable character statistics of a target coding format on the data content to be detected;
and the messy code detection module is used for performing messy code detection according to the proportion and the uniformity degree of the readable characters in the data content to be detected, and obtaining a messy code detection result.
To achieve the above object, the present application provides an electronic device including:
A memory for storing a computer program;
and the processor is used for realizing the steps of the messy code detection method when executing the computer program.
To achieve the above object, the present application provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the above-described messy code detection method.
According to the scheme, the method for detecting the messy codes comprises the following steps: acquiring the content of data to be detected in the flow to be detected; performing readable character statistics of a target coding format on the data content to be detected; and carrying out disorder code detection according to the proportion and the uniformity degree of readable characters in the data content to be detected, and obtaining a disorder code detection result.
According to the method for detecting the messy codes, the readable characters and the unreadable characters are distinguished from the data content to be detected in the flow to be detected, the messy codes in the data content to be detected can be determined by utilizing the proportion and the uniformity degree of the readable characters, the specific positions of the messy codes in the flow to be detected can be accurately confirmed, the influence of the messy codes in the flow to be detected on attack detection can be avoided when the messy codes are applied to an attack detection scene, and attack false alarm caused by the fact that the flow to be detected contains the messy codes is reduced. The application also discloses a messy code detection device, an electronic device and a computer readable storage medium, and the technical effects can be realized.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. The accompanying drawings are included to provide a further understanding of the disclosure, and are incorporated in and constitute a part of this specification, illustrate the disclosure and together with the description serve to explain, but do not limit the disclosure. In the drawings:
FIG. 1 is a flow chart illustrating a messy code detection method according to an exemplary embodiment;
FIG. 2 is a flow chart illustrating another messy code detection method according to an exemplary embodiment;
FIG. 3 is a block diagram illustrating a messy code detection device according to an exemplary embodiment;
FIG. 4 is a block diagram of an electronic device according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application. In addition, in the embodiments of the present application, "first", "second", etc. are used to distinguish similar objects and are not necessarily used to describe a particular order or precedence.
The embodiment of the application discloses a method for detecting a messy code, which realizes the detection of the messy code in an attack detection scene.
Referring to FIG. 1, a flowchart of a messy code detection method according to an exemplary embodiment is shown. As shown in FIG. 1, the method includes:
S101: acquiring the content of data to be detected in the flow to be detected;
The purpose of this embodiment is to perform messy code detection on the traffic to be detected; in a specific implementation, the data content to be detected is obtained from the traffic to be detected. As a possible embodiment, this step includes: acquiring the data content to be detected that is of the HTTP (Hypertext Transfer Protocol) type in the traffic to be detected and whose length is greater than or equal to a fourth preset value. In a specific implementation, logs of the HTTP protocol type are matched in the traffic to be detected, and the matched content is the body content of the request or the response. Further, the length of the data content to be detected is limited; that is, only data content in the traffic to be detected whose length is greater than or equal to the fourth preset value is matched. The specific value of the fourth preset value is not limited here and can be set flexibly by the user according to the required detection precision.
Therefore, only the to-be-detected data content which is of the HTTP protocol type and has the length larger than or equal to the fourth preset value needs to be subjected to the subsequent readable character detection step, other data contents are directly judged to be non-messy codes, and the messy code detection efficiency is improved.
S102: performing readable character statistics of a target coding format on the data content to be detected;
In this step, readable character statistics of a target coding format are performed on the data content to be detected. The definition range of readable characters includes English letters, numbers, punctuation, Chinese characters, Chinese punctuation and the like. The target coding format in this embodiment includes the UTF-8 (8-bit Unicode Transformation Format) coding format, and the range for the UTF-8 coding format includes the Chinese character coding range 4E00-9FA5 and the letter, number and special character range 20-7E.
S103: performing messy code detection according to the proportion and the uniformity degree of readable characters in the data content to be detected, to obtain a messy code detection result.
In a specific implementation, messy code detection is performed according to the proportion and the uniformity degree of the readable characters in the data content to be detected: if the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value, or the degree of non-uniformity is greater than or equal to a second preset value, the data content to be detected can be judged to be a non-messy code; otherwise, the data content to be detected is judged to be a messy code.
As a possible embodiment, the step includes: judging whether the proportion of readable characters in the data content to be detected is larger than or equal to a first preset value or not; if yes, judging the content of the data to be detected as a non-messy code; if not, detecting the messy codes based on the uniformity degree of the readable characters in the data content to be detected. In a specific implementation, a ratio between the total number of readable characters in the data content to be detected and the total number of characters in the data content to be detected, that is, the ratio of the readable characters in the data content to be detected, is calculated, if the ratio of the readable characters is greater than or equal to a first preset value, the data content to be detected can be directly judged to be a non-messy code, otherwise, further detection is needed based on the uniformity degree of the readable characters in the data content to be detected.
As a possible implementation manner, the detecting the messy code based on the uniformity degree of the readable characters in the data content to be detected includes: segmenting the content to be detected based on unreadable characters in the content of the data to be detected to obtain a plurality of readable character strings; calculating the average length of the readable character strings according to the total number of the readable characters and the total number of the readable character strings in the data content to be detected; calculating the distribution value of readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string; judging whether the distribution value is larger than or equal to a second preset value; if yes, judging the content of the data to be detected as a non-messy code; if not, detecting the messy codes based on the maximum readable character string length in the data content to be detected.
In a specific implementation, characters in the data content to be detected are divided into readable characters and unreadable characters. When the data content to be detected is readable, or contains characters with readable meaning, the readable characters are necessarily distributed contiguously as a character string at some position. Therefore, for the data content to be detected, a plurality of readable character strings can first be obtained by segmenting on the unreadable characters. For example, if the content of the data to be detected is "AaBbCc", wherein "A", "B", "C" are readable characters and the rest are unreadable characters, the segmentation result is { A, B, C }. Secondly, the length of each readable character string and the total number of readable character strings are counted, and the ratio between the total number of readable characters and the total number of readable character strings in the data content to be detected is calculated, namely the average length of the readable character strings. Then, a distribution value F of the readable characters in the data content to be detected is calculated according to the average length F of the readable character strings and the length of each readable character string:
where x is the total number of readable strings and Xi is the length of the i-th readable string.
Further, the distribution value of the readable characters in the data content to be detected is compared with a second preset value. If the distribution value is larger than the second preset value, the data content to be detected is judged to be a non-messy code; otherwise, the data content to be detected is uniformly distributed, and further detection is needed based on the length of the maximum readable character string in the data content to be detected.
As a possible implementation manner, the detecting the messy code based on the maximum readable character string length in the data content to be detected includes: judging whether the length of the maximum readable character string in the data content to be detected is larger than or equal to a third preset value; if yes, judging the content of the data to be detected as a non-messy code; if not, judging the content of the data to be detected as a messy code. It can be understood that, for the data content to be detected, only readable character strings of at least a certain length have readable meaning, so messy code detection is performed by counting the length of the maximum readable character string in the data content to be detected and comparing it with the third preset value. Specifically, if the length of the maximum readable character string in the data content to be detected is greater than or equal to the third preset value, the data content to be detected is judged to be a non-messy code; otherwise, it is judged to be a messy code.
As a preferred embodiment, the present embodiment further includes: performing attack detection on the traffic to be detected to obtain an attack detection result; and generating a final attack detection result based on the attack detection result and the messy code detection result of the traffic to be detected. In a specific implementation, attack detection is performed on the traffic to be detected; this embodiment does not limit the specific attack detection mode (for example, a rule matching mode can be adopted), and the final attack detection result is obtained by combining the attack detection result and the messy code detection result. For example, the messy codes in the traffic to be detected can be removed based on the messy code detection result before attack detection is performed in a rule matching mode, which avoids the influence of messy codes on rule matching and improves the accuracy of attack detection. For another example, suppose rule matching reports that the content to be detected in the traffic to be detected is attack traffic, but messy code detection judges that content to be a messy code. This means that the attack detection result for the content is a false alarm caused by the messy code: the content to be detected is a messy code rather than attack traffic, so the final attack detection result is that the traffic to be detected contains no attack traffic. False alarms caused by messy codes in the traffic to be detected are thereby avoided, and the accuracy of attack detection is improved.
According to the method for detecting the messy codes, the readable characters and the unreadable characters are distinguished from the data content to be detected in the flow to be detected, the messy codes in the data content to be detected can be determined by utilizing the proportion and the uniformity degree of the readable characters, the specific positions of the messy codes in the flow to be detected can be accurately confirmed, the influence of the messy codes in the flow to be detected on attack detection can be avoided when the method is applied to an attack detection scene, and attack false alarm caused by the fact that the flow to be detected contains the messy codes is reduced.
The embodiment of the application discloses a messy code detection method which, relative to the previous embodiment, further describes and optimizes the technical scheme. Specifically:
Referring to FIG. 2, a flowchart of another messy code detection method according to an exemplary embodiment is shown. As shown in FIG. 2, the method includes:
S201: acquiring to-be-detected data content which is of the HTTP protocol type in the to-be-detected flow and has the length larger than or equal to a fourth preset value;
In this embodiment, the to-be-detected data content of the HTTP protocol type and the length greater than or equal to the fourth preset value in the to-be-detected traffic is extracted, the subsequent step of detecting the readable characters is performed, and the other data content is directly determined to be a non-messy code.
S202: performing readable character statistics of a target coding format on the data content to be detected;
S203: judging whether the proportion of readable characters in the data content to be detected is larger than or equal to a first preset value or not; if yes, go to S209; if not, entering S204;
in a specific implementation, the proportion of readable characters in the data content to be detected is calculated, if the proportion of the readable characters is larger than or equal to a first preset value, the data content to be detected can be directly judged to be a non-messy code, otherwise, further detection is needed based on the uniformity degree of the readable characters in the data content to be detected.
S204: segmenting the content to be detected based on unreadable characters in the content of the data to be detected to obtain a plurality of readable character strings;
S205: calculating the average length of the readable character strings according to the total number of the readable characters and the total number of the readable character strings in the data content to be detected;
S206: calculating the distribution value of readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
S207: judging whether the distribution value is larger than or equal to a second preset value; if yes, go to S209; if not, entering S208;
In a specific implementation, calculating a distribution value of readable characters in the data content to be detected, if the distribution value is larger than a second preset value, judging that the data content to be detected is a non-messy code, otherwise, indicating that the data content to be detected is uniformly distributed, and further detecting based on the length of the maximum readable character string in the data content to be detected.
S208: judging whether the length of the maximum readable character string in the data content to be detected is larger than or equal to a third preset value; if yes, go to S209; if not, entering S210;
S209: judging the content of the data to be detected as a non-messy code;
S210: and judging the content of the data to be detected as a messy code.
In a specific implementation, the length of the maximum readable character string in the data content to be detected is counted, if the length of the maximum readable character string is larger than or equal to a third preset value, the data content to be detected is judged to be a non-messy code, otherwise, the data content to be detected is judged to be a messy code.
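The decision flow S201 to S210 (equivalently S101 to S103 of the first embodiment), as an added Python example that is not code from the patent. The four preset values are assumed, the distribution value is computed as the population variance of the readable-string lengths because the patent's formula is not reproduced on this page, invalid UTF-8 bytes are assumed to count as unreadable, and the sample bodies are constructed.

```python
import re
from typing import NamedTuple

# Readable ranges listed in S102: 0x20-0x7E (letters, digits, special
# characters) and 0x4E00-0x9FA5 (Chinese characters).
READABLE_RUN = re.compile(r"[\u0020-\u007e\u4e00-\u9fa5]+")

# Assumed values: the patent leaves all four presets to the operator.
FIRST_RATIO = 0.8     # S203: minimum proportion of readable characters
SECOND_SPREAD = 4.0   # S207: minimum distribution value
THIRD_LONGEST = 8     # S208: minimum length of the longest readable string
FOURTH_MIN_LEN = 16   # S201: shorter bodies are not inspected


class Verdict(NamedTuple):
    messy: bool      # True when the body is judged to be a messy code
    stage: str       # which check produced the verdict
    ratio: float     # proportion of readable characters
    spread: float    # distribution value (0.0 if never computed)
    longest: int     # length of the longest readable string


def detect_messy(body: bytes) -> Verdict:
    """Classify one HTTP request or response body."""
    # S201: content below the length threshold is judged non-messy directly.
    if len(body) < FOURTH_MIN_LEN:
        return Verdict(False, "skipped", 0.0, 0.0, 0)

    # S202. Assumption: bytes that are not valid UTF-8 become U+FFFD, which
    # lies outside both readable ranges and so counts as unreadable.
    text = body.decode("utf-8", errors="replace")

    # S204: splitting on unreadable characters leaves the readable strings.
    lengths = [len(run) for run in READABLE_RUN.findall(text)]
    readable = sum(lengths)
    longest = max(lengths, default=0)

    # S203: a mostly readable body is non-messy.
    ratio = readable / len(text)
    if ratio >= FIRST_RATIO:
        return Verdict(False, "ratio", ratio, 0.0, longest)
    if not lengths:
        # Edge case: nothing readable at all, so no average can be formed.
        return Verdict(True, "no-readable", ratio, 0.0, 0)

    # S205: average readable-string length.
    mean = readable / len(lengths)
    # S206. Assumption: population variance of the string lengths stands in
    # for the patent's distribution value.
    spread = sum((n - mean) ** 2 for n in lengths) / len(lengths)

    # S207: unevenly sized readable strings indicate real content.
    if spread >= SECOND_SPREAD:
        return Verdict(False, "spread", ratio, spread, longest)
    # S208 to S210: evenly sized strings are only meaningful if long enough.
    if longest >= THIRD_LONGEST:
        return Verdict(False, "longest", ratio, spread, longest)
    return Verdict(True, "longest", ratio, spread, longest)


# Constructed sample bodies (not taken from real traffic).
SAMPLES = {
    "json": b'{"user": "alice", "action": "login", "status": "ok"}',
    "chinese": "用户登录成功欢迎回来访问系统首页内容".encode("utf-8"),
    "scattered": bytes(b for i in range(20) for b in (0x01, 0x02, 0x41 + i)),
    "mixed": b"\x01a\x02b\x03c\x04d" + b"\x05" * 40
             + b"id=42&comment=hello world from the form",
    "uniform": (b"\x01" * 20 + b"abcdefghij") * 4,
    "invalid": b"\xff\xfe" * 20,
    "short": b"\x01\x02\x03",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = detect_messy(body)
        print(f"{name:10} messy={v.messy!s:5} stage={v.stage:12} "
              f"ratio={v.ratio:.2f} spread={v.spread:.2f} longest={v.longest}")
```

The "mixed" body shows what S207 contributes: under half of it is readable, but one long readable string among single-character fragments gives a large spread, so the body is kept for rule matching instead of being discarded as a messy code.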
The following describes a messy code detection device provided in the embodiment of the present application; the messy code detection device described below and the messy code detection method described above may be referred to each other.
Referring to FIG. 3, a structure diagram of a messy code detection device according to an exemplary embodiment is shown. As shown in FIG. 3, the device includes:
an obtaining module 301, configured to obtain content of data to be detected in the traffic to be detected;
A statistics module 302, configured to perform readable character statistics in a target coding format on the data content to be detected;
And the messy code detection module 303 is used for performing messy code detection according to the proportion and the uniformity degree of the readable characters in the data content to be detected, so as to obtain a messy code detection result.
According to the messy code detection device provided by the embodiment of the application, the readable characters and the unreadable characters are distinguished from the data content to be detected in the flow to be detected, the messy codes in the data content to be detected can be determined by utilizing the proportion and the uniformity degree of the readable characters, the specific positions of the messy codes in the flow to be detected can be accurately confirmed, the influence of the messy codes in the flow to be detected on attack detection can be avoided when the messy codes are applied to an attack detection scene, and the attack false alarm caused by the fact that the flow to be detected contains the messy codes is reduced.
Based on the above embodiment, as a preferred implementation manner, the messy code detection module 303 includes:
the judging unit is used for judging whether the proportion of readable characters in the data content to be detected is larger than or equal to a first preset value; if yes, starting the workflow of the first judging unit; if not, starting the working flow of the first detection unit;
And the first detection unit is used for detecting the messy codes based on the uniformity degree of the readable characters in the data content to be detected.
On the basis of the above embodiment, as a preferred implementation manner, the first detection unit is specifically configured to: segmenting the content to be detected based on unreadable characters in the content of the data to be detected to obtain a plurality of readable character strings; calculating the average length of the readable character strings according to the total number of the readable characters and the total number of the readable character strings in the data content to be detected; calculating the distribution value of readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string; judging whether the distribution value is larger than or equal to a second preset value; if yes, starting the workflow of the first judging unit; if not, starting the working flow of the second detection unit;
And the second detection unit is used for detecting the messy codes based on the length of the maximum readable character string in the data content to be detected.
On the basis of the above embodiment, as a preferred implementation manner, the second detection unit is specifically configured to: judging that the length of the maximum readable character string in the data content to be detected is larger than or equal to a third preset value; if yes, starting the workflow of the first judging unit; if not, starting the workflow of the second judging unit;
and the second judging unit is used for judging that the data content to be detected is a messy code.
On the basis of the above embodiment, as a preferred implementation manner, the obtaining module 301 is specifically configured to: and acquiring the to-be-detected data content which is in the HTTP protocol type in the to-be-detected flow and has the length larger than or equal to a fourth preset value.
On the basis of the above embodiment, as a preferred implementation, the target coding format includes a UTF-8 coding format.
On the basis of the above embodiment, as a preferred implementation manner, the method further includes:
And the attack detection module is used for carrying out attack detection on the flow to be detected to obtain an attack detection result, and generating a final attack detection result based on the attack detection result and the messy code detection result of the flow to be detected.
The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.
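The three-stage decision carried out by the units above (and recited in claims 1 to 3), as an added Python example that is not code from the patent. The threshold values, the readability rule in `is_readable` and the use of the standard deviation of run lengths as the distribution value are assumptions: this section names the four preset values and the inputs of the distribution value but gives no numbers or formula.

```python
import math
from dataclasses import dataclass
from itertools import groupby

# Assumed values: the text only names a first to fourth preset value.
RATIO_MIN = 0.9     # first preset value: proportion of readable characters
SPREAD_MIN = 4.0    # second preset value: distribution value
LONGEST_MIN = 16    # third preset value: longest readable string
LENGTH_MIN = 32     # fourth preset value: minimum content length, in bytes


@dataclass
class Verdict:
    messy: bool
    stage: str       # which check produced the verdict
    ratio: float
    spread: float
    longest: int


def is_readable(ch: str) -> bool:
    # Assumed rule: printable Unicode or common whitespace is readable.
    # U+FFFD stands for bytes that were not valid UTF-8, so it never is.
    return ch != "\ufffd" and (ch.isprintable() or ch in "\t\r\n")


def detect_messy(content: bytes) -> Verdict:
    if len(content) < LENGTH_MIN:
        return Verdict(False, "skipped", 1.0, 0.0, 0)

    # Readable-character statistics in the target encoding (UTF-8).
    text = content.decode("utf-8", errors="replace")
    flags = [is_readable(ch) for ch in text]
    # Unreadable characters split the content into readable strings (runs).
    runs = [sum(1 for _ in grp) for ok, grp in groupby(flags) if ok]
    readable = sum(runs)
    ratio = readable / len(text)
    longest = max(runs, default=0)

    # Distribution value, assumed here to be the standard deviation of the
    # run lengths around their average (total readable / number of runs).
    spread = 0.0
    if runs:
        avg = readable / len(runs)
        spread = math.sqrt(sum((n - avg) ** 2 for n in runs) / len(runs))

    if ratio >= RATIO_MIN:
        return Verdict(False, "ratio", ratio, spread, longest)
    if spread >= SPREAD_MIN:
        return Verdict(False, "distribution", ratio, spread, longest)
    return Verdict(longest < LONGEST_MIN, "longest", ratio, spread, longest)


# Constructed sample payloads, not captured traffic.
SAMPLES = {
    "plain_form": b"username=alice&comment=hello+world&page=2&sort=desc",
    "scattered": b"ab\x80\x81\xfe" * 10,
    "text_with_binary_tail": b"comment=this+is+a+perfectly+normal+sentence"
                             b"\x80x\x81y\x82z\x83\x84\x85\x86",
    "even_long_runs": (b"session=0123456789ab" + b"\x80\x81\x82") * 3,
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, detect_messy(payload))
```

The `even_long_runs` sample shows why the third check exists: its readable strings are all the same length, so the distribution value is zero, yet each string is long enough to be treated as real text.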
Based on the hardware implementation of the above program modules, and in order to implement the method of the embodiments of the present application, an embodiment of the present application further provides an electronic device. Fig. 4 is a block diagram of an electronic device according to an exemplary embodiment. As shown in Fig. 4, the electronic device includes:
a communication interface 1, capable of exchanging information with other devices such as network devices;
a processor 2, connected to the communication interface 1 to exchange information with other devices, and configured to execute the messy code detection method provided by one or more of the above technical solutions when running a computer program, the computer program being stored in the memory 3.
Of course, in practice, the various components in the electronic device are coupled together by a bus system 4. It will be appreciated that the bus system 4 is used to enable connection and communication between these components. In addition to a data bus, the bus system 4 comprises a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are all labeled as bus system 4 in Fig. 4.
The memory 3 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory 3 may be volatile memory or non-volatile memory, and may include both. The non-volatile memory may be read-only memory (ROM, Read-Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory (Flash Memory), magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be disk memory or tape memory. The volatile memory may be random access memory (RAM, Random Access Memory), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct memory bus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 3 described in the embodiments of the present application is intended to include, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present application may be applied to the processor 2 or implemented by the processor 2. The processor 2 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 2 or by instructions in the form of software. The processor 2 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 2 may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 3 and the processor 2 reads the program in the memory 3 to perform the steps of the method described above in connection with its hardware.
The corresponding flow in each method of the embodiments of the present application is implemented when the processor 2 executes the program, and for brevity, will not be described in detail herein.
In an exemplary embodiment, the present application also provides a storage medium, i.e. a computer storage medium, in particular a computer-readable storage medium, for example comprising a memory 3 storing a computer program executable by the processor 2 to perform the steps of the method described above. The computer-readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash memory, magnetic surface memory, optical disc, or CD-ROM.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, the above-described integrated units of the application, if implemented in the form of software functional modules and sold or used as separate products, may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing an electronic device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A messy code detection method, characterized by comprising the following steps:
acquiring data content to be detected from traffic to be detected;
performing readable-character statistics in a target encoding format on the data content to be detected;
judging whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value;
if yes, judging the data content to be detected to be a non-messy code;
if not, segmenting the data content to be detected based on the unreadable characters in the data content to be detected to obtain a plurality of readable character strings;
calculating the average length of the readable character strings according to the total number of readable characters and the total number of readable character strings in the data content to be detected;
calculating the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string;
judging whether the distribution value is greater than or equal to a second preset value;
if yes, judging the data content to be detected to be a non-messy code;
if not, detecting messy codes based on the length of the longest readable character string in the data content to be detected.
2. The messy code detection method according to claim 1, wherein the detecting messy codes based on the length of the longest readable character string in the data content to be detected comprises:
judging whether the length of the longest readable character string in the data content to be detected is greater than or equal to a third preset value;
if yes, judging the data content to be detected to be a non-messy code;
if not, judging the data content to be detected to be a messy code.
3. The messy code detection method according to claim 1, wherein the acquiring data content to be detected from traffic to be detected comprises:
acquiring, from the traffic to be detected, data content to be detected that is of the HTTP protocol type and whose length is greater than or equal to a fourth preset value.
4. The messy code detection method according to claim 1, wherein the target encoding format comprises the UTF-8 encoding format.
5. The messy code detection method according to claim 1, further comprising:
performing attack detection on the traffic to be detected to obtain an attack detection result;
generating a final attack detection result based on the attack detection result and the messy code detection result of the traffic to be detected.
6. A messy code detection device, comprising:
an acquisition module, configured to acquire data content to be detected from traffic to be detected;
a statistics module, configured to perform readable-character statistics in a target encoding format on the data content to be detected;
a messy code detection module, configured to: judge whether the proportion of readable characters in the data content to be detected is greater than or equal to a first preset value; if yes, judge the data content to be detected to be a non-messy code; if not, segment the data content to be detected based on the unreadable characters in the data content to be detected to obtain a plurality of readable character strings; calculate the average length of the readable character strings according to the total number of readable characters and the total number of readable character strings in the data content to be detected; calculate the distribution value of the readable characters in the data content to be detected according to the average length of the readable character strings and the length of each readable character string; judge whether the distribution value is greater than or equal to a second preset value; if yes, judge the data content to be detected to be a non-messy code; if not, detect messy codes based on the length of the longest readable character string in the data content to be detected.
7. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the messy code detection method according to any one of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the messy code detection method according to any one of claims 1 to 5.
CN202210259508.8A 2022-03-16 2022-03-16 Disorder code detection method and device, electronic equipment and storage medium Active CN114629707B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210259508.8A CN114629707B (en) 2022-03-16 2022-03-16 Disorder code detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210259508.8A CN114629707B (en) 2022-03-16 2022-03-16 Disorder code detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114629707A CN114629707A (en) 2022-06-14
CN114629707B true CN114629707B (en) 2024-05-24

Family

ID=81902097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210259508.8A Active CN114629707B (en) 2022-03-16 2022-03-16 Disorder code detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114629707B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115080061B (en) * 2022-06-28 2023-09-29 中国电信股份有限公司 Anti-serialization attack detection method and device, electronic equipment and medium

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06231298A (en) * 1993-01-28 1994-08-19 Nippon Telegr & Teleph Corp <Ntt> Method and device for reading character
CN102184345A (en) * 2011-06-27 2011-09-14 山东地纬计算机软件有限公司 Test-paper generation method based on genetic algorithm
CN102265344A (en) * 2008-10-24 2011-11-30 尼尔森(美国)有限公司 Methods and apparatus to perform audio watermarking imbedding and watermark detection and extraction
CN103442009A (en) * 2013-08-30 2013-12-11 苏州跨界软件科技有限公司 File transmission method based on NFC
CN103970990A (en) * 2014-04-22 2014-08-06 中国民航大学 Aircraft route segment fuel consumption range estimation method based on QAR data
CN104516862A (en) * 2013-09-29 2015-04-15 北大方正集团有限公司 Method and system for selecting and reading coded format of target document
CN104732228A (en) * 2015-04-16 2015-06-24 同方知网数字出版技术股份有限公司 Detection and correction method for messy codes of PDF (portable document format) document
CN105608453A (en) * 2014-11-17 2016-05-25 株式会社日立信息通信工程 Character identification system and character identification method
CN108038124A (en) * 2017-11-06 2018-05-15 广东广业开元科技有限公司 A kind of PDF document acquiring and processing method, system and device based on big data
CN108985289A (en) * 2018-07-18 2018-12-11 百度在线网络技术(北京)有限公司 Messy code detection method and device
CN110610090A (en) * 2019-08-28 2019-12-24 北京小米移动软件有限公司 Information processing method and device, and storage medium
CN111144107A (en) * 2019-12-25 2020-05-12 福建天晴在线互动科技有限公司 Messy code identification method based on slicing algorithm
CN111695327A (en) * 2019-02-28 2020-09-22 珠海金山办公软件有限公司 Method and device for repairing messy codes, electronic equipment and readable storage medium
CN112329445A (en) * 2020-11-19 2021-02-05 北京明略软件系统有限公司 Disorder code judging method, disorder code judging system, information extracting method and information extracting system
CN112395877A (en) * 2020-11-04 2021-02-23 苏宁云计算有限公司 Character string detection method and device, computer equipment and storage medium
CN113298082A (en) * 2021-07-28 2021-08-24 北京猿力未来科技有限公司 Dictation data processing method and device, electronic equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4662944B2 (en) * 2003-11-12 2011-03-30 ザ トラスティーズ オブ コロンビア ユニヴァーシティ イン ザ シティ オブ ニューヨーク Apparatus, method, and medium for detecting payload anomalies using n-gram distribution of normal data
CN103150293B (en) * 2011-12-06 2017-06-06 富泰华工业(深圳)有限公司 The method that the electronic installation of mess code recovery can be carried out and recover mess code
CN107066882B (en) * 2017-03-17 2019-07-12 平安科技(深圳)有限公司 Information leakage detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
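Research on the application of autoencoder networks in JavaScript malicious code detection; Long Tingyan; Wan Liang; Ding Hongwei; Journal of Frontiers of Computer Science and Technology (12); pp. 98-109 *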

Also Published As

Publication number Publication date
CN114629707A (en) 2022-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant