CN114726579A - Method, apparatus, device, storage medium and program product for defending against network attacks - Google Patents

Info

Publication number: CN114726579A
Authority: CN (China)
Prior art keywords: access request; transmission layer; request corresponding; access; fingerprint
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210227278.7A
Other languages: Chinese (zh)
Other versions: CN114726579B (en)
Inventor: 朱利军
Current Assignee: Beijing Baidu Netcom Science and Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing Baidu Netcom Science and Technology Co Ltd
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN202210227278.7A
Publication of CN114726579A
Application granted
Publication of CN114726579B
Legal status: Active

Classifications

H04L (Transmission of digital information, e.g. telegraphic communication); H04L63/00 (Network architectures or network communication protocols for network security):
    • H04L63/02 Separating internal from external traffic, e.g. firewalls
    • H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L69/22 Parsing or analysis of headers

Abstract

The present disclosure provides a method, an apparatus, a device, a storage medium and a program product for defending against network attacks. It relates to the field of computer technology, and in particular to the CC (Challenge Collapsar) attack defense scenario within network security. The implementation is as follows: acquire the transport layer (TLS) client handshake packet of an encrypted HTTPS request; parse the client handshake packet to obtain the server name indication (SNI) and the client field features; determine the access requests corresponding to a transport layer fingerprint feature under that SNI, where the transport layer fingerprint feature is generated from the client field features; detect, based on the access requests corresponding to the transport layer fingerprint feature, the abnormal access requests corresponding to that fingerprint feature; and intercept the abnormal access requests corresponding to the transport layer fingerprint feature. CC attacks over HTTPS can be defended against more effectively by this method and apparatus.

Description

Method, apparatus, device, storage medium and program product for defending against network attacks
Technical Field
The present disclosure relates to the technical field of computers, and in particular to the CC attack defense scenario in the field of network security.
Background
Defense against CC (Challenge Collapsar) attacks in encrypted traffic mainly consists of discovering and blocking application-layer DDoS (Distributed Denial of Service) attacks over encrypted HTTPS (HTTP over TLS/SSL) that an attacker launches inside large volumes of network traffic.
To identify a CC attack accurately, current network attack detection usually performs HTTPS analysis on the layer-7 traffic of the HTTPS protocol: the page access frequency over HTTPS is obtained through HTTPS analysis, IP (Internet Protocol) addresses with a high access frequency are judged to be CC attack sources, and the IP addresses so judged are blocked to defend against the CC attack.
Disclosure of Invention
The present disclosure provides a method, apparatus, device, storage medium and program product for defending against network attacks.
According to one aspect of the present disclosure, a method for defending against network attacks is provided, including:
acquiring the transport layer (TLS) client handshake packet of an encrypted HTTPS request; parsing the TLS client handshake packet to obtain the server name indication (SNI) and the client field features; determining the access requests corresponding to a TLS fingerprint feature under that SNI, where the TLS fingerprint feature is generated from the client field features; detecting, based on the access requests corresponding to the TLS fingerprint feature, the abnormal access requests corresponding to that fingerprint feature; and intercepting the abnormal access requests corresponding to the TLS fingerprint feature.
According to another aspect of the present disclosure, an apparatus for defending against network attacks is provided, including:
an acquisition unit for acquiring the TLS client handshake packet of an encrypted HTTPS request; a parsing unit for parsing the TLS client handshake packet to obtain the SNI and the client field features; a determining unit configured to determine the access requests corresponding to a TLS fingerprint feature under the SNI, where the TLS fingerprint feature is generated from the client field features; and a detection unit for detecting, based on the access requests corresponding to the TLS fingerprint feature, the abnormal access requests corresponding to that fingerprint feature and intercepting them.
According to another aspect of the present disclosure, an electronic device is provided, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, which enable the at least one processor to perform the method described above.
According to another aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, storing computer instructions that cause a computer to perform the method described above.
According to another aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method described above.
The method for defending against network attacks provided by the present disclosure can defend against CC attacks over HTTPS more effectively.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a flowchart of a method for defending against network attacks according to an exemplary embodiment of the present disclosure;
FIG. 2 is a flowchart of a method for detecting abnormal access requests corresponding to a TLS fingerprint feature from the access requests corresponding to that feature, according to an exemplary embodiment of the present disclosure;
FIG. 3 is a flowchart of another method for detecting abnormal access requests corresponding to a TLS fingerprint feature from the access requests corresponding to that feature, according to an exemplary embodiment of the present disclosure;
FIG. 4 is a schematic diagram of an implementation of a method for defending against network attacks according to an exemplary embodiment of the present disclosure;
FIG. 5 is a block diagram of an apparatus for defending against network attacks according to an exemplary embodiment of the present disclosure;
FIG. 6 is a block diagram of an electronic device for implementing a method for defending against network attacks according to an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
The method for defending against network attacks provided by the embodiment of the present disclosure is applied to HTTPS CC attack detection and defense scenarios, for example CC attack detection and defense on a cloud computing platform, or in enterprises with large traffic volumes.
In the related art, HTTPS CC attack detection and defense mainly decrypts the HTTPS traffic to determine per-IP access, judges from that whether an access source is a CC attack, and blocks it. The CC attack judgment mainly covers the following situations:
1. Count the access requests sent by the same source IP address per unit time. If the count exceeds a set threshold, the IP address is judged to be attacking and the access requests it sends are blocked.
2. Count the total data packets, or the access requests, arriving per unit time at the same port or at different ports of the same target server. If that count reaches a set threshold, the server is judged to be abnormal or under attack.
3. Count the requests from the same source IP address to the same page per unit time. If the count reaches a set threshold, the IP address is judged to be attacking and the access requests it sends are blocked.
However, decrypting HTTPS traffic as above consumes substantial machine resources. In addition, judging solely by the traffic volume of an IP address produces false alarms under legitimate bursts, for example when a service operator runs a promotion; the judgment method then fails. Further, in a shared-IP scenario the same IP address may front many clients and their access requests, so access requests with no attack behaviour may be blocked along with the attack.
In view of this, the present disclosure provides a method for defending against network attacks in which the TLS (Transport Layer Security) client handshake packet of an HTTPS request is extracted. The client handshake packet is also called the Client Hello packet. The SNI (Server Name Indication) domain name and the client field features used to generate the TLS fingerprint feature are extracted from the TLS Client Hello packet, and the TLS fingerprint feature is generated from those client field features for the extracted SNI domain name. CC defense is thus performed by TLS fingerprinting of the encrypted HTTPS traffic, without decrypting it.
As an exemplary embodiment, FIG. 1 is a flowchart of a method for defending against network attacks according to an exemplary embodiment of the present disclosure. Referring to FIG. 1, the method includes the following steps S101 to S104.
In step S101, the TLS client handshake packet of an encrypted HTTPS request is acquired.
The TLS client handshake packet is transmitted in clear text, and it contains the SNI and the client field features.
SNI is an extension of the TLS protocol and is used in HTTPS. It specifies the hostname or domain name of the website during the TLS handshake, so the website visited by the client device can be determined from the SNI.
The client field features are mainly the fields used to generate a TLS fingerprint that identifies the client, for example the TLS version (Version), the offered cipher suites (Ciphers), the extension list (Extensions), the elliptic curves (Elliptic Curves, carried in the supported_groups extension) and the elliptic curve point formats (Elliptic Curve Point Formats). The client field features extracted from the TLS client handshake packet are concatenated to produce the TLS fingerprint feature, which is often identified by its MD5 hash. This construction is the same as the widely used JA3 fingerprint, and the extraction technique is also referred to simply as TLS fingerprinting.
Note that if the Client Hello packet carries no TLS extensions (TLS Extensions), the extension-derived client field features used to generate the TLS fingerprint feature are empty.
In step S102, the TLS client handshake packet is parsed to obtain the SNI and the client field features.
Parsing the TLS client handshake packet may yield one SNI or several.
The client field features obtained by parsing the TLS client handshake packet are used to generate the TLS fingerprint feature, for example as an MD5 hash.
In step S103, the access requests corresponding to a TLS fingerprint feature under the SNI are determined.
In the embodiment of the present disclosure, if parsing the TLS client handshake packet yields several SNIs, the access requests corresponding to the TLS fingerprint feature under each SNI are determined in real time.
An access request corresponding to a TLS fingerprint feature is to be understood as an access request sent by the client identified by that TLS fingerprint to the server indicated by the SNI.
In step S104, abnormal access requests corresponding to the TLS fingerprint feature are detected from the access requests corresponding to that feature, and the abnormal access requests are intercepted.
In the embodiment of the present disclosure, an abnormal access request corresponding to a TLS fingerprint feature is to be understood as an access request exhibiting CC attack behaviour, that is, a malicious request.
In the embodiment, the TLS fingerprint feature is generated from the client field features obtained by parsing the TLS client handshake packet, and abnormal access requests are detected from the access requests corresponding to that fingerprint feature. The encrypted HTTPS traffic itself is never decrypted or parsed, so resources are saved compared with approaches that decrypt the HTTPS traffic.
Furthermore, because the TLS fingerprint feature identifies the accessing client (more precisely, its TLS stack), detecting abnormal access requests by TLS fingerprint feature determines them precisely. When intercepting, only the abnormal access requests corresponding to the TLS fingerprint feature are intercepted, not all access requests from the IP address, so abnormal access requests are intercepted precisely and normal access requests without attack behaviour are not.
It can be understood that, in the embodiment of the present disclosure, CC defense is implemented at the TLS layer, which amounts to analysing layer-4 traffic, whereas the traditional IP-address-based method decrypts and analyses layer-7 traffic.
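How steps S101 to S103 look in code, as an added example that is not part of the patent: the parser below extracts the SNI and the client field features from a TLS Client Hello record and concatenates them into the fingerprint string and its MD5 hash. The field order and the decimal, dash-joined encoding are those of the JA3 fingerprint, which is exactly the construction the description gives; the GREASE handling and build_client_hello(), which only constructs the sample packets, are this example's own additions.

```python
"""Parse a TLS Client Hello record into its SNI and a JA3-style fingerprint.

Added example for this page, not the patent's own code. The fingerprint is the
construction the description gives (TLS version, cipher suites, extension
types, elliptic curves/supported groups, EC point formats, joined and MD5
hashed), which is the JA3 format. GREASE values (RFC 8701) are skipped as JA3
does; otherwise a browser would get a fresh fingerprint on every connection.
build_client_hello() only constructs sample input, it is not captured traffic.
"""
import hashlib
import struct

GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}  # 0x0a0a, 0x1a1a, ..., 0xfafa
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11


def _u16_list(buf):
    """Decode a run of big-endian uint16 values (ignores an odd trailing byte)."""
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(0, len(buf) - 1, 2)]


def build_client_hello(sni, ciphers, groups, point_formats, with_extensions=True):
    """Constructed TLS 1.2 Client Hello record used as sample input."""
    body = struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    if with_extensions:
        ext_sni = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode("ascii")
        ext_groups = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
        ext_fmts = bytes([len(point_formats)]) + bytes(point_formats)
        exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in (
            (EXT_SERVER_NAME, ext_sni), (EXT_SUPPORTED_GROUPS, ext_groups), (EXT_EC_POINT_FORMATS, ext_fmts)))
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer header


def parse_client_hello(record):
    """Return (sni, ja3_string, ja3_md5); sni is None when no server_name extension is present."""
    try:
        return _parse(record)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed Client Hello") from exc


def _parse(record):
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a Client Hello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                    # skip client random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16_list(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    sni, ext_types, groups, fmts = None, [], [], []
    if pos + 2 <= len(body):                        # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME and len(data) >= 5:       # list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_GROUPS and len(data) >= 2:
                list_len = struct.unpack("!H", data[:2])[0]
                groups = [g for g in _u16_list(data[2:2 + list_len]) if g not in GREASE]
            elif etype == EXT_EC_POINT_FORMATS and len(data) >= 1:
                fmts = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), "-".join(map(str, ciphers)), "-".join(map(str, ext_types)),
                    "-".join(map(str, groups)), "-".join(map(str, fmts))])
    return sni, ja3, hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0x1302, 0xC02B, 0x0A0A], [0x001D, 0x0017, 0x1A1A], [0])
    print(parse_client_hello(rec))  # ('example.com', '771,4865-4866-49195,0-10-11,29-23,0', <md5>)
```

A Client Hello built with with_extensions=False yields a fingerprint whose extension, curve and point-format fields are empty and no SNI, which is the case noted under step S101. Two caveats for deployment: the fingerprint identifies a TLS stack rather than a device, so every client running the same browser build shares it, and a client under an attacker's control can vary its Client Hello from connection to connection; the whitelist and the per-SNI counting of the later steps are what keep the first point from turning into blocking a whole browser population.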
The following describes how abnormal access requests corresponding to a TLS fingerprint feature are detected from the access requests corresponding to that feature.
In one implementation of the embodiment of the present disclosure, whether the access requests corresponding to a TLS fingerprint feature are abnormal may be detected from the number of access requests corresponding to that feature.
As an exemplary embodiment, FIG. 2 is a flowchart of a method for detecting abnormal access requests corresponding to a TLS fingerprint feature from the access requests corresponding to that feature. Referring to FIG. 2, the method includes the following steps.
In step S201, the number of access requests corresponding to the TLS fingerprint feature within a specified time period is obtained.
The specified time period may be predefined, for example a time unit on the order of seconds.
Further, the access requests obtained may be newly created access requests (new connections).
In the embodiment of the present disclosure, abnormal access requests are recognised by detecting a sudden, large increase in access requests, so a count threshold above which access requests are judged abnormal may be set.
If the number of access requests corresponding to the TLS fingerprint feature in the specified time period exceeds the count threshold, step S202a is executed; if it is less than or equal to the count threshold, step S202b is executed.
In step S202a, the number of access requests corresponding to the TLS fingerprint feature in the specified time period exceeds the count threshold, and the access requests corresponding to that TLS fingerprint feature are judged to be abnormal access requests.
In step S202b, the number of access requests corresponding to the TLS fingerprint feature in the specified time period is less than or equal to the count threshold, and the access requests corresponding to that TLS fingerprint feature are judged to be normal access requests.
In one example, the count threshold may be set as a share of 80% of the newly created access requests.
If the new access requests corresponding to a TLS fingerprint feature make up more than 80% of all new access requests, the client corresponding to that TLS fingerprint feature is judged to be initiating abnormal access requests, CC attack behaviour is present, and the requests are intercepted.
If the new access requests corresponding to a TLS fingerprint feature make up 80% or less of all new access requests, the client corresponding to that TLS fingerprint feature is judged to be initiating normal access requests, and no CC (Challenge Collapsar) attack behaviour is present.
In the embodiment of the present disclosure, the number of access requests corresponding to a TLS fingerprint feature in a specified time period is counted and compared with the count threshold, which identifies access requests that increase suddenly and sharply within a short time. Such access requests carry the risk of a CC attack, so access requests corresponding to a TLS fingerprint feature whose count in the specified time period exceeds the count threshold are judged to be abnormal access requests, and CC defense is performed effectively.
In the related art, the number of access requests may also increase sharply during a short burst of legitimate traffic. In such normal access, however, the number of accesses rises but each client does not access frequently, so the per-client access rate is relatively low, whereas a CC attack accesses frequently and its access rate is relatively high. Therefore, to identify abnormal access requests accurately, the embodiment of the present disclosure may also determine abnormal access requests by counting the per-unit-time access rate of the access requests corresponding to the TLS fingerprint feature.
In one implementation, access requests whose access rate per unit time exceeds an access rate threshold may be judged to be abnormal access requests.
For example, for access requests whose count for the TLS fingerprint feature exceeds the count threshold within the specified time period, it may further be determined whether their access rate per unit time exceeds the access rate threshold. If it does, the access requests corresponding to the TLS fingerprint feature are judged to be abnormal; if it does not, they may be normal access requests.
As an exemplary embodiment, FIG. 3 is a flowchart of a method for detecting abnormal access requests corresponding to a TLS fingerprint feature from the access requests corresponding to that feature. Referring to FIG. 3, the method includes the following steps S301 to S302.
In step S301, the number of access requests corresponding to the TLS fingerprint feature within a specified time period is obtained.
In step S302, if the number of access requests corresponding to the TLS fingerprint feature in the specified time period exceeds the count threshold and the access rate per unit time exceeds the access rate threshold, the access requests corresponding to that TLS fingerprint feature are judged to be abnormal access requests.
In the embodiment of the present disclosure, when the count exceeds the count threshold, it is further determined whether the access rate per unit time exceeds the access rate threshold, so the abnormal access requests of a CC attack are determined more accurately and the precision of CC defense improves.
In one example, during a short promotion a server indicated by a certain SNI may receive a large number of client access requests, but normal access requests are sent by many different clients. For instance, M clients together send M access requests within 1 s, so each client's access rate is 1 request per second; a client initiating a CC attack, by contrast, may send M access requests within 1 s, an access rate of M requests per second. Therefore, by determining whether the per-unit-time access rate of the access requests corresponding to a TLS fingerprint feature exceeds the access rate threshold, the abnormal access requests sent by a CC-attacking client can be identified accurately even in a scenario of suddenly increased traffic such as a sales promotion, and CC defense performed effectively.
In another implementation of the embodiment of the present disclosure, when detecting whether the access requests corresponding to a TLS fingerprint feature are abnormal, the judgment may be made from a blacklist and/or a whitelist.
In one example, a TLS fingerprint feature whitelist and/or a TLS fingerprint feature blacklist may be set.
Access requests corresponding to a TLS fingerprint feature on the TLS fingerprint feature whitelist are normal access requests and will not be treated as a CC attack.
Access requests corresponding to a TLS fingerprint feature on the TLS fingerprint feature blacklist are abnormal access requests; CC attack behaviour is present.
In one implementation, if the TLS fingerprint feature is found to belong to the preset TLS fingerprint feature whitelist, the access requests corresponding to it are judged to be normal access requests.
By setting the TLS fingerprint feature whitelist, normal access requests are determined directly from the whitelist when distinguishing normal from abnormal access requests, without running the other, more complex judgment logic. In addition, the whitelist allows a large number of accesses from specified TLS fingerprint features, which satisfies scenarios that legitimately require high access volumes.
In one implementation, when abnormal access requests are judged from the number of access requests and the access rate, it may further be required that the TLS fingerprint feature does not belong to the preset TLS fingerprint feature whitelist. In other words, if the TLS fingerprint feature is on the preset whitelist, its access requests are not judged abnormal even if their count in the specified time period exceeds the count threshold or their access rate per unit time exceeds the access rate threshold. Conversely, if the count in the specified time period exceeds the count threshold, the access rate per unit time exceeds the access rate threshold, and the TLS fingerprint feature is not on the preset whitelist, the access requests corresponding to that TLS fingerprint feature are judged to be abnormal access requests.
Requiring additionally that the TLS fingerprint feature is not on the preset whitelist prevents a whitelisted client that legitimately accesses the server in large volumes from being misjudged as abnormal.
When detecting abnormal access requests from the access requests corresponding to a TLS fingerprint feature, it may also be checked whether the TLS fingerprint feature belongs to a preset TLS fingerprint feature blacklist. If it does, the access requests corresponding to that TLS fingerprint feature are judged to be abnormal access requests.
Judging access requests abnormal from the TLS fingerprint feature blacklist needs no complex processing of request counts or access rates, so it is simpler and more efficient.
If the TLS fingerprint feature is found not to belong to the preset TLS fingerprint feature blacklist, whether its access requests are abnormal may be determined further in the manner described above.
The TLS fingerprint feature blacklist may be preset. In addition, a TLS fingerprint feature judged to correspond to abnormal access requests may be added to the preset blacklist to update it, so that in subsequent processing the access requests corresponding to that TLS fingerprint feature are judged abnormal directly from the blacklist.
Based on the method for defending against network attacks provided by the embodiment of the present disclosure, fig. 4 is a schematic diagram of an implementation process of the method for defending against network attacks shown in an exemplary implementation manner of the present disclosure.
Referring to fig. 4, the layer-four traffic is parsed and the TLS client handshake packet of the HTTPS request is extracted. The SNI domain name is extracted from the TLS client handshake packet, and the corresponding TLS fingerprint MD5 hash (the TLS fingerprint feature) is generated from the TLS fields. The number of access requests per TLS fingerprint MD5 hash under each SNI is analysed in real time to judge whether a TLS fingerprint feature is abnormal. When the number of access requests corresponding to one or several TLS fingerprint MD5 hashes suddenly increases sharply (for example, the criterion may be that they account for more than 80% of new requests) and the TLS fingerprint MD5 hash of the surging access is not in the TLS fingerprint feature white list, the access requests of that TLS fingerprint MD5 hash are intercepted so as to block the attack. When one or more TLS fingerprint MD5 hashes hit the TLS fingerprint feature blacklist, they are intercepted directly. When the TLS fingerprint MD5 hash is in the TLS fingerprint feature white list, the request is released directly and access proceeds normally.
According to the method for defending against network attacks, the abnormal access request is determined from the TLS fingerprint feature, so no layer-seven traffic analysis is needed and resource consumption can be reduced. In addition, in the embodiment of the disclosure, the abnormal access request is determined according to the access rate of the TLS fingerprint feature, so an HTTPS CC (Challenge Collapsar) attack can be accurately identified and defended against in an emergency. Furthermore, only the abnormal access requests corresponding to the TLS fingerprint feature are intercepted, rather than all access requests from an IP address, so clients sharing one IP can be distinguished and false interception is avoided.
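The flow of fig. 4 as an added, self-contained example (this is not the patent's code): a constructed ClientHello is parsed for its SNI and client fields, the fields are hashed with MD5 in JA3-style order (version, ciphers, extension types, groups, point formats), and each (SNI, fingerprint) pair is checked against a blacklist, a white list, and count and rate thresholds. The field order, the one-second rate unit, the thresholds and the builder's ClientHello inputs are assumptions for the example; GREASE values are not filtered out.

```python
import hashlib
import struct
from collections import defaultdict, deque

def build_client_hello(sni, ciphers, groups, point_formats):
    """Wrap a minimal TLS 1.2-style ClientHello (SNI, supported_groups and ec_point_formats
    extensions) in a TLS record. Constructed test input, not captured traffic."""
    name = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name                # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    grp_ext = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    pf_ext = bytes([len(point_formats)]) + bytes(point_formats)
    exts = b"".join(struct.pack("!HH", t, len(e)) + e
                    for t, e in ((0, sni_ext), (10, grp_ext), (11, pf_ext)))
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                                 # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"                    # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake

def parse_client_hello(data):
    """Return (sni, fields) for a TLS record carrying a ClientHello, or None if it is not one."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        p = 9                                            # record header (5) + handshake header (4)
        version = struct.unpack("!H", data[p:p + 2])[0]; p += 2
        p += 32 + 1 + data[p + 32]                       # client random, then session id
        n = struct.unpack("!H", data[p:p + 2])[0]; p += 2
        ciphers = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
        p += 1 + data[p]                                 # compression methods
        end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        sni, ext_types, groups, pfs = None, [], [], []
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            body = data[p:p + elen]; p += elen
            ext_types.append(etype)
            if etype == 0:                               # server_name: list_len(2) type(1) len(2) name
                sni = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode("ascii", "replace")
            elif etype == 10:                            # supported_groups: len(2) + uint16 list
                groups = [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, len(body), 2)]
            elif etype == 11:                            # ec_point_formats: len(1) + uint8 list
                pfs = list(body[1:])
    except (struct.error, IndexError):
        return None                                      # truncated or malformed handshake
    return sni, (version, ciphers, ext_types, groups, pfs)

def tls_fingerprint(fields):
    """JA3-style MD5 over version, ciphers, extension types, groups and point formats."""
    version, *lists = fields
    raw = ",".join([str(version)] + ["-".join(map(str, lst)) for lst in lists])
    return hashlib.md5(raw.encode()).hexdigest()

class FingerprintGuard:
    def __init__(self, count_threshold, rate_threshold, window, whitelist=(), blacklist=()):
        self.count_threshold = count_threshold     # max requests per (SNI, fingerprint) in `window` s
        self.rate_threshold = rate_threshold       # max requests per (SNI, fingerprint) in the last 1 s
        self.window = window
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.hits = defaultdict(deque)             # (sni, fp) -> arrival times still inside the window

    def decide(self, record, now):
        """Return 'pass' or 'intercept' for one record arriving at time `now` (seconds, non-decreasing)."""
        parsed = parse_client_hello(record)
        if parsed is None:
            return "pass"                          # not a ClientHello: outside the scope of this check
        sni, fields = parsed
        fp = tls_fingerprint(fields)
        if fp in self.blacklist:
            return "intercept"                     # blacklist hit: intercept without any counting
        if fp in self.whitelist:
            return "pass"                          # white-listed: release even under heavy load
        q = self.hits[(sni, fp)]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        count = len(q)                             # requests in the specified time period
        rate = sum(1 for t in q if now - t <= 1.0) # requests in the last unit of time
        if count > self.count_threshold and rate > self.rate_threshold:
            self.blacklist.add(fp)                 # feed the confirmed-abnormal fingerprint back
            return "intercept"
        return "pass"

if __name__ == "__main__":
    browser = build_client_hello("shop.example", [0x1301, 0x1302, 0xC02B], [0x001D, 0x0017], [0])
    bot = build_client_hello("shop.example", [0x0035], [0x0017], [0])
    guard = FingerprintGuard(100, 50, 10.0, whitelist=[tls_fingerprint(parse_client_hello(browser)[1])])
    verdicts = [guard.decide(bot, i * 0.01) for i in range(200)]   # 200 bot handshakes in 2 s
    print(verdicts.count("intercept"), "of 200 bot requests intercepted;", guard.decide(browser, 3.0), "for the browser")
```

The bot fingerprint passes until its 101st request in the window, after which it is intercepted and added to the blacklist, while the white-listed browser fingerprint is released regardless of volume.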
Based on the same conception, the embodiment of the disclosure also provides an apparatus for defending against network attacks.
It is understood that, in order to implement the above functions, the apparatus for defending against network attacks provided by the embodiments of the present disclosure includes a hardware structure and/or a software module for performing each function. In combination with the exemplary elements and algorithm steps disclosed in the embodiments, the disclosed embodiments can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends upon the particular application and the design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
As an exemplary embodiment, fig. 5 is a block diagram of an apparatus 500 for defending against cyber attacks according to an exemplary embodiment of the present disclosure. Referring to fig. 5, the apparatus 500 for defending against network attacks includes an obtaining unit 501, a parsing unit 502, a determining unit 503, and a detecting unit 504.
The obtaining unit 501 is configured to obtain a TLS client handshake packet of the encrypted HTTPS request. The parsing unit 502 is configured to parse the TLS client handshake packet to obtain the SNI and the client field features. The determining unit 503 is configured to determine the access request corresponding to a TLS fingerprint feature under the SNI, where the TLS fingerprint feature is generated according to the client field features. The detecting unit 504 is configured to detect an abnormal access request corresponding to the TLS fingerprint feature based on the access request corresponding to the TLS fingerprint feature, and to intercept the abnormal access request corresponding to the TLS fingerprint feature.
The detecting unit 504 detects an abnormal access request corresponding to the TLS fingerprint feature based on the access request corresponding to the TLS fingerprint feature in the following manner:
acquiring the number of access requests corresponding to the TLS fingerprint feature within a specified time period, and, if the number of access requests corresponding to the TLS fingerprint feature within the specified time period is greater than the number threshold, determining that the access requests corresponding to the TLS fingerprint feature are abnormal access requests.
The detecting unit 504 is further configured to determine that the access rate per unit time of the access requests whose number exceeds the number threshold is greater than the access rate threshold.
The detecting unit 504 is further configured to determine that the TLS fingerprint feature does not belong to a preset TLS fingerprint feature white list.
The detecting unit 504 detects an abnormal access request corresponding to the TLS fingerprint feature based on the access request corresponding to the TLS fingerprint feature in the following manner: if the TLS fingerprint feature is detected to belong to a preset TLS fingerprint feature blacklist, determining that the access request corresponding to the TLS fingerprint feature is an abnormal access request.
The detecting unit 504 is further configured to: if the TLS fingerprint feature is detected to belong to a preset TLS fingerprint feature white list, determine that the access request corresponding to the TLS fingerprint feature is a normal access request.
The specific manner in which the various modules perform operations has been described in detail in relation to the apparatus of the present disclosure above, and will not be elaborated upon here.
In the technical solution of the disclosure, the acquisition, storage, application and other handling of the personal information of the users involved all comply with the relevant laws and regulations and do not violate public order or good morals.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
FIG. 6 illustrates a schematic block diagram of an example electronic device 600 that can be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 6, the apparatus 600 includes a computing unit 601, which can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM)602 or a computer program loaded from a storage unit 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the device 600 can also be stored. The calculation unit 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
A number of components in the device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, a mouse, or the like; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the device 600 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 601 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the computing unit 601 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 601 performs the various methods and processes described above, such as a method of defending against a network attack. For example, in some embodiments, the method of defending against network attacks may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 608. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 600 via the ROM 602 and/or the communication unit 609. When the computer program is loaded into RAM 603 and executed by the computing unit 601, one or more steps of the method of defending against a cyber-attack described above may be performed. Alternatively, in other embodiments, the computing unit 601 may be configured by any other suitable means (e.g., by means of firmware) to perform a method of defending against network attacks.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combining a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel, sequentially, or in different orders, as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved, and the present disclosure is not limited herein.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (15)

1. A method of defending against cyber attacks, comprising:
acquiring a transport layer client handshake packet of an encrypted hypertext transfer security protocol request;
parsing the transport layer client handshake packet to obtain a server name indication and client field features;
determining an access request corresponding to a transport layer fingerprint feature under the server name indication, wherein the transport layer fingerprint feature is generated according to the client field features;
detecting an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature; and
intercepting the abnormal access request corresponding to the transport layer fingerprint feature.
2. The method of claim 1, wherein the detecting an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature comprises:
acquiring the number of access requests corresponding to the transport layer fingerprint feature within a specified time period; and
if the number of access requests corresponding to the transport layer fingerprint feature within the specified time period is greater than a number threshold, determining that the access requests corresponding to the transport layer fingerprint feature are abnormal access requests.
3. The method of claim 2, further comprising:
determining that the access rate per unit time of the access requests whose number is greater than the number threshold is greater than an access rate threshold.
4. The method of claim 2 or 3, further comprising:
determining that the transport layer fingerprint feature does not belong to a preset transport layer fingerprint feature white list.
5. The method of claim 1, wherein the detecting an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature comprises:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature blacklist, determining that the access request corresponding to the transport layer fingerprint feature is an abnormal access request.
6. The method of claim 1, further comprising:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature white list, determining that the access request corresponding to the transport layer fingerprint feature is a normal access request.
7. An apparatus for defending against cyber attacks, comprising:
an obtaining unit, configured to acquire a transport layer client handshake packet of an encrypted hypertext transfer security protocol request;
a parsing unit, configured to parse the transport layer client handshake packet to obtain a server name indication and client field features;
a determining unit, configured to determine an access request corresponding to a transport layer fingerprint feature under the server name indication, wherein the transport layer fingerprint feature is generated according to the client field features; and
a detecting unit, configured to detect an abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature, and to intercept the abnormal access request corresponding to the transport layer fingerprint feature.
8. The apparatus according to claim 7, wherein the detecting unit detects the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature by:
acquiring the number of access requests corresponding to the transport layer fingerprint feature within a specified time period; and
if the number of access requests corresponding to the transport layer fingerprint feature within the specified time period is greater than a number threshold, determining that the access requests corresponding to the transport layer fingerprint feature are abnormal access requests.
9. The apparatus of claim 8, wherein the detecting unit is further configured to:
determine that the access rate per unit time of the access requests whose number is greater than the number threshold is greater than an access rate threshold.
10. The apparatus of claim 8 or 9, wherein the detecting unit is further configured to:
determine that the transport layer fingerprint feature does not belong to a preset transport layer fingerprint feature white list.
11. The apparatus according to claim 7, wherein the detecting unit detects the abnormal access request corresponding to the transport layer fingerprint feature based on the access request corresponding to the transport layer fingerprint feature by:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature blacklist, determining that the access request corresponding to the transport layer fingerprint feature is an abnormal access request.
12. The apparatus of claim 7, wherein the detecting unit is further configured to:
if the transport layer fingerprint feature is detected to belong to a preset transport layer fingerprint feature white list, determine that the access request corresponding to the transport layer fingerprint feature is a normal access request.
13. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
14. A non-transitory computer readable storage medium having stored thereon computer instructions for causing a computer to perform the method of any one of claims 1-6.
15. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-6.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210227278.7A CN114726579B (en) 2022-03-08 2022-03-08 Method, device, equipment, storage medium and program product for defending network attack
Publications (2)

Publication Number Publication Date
CN114726579A true CN114726579A (en) 2022-07-08
CN114726579B CN114726579B (en) 2024-02-09

Family

ID=82237184

Country Status (1)

Country Link
CN (1) CN114726579B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170302703A1 (en) * 2013-06-05 2017-10-19 Palo Alto Networks, Inc. Destination domain extraction for secure protocols
WO2020176945A1 (en) * 2019-03-05 2020-09-10 Red Piranha Limited Network data traffic identification
CN112583774A (en) * 2019-09-30 2021-03-30 北京观成科技有限公司 Method and device for detecting attack flow, storage medium and electronic equipment
CN113452656A (en) * 2020-03-26 2021-09-28 百度在线网络技术(北京)有限公司 Method and device for identifying abnormal behaviors
CN113630367A (en) * 2020-05-07 2021-11-09 北京观成科技有限公司 Anonymous traffic identification method and device and electronic equipment
CN113726818A (en) * 2021-11-01 2021-11-30 北京微步在线科技有限公司 Method and device for detecting lost host

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116232767A (en) * 2023-05-06 2023-06-06 杭州美创科技股份有限公司 DDoS defense method, device, computer equipment and storage medium
CN116232767B (en) * 2023-05-06 2023-08-15 杭州美创科技股份有限公司 DDoS defense method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN114726579B (en) 2024-02-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant