CN115314322A - Vulnerability detection confirmation method, device, equipment and storage medium based on flow - Google Patents

Info

Publication number: CN115314322A
Application number: CN202211229440.5A
Authority: CN (China)
Prior art keywords: vulnerability, alarm, response, attack, flow
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 陈勇, 沈传宝, 吴璇, 刘加瑞
Current assignee: Anhui Huayun'an Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Anhui Huayun'an Technology Co ltd

Classifications (CPC)

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detection by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408, detection by monitoring network traffic)


Abstract

The embodiment of the invention provides a method, a device, equipment and a storage medium for vulnerability detection confirmation based on traffic. The method comprises the steps of: collecting the network interface traffic of a target server; analyzing the request message and the response message in that traffic to obtain the traffic characteristics corresponding to the request message and the traffic characteristics corresponding to the response message; based on those two sets of traffic characteristics, performing matching identification against a preset exploit attack characteristic library and an exploit response characteristic library, generating an exploit attack alarm and an exploit response alarm, and writing them into an alarm table; and, when the alarm table contains a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability, determining that the target server has that vulnerability and that the vulnerability has been exploited. In this way, it can be accurately determined that the target server has the vulnerability and that the vulnerability has been successfully exploited.

Description

Vulnerability detection confirmation method, device, equipment and storage medium based on flow
Technical Field
The present invention relates to the field of vulnerability detection, and in particular, to a method, an apparatus, a device, and a storage medium for vulnerability detection confirmation based on traffic.
Background
A vulnerability is a flaw in the hardware, software, the specific implementation of a protocol, or the operating system security policy that enables an attacker to gain unauthorized access to or destroy the system.
Therefore, in order to ensure the security of the device, exploit attacks need to be detected. In current detection schemes, however, whether an exploit attack succeeded is judged either from the traffic alone or from the response status code alone; neither judgment is accurate, and the false alarm rate is high.
As a result, existing schemes perform poorly when judging whether a vulnerability exploitation succeeded.
Disclosure of Invention
The invention provides a method, a device, equipment and a storage medium for detecting and confirming a vulnerability based on traffic.
According to a first aspect of the present invention, a method for confirming vulnerability detection based on traffic is provided, the method comprising:
acquiring the network interface traffic of a target server, wherein the network interface traffic comprises a request message and a response message;
analyzing the request message and the response message in the network interface traffic to obtain traffic characteristics corresponding to the request message and traffic characteristics corresponding to the response message;
based on the traffic characteristics corresponding to the request message and the traffic characteristics corresponding to the response message, performing matching identification in a preset exploit attack characteristic library and an exploit response characteristic library to generate an exploit attack alarm and an exploit response alarm, and writing both alarms into an alarm table;
and when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability, determining that the target server has that vulnerability and that the vulnerability has been exploited.
In some implementations of the first aspect, the method further comprises:
and when the traffic characteristics obtained by analyzing the response message contain a data stream on the same channel as the one corresponding to the exploit attack alarm, determining that the target server has the corresponding vulnerability and that the vulnerability has been exploited.
In some implementation manners of the first aspect, when the alarm table includes an exploit attack alarm and an exploit response alarm corresponding to the same vulnerability, determining that the target server has a corresponding vulnerability and the vulnerability is exploited includes:
and when the identifier of the exploit attack alarm and the identifier of the exploit response alarm in the alarm table correspond to the same vulnerability, determining that the target server has the corresponding vulnerability and the vulnerability is exploited.
In some implementations of the first aspect, the method further comprises:
determining the severity level of the vulnerability, based on a preset vulnerability scoring system, according to the vulnerability corresponding to the vulnerability attack alarm and the vulnerability response alarm in the alarm table;
and generating alarm prompt information for the vulnerability according to the number of vulnerability attack alarms, the number of vulnerability response alarms and the severity level corresponding to the same vulnerability in the alarm table, and displaying the alarm prompt information.
In some implementation manners of the first aspect, generating alarm prompt information for a vulnerability according to the number of vulnerability attack alarms, the number of vulnerability response alarms and the severity level corresponding to the same vulnerability in the alarm table includes:
determining the alarm grade of the vulnerability according to the number of exploit attack alarms and the number of vulnerability response alarms corresponding to the same vulnerability in the alarm table and a preset grade-count relation table;
and generating the alarm prompt information for the vulnerability according to its alarm grade and severity level.
In some implementation manners of the first aspect, analyzing the request message and the response message in the network interface traffic includes:
performing Deep Packet Inspection (DPI) on the request message and the response message in the network interface traffic.
According to a second aspect of the present invention, there is provided a device for confirming vulnerability detection based on traffic, the device comprising:
an acquisition module, configured to acquire the network interface traffic of a target server, wherein the network interface traffic comprises a request message and a response message;
an analysis module, configured to analyze the request message and the response message in the network interface traffic to obtain the traffic characteristic corresponding to the request message and the traffic characteristic corresponding to the response message;
an alarm generating module, configured to perform matching identification in a preset vulnerability attack characteristic library and a vulnerability response characteristic library based on the traffic characteristics corresponding to the request message and the response message, generate a vulnerability attack alarm and a vulnerability response alarm, and write both alarms into an alarm table;
and a determining module, configured to determine that the target server has the corresponding vulnerability and that the vulnerability has been exploited when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability.
In some implementation manners of the second aspect, the determining module is further configured to determine that the target server has the corresponding vulnerability and that the vulnerability has been exploited when the traffic characteristics obtained by analyzing the response message contain a data stream on the same channel as the one corresponding to the exploit attack alarm.
According to a third aspect of the invention, an electronic device is provided. The electronic device includes a memory having a computer program stored thereon, and a processor that, when executing the program, implements the traffic-based vulnerability detection confirmation method of the first aspect and of some implementations of the first aspect described above.
According to a fourth aspect of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the traffic-based vulnerability detection confirmation method of the first aspect and of some implementations of the first aspect described above.
According to the method, device, equipment and storage medium for detecting and confirming a vulnerability based on traffic provided by the invention, after the attack behavior is captured, the exploit attack alarms and exploit response alarms in the alarm table are additionally examined, and when the alarm table comprises an exploit attack alarm and an exploit response alarm corresponding to the same vulnerability, it can be determined that the target server has that vulnerability and that it has been exploited. The technical scheme of the invention therefore not only captures exploit attack behavior but also accurately determines that the vulnerability exists on the target server and has been successfully exploited.
It should be understood that the statements herein reciting aspects are not intended to limit the critical or essential features of any embodiment of the invention, nor are they intended to limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of various embodiments of the present invention will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. The accompanying drawings are included to provide a further understanding of the present invention, and are not intended to limit the invention to the form disclosed, wherein like reference numerals designate like or similar elements, and wherein:
fig. 1 is a schematic flow chart of a method for confirming vulnerability detection based on traffic according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a vulnerability detection and verification apparatus based on traffic according to an embodiment of the present invention;
FIG. 3 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter associated objects are in an "or" relationship.
A vulnerability is a flaw in the hardware, software, the specific implementation of a protocol, or the operating system security policy that enables an attacker to gain unauthorized access to or destroy the system.
Therefore, in order to ensure the security of the device, exploit attacks need to be detected. In current detection schemes, however, whether an exploit attack succeeded is judged either from the traffic alone or from the response status code alone; neither judgment is accurate, and the false alarm rate is high. Moreover, schemes based on a vulnerability scanner or on POC/EXP scanning are an active detection mode, and the scans have to be run manually and periodically.
As a result, existing schemes perform poorly when judging whether a vulnerability exploitation succeeded.
The invention provides a vulnerability detection confirmation method, device, equipment and storage medium based on traffic. The method comprises the steps of: collecting the network interface traffic of a target server, wherein the network interface traffic comprises a request message and a response message; analyzing the request message and the response message in the network interface traffic to obtain traffic characteristics corresponding to the request message and traffic characteristics corresponding to the response message; based on those traffic characteristics, performing matching identification in a preset exploit attack characteristic library and an exploit response characteristic library, generating an exploit attack alarm and an exploit response alarm, and writing them into an alarm table; and when the alarm table comprises an exploit attack alarm and an exploit response alarm corresponding to the same vulnerability, determining that the target server has that vulnerability and that it has been exploited. According to this technical scheme, after the attack behavior is captured, the exploit attack alarms and vulnerability response alarms in the alarm table are examined, and when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability, the target server is determined to have that vulnerability and the vulnerability to have been exploited, so the technical scheme of the invention can accurately determine that the target server has the vulnerability and that it has been successfully exploited.
The technical solutions provided by the embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 1 is a schematic flow diagram of a method for confirming vulnerability detection based on traffic according to an embodiment of the present invention, and as shown in fig. 1, the method for confirming vulnerability detection based on traffic may specifically include:
s101: and acquiring the network interface flow of the target server, wherein the network interface flow comprises a request message and a response message.
That is to say, the collected network interface traffic may be specifically divided into two directions, one is a request direction from the attack end to the target server, and the other is a response direction from the target server to the attack end.
S102: and analyzing the request message and the response message in the network interface flow to obtain the flow characteristic corresponding to the request message and the flow characteristic corresponding to the response message.
S103: and based on the flow characteristics corresponding to the request message and the flow characteristics corresponding to the response message, performing matching identification in a preset exploit attack characteristic library and an exploit response characteristic library to generate an exploit attack alarm and an exploit response alarm, and writing the exploit attack alarm and the exploit response alarm into an alarm table, such as alert-label.
S104: and when the alarm table comprises the exploit attack alarm and the exploit response alarm corresponding to the same vulnerability, determining that the target server has the corresponding vulnerability and the vulnerability is exploited.
That is, in S104, it is actually the association between the attack characteristic alarm and the response characteristic alarm in alert-tab to determine that the target server has the corresponding vulnerability and the vulnerability is utilized, where the association refers to the attack characteristic alarm and the response characteristic alarm that have the same vulnerability.
In the technical scheme shown in fig. 1, after the attack behavior is captured, the exploit attack alarm and the exploit response alarm in the alarm table are also judged, and when the alarm table comprises the exploit attack alarm and the exploit response alarm corresponding to the same exploit, the condition that the corresponding exploit exists in the target server and the exploit is utilized can be determined.
In an embodiment, the request message and the response message in the network interface traffic in S102 may also be analyzed to obtain a traffic characteristic corresponding to the request message and a traffic characteristic corresponding to the response message, which are written into a flow-table of the traffic table, so as to perform a subsequent vulnerability determination process.
In one embodiment, considering that some existing detection systems for vulnerability attacks can only collect vulnerability attack alarms but cannot collect vulnerability response alarms, the vulnerability can be identified according to the traffic characteristics corresponding to the response messages obtained through analysis. Specifically, when the data stream of the same channel corresponding to the exploit attack alarm exists in the flow characteristics corresponding to the analyzed response message, it may be determined that the target server has the corresponding exploit and the exploit is exploited. The same channel refers to the same channel between the attack end and the target server, and in the channel, the direction of the data stream can be sent from the attack end to the target server, and also can be sent from the target server to the attack end. That is to say, the process may be understood as the association between the attack characteristic alarm in the alert-table and the flow characteristic in the flow-table, where the association refers to the existence of a data flow of the same channel corresponding to the exploit attack alarm in the flow characteristic in the flow-table, so as to determine that the target server has a corresponding exploit and the exploit is used.
Specifically, in the determining process of S104, in the process of determining that the alarm table includes the exploit attack alarm and the exploit response alarm corresponding to the same vulnerability, it may be determined that the corresponding vulnerability exists in the target server and the vulnerability is exploited according to a condition that the identifier of the exploit attack alarm and the identifier of the exploit response alarm in the alarm table correspond to the same vulnerability. That is, when the identifier of the exploit attack alarm and the identifier of the exploit response alarm in the alarm table correspond to the same exploit, it may be determined that the target server has the corresponding exploit and the exploit is exploited, where the identifier may be, for example, an ID.
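The pipeline of S101 to S104, together with the same-channel fallback described above, as an added worked example that is not part of the patent text and not the applicant's code. The signature libraries, vulnerability identifiers (VULN-DEMO-*), channel tuples and HTTP messages are all constructed placeholders; the DPI step is reduced to splitting an HTTP message into start line, headers and body. The example goes slightly beyond the text in that it runs both confirmation methods over the same traffic so the difference between them is visible:

```python
import re
from dataclasses import dataclass

# Constructed signature libraries (placeholders, not real vulnerability
# signatures): one regex over the request and one over the response per
# vulnerability identifier, mirroring the attack and response feature libraries.
ATTACK_SIGNATURES = {
    "VULN-DEMO-0001": re.compile(r"X-Demo-Exploit: 0001"),
    "VULN-DEMO-0002": re.compile(r"X-Demo-Exploit: 0002"),
    "VULN-DEMO-0003": re.compile(r"X-Demo-Exploit: 0003"),
}
RESPONSE_SIGNATURES = {
    "VULN-DEMO-0001": re.compile(r"demo-exploit-0001-result"),
    "VULN-DEMO-0002": re.compile(r"demo-exploit-0002-result"),
    "VULN-DEMO-0003": re.compile(r"demo-exploit-0003-result"),
}


@dataclass(frozen=True)
class Message:
    """One captured HTTP message and the channel (client/server address pair) it rode on."""
    channel: tuple  # (client_ip, client_port, server_ip, server_port)
    direction: str  # "request" (client -> server) or "response" (server -> client)
    raw: str


def parse_features(msg: Message) -> dict:
    """Simplified DPI (S102): split the raw message into start line, headers and body."""
    head, _, body = msg.raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    features = {"channel": msg.channel, "direction": msg.direction,
                "start_line": start_line, "headers": "\r\n".join(header_lines), "body": body}
    if msg.direction == "response":
        parts = start_line.split(" ", 2)
        features["status"] = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return features


def build_tables(messages):
    """S102/S103: fill the flow-table with parsed features and the alert-table with matches."""
    flow_table, alert_table = [], []
    for msg in messages:
        feat = parse_features(msg)
        flow_table.append(feat)
        text = feat["start_line"] + "\r\n" + feat["headers"] + "\r\n\r\n" + feat["body"]
        library = ATTACK_SIGNATURES if msg.direction == "request" else RESPONSE_SIGNATURES
        kind = "attack" if msg.direction == "request" else "response"
        for vuln_id, pattern in library.items():
            if pattern.search(text):
                alert_table.append({"vuln_id": vuln_id, "kind": kind, "channel": msg.channel})
    return flow_table, alert_table


def confirm_by_alert_pair(alert_table):
    """S104: confirmed when one vulnerability id has both an attack and a response alarm."""
    seen = {}
    for alert in alert_table:
        seen.setdefault(alert["vuln_id"], set()).add(alert["kind"])
    return sorted(v for v, kinds in seen.items() if {"attack", "response"} <= kinds)


def confirm_by_channel(alert_table, flow_table):
    """Fallback when only attack alarms exist: a response was seen on the attack alarm's channel."""
    response_channels = {f["channel"] for f in flow_table if f["direction"] == "response"}
    return sorted({a["vuln_id"] for a in alert_table
                   if a["kind"] == "attack" and a["channel"] in response_channels})


# Constructed sample traffic: three client channels towards the same server.
CH_A = ("10.0.0.5", 40001, "10.0.0.10", 80)
CH_B = ("10.0.0.6", 40002, "10.0.0.10", 80)
CH_C = ("10.0.0.7", 40003, "10.0.0.10", 80)
SAMPLE_TRAFFIC = [
    Message(CH_A, "request", "GET /app HTTP/1.1\r\nHost: srv\r\nX-Demo-Exploit: 0001\r\n\r\n"),
    Message(CH_A, "response", "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\ndemo-exploit-0001-result"),
    Message(CH_B, "request", "GET /app HTTP/1.1\r\nHost: srv\r\nX-Demo-Exploit: 0002\r\n\r\n"),
    # channel B: the server dropped the connection, so no response was captured
    Message(CH_C, "request", "GET /app HTTP/1.1\r\nHost: srv\r\nX-Demo-Exploit: 0003\r\n\r\n"),
    Message(CH_C, "response", "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\nnot here"),
]


def run_demo(messages=SAMPLE_TRAFFIC):
    """Run both confirmation methods over the sample traffic and return their verdicts."""
    flow_table, alert_table = build_tables(messages)
    return {
        "alert_pair": confirm_by_alert_pair(alert_table),             # ['VULN-DEMO-0001']
        "same_channel": confirm_by_channel(alert_table, flow_table),  # ['VULN-DEMO-0001', 'VULN-DEMO-0003']
    }


if __name__ == "__main__":
    print(run_demo())
```

The two verdicts differ on channel C: the attack alarm for VULN-DEMO-0003 is followed by a response, so the same-channel association confirms it, while the alarm-pair association does not because the 404 body matches no response signature. That is the trade-off the text implies: the fallback works with attack-only sensors, but any response on the channel satisfies it, so it confirms more than the paired-alarm check and should be weighted accordingly when the alarm grade is computed.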
In addition, in order to rate the risk of the vulnerability and raise alarms according to vulnerability risk, occurrence frequency and the like, so that further analysis can be carried out on the vulnerability, in one embodiment the severity level of the vulnerability can be determined, based on a preset vulnerability scoring system, according to the vulnerability attack alarm and the vulnerability response alarm in the alarm table; alarm prompt information for the vulnerability is then generated according to the number of vulnerability attack alarms, the number of vulnerability response alarms and the severity level corresponding to the same vulnerability in the alarm table, and displayed. The preset vulnerability scoring system may be the Common Vulnerability Scoring System (CVSS).
In addition, when generating the alarm prompt information from the number of vulnerability attack alarms, the number of vulnerability response alarms and the severity level corresponding to the same vulnerability in the alarm table, the two alarm counts can be looked up in a preset grade-count relation table to determine the alarm grade of the vulnerability; the alarm prompt information is then generated from the alarm grade and the severity level and displayed, prompting the user to respond in time. The grade-count relation table stores the alarm grade corresponding to each range of alarm counts.
In an embodiment, analyzing the request message and the response message in the network interface traffic may specifically consist of performing Deep Packet Inspection (DPI) on them.
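The rating step of the two preceding paragraphs, as an added example that is not part of the patent and not the applicant's code. The grade-count relation table, the CVSS base scores and the alert-table rows are constructed for the demo; the severity bands are the published CVSS v3.x qualitative rating scale (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), which the patent does not spell out. Alert-table rows are plain dictionaries with a `vuln_id` and a `kind` of `"attack"` or `"response"`:

```python
import bisect
from collections import Counter

# CVSS v3.x qualitative severity rating scale: lower bound of each band.
CVSS_BANDS = [(0.0, "None"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High"), (9.0, "Critical")]

# Constructed grade-count relation table: the smallest alarm count that reaches each grade.
GRADE_THRESHOLDS = [(1, "notice"), (5, "warning"), (20, "serious"), (100, "urgent")]

# Constructed CVSS base scores for the demo vulnerability identifiers.
CVSS_BASE_SCORES = {"VULN-DEMO-0001": 9.8, "VULN-DEMO-0003": 5.3}


def cvss_severity(base_score: float) -> str:
    """Map a CVSS base score to its qualitative severity level."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    idx = bisect.bisect_right([lo for lo, _ in CVSS_BANDS], base_score) - 1
    return CVSS_BANDS[idx][1]


def alert_grade(count: int) -> str:
    """Look an alarm count up in the grade-count relation table ('none' below the first threshold)."""
    idx = bisect.bisect_right([lo for lo, _ in GRADE_THRESHOLDS], count) - 1
    return "none" if idx < 0 else GRADE_THRESHOLDS[idx][1]


def build_prompt_info(alert_table, base_scores=CVSS_BASE_SCORES):
    """Count attack/response alarms per vulnerability and combine them with the CVSS severity."""
    counts = Counter((a["vuln_id"], a["kind"]) for a in alert_table)
    prompts = []
    for vuln_id in sorted({a["vuln_id"] for a in alert_table}):
        attacks = counts[(vuln_id, "attack")]
        responses = counts[(vuln_id, "response")]
        # A vulnerability without a known score still gets an alarm grade, just no severity.
        severity = cvss_severity(base_scores[vuln_id]) if vuln_id in base_scores else "unknown"
        grade = alert_grade(attacks + responses)
        prompts.append({
            "vuln_id": vuln_id,
            "attack_alerts": attacks,
            "response_alerts": responses,
            "confirmed": attacks > 0 and responses > 0,  # the S104 pairing condition
            "severity": severity,
            "alert_grade": grade,
            "message": f"{vuln_id}: {severity} severity, {grade} alarm grade "
                       f"({attacks} attack / {responses} response alarms)",
        })
    return prompts


# Constructed alert-table contents: repeated attempts against two vulnerability ids.
SAMPLE_ALERTS = (
    [{"vuln_id": "VULN-DEMO-0001", "kind": "attack"}] * 6
    + [{"vuln_id": "VULN-DEMO-0001", "kind": "response"}] * 2
    + [{"vuln_id": "VULN-DEMO-0003", "kind": "attack"}] * 3
)


if __name__ == "__main__":
    for entry in build_prompt_info(SAMPLE_ALERTS):
        print(entry["message"])
```

Keeping the attack and response counts separate in the output, rather than only their sum, lets the operator see whether the grade comes from confirmed exploitation (both counts non-zero) or from a burst of unanswered attempts, which is exactly the distinction the paired-alarm check in S104 is meant to make.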
In the method for detecting and confirming a vulnerability based on traffic, after the attack behavior is captured, the obtained alarm table and traffic table are further analyzed to determine that the target server has the corresponding vulnerability and that it has been exploited, so the technical scheme of the invention not only captures vulnerability attack behavior but also accurately determines that the vulnerability exists on the target server and has been successfully exploited.
Corresponding to the method for confirming vulnerability detection based on traffic shown in fig. 1, the invention also provides a device for confirming vulnerability detection based on traffic.
As shown in fig. 2, the apparatus for confirming vulnerability detection based on traffic may include:
the acquisition module 201, configured to acquire the network interface traffic of a target server, where the network interface traffic includes a request message and a response message;
the analysis module 202, configured to analyze the request message and the response message in the network interface traffic to obtain the traffic characteristic corresponding to the request message and the traffic characteristic corresponding to the response message;
the alarm generating module 203, configured to perform matching identification in a preset exploit attack feature library and an exploit response feature library based on the traffic characteristics corresponding to the request message and the response message, generate an exploit attack alarm and an exploit response alarm, and write both alarms into an alarm table;
and the determining module 204, configured to determine that the target server has the corresponding vulnerability and that the vulnerability has been exploited when the alarm table includes a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability.
In an embodiment, the determining module 204 may be further configured to determine that the target server has the corresponding vulnerability and that it has been exploited when the traffic characteristics obtained by analyzing the response message contain a data stream on the same channel as the one corresponding to the exploit attack alarm.
In an embodiment, the determining module 204 may be further configured to determine that the target server has the corresponding vulnerability and that it has been exploited when the identifier of the exploit attack alarm and the identifier of the exploit response alarm in the alarm table correspond to the same vulnerability.
In an embodiment, the apparatus may further include an alarm prompt information display module, and the determining module 204 may be further configured to determine the severity level of the vulnerability, based on a preset vulnerability scoring system, according to the vulnerability corresponding to the vulnerability attack alarm and the vulnerability response alarm in the alarm table;
and the alarm prompt information display module may be configured to generate alarm prompt information according to the number of vulnerability attack alarms, the number of vulnerability response alarms and the severity level corresponding to the same vulnerability in the alarm table, and to display the alarm prompt information.
In an embodiment, the analysis module 202 may be further configured to perform Deep Packet Inspection (DPI) on the request message and the response message in the network interface traffic.
In the traffic-based vulnerability detection and confirmation device, after the attack behavior is captured, the obtained alarm table and traffic table are further analyzed to determine that the target server has the corresponding vulnerability and that it has been exploited, so the technical scheme not only captures vulnerability attack behavior but also accurately determines that the target server has the vulnerability and that it has been successfully exploited.
It can be understood that each module in the vulnerability detection confirmation apparatus based on traffic shown in fig. 2 has a function of implementing each step in fig. 1, and can achieve the corresponding technical effect, and for brevity, no further description is provided herein.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the described module may refer to the corresponding process in the foregoing method embodiment, and is not described herein again.
The invention also provides an electronic device, a readable storage medium and a computer program product according to the embodiments of the invention.
FIG. 3 shows a schematic block diagram of an electronic device 300 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processors, cellular telephones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
The device 300 comprises a computing unit 301 which may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 302 or a computer program loaded from a storage unit 308 into a Random Access Memory (RAM) 303. In the RAM303, various programs and data necessary for the operation of the device 300 can also be stored. The computing unit 301, the ROM302, and the RAM303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to bus 304.
Various components in device 300 are connected to I/O interface 305, including: an input unit 306 such as a keyboard, a mouse, or the like; an output unit 307 such as various types of displays, speakers, and the like; a storage unit 308 such as a magnetic disk, optical disk, or the like; and a communication unit 309 such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the device 300 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
Computing unit 301 may be a variety of general and/or special purpose processing components with processing and computing capabilities. Some examples of the computing unit 301 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The computing unit 301 performs the various methods and processes described above, such as the traffic-based vulnerability detection validation method of fig. 1. For example, in some embodiments, the traffic-based vulnerability detection validation method of FIG. 1 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 300 via ROM302 and/or communication unit 309. When loaded into RAM303 and executed by computing unit 301, may perform one or more of the steps of the traffic-based vulnerability detection validation method described above. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the traffic-based vulnerability detection validation method of fig. 1 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may be implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present invention may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of the present invention, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), an optical fiber, a Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A traffic-based vulnerability detection confirmation method, characterized by comprising the following steps:
collecting network interface traffic of a target server, wherein the network interface traffic comprises a request message and a response message;
parsing the request message and the response message in the network interface traffic to obtain a traffic feature corresponding to the request message and a traffic feature corresponding to the response message;
performing matching identification in a preset vulnerability attack feature library and a preset vulnerability response feature library based on the traffic feature corresponding to the request message and the traffic feature corresponding to the response message, generating a vulnerability attack alarm and a vulnerability response alarm, and writing them into an alarm table;
and when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability, determining that the target server has the corresponding vulnerability and that the vulnerability has been exploited.
2. The method of claim 1, further comprising:
and when a data stream of the same channel corresponding to the vulnerability attack alarm exists in the traffic feature corresponding to the parsed response message, determining that the target server has the corresponding vulnerability and that the vulnerability has been exploited.
3. The method of claim 1, wherein, when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability, determining that the target server has the corresponding vulnerability and that the vulnerability has been exploited comprises:
and when the identifier of the vulnerability attack alarm and the identifier of the vulnerability response alarm in the alarm table correspond to the same vulnerability, determining that the target server has the corresponding vulnerability and that the vulnerability has been exploited.
4. The method of claim 1, further comprising:
determining the severity level of the vulnerability, based on a preset vulnerability scoring system, according to the vulnerability attack alarm and the vulnerability response alarm corresponding to the same vulnerability in the alarm table;
and generating alarm prompt information corresponding to the vulnerability according to the vulnerability attack alarm count, the vulnerability response alarm count and the severity level of the vulnerability corresponding to the same vulnerability in the alarm table, and displaying the alarm prompt information.
5. The method according to claim 4, wherein generating alarm prompt information corresponding to the vulnerability according to the vulnerability attack alarm count, the vulnerability response alarm count and the severity level of the vulnerability corresponding to the same vulnerability in the alarm table comprises:
determining the alarm level of the vulnerability according to the vulnerability attack alarm count and the vulnerability response alarm count corresponding to the same vulnerability in the alarm table and a preset relation table between alarm levels and alarm counts;
and generating the alarm prompt information corresponding to the vulnerability according to the alarm level and the severity level of the vulnerability.
6. The method of claim 1, wherein parsing the request message and the response message in the network interface traffic comprises:
performing Deep Packet Inspection (DPI) on the request message and the response message in the network interface traffic.
7. A traffic-based vulnerability detection confirmation apparatus, characterized in that the apparatus comprises:
an acquisition module, configured to collect network interface traffic of a target server, wherein the network interface traffic comprises a request message and a response message;
a parsing module, configured to parse the request message and the response message in the network interface traffic to obtain a traffic feature corresponding to the request message and a traffic feature corresponding to the response message;
an alarm generating module, configured to perform matching identification in a preset vulnerability attack feature library and a preset vulnerability response feature library based on the traffic feature corresponding to the request message and the traffic feature corresponding to the response message, generate a vulnerability attack alarm and a vulnerability response alarm, and write the vulnerability attack alarm and the vulnerability response alarm into an alarm table;
and a determining module, configured to determine that the target server has the corresponding vulnerability and that the vulnerability has been exploited when the alarm table comprises a vulnerability attack alarm and a vulnerability response alarm corresponding to the same vulnerability.
8. The apparatus according to claim 7, wherein the determining module is further configured to determine that the target server has the corresponding vulnerability and that the vulnerability has been exploited when a data stream of the same channel corresponding to the vulnerability attack alarm exists in the traffic feature corresponding to the parsed response message.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method according to any one of claims 1-6.
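The alarm-table correlation of claims 1 to 5, as an added Python illustration that is not code from the patent or its assignee. The signature libraries, severity table, level thresholds, channel identifiers and sample messages are all constructed placeholders, and the message text stands in for the traffic features a DPI stage would extract.

```python
import re
from collections import defaultdict

# Constructed placeholder libraries standing in for the preset vulnerability attack feature
# library (matched on request features) and vulnerability response feature library
# (matched on response features); dictionary keys are vulnerability identifiers.
ATTACK_FEATURES = {"VULN-A": re.compile(r"probe-pattern-A"), "VULN-B": re.compile(r"probe-pattern-B")}
RESPONSE_FEATURES = {"VULN-A": re.compile(r"leak-marker-A"), "VULN-B": re.compile(r"leak-marker-B")}
# Constructed severity table standing in for the preset vulnerability scoring system (claim 4).
SEVERITY = {"VULN-A": "high", "VULN-B": "medium"}
# Constructed relation table between combined alarm count and alarm level (claim 5):
# the level is the highest entry whose count threshold has been reached.
LEVEL_THRESHOLDS = [(1, "low"), (3, "medium"), (6, "high")]

def build_alarm_table(records):
    """Records are constructed (channel, request_text, response_text) triples; the text stands
    in for the parsed traffic feature a DPI stage would produce (claim 6). Each alarm is a
    (kind, vuln_id, channel) tuple with kind "attack" or "response"."""
    table = []
    for channel, request, response in records:
        for vuln_id, pattern in ATTACK_FEATURES.items():
            if pattern.search(request):
                table.append(("attack", vuln_id, channel))
        for vuln_id, pattern in RESPONSE_FEATURES.items():
            if pattern.search(response):
                table.append(("response", vuln_id, channel))
    return table

def confirmed_exploited(table):
    """Claims 1 and 3: both an attack alarm and a response alarm exist for the same vulnerability."""
    kinds = defaultdict(set)
    for kind, vuln_id, _ in table:
        kinds[vuln_id].add(kind)
    return sorted(v for v, k in kinds.items() if {"attack", "response"} <= k)

def confirmed_same_channel(table):
    """Claim 2: the response alarm is seen on the same channel as the attack alarm (stricter)."""
    attacked = {(v, c) for kind, v, c in table if kind == "attack"}
    return sorted({v for kind, v, c in table if kind == "response" and (v, c) in attacked})

def alarm_level(attack_count, response_count):
    """Claim 5: map the counts to an alarm level via the relation table; None below every threshold."""
    level = None
    for threshold, name in LEVEL_THRESHOLDS:
        if attack_count + response_count >= threshold:
            level = name
    return level

def alarm_prompts(table):
    """Claims 4 and 5: for each confirmed vulnerability, its counts, alarm level and severity."""
    counts = defaultdict(lambda: {"attack": 0, "response": 0})
    for kind, vuln_id, _ in table:
        counts[vuln_id][kind] += 1
    prompts = {}
    for vuln_id in confirmed_exploited(table):
        atk, rsp = counts[vuln_id]["attack"], counts[vuln_id]["response"]
        prompts[vuln_id] = {"attack_alarms": atk, "response_alarms": rsp,
                            "alarm_level": alarm_level(atk, rsp), "severity": SEVERITY[vuln_id]}
    return prompts

# Constructed sample traffic: VULN-A is probed twice and answered on the first channel;
# VULN-B is probed on one channel while a matching response appears only on another.
SAMPLE_TRAFFIC = [
    ("c1", "GET /x?q=probe-pattern-A", "200 leak-marker-A"),
    ("c2", "GET /x?q=probe-pattern-A", "403 denied"),
    ("c3", "GET /y?q=probe-pattern-B", "404 not found"),
    ("c4", "GET /z", "200 leak-marker-B"),
]
```

On the sample, the claim 1 rule confirms both vulnerabilities while the claim 2 same-channel rule confirms only VULN-A, which is the practical difference between the two tests: a stray response marker on an unrelated channel does not pair with an attack under claim 2.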

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211229440.5A CN115314322A (en) 2022-10-09 2022-10-09 Vulnerability detection confirmation method, device, equipment and storage medium based on flow


Publications (1)

Publication Number Publication Date
CN115314322A true CN115314322A (en) 2022-11-08

Family

ID=83866356


Country Status (1)

Country Link
CN (1) CN115314322A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801468A (en) * 2023-02-09 2023-03-14 南京聚铭网络科技有限公司 Zero-day vulnerability attack detection method and device and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070094735A1 (en) * 2005-10-26 2007-04-26 Cohen Matthew L Method to consolidate and prioritize web application vulnerabilities
CN107659583A (en) * 2017-10-27 2018-02-02 深信服科技股份有限公司 A kind of method and system attacked in detection thing
CN110881043A (en) * 2019-11-29 2020-03-13 杭州迪普科技股份有限公司 Method and device for detecting web server vulnerability
CN111049784A (en) * 2018-10-12 2020-04-21 北京奇虎科技有限公司 Network attack detection method, device, equipment and storage medium
CN112819336A (en) * 2021-02-03 2021-05-18 国家电网有限公司 Power monitoring system network threat-based quantification method and system
CN113114680A (en) * 2021-04-13 2021-07-13 中国工商银行股份有限公司 Detection method and detection device for file uploading vulnerability
CN113472803A (en) * 2021-07-13 2021-10-01 杭州安恒信息技术股份有限公司 Vulnerability attack state detection method and device, computer equipment and storage medium
CN114070629A (en) * 2021-11-16 2022-02-18 南京南瑞信息通信科技有限公司 Safety arrangement and automatic response method, device and system for APT (advanced persistent threat) attack
CN114417349A (en) * 2021-12-20 2022-04-29 深信服科技股份有限公司 Attack result determination method, device, electronic equipment and storage medium
CN114465710A (en) * 2022-01-21 2022-05-10 安徽华云安科技有限公司 Vulnerability detection method, device, equipment and storage medium based on flow
CN114817934A (en) * 2022-05-13 2022-07-29 扬州大学 Vulnerability severity assessment method and system based on vulnerability event argument



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221108