CN115426181A - Network intrusion detection method and related equipment - Google Patents

Network intrusion detection method and related equipment

Info

Publication number: CN115426181A
Application number: CN202211063627.2A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 刘杰
Current assignee: Wuhan Sipuling Technology Co Ltd
Original assignee: Wuhan Sipuling Technology Co Ltd
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202211063627.2A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers


Abstract

The embodiment of the application provides a network intrusion detection method and related equipment. It mainly aims to solve the problems of the current intrusion detection mode based on plaintext transmission: encoding-obfuscation evasion techniques cannot be detected accurately, and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding or several encoding modes at once cannot be detected and the attacker evades detection. The method comprises the following steps: carrying out conventional detection on the target message information; performing URL normalization detection on the target message information that has passed conventional detection; decoding the target message information subjected to URL normalization detection; and matching the decoded target message information against a preset rule base according to a preset rule.

Description

Network intrusion detection method and related equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a network intrusion detection method and related devices.
Background
With the development of the internet, network security receives more and more attention, and a series of security protection products has appeared; common products on the market include IDS, IPS, WAF and the like. Meanwhile, the attack means and attack modes of attackers are continuously upgraded in response. In the current intrusion detection mode based on plaintext transmission, the content of a data packet is matched as a character string against the rule base of the intrusion detection system, and corresponding alarm information is generated when matching content is found.
However, such a detection method does not always fit the service completely: it can only analyse one or two layers of URL encoding or Base64 encoding, so attacks that use a special encoding or several encoding modes cannot be detected, and the attacker achieves the purpose of evading detection.
Disclosure of Invention
In view of the above problems, the present invention provides a network intrusion detection method and related devices, and aims to solve the problems that, in the current intrusion detection method based on plaintext transmission, encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding mode or several encoding modes cannot be detected and the attacker evades detection. In order to solve at least one of the above technical problems, in a first aspect, the present invention provides a network intrusion detection method, including:
carrying out conventional detection on target message information;
performing URL normative detection on the target message information after the conventional detection;
decoding the target message information subjected to the URL normalization detection;
and matching the target message information subjected to decoding operation with a preset rule base according to a preset rule.
Optionally, the method further includes:
if the target message information passes the URL normative detection, performing multi-layer encoding and decoding;
and if the target message information fails the URL normative detection, performing special encoding and decoding.
Optionally, if the target packet information passes the URL normative detection, performing multi-layer encoding and decoding includes:
judging whether URL coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of URL coding information is determined by whether the target message information contains "%";
judging whether Base64 coded information exists; if so, marking it correspondingly and transmitting the marked information to a decoding area for decoding, wherein the presence of Base64 coded information is determined by whether the target message information contains character strings composed of digits and letters, "+" and "/", with a "=" symbol as suffix;
judging whether Unicode coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of Unicode coding information is determined by whether the message contains character strings of the form "&#" followed by digits and terminated by ";" (for example "&#119;");
judging whether MD5 encrypted coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of MD5 encrypted coding information is determined by whether the message contains a hexadecimal character string with a fixed length of 32 characters.
Optionally, the method further includes:
performing the corresponding classified decoding on the correspondingly marked information;
detecting secondary encoding information based on the result of the classified decoding;
and marking again according to the detected secondary encoding information, repeating until the target message information corresponds to no mark.
Optionally, if the target packet information does not meet the URL normative detection, performing special encoding and decoding, including:
comparing and analysing the captured sample data;
obtaining the encoding rule of the target message information by comparison after encoding and decoding;
and performing decryption and escape conversion according to the encoding rule of the target message information to obtain the real message content or ASCII code information, and decoding again.
Optionally, the method further includes:
if the result of conventional detection of the target message information is an attack message that has not been obfuscated by encoding, directly performing a blocking operation on the target message and generating warning information;
if the result of conventional detection of the target message information is an encoding-obfuscated attack message, performing mixed decoding and/or escape-then-decode operations on the target message multiple times;
and matching the message information obtained after these operations against the preset rule feature base, and performing a blocking operation if it matches a preset rule feature in the rule base.
Optionally, the method further includes:
the conventional detection is intrusion detection based on plaintext transmission, realized by matching the information content of the target message as a character string against the rule base of an intrusion detection system;
the preset rule base is obtained from the existing intrusion detection system;
and the URL normative detection performs URL encoding normativity and validity detection on the target message information that was not detected by the intrusion detection.
In a second aspect, an embodiment of the present invention further provides a management apparatus for network intrusion detection, including:
a reading unit, configured to read the target packet information;
the analysis unit is used for decoding the read target message information after judging the coding type;
the detection unit is used for detecting the URL normalization of the target message and detecting whether the target message information decoded by the analysis unit is matched with a preset rule in a preset rule base or not so as to determine to perform blocking or releasing operation;
and the matching unit is used for matching the target message information subjected to the decoding operation with a preset rule base according to a preset rule.
To achieve the above object, according to a third aspect of the present invention, there is provided a computer-readable storage medium including a stored program, wherein the method of network intrusion detection described above is implemented when the program is executed by a processor.
In order to achieve the above object, according to a fourth aspect of the present invention, there is provided an electronic device comprising at least one processor, and at least one memory connected to the processor; the processor is used for calling the program instructions in the memory and executing the network intrusion detection method.
By means of the above technical scheme, the network intrusion detection method and related equipment provided by the invention address the problems of the current intrusion detection mode based on plaintext transmission, namely that encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding or multiple encoding modes cannot be detected and the attacker evades detection. The method performs URL normalization detection on the target message information after conventional detection, decodes the target message information subjected to URL normalization detection, and matches the decoded target message information against a preset rule base according to a preset rule.
Accordingly, the management apparatus, device and computer-readable storage medium for network intrusion detection provided by the embodiments of the present invention also have the above technical effects.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic flow chart illustrating a network intrusion detection method according to an embodiment of the present invention;
FIG. 2 is a block diagram illustrating a network intrusion detection device according to an embodiment of the present invention;
FIG. 3 is a block diagram illustrating a network intrusion detection electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
In order to solve the problems that, in the current intrusion detection mode based on plaintext transmission, encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding or multiple encoding modes cannot be detected, the embodiment of the invention provides a network intrusion detection method which, as shown in FIG. 1, comprises the following steps:
s101, carrying out conventional detection on target message information.
During normal operation, a user initiates a request to the server, and after receiving the request the server returns a message containing the information the user requires to the user's client. An attacker who tries to acquire user privacy information or server information can intercept the traffic between the client and the server, modify the originally transmitted parameters into the information the attacker wants to acquire, and then launch an attack attempt.
Therefore, the message at this point is first inspected by the DPI equipment to identify the protocols and application information, and then by the IPS, which parses key fields such as the URI from the message flowing through the IPS engine. The URI content alone cannot tell whether an attack instruction is present, so the engine searches for the URI content in the IPS rule base; if a matching rule is found in the rule base, the URI content carries an attack instruction. At this point the engine tells the device to block the action and generate a log.
S102, carrying out URL standard detection on the target message information after the conventional detection.
In order to avoid detection, an attacker can break the normativity of the URL with a series of disguise and obfuscation techniques. Here the URL is judged first and coarse obfuscation or escape patterns in the URL are detected, so that the corresponding processing can be performed.
S103, decoding the target message information subjected to the URL normalization detection.
Decoding in a special encoding mode: an attacker can encode using variable replacement, character-string arrays and other obfuscation techniques. A certain number of samples is collected, the alphabet or replacement scheme corresponding to the samples is analysed from the regularities among the decoded characters, the original content is restored through this code table, and the decoding and matching operation is performed again.
Multi-layer encoding and decoding: to evade detection of the attack action, an attacker encodes the attack content multiple times, or mixes several encoding modes, to achieve evasion. The corresponding decoding operation is performed according to the detected character information, and the above detection is repeated cyclically until the data is completely decoded, after which it is matched against the preset rules in the preset rule base.
And S104, matching the target message information subjected to the decoding operation with a preset rule base according to a preset rule.
By means of the above technical scheme, the network intrusion detection method provided by the invention addresses the problems of the current intrusion detection mode based on plaintext transmission, namely that encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL (uniform resource locator) encoding or Base64 encoding can be analysed, so that attacks using a special encoding or multiple encoding modes cannot be detected and the attacker evades detection. The method performs URL normalization detection on the target message information after conventional detection, decodes the target message information subjected to URL normalization detection, and matches the decoded target message information against a preset rule base according to a preset rule.
In some embodiments, the above method further comprises:
if the target message information passes the URL normative detection, performing multi-layer encoding and decoding;
and if the target message information fails the URL normative detection, performing special encoding and decoding.
For example, determining whether the target packet information passes the URL normative detection may include checking with a regular expression whether the URL is legal; the code is as follows:
[Figures: regular-expression code for the URL legality check; the listing appears only as images in the source.]
in some embodiments, if the target packet information complies with the URL normative detection, then performing multi-layer encoding and decoding, including:
judging whether URL coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of URL coding information is determined by whether the target message information contains "%";
URL encoding is a format for converting special characters in URLs that are not ASCII characters into a well-defined representation generally accepted by Web browsers and servers, because URLs can only be transmitted between Web browsers and servers using the ASCII character set (expressed in hexadecimal). If a URL contains characters outside the ASCII set, they must be converted to ASCII characters before the URL can be transmitted. In URL encoding, such a character is replaced with "%" followed by its value in hexadecimal.
Illustratively, the target packet is: www.baidu.com/123
After URL encoding: www.baidu.com%20%2F123
Here the space is replaced with %20 and "/" is replaced with %2F, since the position of the space in the ASCII character set is 20 in hexadecimal. Therefore %20 may be used instead of a space when passing the request to the server. Furthermore, in the encoding detection pool, if the data packet is detected to contain character information such as %20 or %2F, it is determined that URL encoding is used, that is, the URL encoding tag is marked, and the data packet is sent to the corresponding decoding area for decoding.
judging whether Base64 coded information exists; if so, marking it correspondingly and transmitting the marked information to a decoding area for decoding, wherein the presence of Base64 coded information is determined by whether the target message information contains character strings composed of digits and letters, "+" and "/", with a "=" symbol as suffix;
Base64 encoding encodes any byte sequence into an ASCII string using 64 printable ASCII characters (A-Z, a-z, 0-9, "+", "/"), with the "=" symbol used as a padding suffix. Base64 splits the input into bytes, obtains the binary value of each byte (padded with leading zeros to 8 bits), concatenates these binary values, regroups them into 6-bit groups (because 2^6 = 64), and pads the last group with zeros at the end if it has fewer than 6 bits. Each 6-bit group is converted to decimal, the corresponding symbol is looked up in the table, and the symbols are concatenated to form the Base64 result.
Illustratively, the target packet is: www.baidu.com
After Base64 encoding: d3d3LmJhaWR1LmNvbQ==
Therefore, in the encoding detection pool, when a character string in the data packet is detected to be a combination of digits and letters, "+" and "/" with a "=" symbol as suffix, the data packet is judged to be Base64-encoded, that is, it is labelled with the Base64 tag and sent to the corresponding decoding area for decoding.
judging whether Unicode coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of Unicode coding information is determined by whether the message contains character strings of the form "&#" followed by digits and terminated by ";" (for example "&#119;");
Unicode is a character encoding scheme that assigns a uniform and unique binary code to each character in each language, to meet the requirements of cross-language and cross-platform text conversion and processing.
Unicode is established by an international organization and can accommodate all the characters and symbols in the world. Current Unicode characters are organized into 17 groups covering 0x0000 to 0x10FFFF; each group is called a plane, each plane has 65536 code points, for a total of 1114112.
Illustratively, the target packet is: www.baidu.com
After Unicode encoding (as decimal numeric character references):
&#119;&#119;&#119;&#46;&#98;&#97;&#105;&#100;&#117;&#46;&#99;&#111;&#109;
Therefore, in the encoding detection pool, when a character string in the data packet is detected to be in the "&#119;" format, that is, "&#" followed by digits with ";" as suffix, it is determined that Unicode encoding is used, that is, it is labelled with the Unicode tag and sent to the corresponding decoding area for decoding.
judging whether MD5 encrypted coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of MD5 encrypted coding information is determined by whether the message contains a hexadecimal character string with a fixed length of 32 characters. An MD5 code is a 128-bit feature code obtained by mathematically transforming the original information according to the published MD5 algorithm; the feature code is irreversible and highly dispersed. MD5 codes are typically used for encrypted storage of passwords, digital signatures, file integrity verification and the like. The MD5 algorithm is a one-way encryption means, belonging to hash encryption in the field of computer security, and uses a hash algorithm. The output of MD5 is a character string of fixed length, 32 characters: MD5 turns the original data into a 16-byte array, and that array represented in hexadecimal is the final result.
Illustratively, the target packet is: www.baidu.com
After MD5 encryption coding: dab19e82e1f9a681ee73346d3e7a575e
Therefore, in the encoding detection pool, when a character string in the data packet is detected to be a hexadecimal string with a fixed length of 32 characters, it is determined that MD5 encryption coding is used, that is, it is labelled with the MD5 tag and sent to the corresponding decoding area for decoding.
In some embodiments, the above method further comprises:
performing the corresponding classified decoding on the correspondingly marked information;
detecting secondary encoding information based on the result of the classified decoding;
and marking again according to the detected secondary encoding information, repeating until the target message information corresponds to no mark.
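The URL legality check of the figure above, the four-marker encoding detection pool and the mark/decode/re-detect loop, as one added Python example (not the patent's or the applicant's code): the regular expression standing in for the figure, the tag names, the rule signatures and the sample request are constructed for illustration.

```python
import base64
import binascii
import html
import re
from urllib.parse import quote, unquote

# Constructed stand-in for the URL-legality regular expression that the patent
# shows only as a figure: RFC 3986 characters, each '%' followed by two hex digits.
URL_NORMATIVE_RE = re.compile(
    r"^(?:[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=-]|%[0-9A-Fa-f]{2})+$")

# Markers of the four encodings the patent tags in its "encoding detection pool".
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")           # URL encoding: '%' + hex
ENTITY_RE = re.compile(r"&#\d+;")                     # "&#119;"-style references
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]+=*")            # candidate Base64 / hex runs
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={1,2}$")  # letters, digits, +, / with '=' suffix
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")             # fixed-length 32 hex characters

# Constructed rule base: plaintext signatures matched only after full decoding.
RULE_BASE = ("union select", "../", "<script")
MAX_LAYERS = 8  # bound on nested layers so a hostile stream cannot spin the loop


def url_is_normative(url: str) -> bool:
    """URL normativity/legality check (step S102)."""
    return URL_NORMATIVE_RE.fullmatch(url) is not None


def _base64_tokens(text: str):
    for token in TOKEN_RE.findall(text):
        if BASE64_RE.match(token) and len(token) % 4 == 0:
            yield token


def detect_tags(text: str) -> set:
    """Encoding detection pool: return every tag whose marker is present."""
    tags = set()
    if PERCENT_RE.search(text):
        tags.add("url")
    if ENTITY_RE.search(text):
        tags.add("unicode")
    if next(_base64_tokens(text), None) is not None:
        tags.add("base64")
    if any(MD5_RE.match(t) for t in TOKEN_RE.findall(text)):
        tags.add("md5")
    return tags


def decode_layer(text: str, tags: set) -> str:
    """Decoding area: strip one layer of each tagged, reversible encoding."""
    if "url" in tags:
        text = unquote(text)
    if "unicode" in tags:
        text = html.unescape(text)   # resolves numeric character references
    if "base64" in tags:
        for token in list(_base64_tokens(text)):
            try:
                plain = base64.b64decode(token, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue             # Base64-shaped but not decodable: keep as is
            if plain.isprintable():
                text = text.replace(token, plain)
    # "md5" is a one-way digest: it is tagged for the analyst but never decoded,
    # so the loop below must not wait for that tag to disappear.
    return text


def inspect(request: str) -> dict:
    """S102-S104: normativity check, mark/decode/re-detect loop, rule matching."""
    layers, text = [], request
    for _ in range(MAX_LAYERS):
        tags = detect_tags(text) - {"md5"}
        if not tags:
            break                    # no mark left: fully decoded
        decoded = decode_layer(text, tags)
        if decoded == text:
            break                    # marker present but nothing decodable: stop
        layers.append(sorted(tags))
        text = decoded
    lowered = text.lower()
    return {
        "normative": url_is_normative(request),
        "layers": layers,
        "decoded": text,
        "md5_tagged": "md5" in detect_tags(request),
        "matched": [sig for sig in RULE_BASE if sig in lowered],
    }


# Constructed sample: a signature hidden under Base64 and then URL encoding.
PAYLOAD = "id=1 union select 1,2,3"
SAMPLE_REQUEST = "/search?q=" + quote(base64.b64encode(PAYLOAD.encode()).decode(), safe="")

if __name__ == "__main__":
    print(inspect(SAMPLE_REQUEST))
```

The loop also exits when a marker is present but nothing decodes (for example a run that merely looks like Base64), which keeps a stream of hostile markers from spinning it.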
In an embodiment, if the target packet information does not meet the URL normative detection, performing special encoding and decoding, further includes:
comparing and analysing the captured sample data;
obtaining the encoding rule of the target message information by comparison after encoding and decoding;
and performing decryption and escape conversion according to the encoding rule of the target message information to obtain the real message content or ASCII code information, and decoding again.
Further, as an implementation of the method shown in fig. 1, an embodiment of the present invention further provides a network intrusion detection apparatus, which is used for implementing the method shown in fig. 1. The embodiment of the apparatus corresponds to the embodiment of the method, and for convenience of reading, details in the embodiment of the apparatus are not repeated one by one, but it should be clear that the apparatus in the embodiment can correspondingly implement all the contents in the embodiment of the method. As shown in fig. 2, the apparatus includes: a reading unit 21, an analyzing unit 22 and a detecting unit 23, wherein
A reading unit 21, configured to read the target packet information;
the analysis unit 22 is configured to decode the read target message information after determining the coding type;
a detecting unit 23, configured to detect the URL normalization of the target packet, and detect whether the target packet information decoded by the parsing unit matches a preset rule in a preset rule base, so as to determine to perform a blocking or releasing operation;
and a matching unit 24, configured to perform matching according to a preset rule on the decoded target packet information and a preset rule base.
By means of the above technical scheme, the network intrusion detection device provided by the invention addresses the problems of the current intrusion detection mode based on plaintext transmission, namely that encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding or multiple encoding modes cannot be detected and the attacker evades detection. The device performs URL normalization detection on the target message information after conventional detection, decodes the target message information subjected to URL normalization detection, and matches the decoded target message information against a preset rule base according to a preset rule.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. There can be one or more kernels. By adjusting the kernel parameters, the network intrusion detection method is implemented, thereby solving the problems that, in the current intrusion detection mode based on plaintext transmission, encoding-obfuscation evasion techniques cannot be detected accurately and only one or two layers of URL encoding or Base64 encoding can be analysed, so that attacks using a special encoding or multiple encoding modes cannot be detected and the attacker evades detection.
An embodiment of the present invention provides a computer-readable storage medium, where the computer-readable storage medium includes a stored program, and the program is executed by a processor to implement the network intrusion detection method.
The embodiment of the invention provides a processor, which is used for running a program, wherein the network intrusion detection method is executed when the program runs.
The embodiment of the invention provides electronic equipment, which comprises at least one processor and at least one memory connected with the processor; the processor is configured to call the program instruction in the memory, and execute the following network intrusion detection method:
carrying out conventional detection on target message information;
performing URL standard detection on the target message information after the conventional detection;
decoding the target message information subjected to the URL normalization detection;
and matching the target message information subjected to decoding operation with a preset rule base according to a preset rule.
Optionally, the method further includes:
if the target message information passes the URL normative detection, performing multi-layer encoding and decoding;
and if the target message information fails the URL normative detection, performing special encoding and decoding.
Optionally, if the target packet information passes the URL normative detection, performing multi-layer encoding and decoding includes:
judging whether URL coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of URL coding information is determined by whether the target message information contains "%";
judging whether Base64 coded information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of Base64 coded information is determined by whether the character strings contained in the target message information are composed of digits and letters, "+" and "/", with a "=" symbol as suffix;
judging whether Unicode coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of Unicode coding information is determined by whether the message contains character strings of the form "&#" followed by digits and terminated by ";" (for example "&#119;");
judging whether MD5 encrypted coding information exists; if so, marking it correspondingly and transmitting it to a decoding area for decoding, wherein the presence of MD5 encrypted coding information is determined by whether the message contains a hexadecimal character string with a fixed length of 32 characters.
Optionally, the method further includes:
performing the corresponding classified decoding on the correspondingly marked information;
detecting secondary encoding information based on the result of the classified decoding;
and marking again according to the detected secondary encoding information, repeating until the target message information corresponds to no mark.
Optionally, if the target packet information does not meet the URL normative detection, performing special encoding and decoding, including:
comparing and analyzing the captured sample data;
obtaining the encoding rule of the target message information by comparison after encoding and decoding the samples;
and decrypting and unescaping the target message information according to that encoding rule to obtain the real message content or its ASCII code information, and decoding again.
Optionally, the method further includes:
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has not been obfuscated, directly performing a blocking operation on the target message and generating warning information;
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has been obfuscated, performing mixed decoding and/or unescaping-then-decoding operations on the target message multiple times;
matching the message information obtained after those operations with the preset rule feature library, and if the message information matches a preset rule feature in the rule library, performing a blocking operation.
Optionally, the method further includes:
the conventional detection is intrusion detection based on plaintext transmission;
the intrusion detection is realized by matching the information content of the target message as character strings against a rule base of an intrusion detection system;
the preset rule base is obtained from an existing intrusion detection system;
and the URL normative detection performs URL coding normativity and validity detection on target message information that was not detected by the intrusion detection.
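The pipeline described above (conventional plaintext rule matching, a URL normativity check, the mark/decode/re-detect loop, and a final rule match that decides block or release) can be sketched in code. The following Python is an added example written for this page; it is not the patent's own code and not from the applicant. Its assumptions: the rule base is the small constructed RULES dictionary rather than a real IDS rule set; the decode loop is capped at MAX_DEPTH rounds; a malformed percent-encoding is reported for analyst review instead of going through the sample-comparison "special decoding", which is not implemented here; and a 32-character hexadecimal string is only marked, since a hash digest cannot be decoded. The sample payloads in the test are constructed.

```python
"""Layered decode-then-match inspection of HTTP payloads (added example).

Assumptions not taken from the patent: RULES is a constructed stand-in for
the preset rule base, MAX_DEPTH caps the decode loop, a malformed
percent-encoding is reported rather than specially decoded, and an MD5-shaped
hex string is marked only (a digest cannot be inverted).
"""
from __future__ import annotations

import base64
import binascii
import re
import urllib.parse

MAX_DEPTH = 10  # assumed cap so a payload that re-encodes itself cannot spin forever

# Constructed stand-in for the "preset rule base" of an intrusion detection system.
RULES = {
    "sqli_union_select": re.compile(r"union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "xss_script_tag": re.compile(r"<script", re.I),
}

# Markers for the four encoding classes named in the description.
URL_RE = re.compile(r"%[0-9A-Fa-f]{2}")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{4,}={1,2}(?![A-Za-z0-9+/=])")
ENTITY_RE = re.compile(r"&#(\d+);")
MD5_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")


def url_is_normative(text: str) -> bool:
    """URL normativity check: every '%' must begin a well-formed %XX escape."""
    return all(URL_RE.match(text, i) for i, ch in enumerate(text) if ch == "%")


def _b64_valid(token: str) -> bool:
    if len(token) % 4:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def mark_encodings(text: str) -> list[str]:
    """Return the marks present, in the order the description lists them."""
    marks = []
    if URL_RE.search(text):
        marks.append("url")
    if any(_b64_valid(m.group(0)) for m in B64_RE.finditer(text)):
        marks.append("base64")
    if ENTITY_RE.search(text):
        marks.append("unicode")
    if MD5_RE.search(text):
        marks.append("md5")
    return marks


def _decode_b64_token(m: re.Match) -> str:
    token = m.group(0)
    if not _b64_valid(token):
        return token  # leave non-Base64 lookalikes (e.g. "name=") untouched
    return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")


def _decode_entity(m: re.Match) -> str:
    code = int(m.group(1))
    return chr(code) if code <= 0x10FFFF else m.group(0)


def decode_once(text: str, marks: list[str]) -> str:
    """Classified decoding: one pass per mark. The md5 mark has no decoder."""
    if "url" in marks:
        text = urllib.parse.unquote(text)
    if "base64" in marks:
        text = B64_RE.sub(_decode_b64_token, text)
    if "unicode" in marks:
        text = ENTITY_RE.sub(_decode_entity, text)
    return text


def decode_layers(text: str) -> tuple[str, list[list[str]]]:
    """Mark, decode, re-detect, until no mark applies or the depth cap is hit."""
    trail = []
    for _ in range(MAX_DEPTH):
        marks = mark_encodings(text)
        if not marks:
            break
        trail.append(marks)
        decodable = [m for m in marks if m != "md5"]
        if not decodable:
            break
        new_text = decode_once(text, decodable)
        if new_text == text:  # no progress: stop instead of looping
            break
        text = new_text
    return text, trail


def match_rules(text: str) -> list[str]:
    return [name for name, rx in RULES.items() if rx.search(text)]


def inspect(payload: str) -> dict:
    """Conventional detection, then URL normativity, then layered decode and re-match."""
    plain_hits = match_rules(payload)
    if plain_hits:  # unobfuscated attack message: block and alert directly
        return {"action": "block", "alert": True, "stage": "plaintext",
                "rules": plain_hits, "trail": []}
    if not url_is_normative(payload):  # malformed escapes: reported for review (assumption)
        return {"action": "alert", "alert": True, "stage": "url-normativity",
                "rules": [], "trail": []}
    decoded, trail = decode_layers(payload)
    hits = match_rules(decoded)
    if hits:
        return {"action": "block", "alert": True, "stage": "decoded",
                "rules": hits, "trail": trail}
    return {"action": "release", "alert": False, "stage": "decoded",
            "rules": [], "trail": trail}
```

The `trail` field records which marks fired in each round, which is the evidence an analyst needs when a block is triggered only after decoding; a payload that is percent-encoded Base64 yields `[["url"], ["base64"]]`. The Base64 and hex markers are heuristics by nature (a form field such as `name=` looks like Base64 to a regex), so the example validates each Base64 token before marking it and only marks a hex string without attempting to decode it.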
An embodiment of the present invention provides an electronic device 30, as shown in fig. 3. The electronic device includes at least one processor 301, at least one memory 302 connected to the processor, and a bus 303; the processor 301 and the memory 302 communicate with each other over the bus 303; and the processor 301 is configured to call program instructions in the memory to perform the network intrusion detection method described above.
The electronic device herein may be a PC, a PAD, a mobile phone, or the like.
The present application further provides a computer program product adapted, when executed on a flow management electronic device, to perform a program that initializes the following method steps:
carrying out conventional detection on target message information;
performing URL standard detection on the target message information after the conventional detection;
decoding the target message information subjected to the URL normalization detection;
and matching the target message information subjected to decoding operation with a preset rule base according to a preset rule.
Optionally, the method further includes:
if the target message information conforms to the URL normative detection, performing multi-layer encoding and decoding;
and if the target message information does not conform to the URL normative detection, performing special encoding and decoding.
Optionally, if the target packet information conforms to the URL normative detection, performing multi-layer encoding and decoding includes:
judging whether URL coding information exists or not; if so, marking it correspondingly and transmitting it to a decoding area for a decoding operation, wherein the URL coding information is determined according to whether the target message information contains "%";
judging whether Base64 coded information exists or not; if so, marking it correspondingly and transmitting it to the decoding area for decoding, wherein the Base64 coded information is determined by judging whether a character string contained in the target message information consists of digits, letters, "+" and "/" and carries a "=" symbol as a suffix;
judging whether Unicode coding information exists or not; if so, marking it correspondingly and transmitting it to the decoding area for a decoding operation, wherein the Unicode coding information is determined according to whether the message contains character strings of the form "&#119" or "&#" followed by digits, combined with a ";" suffix;
judging whether MD5 encrypted coding information exists; if so, marking it correspondingly and transmitting it to the decoding area for a decoding operation, wherein the MD5 encrypted coding information is determined according to whether the message contains a hexadecimal character string with a fixed length of 32 characters.
Optionally, the method further includes:
performing classified decoding on the marked information according to its mark;
performing a second round of encoded-information detection on the decoded result;
and marking again according to the result of that second detection, repeating until the target message information corresponds to no mark.
Optionally, if the target packet information does not meet the URL normative detection, performing special encoding and decoding, including:
comparing and analyzing the captured sample data;
obtaining the encoding rule of the target message information by comparison after encoding and decoding the samples;
and decrypting and unescaping the target message information according to that encoding rule to obtain the real message content or its ASCII code information, and decoding again.
Optionally, the method further includes:
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has not been obfuscated, directly performing a blocking operation on the target message and generating warning information;
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has been obfuscated, performing mixed decoding and/or unescaping-then-decoding operations on the target message multiple times;
matching the message information obtained after those operations with the preset rule feature library, and if the message information matches a preset rule feature in the rule library, performing a blocking operation.
Optionally, the method further includes:
the conventional detection is intrusion detection based on plaintext transmission;
the intrusion detection is realized by matching the information content of the target message as character strings against a rule base of an intrusion detection system;
the preset rule base is obtained from an existing intrusion detection system;
and the URL normative detection performs URL coding normativity and validity detection on target message information that was not detected by the intrusion detection.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, electronic devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable flow management electronic device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable flow management electronic device, create means for implementing the functions specified in the flow diagram flow or flows and/or block diagram block or blocks.
In a typical configuration, an electronic device includes one or more processors (CPUs), memory, and a bus. The electronic device may also include input/output interfaces, network interfaces, and the like.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), including at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer-readable storage media include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage electronic devices, or any other non-transmission medium that can be used to store information accessible by a computing electronic device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or electronic device that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or electronic device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or electronic device that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present application shall be included in the scope of the claims of the present application.

Claims (10)

1. A method for network intrusion detection, comprising:
carrying out conventional detection on target message information;
performing URL standard detection on the target message information after the conventional detection;
decoding the target message information subjected to the URL normalization detection;
and matching the target message information subjected to decoding operation with a preset rule base according to a preset rule.
2. The method according to claim 1, wherein said performing a decoding operation on the target packet information after performing the URL normalization detection comprises:
if the target message information conforms to the URL normative detection, performing multi-layer encoding and decoding;
and if the target message information does not conform to the URL normative detection, performing special encoding and decoding.
3. The method of claim 2, wherein, if the target packet information conforms to the URL normative detection, performing multi-layer encoding and decoding comprises:
judging whether URL coding information exists or not; if so, marking it correspondingly and transmitting it to a decoding area for a decoding operation, wherein the URL coding information is determined according to whether the target message information contains "%";
judging whether Base64 coded information exists or not; if so, marking it correspondingly and transmitting it to the decoding area for decoding, wherein the Base64 coded information is determined by judging whether a character string contained in the target message information consists of digits, letters, "+" and "/" and carries a "=" symbol as a suffix;
judging whether Unicode coding information exists or not; if so, marking it correspondingly and transmitting it to the decoding area for a decoding operation, wherein the Unicode coding information is determined according to whether the message contains character strings of the form "&#119" or "&#" followed by digits, combined with a ";" suffix;
judging whether MD5 encrypted coding information exists or not; if so, marking it correspondingly and transmitting it to the decoding area for a decoding operation, wherein the MD5 encrypted coding information is determined according to whether the message contains a hexadecimal character string with a fixed length of 32 characters.
4. The method of claim 3, further comprising:
performing classified decoding on the marked information according to its mark;
performing a second round of encoded-information detection on the decoded result;
and marking again according to the result of that second detection, repeating until the target message information corresponds to no mark.
5. The method of claim 2, wherein if the target packet information does not comply with the URL normative detection, performing special encoding/decoding comprises:
comparing and analyzing the captured sample data;
obtaining the encoding rule of the target message information by comparison after encoding and decoding the samples;
and decrypting and unescaping the target message information according to that encoding rule to obtain the real message content or its ASCII code information, and decoding again.
6. The method of claim 1, further comprising:
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has not been obfuscated, directly performing a blocking operation on the target message and generating warning information;
if the result of detecting the target message information by the conventional detection is an attack message whose encoding has been obfuscated, performing mixed decoding and/or unescaping-then-decoding operations on the target message multiple times;
matching the message information obtained after those operations with the preset rule feature library, and if the message information matches a preset rule feature in the rule library, performing a blocking operation;
and if it does not match any preset rule feature in the rule library, performing a release operation.
7. The method of claim 1, wherein
the conventional detection is intrusion detection based on plaintext transmission, the intrusion detection being realized by matching the information content of the target message as character strings against a rule base of an intrusion detection system;
the preset rule base is obtained from an existing intrusion detection system;
and the URL normative detection performs URL coding normativity and validity detection on target message information that was not detected by the intrusion detection.
8. A management apparatus for network intrusion detection, comprising:
a reading unit, configured to read the target packet information;
an analysis unit, configured to judge the coding type of the read target message information and then decode it;
a detection unit, configured to perform URL normative detection on the target message and to detect whether the target message information decoded by the analysis unit matches a preset rule in a preset rule base, so as to determine whether to perform a blocking or a release operation;
and a matching unit, configured to match the target message information subjected to the decoding operation with the preset rule base according to a preset rule.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored program, wherein the program when executed by a processor implements the method of network intrusion detection according to any one of claims 1 to 7.
10. An electronic device, comprising at least one processor, and at least one memory coupled to the processor; wherein the processor is configured to invoke program instructions in the memory to perform the method of network intrusion detection according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211063627.2A CN115426181A (en) 2022-08-31 2022-08-31 Network intrusion detection method and related equipment

Publications (1)

Publication Number Publication Date
CN115426181A true CN115426181A (en) 2022-12-02

Family

ID=84200518

Country Status (1)

Country Link
CN (1) CN115426181A (en)
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination