CN116192508A - Vulnerability detection method and system based on message detection - Google Patents

Vulnerability detection method and system based on message detection

Info

Publication number: CN116192508A
Authority: CN (China)
Prior art keywords: message, test, attack, response data, vulnerability
Legal status: Pending
Application number: CN202310175115.3A
Other languages: Chinese (zh)
Inventors: 徐梦, 屈碧莹, 李雪武, 余顺怀, 刘冯政, 刘生寒, 钱扬
Current Assignee: Guangdong Branch Of China Southern Power Grid Digital Power Grid Group Co ltd
Original Assignee: Guangdong Branch Of China Southern Power Grid Digital Power Grid Group Co ltd
Priority date: 2023-02-24
Filing date: 2023-02-24
Publication date: 2023-05-30
Application filed by Guangdong Branch Of China Southern Power Grid Digital Power Grid Group Co ltd
Priority to CN202310175115.3A
Publication of CN116192508A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a vulnerability detection method and system based on message detection, relating to the technical field of information security. The method comprises the following steps: step one: constructing an attack test message; step two: sending the attack test message to a target test server, and monitoring the operation of the target test server; step three: acquiring test response data of the target test server, matching the test response data with attack test characteristics corresponding to the attack test message, and generating vulnerability attack alarm information when the matching is successful. The application also discloses a vulnerability detection system based on message detection. With the method and system, whether the current server has a vulnerability can be determined quickly, which achieves efficient vulnerability detection and overcomes the low detection efficiency and high error rate of existing message-based vulnerability detection technology.

Description

Vulnerability detection method and system based on message detection
Technical Field
The application relates to the technical field of information security, in particular to a vulnerability detection method and system based on message detection.
Background
In a network environment, various network attacks may occur at any time, so security defense for the network is particularly important. Vulnerabilities are defects in hardware, software, protocol implementations, or operating system security policies that enable an attacker to access or damage a system without authorization; detection of vulnerability attacks is therefore required to ensure device security.
With the in-depth research of security organizations and individuals on vulnerabilities and the development of related computer technologies, various vulnerability detection and analysis technologies have been developed. These technologies are used alone or in combination to meet the vulnerability detection and analysis requirements of the same or different detection and analysis objects, application scenarios and the like. Current vulnerability detection and analysis methods each have advantages and disadvantages for different detection and analysis objects, application scenarios and the like. Message-based detection is a common vulnerability detection technology. Existing message-based vulnerability detection suffers from low detection efficiency and a high error rate.
Disclosure of Invention
The purpose of the application is to provide a vulnerability detection method and system based on message detection, so as to solve the problems of low detection efficiency and high error rate of the existing message-based vulnerability detection technology described in the Background.
In order to achieve the above object, in a first aspect, the present application discloses a vulnerability detection method based on message detection, the method comprising the following steps:
step one: constructing an attack test message;
step two: sending the attack test message to a target test server, and monitoring the operation of the target test server;
step three: acquiring test response data of the target test server, matching the test response data with attack test characteristics corresponding to the attack test message, and generating vulnerability attack alarm information when the matching is successful.
Preferably, step three further includes: when the matching is unsuccessful, sending request data that has undergone security processing to the target test server; acquiring retest response data after the target test server responds to the attack test message and the request data simultaneously; and comparing the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and, when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold, generating vulnerability attack alarm information.
Preferably, the decision threshold includes: a preset data format and a data length difference value.
Preferably, the difference includes: the retest response data is in a different data format from the original response data and/or the retest response data differs from the original response data in data length.
Preferably, step one specifically includes:
constructing, through deep learning and based on construction conditions, test message content that the target test server can run, wherein the construction conditions include the IP address, domain name and program function of the target test server;
and simulating, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
Preferably, step three further includes: matching the test response data with the test message content, and generating vulnerability attack alarm information when the test response data is successfully matched with the attack test characteristics corresponding to the attack test message and/or the test response data is successfully matched with the test message content.
Preferably, step three further includes: traversing all vulnerability attack alarm information, counting the number of identical vulnerability attack alarms and the number of vulnerability response alarms, and generating and displaying corresponding alarm prompt information.
In order to achieve the above object, in a second aspect, the present application discloses a vulnerability detection system based on message detection, which is applicable to the above vulnerability detection method based on message detection and includes:
a message test module configured to generate an attack test message and send the attack test message to the target test server;
and a vulnerability detection module configured to match the test response data generated by the target test server in response to the attack test message with the attack test characteristics corresponding to the attack test message, and to generate vulnerability attack alarm information when the matching is successful.
Preferably, the message test module is further configured to construct, through deep learning and based on construction conditions, test message content that the target test server can run, wherein the construction conditions include the IP address, domain name and program function of the target test server;
and to simulate, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
Preferably, the vulnerability detection module is further configured to: when the matching is unsuccessful, send request data that has undergone security processing to the target test server; acquire retest response data after the target test server responds to the attack test message and the request data simultaneously; compare the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and generate vulnerability attack alarm information when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold.
The beneficial effects are as follows: in the vulnerability detection method and system based on message detection, an attack test message constructed for the target test server is used to initiate an attack on the target test server. When the target test server requests the corresponding network, it responds to the attack test message and generates corresponding test response data. When a vulnerability exists, the test response data generated by the target test server can differ from the response data under secure conditions (when no vulnerability exists), so whether the current server has a vulnerability can be determined quickly by comparing the two, which achieves efficient vulnerability detection. At the same time, acquiring the test response data improves the accuracy of determining whether the target test server has a vulnerability, which avoids misjudgment and improves detection efficiency and detection quality.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
Fig. 1 is a flow chart of a vulnerability detection method based on message detection in an embodiment of the present application.
Fig. 2 is a block diagram of a vulnerability detection system based on message detection in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and completely below. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the present disclosure without inventive effort fall within the scope of the present disclosure.
In this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
In a first aspect, the present embodiment discloses a vulnerability detection method based on message detection, shown in Fig. 1, which includes the following steps:
step one: constructing an attack test message;
step two: sending the attack test message to a target test server, and monitoring the operation of the target test server;
step three: acquiring test response data of the target test server, matching the test response data with attack test characteristics corresponding to the attack test message, and generating vulnerability attack alarm information when the matching is successful.
It should be noted that the target test server may be a web page, a program or a host.
Step one specifically includes:
constructing, through deep learning and based on construction conditions, test message content that the target test server can run, wherein the construction conditions include the IP address, domain name and program function of the target test server;
and simulating, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
Specifically, step three further includes: when the matching is unsuccessful, sending request data that has undergone security processing to the target test server; acquiring retest response data after the target test server responds to the attack test message and the request data simultaneously; and comparing the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and, when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold, generating vulnerability attack alarm information.
The decision threshold includes: a preset data format and a data length difference value. The difference includes: the retest response data is in a different data format from the original response data and/or the retest response data differs from the original response data in data length.
Further, step three also includes: matching the test response data with the test message content, and generating vulnerability attack alarm information when the test response data is successfully matched with the attack test characteristics corresponding to the attack test message and/or the test response data is successfully matched with the test message content.
Step three further includes: traversing all vulnerability attack alarm information, counting the number of identical vulnerability attack alarms and the number of vulnerability response alarms, and generating and displaying corresponding alarm prompt information.
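The following Python sketch is an added illustration and is not part of the patent text: it applies the step-three decision logic described above (characteristic match, content match, then the format and length comparison against the original response, then alarm counting) to constructed response strings. The names Probe, data_format, evaluate and count_alarms, the regular-expression characteristic, the coarse format classifier and the 64-character length threshold are all assumptions.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    name: str            # label of the attack test message (hypothetical)
    marker: str          # inert token carried in the test message content
    feature: re.Pattern  # attack test characteristic expected in a vulnerable response


def data_format(body: str) -> str:
    """Coarse data-format classifier for a response body (an assumption)."""
    text = body.strip()
    try:
        json.loads(text)
        return "json"
    except ValueError:
        pass
    if text.lower().startswith(("<!doctype html", "<html")):
        return "html"
    return "text"


def evaluate(probe, test_resp, original_resp, retest_resp, max_len_delta=64):
    """Return the alarm kind for one probe, or None when nothing fires."""
    # Primary match: the response shows the attack test characteristic ...
    if probe.feature.search(test_resp):
        return "feature-match"
    # ... and/or reflects the test message content itself.
    if probe.marker in test_resp:
        return "content-match"
    # Fallback when matching fails: compare the retest response with the
    # original response to the security-processed request alone.
    if data_format(retest_resp) != data_format(original_resp):
        return "format-diff"
    if abs(len(retest_resp) - len(original_resp)) > max_len_delta:
        return "length-diff"
    return None


def count_alarms(observations, max_len_delta=64):
    """Traverse all observations and count identical alarms."""
    alarms = Counter()
    for probe, test_resp, original_resp, retest_resp in observations:
        kind = evaluate(probe, test_resp, original_resp, retest_resp, max_len_delta)
        if kind is not None:
            alarms[(probe.name, kind)] += 1
    return alarms


# Constructed sample data: (probe, test response, original response, retest response).
FEATURE = re.compile(r"syntax error|stack trace", re.I)
P1, P2, P3, P4, P5 = (Probe(f"probe-{i}", f"tok-000{i}", FEATURE) for i in range(1, 6))
OK = '{"status": "ok"}'
SAMPLES = [
    (P1, "500 syntax error near tok-0001", OK, OK),
    (P1, "500 Syntax Error near tok-0001", OK, OK),
    (P2, OK, OK, "<html><body>Unhandled exception</body></html>"),
    (P3, OK, '{"items": []}', json.dumps({"items": list(range(100))})),
    (P4, OK, OK, OK),
    (P5, '{"echo": "tok-0005"}', OK, OK),
]

if __name__ == "__main__":
    for key, n in sorted(count_alarms(SAMPLES).items()):
        print(key, n)
```

The length threshold is the parameter to tune per endpoint: pages with dynamic content need a wider margin, or the fallback comparison produces the false positives the method is meant to reduce.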
In a second aspect, this embodiment further discloses a vulnerability detection system based on message detection, which is applicable to the above vulnerability detection method based on message detection and, as shown in Fig. 2, includes:
a message test module configured to generate an attack test message and send the attack test message to the target test server;
and a vulnerability detection module configured to match the test response data generated by the target test server in response to the attack test message with the attack test characteristics corresponding to the attack test message, and to generate vulnerability attack alarm information when the matching is successful.
Further, the message test module is further configured to construct, through deep learning and based on construction conditions, test message content that the target test server can run, wherein the construction conditions include the IP address, domain name and program function of the target test server;
and to simulate, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
The vulnerability detection module is further configured to: when the matching is unsuccessful, send request data that has undergone security processing to the target test server; acquire retest response data after the target test server responds to the attack test message and the request data simultaneously; compare the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and generate vulnerability attack alarm information when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold.
In the embodiments provided herein, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative: the division into units is merely a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, system or unit, and may be electrical, mechanical or of another form.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, where the storage medium may be a read-only memory, a magnetic disk or optical disk, etc.
Finally, it should be noted that: the foregoing description is only a preferred embodiment of the present application, and although the present application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the technical solutions described in the foregoing embodiments, or equivalents may be substituted for some of the technical features thereof, and any modifications, equivalents, improvements or changes that fall within the spirit and principles of the present application are intended to be included in the scope of protection of the present application.

Claims (10)

1. A vulnerability detection method based on message detection, characterized by comprising the following steps:
step one: constructing an attack test message;
step two: sending the attack test message to a target test server, and monitoring the operation of the target test server;
step three: acquiring test response data of the target test server, matching the test response data with attack test characteristics corresponding to the attack test message, and generating vulnerability attack alarm information when the matching is successful.
2. The vulnerability detection method based on message detection of claim 1, wherein step three further comprises: when the matching is unsuccessful, sending request data that has undergone security processing to the target test server; acquiring retest response data after the target test server responds to the attack test message and the request data simultaneously; and comparing the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and, when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold, generating vulnerability attack alarm information.
3. The vulnerability detection method based on message detection of claim 2, wherein the decision threshold comprises: a preset data format and a data length difference value.
4. The vulnerability detection method based on message detection of claim 3, wherein the difference comprises: the retest response data is in a different data format from the original response data and/or the retest response data differs from the original response data in data length.
5. The vulnerability detection method based on message detection of claim 1, wherein step one specifically comprises:
constructing, through deep learning and based on construction conditions, test message content that the target test server can run, wherein the construction conditions comprise the IP address, domain name and program function of the target test server;
and simulating, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
6. The vulnerability detection method based on message detection of claim 5, wherein step three further comprises: matching the test response data with the test message content, and generating vulnerability attack alarm information when the test response data is successfully matched with the attack test characteristics corresponding to the attack test message and/or the test response data is successfully matched with the test message content.
7. The vulnerability detection method based on message detection of claim 1, wherein step three further comprises: traversing all vulnerability attack alarm information, counting the number of identical vulnerability attack alarms and the number of vulnerability response alarms, and generating and displaying corresponding alarm prompt information.
8. A vulnerability detection system based on message detection, characterized by comprising:
a message test module configured to generate an attack test message and send the attack test message to the target test server;
and a vulnerability detection module configured to match the test response data generated by the target test server in response to the attack test message with the attack test characteristics corresponding to the attack test message, and to generate vulnerability attack alarm information when the matching is successful.
9. The vulnerability detection system based on message detection of claim 8, wherein the message test module is further configured to construct, through deep learning and based on construction conditions, test message content that the target test server can run, the construction conditions comprising the IP address, domain name and program function of the target test server;
and to simulate, with a simulator, the response of the target test server to the test message content, to obtain a test response message.
10. The vulnerability detection system based on message detection of claim 8, wherein the vulnerability detection module is further configured to: when the matching is unsuccessful, send request data that has undergone security processing to the target test server; acquire retest response data after the target test server responds to the attack test message and the request data simultaneously; compare the acquired retest response data with original response data, wherein the original response data is the response message produced when the target test server responds to the request data; and generate vulnerability attack alarm information when the comparison shows that the difference between the retest response data and the original response data meets a decision threshold.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310175115.3A (CN116192508A) | 2023-02-24 | 2023-02-24 | Vulnerability detection method and system based on message detection

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202310175115.3A (CN116192508A) | 2023-02-24 | 2023-02-24 | Vulnerability detection method and system based on message detection

Publications (1)

Publication Number | Publication Date
CN116192508A | 2023-05-30

Family

ID=86434304

Family Applications (1)

Application Number | Status | Title | Priority Date | Filing Date
CN202310175115.3A (CN116192508A) | Pending | Vulnerability detection method and system based on message detection | 2023-02-24 | 2023-02-24

Country Status (1)

Country | Link
CN (1) | CN116192508A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination