CN116614306A - Attack detection rule generation method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN116614306A
Authority: CN (China)
Prior art keywords: attack, flow direction, data, feature, protocol
Legal status: Pending
Application number: CN202310762490.8A
Other languages: Chinese (zh)
Inventors: 秦续强, 于秉轩, 秦纪伟
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202310762490.8A
Publication of CN116614306A

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Detecting or protecting against malicious traffic; H04L63/1408: by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/20: Managing network security; network security policies in general
    • Y: General tagging of new technological developments and cross-sectional technologies; Y02: Technologies or applications for mitigation or adaptation against climate change; Y02D: Climate change mitigation technologies in information and communication technologies (ICT), i.e. ICT aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks; Y02D30/50: in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application provides an attack detection rule generation method and device, an electronic device and a storage medium. The attack detection rule generation method comprises the following steps: acquiring an attack feature set, the attack feature set comprising first flow direction attack features and a protocol keyword of each first flow direction attack feature; acquiring a second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature; expanding the attack features in the attack feature set based on the second flow direction attack feature to obtain an updated attack feature set, the updated attack feature set comprising updated attack features; and generating an attack detection rule based on the updated attack features and the protocol keywords corresponding to the updated attack features, the attack detection rule being used to detect whether traffic data is network attack data. A bidirectional detection rule is generated by associating a first flow direction attack feature with a second flow direction attack feature.

Description

Attack detection rule generation method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security, and in particular, to a method and apparatus for generating an attack detection rule, an electronic device, and a storage medium.
Background
With the continuous development of the Internet, new network attack techniques emerge endlessly and pose great challenges to network security. To ensure the network security of enterprises, network attacks must be discovered in time, so as to win valuable time for further analysis, emergency response, evidence collection, tracing and the like. At present the most common way to discover network attacks is detection by security devices, and the detection rules built into those devices are the core of the detection. Current network attack detection rules are generated according to the vulnerabilities in the network traffic request message; the attack features are single-sided, and the detection accuracy of the generated network attack detection rules is low.
Disclosure of Invention
The embodiments of the present application aim to provide a method, a device, an electronic device and a storage medium for generating an attack detection rule, which associate a first flow direction attack feature with a second flow direction attack feature, so that in addition to generating the network attack detection rule for the attack feature in the network traffic request message, the rule is also generated according to the attack feature of the corresponding response message, and the accuracy of the network attack detection rule is improved.
In a first aspect, an embodiment of the present application provides an attack detection rule generation method, including: acquiring an attack feature set, the attack feature set comprising first flow direction attack features and a protocol keyword of each first flow direction attack feature; acquiring a second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature; expanding the attack features in the attack feature set based on the second flow direction attack feature to obtain an updated attack feature set, the updated attack feature set comprising updated attack features; and generating an attack detection rule based on the updated attack features and the protocol keywords corresponding to the updated attack features, the attack detection rule being used to detect whether traffic data is network attack data.
In this implementation, the first flow direction attack feature is associated with the corresponding second flow direction attack feature, and the attack features in the attack feature set are expanded with the second flow direction attack feature to obtain the updated attack feature set, which improves the richness and coverage of the attack features; the network attack detection rule is then generated from both the attack feature in the network traffic request message and the attack feature of the corresponding response message. Because the request message and the response message are correlated, the attack features of a successful attack can be determined, which improves the accuracy with which the detection rule detects network attacks.
Optionally, in an embodiment of the present application, acquiring the second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature includes: acquiring, from the traffic log, an execution command set containing the protocol keyword and an execution result data set corresponding to the execution command set; performing association analysis on the execution command set and the first flow direction attack feature based on the protocol keyword to obtain a target execution result corresponding to the first flow direction attack feature; and obtaining the second flow direction attack feature corresponding to the first flow direction attack feature according to the target execution result.
In this implementation, the target execution result of the first flow direction attack feature is determined from the execution result data set by way of the execution command set and its corresponding execution result data set in the traffic log, so that the second flow direction attack feature corresponding to the first flow direction attack feature can be determined, and a bidirectional detection rule is generated from the associated attack features.
Optionally, in an embodiment of the present application, performing association analysis on the execution command set and the first flow direction attack feature based on the protocol keyword to obtain the target execution result corresponding to the first flow direction attack feature includes: matching the protocol keyword in each execution command with the protocol keyword of the first flow direction attack feature to obtain a target execution command associated with the first flow direction attack feature; and determining, according to the target execution command, the target execution result corresponding to the first flow direction attack feature in the execution result data set.
In this implementation, the first flow direction attack feature is associated with the execution result data set through the protocol keyword in the execution command and the protocol keyword of the first flow direction attack feature in the traffic log, and the target execution result corresponding to the first flow direction attack feature is thereby determined.
Optionally, in an embodiment of the present application, obtaining the second flow direction attack feature corresponding to the first flow direction attack feature according to the target execution result includes: if the target execution result indicates successful execution, determining the attack success message corresponding to the first flow direction attack feature from the traffic log; and extracting the second flow direction attack feature corresponding to the first flow direction attack feature from the attack success message; the second flow direction attack feature comprises at least one of a status code, a class of the response body, or a function of the response body.
In this implementation, the attack success message corresponding to the first flow direction attack feature is determined from the traffic log by way of the target execution result, which locates the vulnerability attack message in which the attack succeeded. The second flow direction attack feature corresponding to the first flow direction attack feature is then extracted from the attack success message, so that the first flow direction attack feature is associated with the second flow direction attack feature and the richness of the attack features is improved.
Optionally, in an embodiment of the present application, acquiring the attack feature set includes: determining a protocol keyword according to the transmission protocol of the traffic log; performing information extraction on previously acquired network traffic data based on the protocol keyword to generate training data, the training data comprising attack training data and safe training data (benign traffic); training with the training data to obtain an attack detection model; detecting the data to be detected with the attack detection model and determining predicted attack data from the data to be detected; and generating the attack feature set according to the predicted attack data and the attack data.
In this implementation, the training data is obtained by extracting information from the attack data and the safe data, and the attack detection model is obtained by continuously training the model with the training data. The data to be detected is detected with the attack detection model, which predicts the predicted attack data (the part of the data to be detected that represents attack data); the attack feature set is then updated with the predicted attack data, so that the data in the attack feature set is richer. Using the model improves the efficiency of obtaining the sample set, and machine learning improves the detection accuracy of the network attack detection rules.
Optionally, in an embodiment of the present application, generating the attack detection rule based on the updated attack feature and the protocol keyword corresponding to the updated attack feature includes: converting the updated attack feature into data in a preset format; and generating the attack detection rule from the preset-format data and the protocol keyword corresponding to the updated attack feature according to a preset rule generation syntax.
In this implementation, the updated attack feature set is used to generate rules according to the preset rule generation syntax, which improves the generation efficiency of network attack detection rules. A request-side attack detection rule and a response-side attack detection rule are generated from the first flow direction attack feature and the second flow direction attack feature respectively, realising the generation of bidirectional detection rules, solving the problem of missed detection of network attacks on the response side, and improving the accuracy and detection rate of network attack discovery.
Optionally, in an embodiment of the present application, after generating the attack detection rule based on the updated attack feature and the protocol keyword corresponding to the updated attack feature, the method further includes: checking the attack detection rule with a detection engine to confirm whether the syntax of the attack detection rule is correct; and if the syntax of the attack detection rule is correct, outputting, through the detection engine, the hit result of the attack detection rule on verification traffic data; the hit result characterises the accuracy with which the attack detection rule detects whether traffic data is network attack data.
In this implementation, performing a syntax check and a hit check on the generated attack detection rule improves its accuracy, so that the attack detection rule detects network attacks more accurately, normal and abnormal network behaviour is identified and handled automatically, and the false alarm rate is reduced.
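As an added illustration that is not part of the patent or of Topsec's implementation, the following Python sketch carries out the two checks just described on constructed data: a syntax check that rejects a malformed rule, and a hit result computed by running each rule over labelled verification traffic. The Suricata-style rule text, the mapping from sticky buffers (`http.uri`, `http.stat_code`, `http.response_body`) to log fields, the verification records and the labels are all this example's own assumptions; note how the request-side rule also hits the attempt the server rejected, while the response-side rule hits only the pair in which the attack succeeded.

```python
import re
from collections import Counter

# Assumed rule layout (this example's own choice, Suricata-style) and the
# verification log field each sticky buffer is evaluated against.
BUFFER_FIELD = {"http.uri": "uri", "http.stat_code": "status_code",
                "http.response_body": "response_body"}
REQUIRED_OPTIONS = {"msg", "flow", "sid"}
HEADER_RE = re.compile(r"^alert http any any -> any any \((.*)\)$")


def parse_rule(rule: str) -> dict:
    """Syntax check: header shape, required options, a valid flow direction, and
    every content preceded by a known buffer. Raises ValueError on the first error."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("bad rule header")
    seen, buffer, matchers, sid = set(), None, [], None
    for opt in (o.strip() for o in m.group(1).split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        seen.add(key)
        if key in BUFFER_FIELD:
            buffer = key
        elif key == "content":
            if buffer is None:
                raise ValueError("content without a preceding buffer")
            matchers.append((buffer, val.strip().strip('"')))
        elif key == "flow" and val.split(",")[0] not in ("to_server", "to_client"):
            raise ValueError("bad flow direction: " + val)
        elif key == "sid":
            sid = int(val)
    missing = REQUIRED_OPTIONS - seen
    if missing:
        raise ValueError("missing options: " + ", ".join(sorted(missing)))
    if not matchers:
        raise ValueError("rule has no content to match")
    return {"sid": sid, "matchers": matchers}


def check_syntax(rule: str):
    """(True, '') when the rule parses, otherwise (False, reason)."""
    try:
        parse_rule(rule)
        return True, ""
    except ValueError as err:
        return False, str(err)


def rule_hits(parsed: dict, flow: dict) -> bool:
    """A rule hits a request/response pair when every content is found in its buffer."""
    return all(content in str(flow.get(BUFFER_FIELD[buf], ""))
               for buf, content in parsed["matchers"])


def hit_result(rule: str, verification_flows) -> dict:
    """Hit result of one rule on labelled verification traffic: total hits and
    the label breakdown of those hits, which is what shows the rule's accuracy."""
    parsed = parse_rule(rule)
    labels = Counter(f["label"] for f in verification_flows if rule_hits(parsed, f))
    return {"hits": sum(labels.values()),
            **{k: labels.get(k, 0) for k in ("attack_success", "attack_failed", "benign")}}


# Constructed verification traffic: each record is one request/response pair.
VERIFICATION_FLOWS = [
    {"uri": "/run?cmd=ipconfig", "status_code": 200,
     "response_body": "Windows IP Configuration\nEthernet adapter Ethernet0:",
     "label": "attack_success"},
    {"uri": "/run?cmd=ipconfig", "status_code": 403,
     "response_body": "forbidden", "label": "attack_failed"},
    {"uri": "/docs?q=ipconfig", "status_code": 200,
     "response_body": "<p>reading ipconfig output</p>", "label": "benign"},
    {"uri": "/status", "status_code": 200, "response_body": "ok", "label": "benign"},
]

REQUEST_RULE = ('alert http any any -> any any (msg:"cmd-exec request"; '
                'flow:to_server,established; http.uri; content:"cmd=ipconfig"; '
                'sid:1000001; rev:1;)')
RESPONSE_RULE = ('alert http any any -> any any (msg:"cmd-exec response"; '
                 'flow:to_client,established; http.stat_code; content:"200"; '
                 'http.response_body; content:"Windows IP Configuration"; '
                 'sid:1000002; rev:1;)')
BROKEN_RULE = 'alert http any any -> any any (msg:"broken"; flow:sideways; content:"x"; sid:3;)'

if __name__ == "__main__":
    for rule in (REQUEST_RULE, RESPONSE_RULE, BROKEN_RULE):
        ok, reason = check_syntax(rule)
        print(ok, reason or hit_result(rule, VERIFICATION_FLOWS))
```

The option splitter assumes no `;` inside quoted content, which is fine for the constructed rules here; a production checker would hand the rule to the real detection engine's parser instead of a regex.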
In a second aspect, an embodiment of the present application further provides an attack detection rule generating device, including: an attack feature acquisition module, configured to acquire an attack feature set, the attack feature set comprising first flow direction attack features and a protocol keyword of each first flow direction attack feature; an association module, configured to acquire a second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature; a feature expansion module, configured to expand the attack features in the attack feature set based on the second flow direction attack feature to obtain an updated attack feature set, the updated attack feature set comprising updated attack features; and a rule generation module, configured to generate an attack detection rule based on the updated attack features and the protocol keywords corresponding to the updated attack features, the attack detection rule being used to detect whether traffic data is network attack data.
In a third aspect, an embodiment of the present application further provides an electronic device, including a processor and a memory storing machine-readable instructions executable by the processor, which when executed by the processor perform the method described above.
In a fourth aspect, embodiments of the present application also provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method described above.
By associating the first flow direction attack feature with the corresponding second flow direction attack feature, the attack features in the attack feature set are expanded with the second flow direction attack feature to obtain the updated attack feature set, which improves the richness and coverage of the attack features; the network attack detection rule is then generated from both the attack feature in the network traffic request message and the attack feature of the corresponding response message, which improves the accuracy of the network attack detection rule.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting its scope; other related drawings can be obtained from these drawings by a person skilled in the art without inventive effort.
Fig. 1 is a flow chart of an attack detection rule generation method according to an embodiment of the present application;
Fig. 2 is a training data preprocessing method according to an embodiment of the present application;
Fig. 3 is a diagram illustrating an automated generation and analysis verification method for network attack detection rules according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an attack detection rule generating device according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the technical scheme of the present application will be described in detail below with reference to the accompanying drawings. The following examples are only for more clearly illustrating the technical aspects of the present application, and thus are merely examples, and are not intended to limit the scope of the present application.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
In the description of embodiments of the present application, the technical terms "first," "second," and the like are used merely to distinguish between different objects and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated, a particular order or a primary or secondary relationship. In the description of the embodiments of the present application, the meaning of "plurality" is two or more unless otherwise specifically defined.
Conventional network attack detection rules are generated only from the known attack features in the network traffic request message; that is, rule generation is unrelated to the response message corresponding to the network traffic request. A network attack detection rule generated this way can only detect that the request message contains vulnerability-related content and that an attack behaviour may exist; it does not determine whether the attack feature carried in the request message succeeded, i.e. whether the attack behaviour hit.
Therefore, such network attack detection rules are not highly accurate in detecting vulnerabilities whose exploitation actually succeeded, and the alarm result of a network attack cannot be determined after the attack is detected. Furthermore, a network attack detection rule generated by the existing method may be unable to detect attack behaviour in the response message.
According to the method of the present application, the uplink attack feature and the corresponding downlink attack feature are correlated; that is, the attack feature of the response message corresponding to the request message is also used as a feature for rule generation, so that bidirectional network attack detection rules are generated. The richness and coverage of the attack features are improved, and the accuracy of the network attack detection rules is further improved.
Moreover, once the uplink attack feature and the downlink attack feature are associated, if a request message carrying a network attack is detected, the network attack result corresponding to the vulnerability can be determined in advance through the associated downlink attack feature, which improves network security.
Please refer to Fig. 1, which illustrates a flow chart of a method for generating an attack detection rule according to an embodiment of the present application. The attack detection rule generation method provided by the embodiment can be applied to an electronic device, which may comprise a terminal and a server; the terminal may be a smart phone, a tablet computer, a personal digital assistant (PDA) and the like; the server may be an application server or a Web server. The attack detection rule generation method may include:
Step S110: acquiring an attack feature set; the attack feature set includes first flow direction attack features and a protocol keyword for each first flow direction attack feature.
Step S120: acquiring a second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature.
Step S130: expanding the attack features in the attack feature set based on the second flow direction attack feature to obtain an updated attack feature set; the updated attack feature set includes updated attack features.
Step S140: generating an attack detection rule based on the updated attack features and the protocol keywords corresponding to the updated attack features; the attack detection rule is used to detect whether traffic data is network attack data.
In step S110, the attack feature set is a set formed by a plurality of attack features, and it may take the form of an attack feature table, attack feature text, an attack feature vector or the like. An attack feature can comprise information such as threat name, attack type, data flow direction, attack feature and protocol keyword. Taking an attack feature table as an example, threat name, attack type, data flow direction, attack feature and protocol keyword can be used as the column labels of the table, and one record of attack feature data is represented by one row of the table.
The attack feature set comprises a first flow direction attack feature, wherein the first flow direction characterizes a data flow direction of the attack feature, and the data flow direction comprises uplink and downlink; uplink refers to the direction of sending data from a client or terminal device to a server or other network server; the downlink is the direction of returning data from the server or other network server to the client or terminal device.
The first flow direction attack feature can be the attack feature of an uplink attack or of a downlink attack. An uplink attack generally refers to a network attack that may occur while data is transmitted from a mobile device to a base station or server; a downlink attack generally refers to a network attack that may occur while data is transmitted from a base station or server to a mobile device. It should be understood that the attack feature set may also include both uplink attack features and downlink attack features.
The protocol keyword of the first flow direction attack feature is determined according to the protocol in the traffic log, and different protocols may have different protocol keywords. Taking the HTTP protocol as an example, HTTP protocol keywords may include path, parameters, encoded content and the like.
The attack features may be obtained as follows: network traffic data such as packets and flows is acquired from the network, and a feature extraction algorithm is used to extract, from the traffic data representing network attack data, the useful information that serves as attack features. Specifically, for example, information such as payloads, PoC (proof of concept) and Exp (exploit) samples is collected, a feature extraction script is written in a programming or scripting language, and feature extraction is performed on the collected information with that script to obtain the attack features.
In step S120, the first flow direction attack feature is taken as an uplink attack feature and the second flow direction attack feature as a downlink attack feature by way of example. A command execution result data set can be obtained from the traffic log; the command execution result data set identifies the messages whose execution succeeded, and the first flow direction attack feature identifies the messages containing the attack feature. Therefore, by performing association analysis on the first flow direction attack feature in the attack feature set and the command execution result data set, the successful attack message can be determined, and the second flow direction attack feature can be extracted from it. The second flow direction attack feature is the downlink attack feature corresponding to the uplink attack feature.
Specifically, for example, the traffic log includes the first flow direction attack feature and its protocol keyword, and it also includes the execution command set and the command execution result data set corresponding to the execution command set. The execution command also contains a protocol keyword, so the first flow direction attack feature can be associated with the command execution result data set based on the protocol keyword.
The attack success message of the uplink attack feature is located based on the command execution result, the response message content is obtained from the attack success message, and the second flow direction attack feature corresponding to the first flow direction attack feature is obtained from the response message content.
In step S130, the second flow direction attack feature is added to the attack feature set, and its column labels are the same as those of the first flow direction attack feature. Taking an attack feature table as an example, attack features of different flow directions can be distinguished by different rows: specifically, the second flow direction attack feature can be written into the attack feature table as a new row with the corresponding column values filled in, which expands the attack feature table and yields the updated attack feature set.
The updated attack feature set includes updated attack features, which may be a union of the first and second flow direction attack features.
In step S140, after the updated attack features are obtained, the network attack detection rule is generated from the updated attack features and the corresponding protocol keywords according to the rule syntax structure. For example, the collected updated attack features and protocol keywords are integrated together using the rule syntax structure. The attack detection rule is used to detect whether traffic data is network attack data.
In an alternative embodiment, since the updated attack features include both the first flow direction attack feature and the second flow direction attack feature, a request-side attack detection rule and a response-side attack detection rule can be generated from them respectively, realising the generation of bidirectional detection rules. Detecting network data with the bidirectional detection rules solves the problem of missed detection of network attacks on the response side and improves the accuracy and detection rate of network attack detection.
In this implementation, the first flow direction attack feature is associated with the corresponding second flow direction attack feature, and the attack features in the attack feature set are expanded with the second flow direction attack feature to obtain the updated attack feature set, which improves the richness and coverage of the attack features; the network attack detection rule is then generated from both the attack feature in the network traffic request message and the attack feature of the corresponding response message. Because the request message and the response message are correlated, the attack features of a successful attack can be determined, which improves the accuracy with which the detection rule detects network attacks.
Optionally, in an embodiment of the present application, acquiring the second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol keyword of the first flow direction attack feature includes: acquiring, from the traffic log, an execution command set containing the protocol keyword and an execution result data set corresponding to the execution command set; performing association analysis on the execution command set and the first flow direction attack feature based on the protocol keyword to obtain a target execution result corresponding to the first flow direction attack feature; and obtaining the second flow direction attack feature corresponding to the first flow direction attack feature according to the target execution result.
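As an added illustration that is not part of the patent or of Topsec's implementation, the following Python sketch carries steps S110 to S140 through on constructed data: an attack feature table with the column labels named above, a parsed traffic log of request/response pairs, an execution command set with its execution result data set, the association on the protocol keyword, the extraction of the downlink feature (status code plus a response body marker) from the attack success message, the expansion of the feature set, and the generation of a request-side and a response-side rule. The log layout, the execution result data set, the mapping of the `path` and `parameter` keywords onto the `http.uri` buffer, and the Suricata-style rule syntax are all this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttackFeature:
    threat_name: str
    attack_type: str
    flow_direction: str            # "uplink" (request side) or "downlink" (response side)
    feature: str                   # content the rule will match on
    protocol_keyword: str          # HTTP field holding it: "path", "parameter", "response_body"
    status_code: Optional[int] = None   # only meaningful for downlink features


# Step S110: the attack feature set as a table (constructed rows).
FEATURE_SET = [
    AttackFeature("cmd-exec-demo", "command execution", "uplink", "cmd=ipconfig", "parameter"),
    AttackFeature("traversal-demo", "path traversal", "uplink", "../../etc/passwd", "path"),
]

# Constructed traffic log: request fields plus the paired response.
FLOW_LOG = [
    {"path": "/run", "parameter": "cmd=ipconfig", "status_code": 200,
     "response_body": "Windows IP Configuration\nEthernet adapter Ethernet0:"},
    {"path": "/run", "parameter": "cmd=ipconfig", "status_code": 403,
     "response_body": "forbidden"},
    {"path": "/files/../../etc/passwd", "parameter": "", "status_code": 404,
     "response_body": "not found"},
]

# Execution command set (commands seen in the traffic log, with the protocol
# keyword they travelled in) and the execution result data set keyed by command.
EXEC_COMMANDS = [{"command": "cmd=ipconfig", "protocol_keyword": "parameter"}]
EXEC_RESULTS = {"cmd=ipconfig": {"success": True, "marker": "Windows IP Configuration"}}


def target_execution_result(feat: AttackFeature) -> Optional[dict]:
    """Association analysis: match the protocol keyword (and the feature text)
    between the execution command set and the first flow direction feature."""
    for cmd in EXEC_COMMANDS:
        if cmd["protocol_keyword"] == feat.protocol_keyword and feat.feature in cmd["command"]:
            return EXEC_RESULTS.get(cmd["command"])
    return None


def second_flow_feature(feat: AttackFeature) -> Optional[AttackFeature]:
    """Step S120: if the target execution result is a success, locate the attack
    success message in the log and extract the response-side feature from it."""
    result = target_execution_result(feat)
    if result is None or not result["success"]:
        return None
    for entry in FLOW_LOG:
        if feat.feature in entry[feat.protocol_keyword] and result["marker"] in entry["response_body"]:
            return AttackFeature(feat.threat_name, feat.attack_type, "downlink",
                                 result["marker"], "response_body", entry["status_code"])
    return None


def expand_feature_set(features):
    """Step S130: the updated set is the union of first and second flow direction features."""
    updated = list(features)
    for feat in features:
        if feat.flow_direction == "uplink":
            down = second_flow_feature(feat)
            if down is not None:
                updated.append(down)
    return updated


# Step S140 assumption: protocol keyword -> Suricata-style sticky buffer.
BUFFER_FOR_KEYWORD = {"path": "http.uri", "parameter": "http.uri",
                      "response_body": "http.response_body"}


def to_rule(feat: AttackFeature, sid: int) -> str:
    """Render one feature as a rule, request side or response side by flow direction."""
    side = "request" if feat.flow_direction == "uplink" else "response"
    flow = "to_server" if feat.flow_direction == "uplink" else "to_client"
    parts = [f'msg:"{feat.threat_name} {side}"', f"flow:{flow},established"]
    if feat.status_code is not None:
        parts += ["http.stat_code", f'content:"{feat.status_code}"']
    parts += [BUFFER_FOR_KEYWORD[feat.protocol_keyword], f'content:"{feat.feature}"',
              f"sid:{sid}", "rev:1"]
    return "alert http any any -> any any (" + "; ".join(parts) + ";)"


def generate_rules(features=FEATURE_SET, base_sid=1000001):
    return [to_rule(f, base_sid + i) for i, f in enumerate(expand_feature_set(features))]


if __name__ == "__main__":
    for rule in generate_rules():
        print(rule)
```

The traversal row stays request-only because no execution command in the log carries its protocol keyword, so no downlink feature is attached to it; the command execution row gains a response-side rule keyed on the status code and the response body marker that the execution result data set supplied.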
In the specific implementation process: a traffic log is a log that records network access traffic. The traffic log can be obtained as follows: a traffic collector and a detection engine are deployed at the traffic monitoring point, where the traffic collector collects full traffic data and alarm traffic data, and the detection engine can be used for regular periodic testing. The collected traffic data is parsed into traffic logs, and the content of a traffic log can include the timestamp, attacker IP and port, target IP and port, protocol keywords and their content, and the like.
An execution command set containing the protocol keywords, and an execution result data set corresponding to the execution command set, are acquired from the traffic log. The command execution result data set may be obtained as follows: using batch commands, a command set is executed automatically on a plurality of hosts, the execution result of each command is recorded, the several result contents of each command are compared, only the content that is the same across hosts is retained, and the command execution result data set is generated. For example, ipconfig is a command line tool in the Windows operating system for displaying the network configuration information of a computer. The retained content common to the ipconfig execution results may be: Windows IP configuration, Ethernet adapter, connection-specific DNS suffix, link-local IPv6 address, IPv4 address, subnet mask, default gateway, etc.
Based on the protocol key words, the first flow direction attack feature and the command execution result data set can be associated, and then the target execution result corresponding to the first flow direction attack feature can be determined. The message of successful attack can be determined through the command execution result data set, and the message containing the attack characteristic can be determined through the first flow direction attack characteristic, so that the target execution result corresponding to the first flow direction attack characteristic is determined, and the alarm result of the first flow direction attack characteristic can be determined.
After the target execution result is obtained, locating an attack success message in the flow log through association analysis, and extracting a second flow direction attack characteristic corresponding to the first flow direction attack characteristic.
In the implementation process, the target execution result of the first flow direction attack feature is determined from the execution result data set through the execution command set and the corresponding execution result data set in the flow log, so that the second flow direction attack feature corresponding to the first flow direction attack feature can be determined, and a bidirectional detection rule is generated according to the associated attack feature.
Optionally, in an embodiment of the present application, based on a protocol keyword, performing association analysis on an execution command set and a first flow direction attack feature to obtain a target execution result corresponding to the first flow direction attack feature, where the method includes: matching the protocol keywords in the execution command with the protocol keywords of the first flow direction attack feature to obtain a target execution command associated with the first flow direction attack feature; and determining a target execution result corresponding to the first flow direction attack characteristic in the execution result data set according to the target execution command.
In the specific implementation process: the successful execution messages can be determined in the flow log through the command execution result data set, but the successful execution messages may not be successful attack messages, and may be successful operation commands or successful execution commands of operation and maintenance or operators. The first flow direction attack feature can find out the message with the attack feature, the execution result of the message can be the success of the attack or the failure of the attack, and the second flow direction attack feature can be extracted from the message with the success of the attack only if the execution result is determined to be the success of the attack.
It can be seen that using either the execution result data set or the first flow direction attack feature alone, it is not possible to determine whether the attack carrying the first flow direction attack feature succeeded, nor to locate the message of the successful attack. Therefore, association analysis needs to be carried out between the first flow direction attack feature and the execution result data set, and the message of the successful attack is determined according to the target execution result obtained after successful association.
The process of correlating the first flow-direction attack feature with the execution result data set is as follows: and carrying out association analysis on the execution command and the first flow direction attack characteristic based on the keywords, for example, matching the protocol keywords in the execution command with the protocol keywords of the first flow direction attack characteristic, wherein the successfully matched execution command is the target execution command associated with the first flow direction attack characteristic. And determining a target execution result corresponding to the target execution command in the execution result data set according to the target execution command, namely, the target execution result corresponding to the first flow direction attack characteristic.
In the implementation process, the first flow direction attack feature is associated with the execution result data set through the protocol keyword in the execution command and the protocol keyword of the first flow direction attack feature in the flow log, and the target execution result corresponding to the first flow direction attack feature is determined.
Optionally, in an embodiment of the present application, obtaining, according to a target execution result, a second flow direction attack feature corresponding to the first flow direction attack feature includes: if the target execution result represents successful execution, determining an attack success message corresponding to the first flow attack characteristic from the flow log; extracting second flow direction attack characteristics corresponding to the first flow direction attack characteristics from the attack success message; the second flow attack characteristic comprises at least one of a status code, a class of response bodies, or a function of response bodies.
In the specific implementation process: if the target execution result represents successful execution, determining an attack success message corresponding to the first flow attack characteristic from the flow log through the target execution result. And then acquiring a message of a response part from the successful attack message, extracting the message of the response part, and extracting second flow attack characteristics corresponding to the first flow attack characteristics. The second flow attack characteristic comprises at least one of a status code, a class of response bodies, or a function of response bodies.
After the second flow direction attack feature is obtained, the corresponding second flow direction attack feature can be supplemented in the attack feature table to obtain the updated attack feature set. Taking the attack feature table as an example, as shown in Table 1, two columns, "response status code" and "response body", may be newly added to the updated attack feature table. One row of data is the second flow direction attack feature corresponding to the first flow direction attack feature "Spring arbitrary command execution vulnerability M1"; another row of data is the second flow direction attack feature corresponding to the first flow direction attack feature "Spring arbitrary command execution vulnerability M2".
Table 1 Updated attack feature table
In an optional embodiment, if the target execution result indicates that execution failed, that is, the attack carrying the first flow direction attack feature failed, there is no attack success message in the traffic log, and thus the second flow direction attack feature corresponding to the first flow direction attack feature cannot be extracted. Where the first flow direction attack feature cannot be associated with a second flow direction attack feature, the attack feature set does not need to be expanded with a second flow direction attack feature, and the attack detection rule can be generated from the first flow direction attack feature alone.
In the implementation process, the attack success message corresponding to the first flow attack characteristic is determined from the flow log through the target execution result, and the vulnerability attack message which is successful in attack is positioned. And extracting a second flow direction attack characteristic corresponding to the first flow direction attack characteristic from the attack success message, so that the first flow direction attack characteristic is associated with the second flow direction attack characteristic, and the richness of the attack characteristic is improved.
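The association analysis described above (execution command set, target execution result, attack success message, second flow direction feature) as an added example, not the patent's own code. The traffic log records, the first flow direction features and the command execution result data set are all constructed samples, and the class/function regexes are assumptions about what a "response body class or function" looks like.

```python
import re

# Constructed command execution result data set: for each command, the output
# content that was identical on every host it was batch-executed on.
EXEC_RESULT_SET = {
    "ipconfig": ["Windows IP configuration", "Ethernet adapter", "Default gateway"],
    "id": ["uid=", "gid="],
}

# Constructed first flow direction (request side) attack features, each with
# the protocol keyword it lives under.
FIRST_FLOW_FEATURES = [
    {"name": "Constructed command injection M1", "keyword": "http.request_body",
     "content": "cmd=ipconfig"},
    {"name": "Constructed command injection M2", "keyword": "http.uri",
     "content": "/ping?host=;id"},
]

# Constructed traffic log, already parsed into protocol keyword fields.
TRAFFIC_LOG = [
    # M1 attempt, command ran: the response carries the retained output
    {"request": {"http.method": "POST", "http.uri": "/run",
                 "http.request_body": "cmd=ipconfig"},
     "response": {"http.stat_code": "200", "http.response_body":
                  "Windows IP configuration\nEthernet adapter eth0:\n"
                  "Default gateway: 10.0.0.1"}},
    # M1 attempt, blocked: same request, no execution result
    {"request": {"http.method": "POST", "http.uri": "/run",
                 "http.request_body": "cmd=ipconfig"},
     "response": {"http.stat_code": "403", "http.response_body": "forbidden"}},
    # M2 attempt, command ran inside an exception trace
    {"request": {"http.method": "GET", "http.uri": "/ping?host=;id",
                 "http.request_body": ""},
     "response": {"http.stat_code": "500", "http.response_body":
                  "java.io.IOException at org.example.Ping.run()\n"
                  "uid=1000 gid=1000"}},
    # operations traffic: execution output, but no attack feature in the request
    {"request": {"http.method": "GET", "http.uri": "/status",
                 "http.request_body": ""},
     "response": {"http.stat_code": "200",
                  "http.response_body": "Default gateway: 10.0.0.1"}},
]

CLASS_RE = re.compile(r"\b[a-z]+(?:\.[A-Za-z_]\w*)+\b")  # e.g. java.io.IOException
FUNC_RE = re.compile(r"\b\w+\(\)")                         # e.g. run()


def extract_exec_commands(log):
    """Execution command set: (protocol keyword, command) pairs seen in requests."""
    found = set()
    for rec in log:
        for keyword, value in rec["request"].items():
            for cmd in EXEC_RESULT_SET:
                if re.search(r"(?<![\w-])" + re.escape(cmd) + r"(?![\w-])", value):
                    found.add((keyword, cmd))
    return found


def target_execution_command(feature, exec_commands):
    """Keyword-based association: the command found under the same protocol
    keyword as the feature and contained in the feature content."""
    for keyword, cmd in exec_commands:
        if keyword == feature["keyword"] and cmd in feature["content"]:
            return cmd
    return None


def find_attack_success(feature, log):
    """Messages carrying the feature whose response shows the target execution
    result: execution succeeded, so the attack succeeded."""
    cmd = target_execution_command(feature, extract_exec_commands(log))
    if cmd is None:
        return []
    expected = EXEC_RESULT_SET[cmd]
    hits = []
    for rec in log:
        if feature["content"] not in rec["request"].get(feature["keyword"], ""):
            continue
        body = rec["response"]["http.response_body"]
        if all(marker in body for marker in expected):
            hits.append(rec)
    return hits


def extract_second_flow_feature(rec):
    """Second flow direction feature: status code plus the first class name and
    function call found in the response body (None when absent)."""
    body = rec["response"]["http.response_body"]
    classes = CLASS_RE.findall(body)
    funcs = FUNC_RE.findall(body)
    return {"http.stat_code": rec["response"]["http.stat_code"],
            "response_class": classes[0] if classes else None,
            "response_function": funcs[0] if funcs else None}


def update_feature_table(features, log):
    """Supplement each first flow feature with its second flow feature, or None
    when no attack success message exists (execution failed)."""
    table = []
    for feature in features:
        row = dict(feature)
        hits = find_attack_success(feature, log)
        row["second_flow"] = extract_second_flow_feature(hits[0]) if hits else None
        table.append(row)
    return table


if __name__ == "__main__":
    for row in update_feature_table(FIRST_FLOW_FEATURES, TRAFFIC_LOG):
        print(row["name"], "->", row["second_flow"])
```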
Optionally, in an embodiment of the present application, acquiring an attack feature set includes: determining a protocol keyword according to the transmission protocol of the traffic log; performing information extraction on network traffic data acquired in advance, based on the protocol keyword, to generate training data, where the training data comprises attack training data and security training data; training on the training data to obtain an attack detection model; detecting data to be detected with the attack detection model and determining predicted attack data from the data to be detected; and generating the attack feature set according to the predicted attack data and the attack data.
In the specific implementation process: analyzing the collected flow data into a flow log, wherein the flow log comprises protocol keywords. Taking the HTTP protocol as an example, as shown in table 2, table 2 is an HTTP protocol parsing structure and a protocol key.
Table 2 HTTP protocol parsing structure and protocol keywords
The network traffic data acquired in advance comprises normal traffic data and attack data; the attack data may be Payloads, PoCs and Exps. Attack data may be acquired as follows: attack Payloads, PoCs and Exps are collected and stored from existing threat information sources, such as GitHub, the vulnerability management of various security vendors, security monitoring platforms, vulnerability-sharing articles or attack scripts, etc. The network traffic data can be collected through online vulnerability analysis and shared articles, local reproduction, on-site collection at a client, and the like, and the file storage naming format can be threat name plus attack type. Referring to the attack type configuration table shown in Table 3, the attack type configuration table includes the attack types of the collected attack data, the Chinese names corresponding to the attack types and the threat levels.
Table 3 Attack type configuration table
Information extraction is performed on the collected normal traffic data and attack data to generate training data. An initialized attack feature table may be generated from the training data based on the protocol keywords, and the data in the initialized feature table is used to train the attack detection model.
The process of extracting information and generating the initialized feature table specifically includes splitting the obtained training data, such as Payloads, PoCs and Exps, according to the protocol keywords, recording the split training data in text form in a table, and generating the initialized attack feature table. The initialized attack feature table comprises the threat name, attack type, data flow direction, attack feature and protocol keyword. Taking the HTTP protocol as an example, the HTTP keywords comprise path, parameters, encoded content and the like; the content of the part of the attack data corresponding to each protocol keyword is split, and each split content is extracted and stored. Table 4 is an initialized attack feature table, in which each row of data represents a different data flow direction (request/response) of the attack data; for example, the table below is the uplink/downlink (request/response) content of one sample, and different samples of the same threat name are distinguished by the sequence numbers M1 and M2.
Table 4 Initialized attack feature table
Training labels are added to the attack training data and the security training data respectively; the training labels can be "normal service data" and "attack data", and the training label of attack training data can be set to the attack type. The labelled training data is input into a preset network model, the input samples and labels are trained with a machine learning algorithm, and the attack detection model is generated after training. The attack detection model is used to identify input data and output whether the input data is attack data; the attack detection model may also be used to predict the attack type of the attack data. The machine learning algorithm includes, but is not limited to, XGBoost (eXtreme Gradient Boosting), Naive Bayes, or a multi-layer perceptron (Multilayer Perceptron), among others.
After the attack detection model is obtained, the attack detection model can be used for detecting data to be detected, and the data to be detected can be some unknown sample flow data. The predicted attack data representing the attack data in the data to be detected can be predicted through the attack detection model, and the number of samples is enlarged by utilizing the predicted attack data.
An attack feature set is generated according to the predicted attack data and the attack data, where the attack feature set comprises an attack feature table. The process of generating the attack feature table specifically includes, for example, splitting the predicted attack data according to the protocol keywords to obtain table data; comparing the content corresponding to each protocol keyword in the table data with the content of the corresponding protocol keyword in the initialized attack feature table to obtain the difference part, and adding the difference part to the initialized attack feature table; when added, the difference part may be separated from the original content by a comma. The attack feature table after addition is shown in Table 5:
Table 5 Attack feature table
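The information extraction and table update steps above (splitting a sample by protocol keyword into Table 4 style rows, then adding the difference part of predicted attack data comma-separated, Table 5 style) as an added example, not the patent's code. The HTTP samples are constructed, and the keyword set stands in for Table 2, which is not reproduced on the page.

```python
# Assumed HTTP protocol keywords (the page's Table 2 is not reproduced here).
REQUEST_KEYWORDS = ("http.method", "http.uri", "http.user_agent", "http.request_body")
RESPONSE_KEYWORDS = ("http.stat_code", "http.response_body")
LABELS = ("threat", "attack_type", "sample", "flow")  # column labels, not features

# Constructed samples: one request/response pair for threat T (sample M1) and
# one predicted attack request for the same threat that differs in two fields.
REQUEST_M1 = ("POST /users HTTP/1.1\r\nHost: app.example\r\n"
              "User-Agent: cpp-httplib/0.12\r\n\r\nname=constructed-marker-1")
RESPONSE_M1 = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\n"
               "constructed.ErrorClass at handler()")
PREDICTED_REQUEST = ("POST /api/users HTTP/1.1\r\nHost: app.example\r\n"
                     "User-Agent: cpp-httplib/0.12\r\n\r\nname=constructed-marker-2")


def parse_http_request(raw):
    """Split a raw HTTP request into the request-side protocol keyword fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"http.method": method, "http.uri": uri,
            "http.user_agent": headers.get("user-agent", ""),
            "http.request_body": body}


def parse_http_response(raw):
    """Split a raw HTTP response into the response-side protocol keyword fields."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n")[0]
    return {"http.stat_code": status_line.split(" ")[1], "http.response_body": body}


def feature_rows(threat, attack_type, sample, request_raw, response_raw=None):
    """Initialised feature rows: one per data flow direction (Table 4 style)."""
    base = {"threat": threat, "attack_type": attack_type, "sample": sample}
    rows = [{**base, "flow": "request", **parse_http_request(request_raw)}]
    if response_raw is not None:
        rows.append({**base, "flow": "response", **parse_http_response(response_raw)})
    return rows


def merge_predicted(table, predicted_rows):
    """Add the difference part of predicted attack data to the table: content
    not yet recorded under the same keyword is appended, comma-separated
    (assumes feature values themselves contain no commas)."""
    for pred in predicted_rows:
        target = next((r for r in table
                       if r["threat"] == pred["threat"] and r["flow"] == pred["flow"]), None)
        if target is None:            # threat/flow not seen before: whole row is new
            table.append(dict(pred))
            continue
        for keyword, value in pred.items():
            if keyword in LABELS or not value:
                continue
            existing = [v for v in target.get(keyword, "").split(",") if v]
            if value not in existing:
                target[keyword] = ",".join(existing + [value])
    return table


def build_updated_table():
    """Initialised table for M1, then merged with the predicted sample."""
    table = feature_rows("Constructed threat T", "command-execution", "M1",
                         REQUEST_M1, RESPONSE_M1)
    predicted = feature_rows("Constructed threat T", "command-execution", "P1",
                             PREDICTED_REQUEST)
    return merge_predicted(table, predicted)


if __name__ == "__main__":
    for row in build_updated_table():
        print(row)
```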
Please refer to fig. 2, which illustrates a training data preprocessing method provided in an embodiment of the present application.
As an alternative embodiment, the training data comprises attack training data and security training data, wherein the attack training data is used as black samples and the security training data is used as white samples.
The attack sample data and normal service access data are preprocessed; the preprocessing can comprise at least one of a decoding operation, a Unicode case operation, a de-duplication operation and the like, where the decoding operation is, for example, Base64 decoding or URL decoding.
Taking Spring arbitrary command execution vulnerability M1 as an example: the original sample is "%5b%23this.getclass (). ForName (% e2%80%98java. Land.run time% E2%80% 99)% 3BgetRuntime (). Exec"; the case operation turns the original sample into "%5b%23this. Getslass (). For name (% e2%80%98java. Land. Run time% e2%80% 99)% 3bgetruntime (). Exec"; URL decoding then gives "[ # this. getrun (). Exec ", and the preprocessing of the attack sample data is complete.
The preprocessed samples are word-split and de-duplicated using N-gram modelling, taking 2-gram as an example, to generate combinations of several words. Using the TF-IDF model, the text is converted into a numerical matrix in which each row represents one sample and each column represents one word, so the number of distinct words across the samples is the number of columns of the matrix. The TF-IDF model counts how often each term in the text collection appears in each document.
Identical sample data can be de-duplicated according to these statistics, and the number of samples can be enlarged by the sample set generated from the combinations of words.
In the above example there is only one sample, which contains 50 distinct words, so a 1 x 50 matrix is output. Here TF-IDF = TF x IDF, where TF denotes the number of occurrences of a word or attack feature in a document, and IDF reflects how frequently the word or attack feature occurs across documents.
The preprocessed training data may be divided into a sample set and a test set. The division ratio is determined by actual requirements; for example, the sample set is 80% and the test set 20%, or the sample set is 70% and the test set 30%.
The preprocessed data can avoid the generation of the same rule by repeated data, improve the accuracy of training data and improve the rule generation efficiency.
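The preprocessing, 2-gram split and TF-IDF conversion described above, as an added example rather than the patent's code. The samples are constructed (benign strings, chosen so one pair collapses to a duplicate after decoding and lowercasing), the tokenisation rule and the smoothed IDF form are assumptions, and no third-party library is needed.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote

# Constructed samples: a plain one, one that differs only in case/encoding
# (a duplicate after preprocessing), and one that is double URL-encoded.
SAMPLES = ["name=%41dmin%20User", "NAME=Admin%20USER", "q=%2520hello%2520world"]


def url_decode_fully(text):
    """Repeat URL decoding until the text stops changing (nested encoding)."""
    previous = None
    while previous != text:
        previous, text = text, unquote(text)
    return text


def preprocess(samples):
    """Decoding, Unicode case operation (lowercase) and de-duplication."""
    seen, out = set(), []
    for raw in samples:
        text = url_decode_fully(raw).lower()
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def ngrams(text, n=2):
    """Word split into n-grams; punctuation is treated as a word of its own."""
    tokens = re.findall(r"\w+|[^\w\s]", text)
    return [" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)]


def tfidf_matrix(docs, n=2):
    """Rows = samples, columns = distinct n-grams over all samples.
    TF = occurrences in the sample; IDF = log((1+N)/(1+df)) + 1 (smoothed,
    an assumption, so a one-sample corpus does not collapse to all zeros)."""
    grams = [ngrams(doc, n) for doc in docs]
    vocab = sorted({g for gs in grams for g in gs})
    total = len(docs)
    df = {v: sum(1 for gs in grams if v in gs) for v in vocab}
    matrix = []
    for gs in grams:
        tf = Counter(gs)
        matrix.append([tf[v] * (math.log((1 + total) / (1 + df[v])) + 1) for v in vocab])
    return vocab, matrix


def split_train_test(docs, train_ratio=0.8):
    """Divide the preprocessed data into a sample (training) set and a test set."""
    cut = int(len(docs) * train_ratio)
    return docs[:cut], docs[cut:]


if __name__ == "__main__":
    docs = preprocess(SAMPLES)
    vocab, matrix = tfidf_matrix(docs)
    print(len(docs), "samples x", len(vocab), "2-grams")
    for doc, row in zip(docs, matrix):
        print(doc, [round(x, 3) for x in row])
```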
In the implementation process, the training data is obtained by extracting the information of the attack data and the safety data, and the attack detection model is obtained by continuously training the model by using the training data. The data to be detected is detected through the model, predicted attack data representing the attack data in the data to be detected is predicted, and the predicted attack data is utilized to update the attack feature set, so that the data in the attack feature set is richer. And the efficiency of acquiring the sample set is improved through the use of the model, and the detection accuracy of the network attack detection rule is improved through machine learning.
Optionally, in an embodiment of the present application, generating an attack detection rule based on the updated attack feature and a protocol key corresponding to the updated attack feature includes: converting the updated attack characteristics into preset format data; and generating grammar according to preset format data and protocol keywords corresponding to the updated attack characteristics and preset rules to generate attack detection rules.
In the specific implementation process: the attack features in the attack feature set generated from the predicted attack data and the attack data in the above embodiment are converted to obtain data in the preset format; the conversion format can be JSON or another format.
The preset format data is passed to the rule generation module, which automatically generates the bidirectional network attack detection rule from the protocol keywords according to the rule grammar structure. Specifically, for example, the rule generation grammar format may be: "<action> <protocol type> <source IP> <source port> <flow symbol> <destination IP> <destination port> (msg:"<rule name>"; flow; <protocol keyword 1>; content:"<protocol keyword match content 1>"; [<protocol keyword 2>; content:"<protocol keyword match content 2>";] ... [flowbits]; <attack type>; <rule number>; <version>; <other information>)".
Here <action> defaults to alert (network attack detection); the protocol type can be identified from the protocol keyword; the source IP, source port, flow symbol, destination IP and destination port default to any; the rule name, flow, protocol keyword match content and attack type can be obtained by querying the attack feature table; and the rule number and version can be added automatically.
For example, in the attack feature table the protocol is identified as http; http.method is POST; http.uri is users; http.user_agent is cpp-httplib/; http.request_body contains "[ #this.getclass (). For name (|22|java.lang.runtime|22|)" and "getperiod (). Exec". Information such as a self-defined rule number, alarm category, alarm level and alarm result (for a unidirectional detection rule the result is "attempt"; for a bidirectional detection rule, success or failure is assigned automatically according to the response part) can be built in through a functional interface, and the request part detection rule (that is, the uplink attack detection rule) automatically generated according to the grammar is: "alert http any any -> any any (msg:"Spring arbitrary command execution vulnerability"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"users"; nocase; http.user_agent; content:"cpp-httplib/"; http.request_body; content:"[ # this is.getclass (). For name (| 22|java.lang.Run time|22 |)"; nocase; content:"getrun (). Exec"; flowbits:set,sprin; reference:url,www.flame.com; classtype:web-vnesnery-cost-code-and instruction; "62;" time; "reference)".
In the attack feature table, if the first flow direction attack feature has a corresponding second flow direction attack feature, that is, a response attack feature associated with the request is included, for example http.stat_code is 500 and http.response_body is "java.land.reflection.transformation target expression", the corresponding response part detection rule, that is, the downlink attack detection rule, is automatically generated according to the grammar.
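The rule generation grammar above, applied to one row of the updated attack feature table to produce the request-side (uplink) and response-side (downlink) rules, as an added example rather than the patent's rule generation module. The feature row, rule numbers, flowbit name and reference URL are constructed placeholders; the option keywords (http.method, http.uri, http.user_agent, http.request_body, http.stat_code, http.response_body, flowbits) are the Suricata-style ones the text's example uses, and linking the two rules with a flowbit is an assumption about how "success" is assigned from the response part.

```python
# Keywords in the order they are emitted; the two groups map to the two flow
# directions of the feature table.
REQUEST_KEYWORDS = ("http.method", "http.uri", "http.user_agent", "http.request_body")
RESPONSE_KEYWORDS = ("http.stat_code", "http.response_body")

# Constructed updated feature table row (placeholders, not a real signature).
FEATURE_ROW = {
    "threat": "Constructed command execution sample",
    "attack_type": "web-application-attack",
    "protocol": "http",
    "http.method": "POST",
    "http.uri": "/users",
    "http.user_agent": "cpp-httplib/",
    "http.request_body": "constructed-request-marker",
    "http.stat_code": "500",
    "http.response_body": "constructed.ResponseClass",
}


def content_literal(value):
    """Render a content match; quote, semicolon, backslash, pipe and any
    non-printable/non-ASCII byte go in |xx| hex so the rule syntax stays valid."""
    out = []
    for ch in value:
        if ch in '";\\|' or not (32 <= ord(ch) < 127):
            out.append("|%s|" % " ".join("%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def _keyword_options(keywords, row):
    """'<keyword>; content:"<match content>"; nocase;' for each populated keyword."""
    opts = []
    for keyword in keywords:
        value = row.get(keyword)
        if not value:
            continue
        opts += [keyword, 'content:"%s"' % content_literal(value)]
        if keyword != "http.stat_code":   # case folding is meaningless for a status code
            opts.append("nocase")
    return opts


def generate_rules(row, sid, rev=1, reference="url,rule-reference.invalid/placeholder"):
    """Return (request_rule, response_rule). response_rule is None when the row
    carries no second flow direction feature, i.e. only a one-way rule exists."""
    proto = row["protocol"]
    flag = "constructed.%d" % sid      # flowbit tying response rule to request rule
    tail = ["reference:" + reference, "classtype:" + row["attack_type"]]

    request = ['msg:"%s [attempt]"' % row["threat"], "flow:to_server,established"]
    request += _keyword_options(REQUEST_KEYWORDS, row)
    request += ["flowbits:set,%s" % flag] + tail + ["sid:%d" % sid, "rev:%d" % rev]
    request_rule = "alert %s any any -> any any (%s;)" % (proto, "; ".join(request))

    if not any(row.get(k) for k in RESPONSE_KEYWORDS):
        return request_rule, None

    response = ['msg:"%s [success]"' % row["threat"], "flow:to_client,established",
                "flowbits:isset,%s" % flag]
    response += _keyword_options(RESPONSE_KEYWORDS, row)
    response += tail + ["sid:%d" % (sid + 1), "rev:%d" % rev]
    response_rule = "alert %s any any -> any any (%s;)" % (proto, "; ".join(response))
    return request_rule, response_rule


if __name__ == "__main__":
    for rule in generate_rules(FEATURE_ROW, sid=1000001):
        print(rule)
```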
In the implementation process, the updated attack characteristic set is utilized to generate grammar according to the preset rule, so that the generation efficiency of the network attack detection rule is improved. According to the first flow direction attack characteristic and the second flow direction attack characteristic, an attack detection rule of the request side and an attack detection rule of the response side are respectively generated, the generation of the bidirectional detection rule is realized, the problem of network attack detection omission of the response side is solved, and the accuracy rate and the detection rate of network attack discovery are improved.
Optionally, in an embodiment of the present application, after generating the attack detection rule based on the updated attack feature and the protocol key corresponding to the updated attack feature, the method further includes: checking the attack detection rule by using a detection engine to confirm whether the grammar of the attack detection rule is correct; if the grammar of the attack detection rule is correct, outputting a hit result of the attack detection rule by using the verification flow data through the detection engine; the hit result is used for representing the accuracy of the attack detection rule to detect whether the traffic data is network attack data.
In the specific implementation process: in order to improve the accuracy of the attack detection rules, it is necessary to check the attack detection rules. The check includes a grammar check and a hit result.
Firstly, grammar checking is carried out, a detection engine is utilized to check the attack detection rule, whether the grammar of the attack detection rule is correct or not is confirmed, the rule with the grammar error can be regenerated, specifically, for example, the rule with the grammar error is returned to a rule generating module, and the rule is regenerated according to the attack characteristic table.
If the grammar of the attack detection rule is correct, the detection engine outputs the hit result of the attack detection rule using the verification traffic data. The verification traffic data may be retained attack traffic data and normal traffic data that the detection engine replays for detection. The alarm hit calculation method is shown in Table 6:
Here, the hit results for true positives and true negatives are counted as true, meaning the detection result is accurate; the hit results for false positives and false negatives are counted as false, meaning the detection result is inaccurate. The alarm hit rate can be calculated from the number of true hit results, and the alarm hit rate represents the accuracy of the rule.
As one implementation, if the alarm hit rate is lower than a first threshold, the rule is discarded directly, data is re-collected and a new rule is generated; if the alarm hit rate is greater than or equal to the first threshold and lower than a second threshold, the rule is returned to the rule generation module and enters rule optimization processing, through which the rule is adjusted; and if the alarm hit rate is greater than or equal to the second threshold, the rule is stored. The first threshold and the second threshold are set according to implementation requirements and are not limited by the embodiments of the application; for example, the first threshold is set to 50% and the second threshold to 80%, or the first threshold to 55% and the second threshold to 85%, etc. Based on the alarm hit rate, a confidence label is added to the rule; the confidence label comprises high confidence, medium confidence and low confidence, and a rule with high confidence can be enabled directly. The new rule is compared with the existing rules in the rule base, and a rule that duplicates an existing one is deleted.
In the implementation process, the accuracy of the attack detection rule is improved by carrying out grammar check and hit check on the generated attack detection rule, so that the accuracy of the attack detection rule for detecting the network attack is higher, normal and abnormal network behaviors are automatically identified and processed, and the false alarm rate is reduced.
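The hit-result verification above (hit rate from replayed traffic, the two-threshold disposition, confidence label, duplicate check against the rule base) as an added example, not the patent's verification module. The replay outcomes and rules are constructed; mapping the three confidence labels onto the same two thresholds, and ignoring sid/rev when comparing rules, are assumptions.

```python
import re
from collections import Counter

# Constructed replay outcomes: (rule alerted?, message was attack traffic?).
REPLAY_GOOD = [(True, True)] * 6 + [(False, False)] * 2 + [(True, False)] + [(False, True)]
REPLAY_WEAK = [(True, True)] * 3 + [(False, False)] * 3 + [(True, False)] * 2 + [(False, True)] * 2

# Constructed rule base and candidate rules (the first candidate duplicates
# the stored rule except for its sid).
RULE_BASE = ['alert http any any -> any any (msg:"constructed"; http.uri; content:"/users"; sid:1; rev:1;)']
NEW_RULES = ['alert http any any -> any any (msg:"constructed"; http.uri; content:"/users"; sid:7; rev:1;)',
             'alert http any any -> any any (msg:"constructed"; http.uri; content:"/other"; sid:8; rev:1;)']


def classify(alerted, is_attack):
    """One replayed message -> its hit result (Table 6 style)."""
    if alerted:
        return "true_positive" if is_attack else "false_positive"
    return "false_negative" if is_attack else "true_negative"


def alarm_hit_rate(replay):
    """Share of replayed messages whose hit result is true (TP or TN)."""
    counts = Counter(classify(a, b) for a, b in replay)
    true_hits = counts["true_positive"] + counts["true_negative"]
    return true_hits / len(replay), counts


def disposition(rate, first=0.5, second=0.8):
    """Two-threshold handling of a syntactically valid rule."""
    if rate < first:
        return "discard"      # re-collect data and generate a new rule
    if rate < second:
        return "optimize"     # back to the rule generation module
    return "store"


def confidence_label(rate, first=0.5, second=0.8):
    """Assumption: labels follow the same thresholds as the disposition."""
    return {"discard": "low", "optimize": "medium", "store": "high"}[disposition(rate, first, second)]


_SID_REV = re.compile(r"\b(?:sid|rev):\d+;\s*")


def canonical(rule):
    """Rule text without sid/rev, so renumbered copies compare equal."""
    return _SID_REV.sub("", rule).strip()


def deduplicate(new_rules, rule_base):
    """Drop candidate rules already present in the rule base."""
    known = {canonical(r) for r in rule_base}
    kept = []
    for rule in new_rules:
        key = canonical(rule)
        if key not in known:
            known.add(key)
            kept.append(rule)
    return kept


def verify(rule, replay, rule_base, first=0.5, second=0.8):
    """Full check for one rule: hit rate, disposition, label, duplicate status."""
    rate, counts = alarm_hit_rate(replay)
    result = {"hit_rate": rate, "counts": counts,
              "disposition": disposition(rate, first, second),
              "confidence": confidence_label(rate, first, second)}
    if result["disposition"] == "store" and not deduplicate([rule], rule_base):
        result["disposition"] = "duplicate"
    result["enable"] = result["disposition"] == "store" and result["confidence"] == "high"
    return result


if __name__ == "__main__":
    print(verify(NEW_RULES[0], REPLAY_GOOD, RULE_BASE))
    print(verify(NEW_RULES[1], REPLAY_GOOD, RULE_BASE))
    print(verify(NEW_RULES[1], REPLAY_WEAK, RULE_BASE))
```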
Please refer to the method for automatically generating, analyzing and verifying the network attack detection rule according to the embodiment of the present application shown in fig. 3.
In an alternative embodiment, the collection module collects flow data for the flow monitoring points and parses the flow data into flow logs.
Meanwhile, attack features are collected and stored from threat information sources (Payloads, PoCs, Exps); the attack features are extracted with a scripting language (Python); an attack feature table is generated with vulnerability name, attack type, protocol keyword and data flow direction as column labels; and the collected network attack Payloads, PoCs (Proof of Concept), Exps (exploits) and similar information are text-processed and given a sequence label to generate the attack sample set.
And taking the attack sample set and the normal service access data as training data, extracting text features by using a word bag model, and training the model by using a machine learning algorithm.
And predicting the unknown sample by using the model, generating table data from the predicted black sample through a script, comparing the table data with an attack characteristic table, adding characteristic contents of different contents of the same key word, and updating the attack characteristic table.
Collecting and generating a command execution result data set, carrying out association analysis on the uplink attack characteristics of the attack characteristic table, the command execution result data set and the flow log, positioning to an attack success message, extracting the attack characteristics of the response part content of the hit message, and supplementing the corresponding downlink attack characteristics in the attack characteristic table.
And sending the attack characteristic table to a rule generation module, and generating a network attack detection rule according to the tag and the content and the rule grammar structure.
The attack detection rule is sent to the rule verification module, where the detection engine replays the retained attack traffic data and normal traffic data and finally outputs the alarm hit condition and any rule grammar error information. The rule is compared with the existing rules in the rule base and identical rules are de-duplicated; the alarm engine is run in simulation to judge whether the rule grammar has errors, and if so the rule is regenerated from the attack feature table; if the hit rate of the alarm hit condition is below the first threshold, the rule is discarded and data is re-collected to regenerate it; if the first threshold <= hit rate < the second threshold, the rule enters a manual optimization list and the rule that failed verification is verified and optimized; if the hit rate >= the second threshold, a confidence label is added according to the alarm hit condition. The rule is uploaded to the rule base, the new rule is loaded into the traffic monitoring point engine, and manual audit verification is performed periodically.
Please refer to fig. 4, which illustrates a schematic structural diagram of an attack detection rule generating device according to an embodiment of the present application; the embodiment of the application provides an attack detection rule generating device 200, which comprises:
an attack feature acquisition module 210, configured to acquire an attack feature set; the attack feature set comprises first flow direction attack features and protocol keywords of each first flow direction attack feature;
the association module 220 is configured to obtain a second flow direction attack feature corresponding to the first flow direction attack feature according to the protocol key of the first flow direction attack feature;
an extended feature module 230, configured to extend the attack feature in the attack feature set based on the second flow direction attack feature, to obtain an updated attack feature set; the updated attack feature set comprises updated attack features;
a rule generating module 240, configured to generate an attack detection rule based on the updated attack feature and the protocol key corresponding to the updated attack feature; the attack detection rule is used for detecting whether the traffic data is network attack data.
Optionally, in the attack detection rule generating device of this embodiment, the association module 220 is further configured to obtain, from the traffic log, an execution command set containing the protocol keyword and an execution result data set corresponding to the execution command set; to perform association analysis on the execution command set and the first flow direction attack feature based on the protocol keyword, obtaining a target execution result corresponding to the first flow direction attack feature; and to obtain the second flow direction attack feature corresponding to the first flow direction attack feature according to the target execution result.
Optionally, in the attack detection rule generating device of this embodiment, the association module 220 is further configured to match the protocol keyword in each execution command against the protocol keyword of the first flow direction attack feature, obtaining the target execution command associated with the first flow direction attack feature; and to determine, according to the target execution command, the target execution result corresponding to the first flow direction attack feature in the execution result data set.
Optionally, in the attack detection rule generating device of this embodiment, the association module 220 is further configured to determine, if the target execution result characterizes successful execution, an attack success message corresponding to the first flow direction attack feature from the traffic log, and to extract the second flow direction attack feature corresponding to the first flow direction attack feature from the attack success message; the second flow direction attack feature comprises at least one of a status code, a response body class, or a response body function.
Optionally, in the attack detection rule generating device of this embodiment, the attack feature acquisition module 210 is specifically configured to: determine the protocol keyword according to the transmission protocol of the traffic log; perform information extraction on previously collected network traffic data based on the protocol keyword to generate training data, the training data comprising attack training data and safe (non-attack) training data; train an attack detection model on the training data; run the attack detection model over the data to be detected to determine predicted attack data from it; and generate the attack feature set from the predicted attack data and the attack data.
Optionally, in the attack detection rule generating device of this embodiment, the rule generating module 240 is specifically configured to convert the updated attack feature into preset format data, and to generate the attack detection rule from the preset format data and the protocol keyword corresponding to the updated attack feature according to a preset rule generation syntax.
Optionally, in this embodiment the attack detection rule generating device further includes a verification module, configured to check the attack detection rule with a detection engine and confirm whether the syntax of the attack detection rule is correct; if the syntax of the attack detection rule is correct, the detection engine runs the attack detection rule over verification traffic data and outputs a hit result; the hit result characterizes how accurately the attack detection rule detects whether traffic data is network attack data.
It should be understood that the apparatus corresponds to the foregoing embodiment of the attack detection rule generating method and is capable of executing the steps involved in that method embodiment; for the specific functions of the apparatus, reference may be made to the foregoing description, and detailed descriptions are omitted here where appropriate to avoid redundancy. The device includes at least one software functional module that can be stored in memory in the form of software or firmware, or built into the operating system (OS) of the device.
Please refer to fig. 5, which illustrates a schematic structural diagram of an electronic device according to an embodiment of the present application. An electronic device 300 provided in an embodiment of the present application includes: a processor 310 and a memory 320, the memory 320 storing machine-readable instructions executable by the processor 310, which when executed by the processor 310 perform the method as described above.
The embodiment of the application also provides a storage medium, wherein a computer program is stored on the storage medium, and the computer program is executed by a processor to execute the method.
The storage medium may be implemented by any type of volatile or nonvolatile memory device or combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk, or optical disk.
In the embodiments of the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The foregoing description is merely an optional implementation of the embodiment of the present application, but the scope of the embodiment of the present application is not limited thereto, and any person skilled in the art may easily think about changes or substitutions within the technical scope of the embodiment of the present application, and the changes or substitutions are covered by the scope of the embodiment of the present application.

Claims (10)

1. An attack detection rule generation method, comprising:
acquiring an attack feature set; the attack feature set comprises first flow direction attack features and protocol keywords of each first flow direction attack feature;
acquiring a second flow direction attack characteristic corresponding to the first flow direction attack characteristic according to the protocol keyword of the first flow direction attack characteristic;
expanding the attack features in the attack feature set based on the second flow direction attack features to obtain an updated attack feature set; the updated attack feature set comprises updated attack features;
and generating an attack detection rule based on the updated attack feature and the protocol keyword corresponding to the updated attack feature; the attack detection rule is used for detecting whether the traffic data is network attack data.
2. The method according to claim 1, wherein the obtaining, according to the protocol key of the first flow direction attack feature, a second flow direction attack feature corresponding to the first flow direction attack feature includes:
acquiring an execution command set containing the protocol key words from a flow log and an execution result data set corresponding to the execution command set;
based on the protocol key words, carrying out association analysis on the execution command set and the first flow direction attack characteristics to obtain target execution results corresponding to the first flow direction attack characteristics;
and obtaining the second flow direction attack characteristic corresponding to the first flow direction attack characteristic according to the target execution result.
3. The method according to claim 2, wherein the performing association analysis on the execution command set and the first flow direction attack feature based on the protocol keyword, to obtain a target execution result corresponding to the first flow direction attack feature, includes:
matching the protocol keywords in the execution command with the protocol keywords of the first flow direction attack feature to obtain a target execution command associated with the first flow direction attack feature;
and determining the target execution result corresponding to the first flow direction attack characteristic in the execution result data set according to the target execution command.
4. The method according to claim 2, wherein the obtaining the second flow direction attack feature corresponding to the first flow direction attack feature according to the target execution result includes:
if the target execution result represents successful execution, determining an attack success message corresponding to the first flow direction attack characteristic from the flow log;
extracting the second flow direction attack characteristics corresponding to the first flow direction attack characteristics from the attack success message; the second flow direction attack feature comprises at least one of a status code, a class of response bodies, or a function of response bodies.
5. The method of claim 1, wherein the acquiring the attack feature set comprises:
determining the protocol key words according to the transmission protocol of the flow log;
performing information extraction on previously collected network traffic data based on the protocol keywords to generate training data; the training data comprises attack training data and safe (non-attack) training data;
training an attack detection model on the training data;
detecting the data to be detected through the attack detection model, and determining predicted attack data from the data to be detected;
and generating the attack characteristic set according to the predicted attack data and the attack data.
6. The method of claim 1, wherein the generating an attack detection rule based on the updated attack feature and the protocol keyword corresponding to the updated attack feature comprises:
converting the updated attack characteristics into preset format data;
and generating the attack detection rule from the preset format data and the protocol keyword corresponding to the updated attack feature according to a preset rule generation syntax.
7. The method according to any one of claims 1-6, wherein after the generating an attack detection rule based on the updated attack feature and the protocol keyword corresponding to the updated attack feature, the method further comprises:
checking the attack detection rule by using a detection engine to confirm whether the grammar of the attack detection rule is correct;
if the grammar of the attack detection rule is correct, running the attack detection rule over verification flow data through the detection engine and outputting a hit result; the hit result is used for representing the accuracy of the attack detection rule in detecting whether the traffic data is network attack data.
8. An attack detection rule generation apparatus, comprising:
the attack feature acquisition module is used for acquiring an attack feature set; the attack feature set comprises first flow direction attack features and protocol keywords of each first flow direction attack feature;
the association module is used for acquiring a second flow direction attack characteristic corresponding to the first flow direction attack characteristic according to the protocol keyword of the first flow direction attack characteristic;
the extended feature module is used for expanding the attack features in the attack feature set based on the second flow direction attack features to obtain an updated attack feature set; the updated attack feature set comprises updated attack features;
the rule generation module is used for generating an attack detection rule based on the updated attack characteristics and the protocol keywords corresponding to the updated attack characteristics; the attack detection rule is used for detecting whether the traffic data is network attack data.
9. An electronic device, comprising: a processor and a memory storing machine-readable instructions executable by the processor to perform the method of any one of claims 1 to 7 when executed by the processor.
10. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the method according to any of claims 1 to 7.
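The association, expansion, rule-generation and verification steps of claims 1 to 7 (and of the association module 220, extended feature module 230, rule generating module 240 and verification module described above), carried through on a small constructed traffic log. This is an added Python illustration and not code from the patent or from the applicant: the log records, the `http.uri` protocol keyword, the regex patterns, the success criterion, the `classify_body` body classifier and the loosely Suricata-like rule syntax are all assumptions made for the example. The model-training step of claim 5 is not covered.

```python
"""Added illustration of the request/response feature-association pipeline.
Example code, not the patent's or the applicant's code: every log record,
keyword, pattern and the rule syntax below is constructed for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class AttackFeature:
    name: str
    protocol_keyword: str      # protocol field the first flow direction feature matches on
    pattern: str               # regex over that field's value (request side)
    response: dict = field(default_factory=dict)  # second flow direction features, set by expand()


# Constructed attack feature set: request-side (first flow direction) features only.
FEATURE_SET = [
    AttackFeature("cmd_injection_id", "http.uri", r";\s*id\b"),
    AttackFeature("path_traversal", "http.uri", r"\.\./\.\./"),
]

# Constructed traffic log: each record pairs a request (execution command) with the
# response the server returned (execution result). "http.uri" is the protocol keyword.
TRAFFIC_LOG = [
    {"id": 1, "http.uri": "/cgi-bin/ping?host=10.0.0.5;id", "status": 200,
     "body": "uid=33(www-data) gid=33(www-data)"},
    {"id": 2, "http.uri": "/cgi-bin/ping?host=10.0.0.5;id", "status": 403,
     "body": "<html>Forbidden</html>"},
    {"id": 3, "http.uri": "/index.html", "status": 200, "body": "<html>Welcome</html>"},
]


def classify_body(body: str) -> str:
    """Coarse 'response body class' used as a second flow direction feature (assumed classes)."""
    if re.search(r"\buid=\d+", body):
        return "command_output"
    if body.lstrip().lower().startswith("<html"):
        return "html"
    if "error" in body.lower():
        return "error"
    return "text"


def associate(feature: AttackFeature, log: list) -> list:
    """Association analysis (claims 2-3): pick the execution commands that carry the
    feature's protocol keyword and match its pattern; return their execution results."""
    commands = [r for r in log if feature.protocol_keyword in r]
    targets = [r for r in commands if re.search(feature.pattern, r[feature.protocol_keyword])]
    return [(r["status"], r["body"]) for r in targets]


def expand(feature: AttackFeature, log: list) -> AttackFeature:
    """Claim 4: if a target execution result represents success, take the response
    status code and body class as second flow direction features. The success
    criterion (HTTP 200 with a non-html, non-error body) is an assumption."""
    for status, body in associate(feature, log):
        body_class = classify_body(body)
        if status == 200 and body_class not in ("html", "error"):
            feature.response = {"status": status, "body_class": body_class}
            break
    return feature


def to_rule(feature: AttackFeature) -> str:
    """Claim 6: convert the updated feature to preset-format data (a flat dict) and
    render it in a constructed, loosely Suricata-like syntax (not any real engine's)."""
    data = {"msg": feature.name, feature.protocol_keyword: feature.pattern}
    data.update({f"http.{k}": v for k, v in feature.response.items()})
    options = "; ".join(f'{k}:"{v}"' for k, v in data.items())
    return f"alert http any any -> any any ({options};)"


# Toy detection engine standing in for the verification engine of claim 7.
RULE_RE = re.compile(r'^alert http any any -> any any \(([\w.]+:"[^"]*"; )*[\w.]+:"[^"]*";\)$')


def parse_rule(rule: str) -> dict:
    """Syntax check: reject anything the constructed grammar does not accept."""
    if not RULE_RE.match(rule):
        raise SyntaxError(f"bad rule syntax: {rule}")
    return dict(re.findall(r'([\w.]+):"([^"]*)"', rule))


def hit_result(rule: str, log: list) -> list:
    """Run the rule over verification traffic and return the ids of the records it fires on."""
    options = parse_rule(rule)
    hits = []
    for record in log:
        ok = True
        for key, value in options.items():
            if key == "msg":
                continue
            if key == "http.status":
                ok &= str(record["status"]) == value
            elif key == "http.body_class":
                ok &= classify_body(record["body"]) == value
            else:  # a protocol keyword: regex match on the request field
                ok &= key in record and re.search(value, record[key]) is not None
        if ok:
            hits.append(record["id"])
    return hits


def generate_rules(features: list, log: list) -> dict:
    """Whole pipeline: expand every feature against the log, then emit one rule per feature."""
    return {f.name: to_rule(expand(f, log)) for f in features}


if __name__ == "__main__":
    for name, rule in generate_rules(FEATURE_SET, TRAFFIC_LOG).items():
        print(name, "->", rule)
        print("   hits:", hit_result(rule, TRAFFIC_LOG))
```

Running it shows what the second flow direction features buy: a request-only rule for `cmd_injection_id` fires on records 1 and 2 alike, while the expanded rule, which also requires the 200 status code and a command-output body class taken from the attack success message, fires only on record 1, the request whose execution result characterised success. `path_traversal` has no associated successful result in the log, so it keeps a request-only rule, which is the case a practitioner should expect for features that never reached a vulnerable target during collection.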

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310762490.8A CN116614306A (en) 2023-06-26 2023-06-26 Attack detection rule generation method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116614306A true CN116614306A (en) 2023-08-18

Family

ID=87683780

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310762490.8A Pending CN116614306A (en) 2023-06-26 2023-06-26 Attack detection rule generation method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116614306A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116992450A (en) * 2023-09-27 2023-11-03 北京安天网络安全技术有限公司 File detection rule determining method and device, electronic equipment and storage medium
CN116992450B (en) * 2023-09-27 2024-01-23 北京安天网络安全技术有限公司 File detection rule determining method and device, electronic equipment and storage medium
CN118555140A (en) * 2024-07-29 2024-08-27 上海斗象信息科技有限公司 Construction method of attack detection model and attack detection method

Similar Documents

Publication Publication Date Title
CN116614306A (en) Attack detection rule generation method and device, electronic equipment and storage medium
US20170126724A1 (en) Log analyzing device, attack detecting device, attack detection method, and program
CN111858242A (en) System log anomaly detection method and device, electronic equipment and storage medium
US11568133B2 (en) Method and apparatus for detecting anomalies in mission critical environments
CN113704772B (en) Safety protection processing method and system based on user behavior big data mining
JPWO2019013266A1 (en) Determination device, determination method, and determination program
CN113486343A (en) Attack behavior detection method, device, equipment and medium
CN116827656A (en) Network information safety protection system and method thereof
CN114422271A (en) Data processing method, device, equipment and readable storage medium
Ikeuchi et al. Recovery command generation towards automatic recovery in ict systems by seq2seq learning
CN111309584A (en) Data processing method and device, electronic equipment and storage medium
CN111383660B (en) Website bad information monitoring system and monitoring method thereof
KR20220036099A (en) Method for automatically diagnosing and correcting speech translation errors
CN117499287A (en) Web testing method, device, storage medium and proxy server
CN112436969A (en) Internet of things equipment management method, system, equipment and medium
CN113691489A (en) Malicious domain name detection feature processing method and device and electronic equipment
CN111460436B (en) Unstructured data operation method and system based on blockchain
CN115587007A (en) Robertta-based weblog security detection method and system
Kalaki et al. Anomaly detection on OpenStack logs based on an improved robust principal component analysis model and its projection onto column space
US11120009B2 (en) Method and a device for detecting an anomaly
CN114003737A (en) Double-record examination assisting method, device, equipment and medium based on artificial intelligence
US20200159998A1 (en) Method and apparatus for detecting anomalies in mission critical environments using statistical language modeling
Liu et al. An efficient massive log discriminative algorithm for anomaly detection in cloud
CN117171800B (en) Sensitive data identification method and device based on zero trust protection system
CN111953544B (en) Fault detection method, device, equipment and storage medium of server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination