CN116663003A - Attack detection method, attack detection device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116663003A
Authority
CN
China
Prior art keywords
dependency
target
attack detection
poisoning
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310796510.3A
Other languages
Chinese (zh)
Inventor
傅秀妍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Property and Casualty Insurance Company of China Ltd
Original Assignee
Ping An Property and Casualty Insurance Company of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Property and Casualty Insurance Company of China Ltd filed Critical Ping An Property and Casualty Insurance Company of China Ltd
Priority to CN202310796510.3A priority Critical patent/CN116663003A/en
Publication of CN116663003A publication Critical patent/CN116663003A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application belongs to the fields of big data and financial technology and relates to an attack detection method comprising the following steps: if a dependency update request corresponding to target software is received, performing dependency detection on the target software based on the dependency information in the dependency update request, and judging whether the target dependency is a new software dependency; if so, determining a detection scene corresponding to the target dependency based on the user information in the dependency update request; and performing poisoning attack detection on the target dependency based on the attack detection rule corresponding to the detection scene, generating a poisoning attack detection result for the target dependency. The application also provides an attack detection device, computer equipment and a storage medium. In addition, the application relates to blockchain technology: the dependency information may be stored in a blockchain. The application can be applied to poisoning attack detection scenarios in the field of financial technology and provides a detection approach that can effectively identify the risk of open source software supply chain poisoning attacks.

Description

Attack detection method, attack detection device, computer equipment and storage medium
Technical Field
The present application relates to the field of big data technologies and financial technologies, and in particular, to an attack detection method, an attack detection device, a computer device, and a storage medium.
Background
In project dependency management at financial technology companies such as insurance companies and banks, many mature tools and methods already exist to help developers manage project dependencies. For example, dependency management tools such as Maven and Gradle can automatically install and manage project dependencies; dependency version management tools such as npm and Composer can manage dependency versions and avoid dependency conflicts.
Early software supply chains were relatively fixed, and supply chain security did not need to be considered. With the development of the Internet and the growing open source trend, modern software development depends on a large number of open source projects; a typical front-end project can depend, directly and indirectly, on open source projects numbering in the hundreds. This improves development efficiency but also brings management complexity and more risk to supply chain security. Unlike security problems caused by vulnerabilities in the software itself, a supply chain poisoning attack is an attack on the supply chain; the most common way this risk enters a project is through a dependency update, which is objectively difficult to detect. The aim of the attack is to implant malicious code in the supply chain and break its security. An attacker may impersonate a supplier, provide the customer with a product or service containing malicious code, and then wait for the customer to use it, at which point the damage is done. Supply chain poisoning attacks can have serious consequences such as data leakage and system paralysis, so developers should take care to protect the supply chain against them. However, no dependency management tool on the market incorporates software supply chain security features, so a detection method that can effectively detect the risk of software supply chain poisoning attacks is urgently needed to protect the supply chain from them.
Disclosure of Invention
The embodiments of the application aim to provide an attack detection method, an attack detection device, computer equipment and a storage medium, so as to solve the technical problem that no dependency management tool on the market incorporates software supply chain security features, and that a detection method capable of effectively detecting the risk of software supply chain poisoning attacks is therefore needed to protect the supply chain from such attacks.
In order to solve the above technical problems, the embodiment of the present application provides an attack detection method, which adopts the following technical scheme:
judging whether a dependency update request corresponding to target software triggered by a user is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
if the dependency update request is received, acquiring the dependency information from the dependency update request;
based on the dependency information, performing dependency detection on the target software, and judging whether the target dependency belongs to a new software dependency;
if the new software dependence exists, acquiring the user information from the dependence updating request;
determining a detection scene corresponding to the target dependency based on the user information;
and acquiring an attack detection rule corresponding to the detection scene, and performing poisoning attack detection on the target dependency based on the attack detection rule to generate a poisoning attack detection result corresponding to the target dependency.
Further, the detection scene comprises an active maintenance scene or an inactive maintenance scene; the step of obtaining an attack detection rule corresponding to the detection scene, performing a poisoning attack detection process on the target dependency based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency specifically includes:
if the detection scene is the non-active maintenance scene, acquiring a first attack detection rule corresponding to the non-active maintenance scene;
acquiring submitting flow data of the target software;
and carrying out poisoning attack analysis on the submitted flow data based on the first attack detection rule, and generating a poisoning attack detection result corresponding to the target dependence.
Further, the step of performing a poisoning attack analysis on the submitted flow data based on the first attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency specifically includes:
Acquiring first user information of a creating user corresponding to the target dependency from the submitting flow data;
acquiring second user information of a submitting user corresponding to the target dependency from the submitting flow data;
acquiring preset submitting judgment logic;
analyzing the first user information and the second user information based on the submission judging logic, and performing poisoning attack analysis on the target dependence based on the obtained analysis result to generate a poisoning attack detection result corresponding to the target dependence.
Further, the detection scene comprises an active maintenance scene or an inactive maintenance scene; the step of obtaining an attack detection rule corresponding to the detection scene, performing a poisoning attack detection process on the target dependency based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency specifically includes:
if the processing scene is the active maintenance scene, acquiring a second attack detection rule corresponding to the active maintenance scene;
acquiring submission frequency data corresponding to the target dependency;
acquiring user number data of the target software;
and carrying out poisoning attack analysis on the usage frequency data and the user number data based on the second attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency.
Further, the step of performing poisoning attack analysis on the usage frequency data and the user number data based on the second attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency, specifically includes:
acquiring specified submission frequency data within a preset time period from the usage frequency data;
acquiring average submission frequency data of a specified item corresponding to the target dependency;
judging whether the difference between the specified submission frequency data and the average submission frequency data falls within a preset numerical fluctuation interval;
if it falls within the numerical fluctuation interval, judging whether the user number data is larger than a preset numerical threshold;
if it is larger than the numerical threshold, generating a poisoning attack detection result indicating that the target dependency is at risk of a poisoning attack; otherwise, generating a poisoning attack detection result indicating that the target dependency is not at risk of a poisoning attack.
Further, after the step of obtaining the attack detection rule corresponding to the detection scenario, and performing a poisoning attack detection process on the target dependency based on the attack detection rule, generating a poisoning attack detection result corresponding to the target dependency, the method further includes:
Judging whether the target dependence exists or not according to the detection result of the poisoning attack;
if yes, acquiring preset dependent updating flow information;
and updating the target software based on the dependency updating flow information and the target dependency.
Further, after the step of obtaining the attack detection rule corresponding to the detection scenario, and performing a poisoning attack detection process on the target dependency based on the attack detection rule, generating a poisoning attack detection result corresponding to the target dependency, the method further includes:
judging, according to the poisoning attack detection result, whether the target dependency is at risk of a poisoning attack;
if yes, obtaining abnormal information corresponding to the target dependence;
generating corresponding early warning information based on the abnormal information and the dependent information;
acquiring communication information of a management user;
and pushing the early warning information to the management user based on the communication information.
In order to solve the above technical problems, the embodiment of the present application further provides an attack detection device, which adopts the following technical scheme:
the first judging module is used for judging whether a user-triggered dependency update request corresponding to the target software is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
The first acquisition module is used for acquiring the dependency information from the dependency update request if the dependency update request is received;
the second judging module is used for carrying out dependency detection on the target software based on the dependency information and judging whether the target dependency belongs to new software dependency or not;
the second acquisition module is used for acquiring the user information from the dependency update request if the new software dependency exists;
a determining module, configured to determine a detection scenario corresponding to the target dependency based on the user information;
the detection module is used for acquiring an attack detection rule corresponding to the detection scene, carrying out poisoning attack detection processing on the target dependence based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependence.
In order to solve the above technical problems, the embodiment of the present application further provides a computer device, which adopts the following technical schemes:
judging whether a dependency update request corresponding to target software triggered by a user is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
If the dependency update request is received, acquiring the dependency information from the dependency update request;
based on the dependency information, performing dependency detection on the target software, and judging whether the target dependency belongs to a new software dependency;
if the new software dependence exists, acquiring the user information from the dependence updating request;
determining a detection scene corresponding to the target dependency based on the user information;
and acquiring an attack detection rule corresponding to the detection scene, and carrying out a poisoning attack detection process on the target dependence based on the attack detection rule to generate a poisoning attack detection result corresponding to the target dependence.
In order to solve the above technical problems, an embodiment of the present application further provides a computer readable storage medium, which adopts the following technical schemes:
judging whether a dependency update request corresponding to target software triggered by a user is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
if the dependency update request is received, acquiring the dependency information from the dependency update request;
based on the dependency information, performing dependency detection on the target software, and judging whether the target dependency belongs to a new software dependency;
If the new software dependence exists, acquiring the user information from the dependence updating request;
determining a detection scene corresponding to the target dependency based on the user information;
and acquiring an attack detection rule corresponding to the detection scene, and carrying out a poisoning attack detection process on the target dependence based on the attack detection rule to generate a poisoning attack detection result corresponding to the target dependence.
Compared with the prior art, the embodiment of the application has the following main beneficial effects:
In the embodiments of the application, after a user-triggered dependency update request corresponding to the target software is received, whether the target dependency is a new software dependency is intelligently judged from the dependency information carried in the request. If it is, the detection scene corresponding to the target dependency is determined from the user information carried in the request, and poisoning attack detection is then performed on the target dependency using the attack detection rule corresponding to that detection scene, generating a poisoning attack detection result for the target dependency. The application provides a detection approach that can effectively identify the risk of open source software supply chain poisoning attacks: by using attack detection rules it can discover and reduce that risk, improves the efficiency and accuracy of poisoning attack detection for the target dependency, and ensures the accuracy of the generated poisoning attack detection result.
Drawings
In order to more clearly illustrate the solution of the present application, a brief description will be given below of the drawings required for the description of the embodiments of the present application, it being apparent that the drawings in the following description are some embodiments of the present application, and that other drawings may be obtained from these drawings without the exercise of inventive effort for a person of ordinary skill in the art.
FIG. 1 is an exemplary system architecture diagram in which the present application may be applied;
FIG. 2 is a flow chart of one embodiment of an attack detection method according to the present application;
FIG. 3 is a schematic diagram of an embodiment of an attack detection device according to the present application;
FIG. 4 is a schematic structural diagram of one embodiment of a computer device in accordance with the present application.
Detailed Description
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs; the terminology used in the description of the applications herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application; the terms "comprising" and "having" and any variations thereof in the description of the application and the claims and the description of the drawings above are intended to cover a non-exclusive inclusion. The terms first, second and the like in the description and in the claims or in the above-described figures, are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
In order to make the person skilled in the art better understand the solution of the present application, the technical solution of the embodiment of the present application will be clearly and completely described below with reference to the accompanying drawings.
As shown in fig. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is used as a medium to provide communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 via the network 104 using the terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications, such as a web browser application, a shopping class application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc., may be installed on the terminal devices 101, 102, 103.
The terminal devices 101, 102, 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablet computers, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers and desktop computers.
The server 105 may be a server providing various services, such as a background server providing support for pages displayed on the terminal devices 101, 102, 103.
It should be noted that, the attack detection method provided by the embodiment of the present application is generally executed by a server/terminal device, and accordingly, the attack detection device is generally disposed in the server/terminal device.
The embodiments of the application can acquire and process the related data based on artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technique and application system that uses a digital computer, or a machine controlled by a digital computer, to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include technologies such as sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. The artificial intelligence software technology mainly comprises a computer vision technology, a robot technology, a biological recognition technology, a voice processing technology, a natural language processing technology, machine learning/deep learning and other directions.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
With continued reference to FIG. 2, a flow chart of one embodiment of an attack detection method according to the present application is shown. The order of the steps in the flowchart may be changed and some steps may be omitted according to various needs. The attack detection method provided by the embodiment of the application can be applied to any scene needing to carry out attack detection of a software supply chain, and can be applied to products of the scenes, for example, the attack detection of the software supply chain in a digital security scene in the field of finance and technology. The attack detection method comprises the following steps:
Step S201, judging whether a user-triggered dependency update request corresponding to target software is received.
In this embodiment, the electronic device on which the attack detection method runs (for example, the server/terminal device shown in FIG. 1) may acquire the dependency update request through a wired or wireless connection. The wireless connection may include, but is not limited to, 3G/4G/5G, WiFi, Bluetooth, WiMAX, Zigbee, UWB (ultra wideband) and other wireless connections now known or developed in the future. The method may specifically be executed by a dependency management tool. The dependency management tool can be applied in various business systems, such as insurance systems, banking systems, transaction systems and order systems. The dependency update request carries the user information of the user and the dependency information of the target dependency. The user information may include the user's name or user number. The dependency information may include a dependency name. The target dependency is the dependency required to update the target software. When the user actively triggers the dependency update process, the detection process for the target dependency is triggered.
Step S202, if the dependency update request is received, acquiring the dependency information from the dependency update request.
In this embodiment, the information analysis may be performed on the dependency update request to extract the required dependency information from the dependency update request.
Step S203, performing dependency detection on the target software based on the dependency information, and judging whether the target dependency belongs to a new software dependency.
In this embodiment, the specified dependency information of all software dependencies included in the target software is acquired, and it is judged whether the specified dependency information contains the dependency information. If it does, the target dependency is judged not to be a new software dependency; if it does not, the target dependency is judged to be a new software dependency. If the target dependency is not a new software dependency, it is an existing dependency of the target software, and the standard dependency analysis flow applies. Specifically, it is judged whether an update record corresponding to the target dependency exists on the network. If no record exists, the target dependency does not need to be updated, so the conditions for an attack are not met and the poisoning attack detection flow stops. If a record exists, that is, the target dependency needs a dependency update, the non-subjective poisoning detection system and the subjective poisoning logic detection system are triggered at the same time to complete poisoning attack detection for the target dependency. The non-subjective poisoning detection system corresponds to the first attack detection rule, and the subjective poisoning logic detection system corresponds to the second attack detection rule.
Step S204, if the new software dependence is included, the user information is acquired from the dependence updating request.
In this embodiment, the information analysis may be performed on the dependent update request to extract the required user information from the dependent update request.
Step S205, determining a detection scenario corresponding to the target dependency based on the user information.
In this embodiment, the detection scenario includes an active maintenance scenario or an inactive maintenance scenario. The user information can be used to query a preset project-side information base and judge whether the user information exists in it. If the user information exists in the project-side information base, the user is a relevant user of the project side, that is, a maintainer, and the detection scenario corresponding to the target dependency is judged to be the active maintenance scenario. If the user information does not exist in the project-side information base, the user is not a relevant user of the project side, that is, a non-maintainer, and the detection scenario corresponding to the target dependency is judged to be the non-active maintenance scenario.
Step S206, obtaining an attack detection rule corresponding to the detection scene, and carrying out a poisoning attack detection process on the target dependence based on the attack detection rule to generate a poisoning attack detection result corresponding to the target dependence.
In this embodiment, the attack detection rule includes a first attack detection rule corresponding to the inactive maintenance scenario or a second attack detection rule corresponding to the active maintenance scenario. The foregoing obtains an attack detection rule corresponding to the detection scenario, performs a poisoning attack detection process on the target dependency based on the attack detection rule, and generates a specific implementation process of a poisoning attack detection result corresponding to the target dependency. The attack detection method provided by this embodiment is a general flow design and is not limited to front-end dependency management with npm; clients such as Gradle for Android and CocoaPods for iOS, and back-end Java projects using Maven and the like, can also use it for optimization.
First, it is judged whether a user-triggered dependency update request corresponding to the target software is received; if the request is received, the dependency information is acquired from it. Dependency detection is then performed on the target software based on the dependency information to judge whether the target dependency is a new software dependency; if it is, the user information is acquired from the request. The detection scene corresponding to the target dependency is then determined from the user information. Finally, the attack detection rule corresponding to the detection scene is acquired, and poisoning attack detection is performed on the target dependency based on that rule, generating a poisoning attack detection result for the target dependency. In other words, after a user-triggered dependency update request corresponding to the target software is received, the method intelligently judges from the dependency information carried in the request whether the target dependency is a new software dependency; if it is, the detection scene is determined from the user information carried in the request, and poisoning attack detection is performed on the target dependency using the attack detection rule corresponding to that scene.
The application provides a detection approach that can effectively identify the risk of open source software supply chain poisoning attacks: by using attack detection rules it can discover and reduce that risk, improves the efficiency and accuracy of poisoning attack detection for the target dependency, and ensures the accuracy of the generated poisoning attack detection result.
In some optional implementations, the detection scenario includes an active maintenance scenario or an inactive maintenance scenario; step S206 includes the steps of:
If the detection scenario is the non-active maintenance scenario, acquiring a first attack detection rule corresponding to the non-active maintenance scenario.
In this embodiment, the non-active maintenance scenario refers to a scenario of exploitation by a party other than the maintainer, that is, the user is not a maintainer. The attack detection rules may also be referred to as an attack detection architecture. The specific detection points of this architecture are designed mainly around existing attacks; as technology develops and new poisoning attack methods appear, more features and detection logic can be added, giving the user more information for judging whether a poisoning has occurred.
Acquiring the submission flow data of the target software.
In this embodiment, the submission flow data may include the first user information of the creating user corresponding to the target dependency, the second user information of the submitting user corresponding to the target dependency, and similar data. The user information may include nicknames, email addresses, and the like. The open source project corresponding to the target dependency can be located through the version control system Git and the corresponding mainstream open source platform GitHub, and the submission flow data of that open source project can be extracted.
Performing poisoning attack analysis on the submission flow data based on the first attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the specific implementation process of performing poisoning attack analysis on the submission flow data based on the first attack detection rule to generate the poisoning attack detection result corresponding to the target dependency is described in further detail in the following specific embodiments and is not elaborated here.
After the detection scenario is detected to be the non-active maintenance scenario, the first attack detection rule corresponding to the non-active maintenance scenario is obtained; the submission flow data of the target software is then acquired; and poisoning attack analysis is performed on the submission flow data based on the first attack detection rule to generate the poisoning attack detection result corresponding to the target dependency. In this application, once the detection scenario is detected to be the non-active maintenance scenario, the submission flow data of the target software is intelligently acquired and then analyzed with the first attack detection rule matched to the non-active maintenance scenario. Using the first attack detection rule effectively improves the processing efficiency and processing accuracy of poisoning attack detection for the target dependency and ensures the accuracy of the generated poisoning attack detection result.
In some optional implementations of this embodiment, performing poisoning attack analysis on the submission flow data based on the first attack detection rule and generating the poisoning attack detection result corresponding to the target dependency includes the following steps:
Acquiring first user information of the creating user corresponding to the target dependency from the submission flow data.
In this embodiment, the first user information may refer to information such as the nickname and email address of the creating user.
Acquiring second user information of the submitting user corresponding to the target dependency from the submission flow data.
In this embodiment, the submitting user may refer to the user who, by statistical count, has submitted the most data related to the target dependency. The second user information may refer to information such as the nickname and email address of the submitting user.
Acquiring preset submission judging logic.
In this embodiment, the submission judging logic is processing logic that makes a comprehensive judgment as to whether the maintainer of the target dependency has changed, based on the first user information of the creating user of the target dependency and the second user information of the submitting user.
Analyzing the first user information and the second user information based on the submission judging logic, and performing poisoning attack analysis on the target dependency based on the obtained analysis result to generate a poisoning attack detection result corresponding to the target dependency.
In this embodiment, analyzing the first user information and the second user information based on the submission judging logic may specifically consist of detecting whether the maintainer of the target dependency is consistent with the information of the creating user and the submitting user of the target dependency in the last several version updates. If so, a poisoning attack detection result indicating that the target dependency has a poisoning attack risk may be generated; if not, a poisoning attack detection result indicating that the target dependency has no poisoning attack risk may be generated.
The first user information of the creating user corresponding to the target dependency is obtained from the submission flow data; the second user information of the submitting user corresponding to the target dependency is then obtained from the submission flow data; the preset submission judging logic is acquired; and the first user information and the second user information are analyzed based on the submission judging logic, with poisoning attack analysis performed on the target dependency based on the obtained analysis result to generate the poisoning attack detection result corresponding to the target dependency. In this application, once the detection scenario is detected to be the non-active maintenance scenario, the submission flow data of the target software is intelligently obtained, and the first attack detection rule matched to the non-active maintenance scenario is used to perform poisoning attack analysis on the first user information of the creating user and the second user information of the submitting user corresponding to the target dependency in that data. Using the first attack detection rule effectively improves the processing efficiency and processing accuracy of poisoning attack detection for the target dependency and ensures the accuracy of the generated poisoning attack detection result.
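The identity comparison behind the submission judging logic, as an added example that is not code from the patent. The record layout, the `last_versions` window, taking the oldest commit's author as the creating user, and all sample identities are assumptions constructed for illustration; the function reports only whether the identities are consistent, and the verdict is derived from that result as the embodiment describes.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    nickname: str
    mailbox: str

    def key(self):
        # Compare case-insensitively and ignore surrounding whitespace.
        return (self.nickname.strip().lower(), self.mailbox.strip().lower())


@dataclass(frozen=True)
class Commit:
    version: str       # release the commit shipped in
    order: int         # position in history, 0 = oldest
    author: Identity


def creating_user(commits):
    """First user information (assumption: author of the oldest commit)."""
    if not commits:
        raise ValueError("submission flow data is empty")
    return min(commits, key=lambda c: c.order).author


def submitting_user(commits, last_versions):
    """Second user information: author with the most commits in the
    last `last_versions` releases."""
    versions = []
    for c in sorted(commits, key=lambda c: c.order):
        if c.version not in versions:
            versions.append(c.version)
    recent = set(versions[-last_versions:])
    counts = Counter(c.author.key() for c in commits if c.version in recent)
    top_key, _ = counts.most_common(1)[0]
    return next(c.author for c in commits if c.author.key() == top_key)


def analyze_identities(maintainer, commits, last_versions=2):
    """Compare the maintainer with the creating and submitting users."""
    creator = creating_user(commits)
    submitter = submitting_user(commits, last_versions)
    return {
        "creating_user": creator,
        "submitting_user": submitter,
        "maintainer_matches_creator": maintainer.key() == creator.key(),
        "maintainer_matches_submitter": maintainer.key() == submitter.key(),
        "consistent": maintainer.key() == creator.key() == submitter.key(),
    }


# Constructed sample data: not taken from any real project.
ALICE = Identity("alice", "alice@example.org")
BOB = Identity("bob-dev", "bob@example.net")
COMMITS = [
    Commit("1.0.0", 0, ALICE), Commit("1.0.0", 1, ALICE),
    Commit("1.0.1", 2, ALICE),
    Commit("1.1.0", 3, BOB), Commit("1.1.0", 4, BOB),
    Commit("1.1.1", 5, BOB), Commit("1.1.1", 6, ALICE),
]

if __name__ == "__main__":
    for window in (2, 4):
        print(window, analyze_identities(ALICE, COMMITS, last_versions=window))
```

The result depends on how many version updates count as "the last several": with a window of 2 the submitting user is `bob-dev`, with a window of 4 it is `alice`.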
In some optional implementations, the detection scenario includes an active maintenance scenario or an inactive maintenance scenario; step S206 includes the steps of:
If the processing scenario is the active maintenance scenario, acquiring a second attack detection rule corresponding to the active maintenance scenario.
In this embodiment, the active maintenance scenario refers to a scenario of active behavior by the project party, that is, the user is a member of the project party.
Acquiring the submission frequency data corresponding to the target dependency.
In this embodiment, the submission frequency data may refer to the frequency at which code is submitted to the project matching the target dependency; for example, the submission frequency may be once a week, once a month, and so on.
Acquiring the user number data of the target software.
In this embodiment, the usage personnel data may refer to the number of people using the target software.
Performing poisoning attack analysis on the usage frequency data and the usage personnel data based on the second attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the specific implementation process of performing poisoning attack analysis on the usage frequency data and the usage personnel data based on the second attack detection rule to generate the poisoning attack detection result corresponding to the target dependency is described in further detail in the following specific embodiments and is not elaborated here.
When the processing scenario is detected to be the active maintenance scenario, the second attack detection rule corresponding to the active maintenance scenario is acquired; the submission frequency data corresponding to the target dependency is then acquired; the user number data of the target software is acquired; and poisoning attack analysis is performed on the usage frequency data and the usage personnel data based on the second attack detection rule to generate the poisoning attack detection result corresponding to the target dependency. When the detection scenario is detected to be the active maintenance scenario, the application intelligently acquires the submission frequency data corresponding to the target dependency and the user number data of the target software, and then uses the second attack detection rule matched to the active maintenance scenario to perform poisoning attack analysis on the usage frequency data and the user number data, generating the poisoning attack detection result corresponding to the target dependency. Using the second attack detection rule effectively improves the processing efficiency and processing accuracy of poisoning attack detection for the target dependency and ensures the accuracy of the generated poisoning attack detection result.
In some optional implementations, performing poisoning attack analysis on the usage frequency data and the usage personnel data based on the second attack detection rule and generating the poisoning attack detection result corresponding to the target dependency includes the following steps:
Acquiring specified submission frequency data within a preset time period from the usage frequency data.
In this embodiment, the value of the preset time period is not specifically limited and may be set according to actual use requirements; for example, it may be set to within a week or within a month.
Acquiring average submission frequency data of the specified item corresponding to the target dependency.
In this embodiment, the average submission frequency data may refer to the average of the sum of all submission frequency data of the specified item within the preset time period.
Judging whether the difference between the specified submission frequency data and the average submission frequency data accords with a preset numerical fluctuation interval.
In this embodiment, the value of the numerical fluctuation interval is not particularly limited and may be set according to actual use requirements; for example, it may be set to -1 to 1. If the difference between the specified submission frequency data and the average submission frequency data does not accord with the preset numerical fluctuation interval, a poisoning attack detection result indicating that the target dependency has no poisoning attack risk is generated directly.
If it accords with the numerical fluctuation interval, judging whether the user number data is greater than a preset numerical threshold.
In this embodiment, the value of the numerical threshold is not specifically limited and may be set according to actual use requirements.
If it is greater than the numerical threshold, generating a poisoning attack detection result indicating that the target dependency has a poisoning attack risk; otherwise, generating a poisoning attack detection result indicating that the target dependency has no poisoning attack risk.
In this embodiment, whether the target dependency has a poisoning attack risk may also be detected in other ways, such as detecting whether the target dependency has recently had a major version update. If it has, it can be preliminarily judged that the target dependency has a poisoning attack risk.
The specified submission frequency data within the preset time period is obtained from the usage frequency data; the average submission frequency data of the specified item corresponding to the target dependency is then obtained; it is judged whether the difference between the specified submission frequency data and the average submission frequency data accords with the preset numerical fluctuation interval; if it does, it is judged whether the user number data is greater than the preset numerical threshold; if it is greater than the numerical threshold, a poisoning attack detection result indicating that the target dependency has a poisoning attack risk is generated, and otherwise a poisoning attack detection result indicating that the target dependency has no poisoning attack risk is generated. When the detection scenario is detected to be the active maintenance scenario, the method intelligently acquires, from the usage frequency data, the specified submission frequency data within the preset time period and the average submission frequency data of the specified item corresponding to the target dependency, and then uses the second attack detection rule matched to the active maintenance scenario to perform poisoning attack analysis on the specified submission frequency data, the average submission frequency data and the user number data of the target software, generating the poisoning attack detection result corresponding to the target dependency. Using the second attack detection rule effectively improves the processing efficiency and processing accuracy of poisoning attack detection for the target dependency and ensures the accuracy of the generated poisoning attack detection result.
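The second attack detection rule's decision procedure, written out as an added example (not code from the patent). Bucketing commit timestamps into equal windows, averaging across `periods` windows, and every threshold and sample value are assumptions; the branch order follows the steps above, with the interval set to the -1 to 1 example the text gives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class RuleConfig:
    period: timedelta      # preset time period
    interval: tuple        # preset numerical fluctuation interval (low, high)
    user_threshold: int    # preset numerical threshold for the user number data


def bucket_counts(commit_times, now, period, periods):
    """Commits per window for the last `periods` windows, oldest window first."""
    counts = [0] * periods
    for t in commit_times:
        age = now - t
        if timedelta(0) <= age < period * periods:
            counts[periods - 1 - int(age / period)] += 1
    return counts


def second_rule(commit_times, user_count, now, cfg, periods=4):
    """Apply the frequency check first, then the user-count check."""
    counts = bucket_counts(commit_times, now, cfg.period, periods)
    specified = counts[-1]     # specified submission frequency: latest window
    average = mean(counts)     # assumption: average taken across the windows
    difference = specified - average
    low, high = cfg.interval
    trace = {"specified": specified, "average": average,
             "difference": difference}
    if not low <= difference <= high:
        # Stated in the embodiment: outside the interval yields "no risk".
        return dict(trace, risk=False,
                    reason="difference outside fluctuation interval")
    if user_count > cfg.user_threshold:
        return dict(trace, risk=True,
                    reason="within interval, user count above threshold")
    return dict(trace, risk=False,
                reason="within interval, user count at or below threshold")


# Constructed sample data: timestamps and counts are illustrative only.
NOW = datetime(2023, 6, 30, 12, 0)
CFG = RuleConfig(period=timedelta(days=7), interval=(-1, 1),
                 user_threshold=10_000)
STEADY = [NOW - timedelta(days=d) for d in (1, 3, 10, 17, 24)]
BURST = STEADY + [NOW - timedelta(days=2, hours=h) for h in range(7)]

if __name__ == "__main__":
    cases = (("steady, many users", STEADY, 50_000),
             ("steady, few users", STEADY, 500),
             ("burst, many users", BURST, 50_000))
    for label, commits, users in cases:
        print(label, second_rule(commits, users, NOW, CFG))
```

As the rule is stated, a difference outside the fluctuation interval returns a no-risk result, so the burst case is not flagged here; the major-version check mentioned in the same passage is a separate signal.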
In some optional implementations of this embodiment, after step S206, the electronic device may further perform the following steps:
Judging whether the poisoning attack detection result is that the target dependency has no poisoning attack risk.
In this embodiment, the poisoning attack detection result may be either that the target dependency has no poisoning attack risk or that the target dependency has a poisoning attack risk.
If yes, acquiring preset dependency update flow information.
In this embodiment, the dependency update flow information is flow information constructed in advance according to the actual dependency update processing flow.
Updating the target software based on the dependency update flow information and the target dependency.
In this embodiment, the target dependency may be used to perform dependency update processing on the target software according to the update steps in the dependency update flow information.
The application judges whether the poisoning attack detection result is that the target dependency has no poisoning attack risk; if yes, the preset dependency update flow information is acquired, and the target software is then updated based on the dependency update flow information and the target dependency. The application updates the target software based on the dependency update flow information and the target dependency only when it detects that the target dependency has no poisoning attack risk, which effectively reduces the risk of a supply chain poisoning attack on the target software and helps provide a safe and reliable open source software supply chain for the user group.
In some optional implementations of this embodiment, after step S206, the electronic device may further perform the following steps:
Judging, according to the poisoning attack detection result, whether the target dependency has a poisoning attack risk.
In this embodiment, the poisoning attack detection result may be either that the target dependency has no poisoning attack risk or that the target dependency has a poisoning attack risk.
If yes, obtaining the abnormal information corresponding to the target dependency.
In this embodiment, when it is detected that the target dependency has a poisoning attack risk, the anomalies present in the target dependency are captured automatically to generate the corresponding abnormal information.
Generating corresponding early warning information based on the abnormal information and the dependency information.
In this embodiment, a preset information template may be acquired and the abnormal information and the dependency information filled into it to generate the corresponding early warning information. The information template may be a template file generated according to actual anomaly display requirements. Where a risk exists, the source code is analyzed to locate the part that carries the poisoning risk; based on this information the user can analyze it and alert the community, exposing the related risk in time, so that not only this user but also the other users of the project can avoid similar attacks.
Acquiring communication information of the management user.
In this embodiment, the management user may be the operation and maintenance personnel of the target software. The communication information may include an email address, a mobile phone number, and the like.
Pushing the early warning information to the management user based on the communication information.
In this embodiment, in the subjective poisoning detection system, the user may further choose whether to perform a manual audit of the update differences for further confirmation. The manual audit extracts the difference information between the new version and the old version and displays it, so that the user can review and judge the updated code. The update is completed after the user has confirmed the potential poisoning risk.
It is judged, according to the poisoning attack detection result, whether the target dependency has a poisoning attack risk; if yes, the abnormal information corresponding to the target dependency is obtained; corresponding early warning information is then generated based on the abnormal information and the dependency information; the communication information of the management user is obtained; and the early warning information is pushed to the management user based on the communication information. When a poisoning attack risk is detected for the target dependency, the method intelligently acquires the abnormal information of the target dependency, constructs the early warning information corresponding to the target dependency from it, and pushes that information to the corresponding management user. The management user can then review the early warning information in time and carry out the subsequent dependency update processing on the target software accordingly, which helps improve the management user's work experience and the processing efficiency of dependency updates for the target software.
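One way to assemble the early warning information and the old/new version difference for manual audit, as an added example that is not part of the patent. The template fields, the in-memory file maps, the anomaly text and the contact address are constructed; delivery to the management user is left to the caller.

```python
import difflib
from string import Template

# Assumed information template; the patent does not specify its fields.
WARNING_TEMPLATE = Template(
    "Dependency poisoning warning\n"
    "dependency: $name ($old_version -> $new_version)\n"
    "abnormal information: $anomaly\n"
    "changed files: $changed\n"
)


def changed_paths(old_files, new_files):
    """Paths that were added, removed or modified between the two versions."""
    return sorted(p for p in set(old_files) | set(new_files)
                  if old_files.get(p) != new_files.get(p))


def version_diff(old_files, new_files):
    """Unified diff over every changed file, for display during manual audit."""
    chunks = []
    for path in changed_paths(old_files, new_files):
        old = old_files.get(path, "").splitlines(keepends=True)
        new = new_files.get(path, "").splitlines(keepends=True)
        chunks.extend(difflib.unified_diff(old, new, f"a/{path}", f"b/{path}"))
    return "".join(chunks)


def handle_result(result, dependency, anomaly, old_files, new_files, contact):
    """Update when no risk was found; otherwise build the warning to push."""
    if not result["risk"]:
        return {"action": "update", "dependency": dependency}
    message = WARNING_TEMPLATE.substitute(
        name=dependency["name"],
        old_version=dependency["old_version"],
        new_version=dependency["new_version"],
        anomaly=anomaly,
        changed=", ".join(changed_paths(old_files, new_files)) or "none",
    )
    return {"action": "alert", "to": contact, "message": message,
            "audit_diff": version_diff(old_files, new_files)}


# Constructed sample data: package name, versions and file contents are made up.
DEP = {"name": "example-lib", "old_version": "1.4.2", "new_version": "2.0.0"}
OLD = {"index.js": "module.exports = (x) => x + 1;\n"}
NEW = {
    "index.js": "const util = require('./lib/util');\n"
                "module.exports = (x) => util.inc(x);\n",
    "lib/util.js": "exports.inc = (x) => x + 1;\n",
}

if __name__ == "__main__":
    out = handle_result({"risk": True}, DEP, "maintainer identity changed",
                        OLD, NEW, "ops@example.org")
    print(out["message"])
    print(out["audit_diff"])
```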
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the execution order of each process should be determined by its function and internal logic, and should not limit the implementation process of the embodiments of the present application.
It is emphasized that to further guarantee the privacy and security of the dependency information, the dependency information may also be stored in a blockchain node.
The blockchain is a novel application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms. A blockchain is essentially a decentralized database: a chain of data blocks generated in association with one another by cryptographic methods, each data block containing information on a batch of network transactions, used to verify the validity of that information (anti-counterfeiting) and to generate the next block. The blockchain may include a blockchain underlying platform, a platform product services layer, an application services layer, and the like.
The embodiment of the application can acquire and process the related data based on artificial intelligence technology. Artificial intelligence (AI) is the theory, method, technology and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human intelligence, sense the environment, acquire knowledge and use knowledge to obtain optimal results.
Artificial intelligence infrastructure technologies generally include sensors, dedicated artificial intelligence chips, cloud computing, distributed storage, big data processing technologies, operation/interaction systems, mechatronics, and the like. Artificial intelligence software technology mainly covers computer vision, robotics, biometric recognition, speech processing, natural language processing, and machine learning/deep learning.
Those skilled in the art will appreciate that all or part of the above described methods may be implemented by computer readable instructions stored in a computer readable storage medium which, when executed, may comprise the steps of the embodiments of the methods described above. The storage medium may be a nonvolatile storage medium such as a magnetic disk, an optical disk or a Read-Only Memory (ROM), or a Random Access Memory (RAM).
It should be understood that, although the steps in the flowcharts of the figures are shown in order as indicated by the arrows, these steps are not necessarily performed in order as indicated by the arrows. The steps are not strictly limited in order and may be performed in other orders, unless explicitly stated herein. Moreover, at least some of the steps in the flowcharts of the figures may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order of their execution not necessarily being sequential, but may be performed in turn or alternately with other steps or at least a portion of the other steps or stages.
With further reference to fig. 3, as an implementation of the method shown in fig. 2, the present application provides an embodiment of an attack detection device, where the embodiment of the device corresponds to the embodiment of the method shown in fig. 2, and the device is particularly applicable to various electronic devices.
As shown in fig. 3, the attack detection apparatus 300 according to the present embodiment includes: a first judging module 301, a first acquiring module 302, a second judging module 303, a second acquiring module 304, a determining module 305 and a detection module 306. Wherein:
a first judging module 301, configured to judge whether a user-triggered dependency update request corresponding to the target software is received, wherein the dependency update request carries the user information of the user and the dependency information of the target dependency;
a first acquiring module 302, configured to acquire the dependency information from the dependency update request if the dependency update request is received;
a second judging module 303, configured to perform dependency detection on the target software based on the dependency information and judge whether the target dependency is a new software dependency;
a second acquiring module 304, configured to acquire the user information from the dependency update request if the target dependency is a new software dependency;
a determining module 305, configured to determine a detection scenario corresponding to the target dependency based on the user information;
a detection module 306, configured to obtain an attack detection rule corresponding to the detection scenario and perform poisoning attack detection processing on the target dependency based on the attack detection rule, so as to generate a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In some optional implementations of the present embodiment, the detection scenario includes an active maintenance scenario or an inactive maintenance scenario; the detection module 306 includes:
a first acquisition sub-module, configured to acquire a first attack detection rule corresponding to the non-active maintenance scenario if the detection scenario is the non-active maintenance scenario;
a second acquisition sub-module, configured to acquire the submission flow data of the target software;
a first generation sub-module, configured to perform poisoning attack analysis on the submission flow data based on the first attack detection rule and generate a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In some optional implementations of this embodiment, the first generation sub-module includes:
a first acquisition unit, configured to acquire first user information of the creating user corresponding to the target dependency from the submission flow data;
a second acquisition unit, configured to acquire second user information of the submitting user corresponding to the target dependency from the submission flow data;
a third acquisition unit, configured to acquire preset submission judging logic;
a first generation unit, configured to analyze the first user information and the second user information based on the submission judging logic, and perform poisoning attack analysis on the target dependency based on the obtained analysis result to generate a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the operations performed by the modules or units respectively correspond to the steps of the attack detection method in the foregoing embodiment one by one, and are not described herein again.
In some optional implementations of the present embodiment, the detection scenario includes an active maintenance scenario or an inactive maintenance scenario; the detection module 306 includes:
a third acquisition sub-module, configured to acquire a second attack detection rule corresponding to the active maintenance scenario if the processing scenario is the active maintenance scenario;
a fourth acquisition sub-module, configured to acquire the submission frequency data corresponding to the target dependency;
a fifth acquisition sub-module, configured to acquire the user number data of the target software;
a second generation sub-module, configured to perform poisoning attack analysis on the usage frequency data and the usage personnel data based on the second attack detection rule and generate a poisoning attack detection result corresponding to the target dependency.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In some optional implementations of this embodiment, the second generation sub-module includes:
a fourth acquisition unit, configured to acquire specified submission frequency data within a preset time period from the usage frequency data;
a fifth acquisition unit, configured to acquire average submission frequency data of the specified item corresponding to the target dependency;
a first judging unit, configured to judge whether the difference between the specified submission frequency data and the average submission frequency data accords with a preset numerical fluctuation interval;
a second judging unit, configured to judge whether the user number data is greater than a preset numerical threshold if the difference accords with the numerical fluctuation interval;
a second generation unit, configured to generate a poisoning attack detection result indicating that the target dependency has a poisoning attack risk if the user number data is greater than the numerical threshold, and otherwise to generate a poisoning attack detection result indicating that the target dependency has no poisoning attack risk.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In some optional implementations of this embodiment, the attack detection device further includes:
a third judging module, configured to judge whether the poisoning attack detection result is that the target dependency has no poisoning attack risk;
a third acquiring module, configured to acquire preset dependency update flow information if yes;
an updating module, configured to update the target software based on the dependency update flow information and the target dependency.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In some optional implementations of this embodiment, the attack detection device further includes:
a fourth judging module, configured to judge, according to the poisoning attack detection result, whether the target dependency has a poisoning attack risk;
a fourth acquiring module, configured to acquire abnormal information corresponding to the target dependency if yes;
a generation module, configured to generate corresponding early warning information based on the abnormal information and the dependency information;
a fifth acquiring module, configured to acquire communication information of the management user;
a pushing module, configured to push the early warning information to the management user based on the communication information.
In this embodiment, the operations performed by the modules or units correspond one to one to the steps of the attack detection method in the foregoing embodiment, and are not described herein again.
In order to solve the technical problems, the embodiment of the application also provides computer equipment. Referring specifically to fig. 4, fig. 4 is a basic structural block diagram of a computer device according to the present embodiment.
The computer device 4 comprises a memory 41, a processor 42, a network interface 43 communicatively connected to each other via a system bus. It should be noted that only computer device 4 having components 41-43 is shown in the figures, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may be implemented instead. It will be appreciated by those skilled in the art that the computer device herein is a device capable of automatically performing numerical calculations and/or information processing in accordance with predetermined or stored instructions, the hardware of which includes, but is not limited to, microprocessors, application specific integrated circuits (Application Specific Integrated Circuit, ASICs), programmable gate arrays (fields-Programmable Gate Array, FPGAs), digital processors (Digital Signal Processor, DSPs), embedded devices, etc.
The computer equipment can be a desktop computer, a notebook computer, a palm computer, a cloud server and other computing equipment. The computer equipment can perform man-machine interaction with a user through a keyboard, a mouse, a remote controller, a touch pad or voice control equipment and the like.
The memory 41 includes at least one type of readable storage medium, including flash memory, hard disk, multimedia card, card memory (e.g., SD or DX memory, etc.), Random Access Memory (RAM), Static Random Access Memory (SRAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Programmable Read Only Memory (PROM), magnetic memory, magnetic disk, optical disk, etc. In some embodiments, the memory 41 may be an internal storage unit of the computer device 4, such as a hard disk or a memory of the computer device 4. In other embodiments, the memory 41 may also be an external storage device of the computer device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card or the like provided on the computer device 4. Of course, the memory 41 may also comprise both an internal storage unit of the computer device 4 and an external storage device. In this embodiment, the memory 41 is typically used to store an operating system and various application software installed on the computer device 4, such as computer readable instructions of an attack detection method. Further, the memory 41 may be used to temporarily store various types of data that have been output or are to be output.
The processor 42 may be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor, or other data processing chip in some embodiments. The processor 42 is typically used to control the overall operation of the computer device 4. In this embodiment, the processor 42 is configured to execute computer readable instructions stored in the memory 41 or process data, such as computer readable instructions for executing the attack detection method.
The network interface 43 may comprise a wireless network interface or a wired network interface, which network interface 43 is typically used for establishing a communication connection between the computer device 4 and other electronic devices.
Compared with the prior art, the embodiment of the application has the following main beneficial effects:
In the embodiment of the application, after a user-triggered dependency update request corresponding to target software is received, whether the target dependency is a new software dependency is intelligently judged from the dependency information carried in the dependency update request. If the target dependency is detected to be a new software dependency, a detection scene corresponding to the target dependency is determined based on the user information carried in the dependency update request, and poisoning attack detection is then performed on the target dependency based on the attack detection rule corresponding to that detection scene, generating a poisoning attack detection result corresponding to the target dependency. The application thus provides a detection mode capable of effectively identifying the risk of open source software supply chain poisoning attacks: based on the use of attack detection rules, it can effectively discover and reduce that risk, improves the processing efficiency and processing accuracy of poisoning attack detection for the target dependency, and ensures the accuracy of the generated poisoning attack detection result.
The present application also provides another embodiment, namely, a computer-readable storage medium storing computer-readable instructions executable by at least one processor to cause the at least one processor to perform the steps of an attack detection method as described above.
From the above description of the embodiments, it will be clear to those skilled in the art that the methods of the above embodiments may be implemented by means of software plus a necessary general hardware platform, or by means of hardware, although in many cases the former is the preferred implementation. Based on this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) and comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to perform the method according to the embodiments of the present application.
It is apparent that the above-described embodiments are only some, not all, embodiments of the present application. The drawings show preferred embodiments of the application and do not limit the scope of the patent claims. The application may be embodied in many different forms; these embodiments are provided so that the disclosure will be understood thoroughly and completely. Although the application has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the technical solutions described in the foregoing embodiments, or equivalents may be substituted for some of their elements. All equivalent structures made using the content of the specification and the drawings of the application, applied directly or indirectly in other related technical fields, are likewise within the scope of the application.

Claims (10)

1. An attack detection method, comprising the steps of:
judging whether a dependency update request corresponding to target software triggered by a user is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
if the dependency update request is received, acquiring the dependency information from the dependency update request;
based on the dependency information, performing dependency detection on the target software, and judging whether the target dependency belongs to a new software dependency;
if the target dependency belongs to a new software dependency, acquiring the user information from the dependency update request;
determining a detection scene corresponding to the target dependency based on the user information;
and acquiring an attack detection rule corresponding to the detection scene, and carrying out a poisoning attack detection process on the target dependence based on the attack detection rule to generate a poisoning attack detection result corresponding to the target dependence.
2. The attack detection method according to claim 1, wherein the detection scenario comprises an active maintenance scenario or an inactive maintenance scenario; the step of obtaining an attack detection rule corresponding to the detection scene, performing a poisoning attack detection process on the target dependency based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency specifically includes:
if the detection scene is the non-active maintenance scene, acquiring a first attack detection rule corresponding to the non-active maintenance scene;
acquiring submitting flow data of the target software;
and carrying out poisoning attack analysis on the submitted flow data based on the first attack detection rule, and generating a poisoning attack detection result corresponding to the target dependence.
3. The attack detection method according to claim 2, wherein the step of performing a poisoning attack analysis on the submission flow data based on the first attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency, specifically includes:
acquiring first user information of a creating user corresponding to the target dependency from the submitting flow data;
acquiring second user information of a submitting user corresponding to the target dependency from the submitting flow data;
acquiring preset submitting judgment logic;
analyzing the first user information and the second user information based on the submission judging logic, and performing poisoning attack analysis on the target dependence based on the obtained analysis result to generate a poisoning attack detection result corresponding to the target dependence.
4. The attack detection method according to claim 1, wherein the detection scenario comprises an active maintenance scenario or an inactive maintenance scenario; the step of obtaining an attack detection rule corresponding to the detection scene, performing a poisoning attack detection process on the target dependency based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency specifically includes:
if the processing scene is the active maintenance scene, acquiring a second attack detection rule corresponding to the active maintenance scene;
acquiring submission frequency data corresponding to the target dependency;
acquiring user number data of the target software;
and carrying out poisoning attack analysis on the using frequency data and the using personnel data based on the second attack detection rule, and generating a poisoning attack detection result corresponding to the target dependence.
5. The attack detection method according to claim 4, wherein the step of performing a poisoning attack analysis on the usage frequency data and the usage number data based on the second attack detection rule, and generating a poisoning attack detection result corresponding to the target dependency, specifically includes:
acquiring specified submission frequency data within a preset time period from the using frequency data;
acquiring average submission frequency data of a specified item corresponding to the target dependency;
judging whether the difference between the specified submission frequency data and the average submission frequency data conforms to a preset numerical fluctuation interval;
if it conforms to the numerical fluctuation interval, judging whether the user number data is greater than a preset numerical threshold;
if it is greater than the numerical threshold, generating a poisoning attack detection result indicating that the target dependency is at risk of the poisoning attack; otherwise, generating a poisoning attack detection result indicating that the target dependency is not at risk of the poisoning attack.
6. The attack detection method according to claim 1, wherein after the step of acquiring an attack detection rule corresponding to the detection scenario and performing a poisoning attack detection process on the target dependency based on the attack detection rule, generating a poisoning attack detection result corresponding to the target dependency, further comprises:
judging whether the target dependence exists or not according to the detection result of the poisoning attack;
if yes, acquiring preset dependent updating flow information;
and updating the target software based on the dependency updating flow information and the target dependency.
7. The attack detection method according to claim 1, wherein after the step of acquiring an attack detection rule corresponding to the detection scenario and performing a poisoning attack detection process on the target dependency based on the attack detection rule, generating a poisoning attack detection result corresponding to the target dependency, further comprises:
judging, according to the poisoning attack detection result, whether the target dependency is at risk of the poisoning attack;
if yes, obtaining abnormal information corresponding to the target dependency;
generating corresponding early warning information based on the abnormal information and the dependency information;
acquiring communication information of a management user;
and pushing the early warning information to the management user based on the communication information.
8. An attack detection apparatus, comprising:
the first judging module is used for judging whether a user-triggered dependency update request corresponding to the target software is received or not; wherein, the dependency update request carries the user information of the user and the dependency information of the target dependency;
the first acquisition module is used for acquiring the dependency information from the dependency update request if the dependency update request is received;
the second judging module is used for carrying out dependency detection on the target software based on the dependency information and judging whether the target dependency belongs to new software dependency or not;
the second acquisition module is used for acquiring the user information from the dependency update request if the new software dependency exists;
a determining module, configured to determine a detection scenario corresponding to the target dependency based on the user information;
the detection module is used for acquiring an attack detection rule corresponding to the detection scene, carrying out poisoning attack detection processing on the target dependence based on the attack detection rule, and generating a poisoning attack detection result corresponding to the target dependence.
9. A computer device comprising a memory having stored therein computer readable instructions which when executed implement the steps of the attack detection method according to any of claims 1 to 7.
10. A computer readable storage medium having stored thereon computer readable instructions which when executed by a processor implement the steps of the attack detection method according to any of claims 1 to 7.
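An added sketch of the decision flow in claims 1 to 5, written for illustration and not code from the patent. The request fields, the `maintainer_active` flag used to pick the scene, the creator/submitter mismatch test, the preset values, and the no-risk result when the frequency difference falls outside the interval are all assumptions, because the claims leave them unspecified.

```python
from dataclasses import dataclass
from enum import Enum


class Scene(Enum):
    ACTIVE = "active maintenance"
    INACTIVE = "non-active maintenance"


@dataclass
class UpdateRequest:
    user_info: dict   # assumed shape: {"name": str, "maintainer_active": bool}
    dep_name: str     # dependency information of the target dependency
    dep_version: str


@dataclass
class Evidence:       # constructed inputs that the two rules consume
    creator: str = ""            # creating user, from submission flow data
    submitter: str = ""          # submitting user, from submission flow data
    recent_commits: float = 0.0  # submission frequency in the preset period
    avg_commits: float = 0.0     # average submission frequency of the project
    user_count: int = 0          # user number data


# Constructed presets; the claims only say these values are "preset".
FLUCTUATION_INTERVAL = (10.0, 1000.0)
USER_THRESHOLD = 1000


def is_new_dependency(req, current_deps):
    # Assumption: "new" means this name/version pair is not already pinned.
    return current_deps.get(req.dep_name) != req.dep_version


def detect_scene(user_info):
    # Assumption: the scene is read from a flag carried in the user information.
    return Scene.ACTIVE if user_info.get("maintainer_active") else Scene.INACTIVE


def rule_inactive(ev):
    # Claim 3 compares creating and submitting user; the judgment logic itself
    # is not given, so a mismatch is treated as risk here (assumption).
    return ev.submitter != ev.creator


def rule_active(ev):
    # Claim 5: frequency difference against the interval, then the user count.
    low, high = FLUCTUATION_INTERVAL
    diff = ev.recent_commits - ev.avg_commits
    if not (low <= diff <= high):
        return False  # branch not specified in the claim; assumed "no risk"
    return ev.user_count > USER_THRESHOLD


def detect(req, current_deps, ev):
    # Claim 1: only a new dependency goes through poisoning attack detection.
    if not is_new_dependency(req, current_deps):
        return {"checked": False, "scene": None, "risk": False}
    scene = detect_scene(req.user_info)
    risk = rule_active(ev) if scene is Scene.ACTIVE else rule_inactive(ev)
    return {"checked": True, "scene": scene, "risk": risk}
```
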
CN202310796510.3A 2023-06-30 2023-06-30 Attack detection method, attack detection device, computer equipment and storage medium Pending CN116663003A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310796510.3A CN116663003A (en) 2023-06-30 2023-06-30 Attack detection method, attack detection device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116663003A (en) 2023-08-29

Family

ID=87724193

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination