CN117118727A - Command injection attack detection method, device, computer equipment and storage medium - Google Patents

Info

Publication number
CN117118727A (application CN202311173798.5A)
Authority
CN
China
Prior art keywords: detected, data, key value, detection, determining
Legal status: Pending (status as inferred by Google, not a legal conclusion)
Application number
CN202311173798.5A
Other languages
Chinese (zh)
Inventor
严超敏
范渊
Current Assignee: DBAPPSecurity Co Ltd (as listed by Google, not legally verified)
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN202311173798.5A
Publication of CN117118727A

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 > H04L63/14)
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks (H04L63/00 > H04L63/14 > H04L63/1441 Countermeasures against malicious traffic)
    • H04L9/40 Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a command injection attack detection method, a device, computer equipment and a storage medium. The method comprises the following steps: first, obtaining traffic data to be inspected; then parsing the traffic data and determining the key-value pair to be inspected; then performing preliminary detection on that key-value pair and determining alarm data and suspicious data; and finally feeding the key-value pair corresponding to the suspicious data into a virtual sandbox, executing a detection command and determining alarm data from the result. That is, aimed at obfuscated (mutated) command injection attacks that bypass existing detection, traffic is captured out of band (port mirroring), basic signature detection is combined with sandbox simulation, both known and unknown command injection attacks can be detected, detection accuracy is improved, the payload text does not need to be de-obfuscated first, detection efficiency is improved, and manpower and material resources are saved.

Description

Command injection attack detection method, device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and apparatus for detecting a command injection attack, a computer device, and a storage medium.
Background
In modern internet application development, security has come to be regarded as a crucial factor. Command injection is one of the most common vulnerability classes. In a command injection attack, the attacker supplies a malicious command as input, uses facilities such as the wildcard characters of the Linux shell to bypass existing detection, and thereby executes unauthorized operations.
In the related art, known command injection vulnerabilities are collected, attack characteristics are extracted and summarized into command injection detection rules. A command to be inspected is normalized (text restoration) and analyzed semantically by an algorithm, then identified against the detection rules. However, the detection rules are written in advance by threat analysts, so detection lags behind new techniques and only known attacks can be caught; and the text-restoration and semantic-analysis algorithms are expensive to implement, need dedicated maintenance, and consume a large amount of manpower and material resources.
Therefore, the related art needs a way to improve the accuracy of command injection attack detection.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a command injection attack detection method, apparatus, computer device and computer-readable storage medium that improve the accuracy of command injection attack detection.
In a first aspect, the present application provides a method for detecting a command injection attack. The method comprises the following steps:
acquiring traffic data to be inspected;
parsing the traffic data to be inspected, and determining a key-value pair to be inspected;
performing preliminary detection on the key-value pair to be inspected, and determining alarm data and suspicious data;
and feeding the key-value pair corresponding to the suspicious data into a virtual sandbox, executing a detection command, and determining alarm data.
Optionally, in one embodiment, acquiring the traffic data to be inspected includes:
copying the packets passing through the port to be monitored to obtain the traffic data to be inspected.
Optionally, in one embodiment, the traffic data to be inspected comprises at least two packets, and parsing the traffic data and determining the key-value pair includes:
reassembling the traffic data according to the starting sequence number and length of each packet to obtain a complete data stream to be inspected;
and decoding the complete data stream to obtain the key-value pair to be inspected.
Optionally, in one embodiment, decoding the complete data stream includes:
decoding the web address (URL) in the complete data stream to obtain the query string, and determining the key-value pair to be inspected from it.
Optionally, in one embodiment, performing preliminary detection and determining alarm data and suspicious data includes:
matching the key-value pair to be inspected against a command injection attack rule database, and if the match succeeds, determining that the traffic data corresponding to that key-value pair is alarm data.
Optionally, in one embodiment, feeding the key-value pair corresponding to the suspicious data into the virtual sandbox, executing a detection command and determining alarm data includes:
starting the virtual sandbox toolbox;
feeding the key-value pair corresponding to the suspicious data into the virtual sandbox toolbox, and combining it with a container-loading command to form a detection command;
executing the detection command, and determining alarm data based on the execution result;
restarting the virtual sandbox toolbox.
Optionally, in one embodiment, determining alarm data based on the execution result includes:
if the execution result is empty, the traffic data corresponding to the key-value pair is not alarm data;
and if execution succeeds, the traffic data corresponding to the key-value pair is alarm data.
In a second aspect, the application further provides a command injection attack detection device, comprising:
a data acquisition module for acquiring traffic data to be inspected;
a key-value determination module for parsing the traffic data and determining the key-value pair to be inspected;
a preliminary detection module for performing preliminary detection on the key-value pair and determining alarm data and suspicious data;
and a virtual sandbox detection module for feeding the key-value pair corresponding to the suspicious data into the virtual sandbox, executing the detection command and determining alarm data.
In a third aspect, the present application provides a computer device comprising a memory storing a computer program and a processor that executes the steps of the method of the embodiments above.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method of the embodiments above.
The method, device, computer equipment and storage medium above thus acquire traffic to be inspected, parse it into a key-value pair, run preliminary detection to separate alarm data from suspicious data, and finally execute the suspicious key-value pair in a virtual sandbox to decide whether it too is alarm data. Against obfuscated command injection variants that bypass signature matching, out-of-band traffic capture, basic signature detection and sandbox simulation are combined: known and unknown command injection attacks can both be detected, accuracy improves, the payload does not need to be de-obfuscated first, efficiency improves, and manpower and material resources are saved.
Drawings
FIG. 1 is an application environment diagram of a command injection attack detection method in one embodiment;
FIG. 2 is a flow chart of a command injection attack detection method in one embodiment;
FIG. 3 is a flow diagram of command injection attack detection in a virtual sandbox in one embodiment;
FIG. 4 is a flowchart illustrating specific steps of a command injection attack detection method according to an embodiment;
FIG. 5 is a block diagram of a command injection attack detection device in one embodiment;
FIG. 6 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The command injection attack detection method provided by the embodiment of the application can be applied to an application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, internet of things devices, and portable wearable devices, where the internet of things devices may be smart speakers, smart televisions, smart air conditioners, smart vehicle devices, and the like. The portable wearable device may be a smart watch, smart bracelet, headset, or the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
A command injection vulnerability generally arises when a web application splices user input into a system command executed on the server. This typically happens where an external program is invoked to perform a function: configuring the hostname, IP address, netmask or gateway from a web management interface, viewing system information, shutting down or restarting, or site features such as ping, nslookup, sending mail or converting images.
Command injection takes the form of injection through functions such as system, exec and passthru, and injection that exploits Linux shell syntax. Some injections can be detected by keyword or regular-expression matching. Others use wildcards, command separators and similar shell features to append further commands and perform unauthorized operations; for these bypass-type attacks, a way to identify them accurately is needed.
In one embodiment, as shown in FIG. 2, a command injection attack detection method is provided. Taking the server in FIG. 1 as the executing entity, the method includes the following steps:
S201: acquire the traffic data to be inspected.
In this embodiment, the traffic data to be inspected is first obtained; here it refers to HTTP request messages. The Uniform Resource Locator (URL) in the request locates a resource by giving an abstract identifier of its location. A request carrying a command injection attack may contain an obfuscated command such as "/???/c?t/?t?/p??swd": the data or command supplied by the user is concatenated by the program and passed to a function that executes operating system commands. Optionally, the traffic can be obtained by replay or by traffic mirroring.
S203: parse the traffic data to be inspected, and determine the key-value pair to be inspected.
In this embodiment, the acquired traffic data is taken as input and parsed, including stream reassembly and encoding/decoding; specifically, the complete URL carrying the command injection payload is obtained, and the corresponding key-value pair to be inspected, i.e. the key=value pair of the query string, is obtained by decoding.
S205: perform preliminary detection on the key-value pair, and determine alarm data and suspicious data.
In this embodiment, preliminary detection is performed on the determined key-value pair using feature matching and rule matching. Based on the result, the corresponding traffic data is divided into alarm data and suspicious data: an alarm is raised for the alarm data, while suspicious data is traffic in which no command injection payload has been detected yet.
S207: feed the key-value pair corresponding to the suspicious data into a virtual sandbox, execute a detection command, and determine alarm data.
In this embodiment, the key-value pair corresponding to the suspicious data is inspected again by feeding it into a virtual sandbox. The sandbox environment is a Docker image of BusyBox on a Linux base, so it does not occupy the resources of the original system and is simple to maintain. The detection command is executed in the sandbox, where the operating system of the sandbox environment simulates execution of the command; if execution succeeds, the traffic data corresponding to the key-value pair is alarm data, meaning it carries a command injection payload, and an alarm is raised.
In this method, traffic to be inspected is acquired, parsed into a key-value pair, preliminarily screened into alarm data and suspicious data, and the suspicious key-value pair is finally executed in a virtual sandbox to determine whether it is alarm data. Against obfuscated variants that bypass signature matching, out-of-band traffic capture, basic signature detection and sandbox simulation are combined, so that known and unknown command injection attacks can be detected with improved accuracy, without first de-obfuscating the payload text, with improved efficiency and savings in manpower and material resources.
In one embodiment of the present application, acquiring the traffic data to be inspected includes:
copying the packets passing through the port to be monitored to obtain the traffic data to be inspected.
Taking traffic mirroring as an example, packets on the mirror port are copied to the observation port without affecting the device's normal handling of those packets. The mirror port is the monitored port, and the observation port is the port connected to the monitoring device, used to forward the copied packets to it. Specifically, packets received and transmitted on the monitored port are duplicated and sent to the observation port, and the duplicated packets are the traffic data to be inspected.
In this embodiment, copying the packets passing through the monitored port yields the traffic to be inspected, so that traffic can be obtained continuously for command injection attack detection.
In one embodiment of the present application, the traffic data to be inspected comprises at least two packets, and parsing the traffic data and determining the key-value pair includes:
S301: reassemble the traffic data according to the starting sequence number and length of each packet to obtain a complete data stream to be inspected.
S303: decode the complete data stream to obtain the key-value pair to be inspected.
In one embodiment, the traffic data is first reassembled according to each packet's starting sequence number and length. With a first packet already held and a second packet arriving, five cases are distinguished:
first, when the starting sequence number of the first packet plus its length equals the starting sequence number of the second packet, the second packet is the expected successor of the first and is appended to it;
second, when both packets have the same starting sequence number and the first packet is at least as long as the second, the second packet is a complete retransmission (or a retransmitted sub-segment) of the first and is discarded;
third, when the second packet's starting sequence number is greater than the first's, the first packet's starting sequence number plus its length is greater than the second's starting sequence number, and the first packet's starting sequence number plus its length is greater than or equal to the second's starting sequence number plus its length, the whole second packet repeats part of the first and is discarded;
fourth, when the second packet's starting sequence number is greater than the first's, the first packet's starting sequence number plus its length is greater than the second's starting sequence number, but the first packet's starting sequence number plus its length is less than or equal to the second's starting sequence number plus its length, only part of the second packet overlaps the first: the overlapping part is discarded and the remainder is appended to the first packet;
fifth, when the first packet's starting sequence number plus its length is less than the second packet's starting sequence number, the second packet has arrived early and is stored in an out-of-order queue for later reassembly.
After classifying every packet into one of these five cases, all packets are reassembled into the complete data stream to be inspected, which is then decoded. Any one or more of base64, URL and hex decoding may be applied, chosen according to the format of the stream. Decoding yields the key-value pair to be inspected, in the form key=value; in the usual case the attack payload is in the value.
In this embodiment, the traffic is reassembled by starting sequence number and packet length into a complete data stream, and the stream is decoded to obtain the key-value pair, so that segmented packets can be recombined and decoded.
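The five reassembly cases above, as an added example in Python. This is not the patent's or DBAPPSecurity's code; the segment layout and the HTTP request are constructed for illustration, and the handling of a segment that starts before the first byte held (not one of the five cases) is an assumption.

```python
"""Reassembly of one direction of a TCP stream using the five cases described above.

Added example; not the patent's code. Segments are (starting sequence number,
payload) pairs, constructed below for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class StreamReassembler:
    start: Optional[int] = None                               # seq of the first byte held
    buf: bytearray = field(default_factory=bytearray)         # contiguous bytes reassembled so far
    pending: Dict[int, bytes] = field(default_factory=dict)   # early arrivals, keyed by seq
    log: List[str] = field(default_factory=list)              # which case fired, for inspection

    @property
    def end(self) -> int:
        """Sequence number of the next byte expected (start + length held)."""
        return self.start + len(self.buf)

    def feed(self, seq: int, data: bytes) -> None:
        if self.start is None:            # the first segment anchors the stream
            self.start = seq
            self.buf += data
            self.log.append("first")
        else:
            self._absorb(seq, data)
        self._drain()

    def _absorb(self, seq: int, data: bytes) -> None:
        seg_end = seq + len(data)
        if seq == self.end:                                        # case 1: expected successor
            self.buf += data
            self.log.append("append")
        elif seq == self.start and len(data) <= len(self.buf):     # case 2: full retransmission
            self.log.append("dup")
        elif self.start < seq < self.end and seg_end <= self.end:  # case 3: repeats a middle part
            self.log.append("dup-sub")
        elif self.start <= seq < self.end and seg_end > self.end:  # case 4: partial overlap
            self.buf += data[self.end - seq:]                      # keep only the new tail
            self.log.append("trim-append")
        elif seq > self.end:                                       # case 5: arrived early
            self.pending[seq] = data
            self.log.append("queue")
        else:  # seq < start: not one of the five cases (assumption): keep a contiguous tail, if any
            if seg_end > self.end:
                self.buf += data[self.end - seq:]
            self.log.append("pre-start")

    def _drain(self) -> None:
        """Pull queued early arrivals into the buffer once the gap before them is filled."""
        while True:
            ready = [s for s in self.pending if s <= self.end]
            if not ready:
                return
            s = min(ready)
            self._absorb(s, self.pending.pop(s))


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Feed segments in arrival order and return the reassembled stream."""
    r = StreamReassembler()
    for seq, data in segments:
        r.feed(seq, data)
    return bytes(r.buf)


# Constructed sample: one HTTP request split into segments and delivered out of order,
# with one full retransmission and one partially overlapping retransmission.
SAMPLE_REQUEST = (
    b"GET /search?keyword=%2F%3F%3F%3F%2Fu%24%40%24%40name HTTP/1.1\r\n"
    b"Host: target.example\r\n\r\n"
)
SAMPLE_SEGMENTS = [
    (1000, SAMPLE_REQUEST[:20]),    # first
    (1040, SAMPLE_REQUEST[40:]),    # early arrival, queued
    (1000, SAMPLE_REQUEST[:20]),    # full retransmission, dropped
    (1010, SAMPLE_REQUEST[10:30]),  # overlaps bytes 10..20, tail 20..30 appended
    (1030, SAMPLE_REQUEST[30:40]),  # fills the gap; the queued segment is then drained
]

if __name__ == "__main__":
    print(reassemble(SAMPLE_SEGMENTS).decode())
```

The `log` field records which case handled each segment, which is what you want when debugging a reassembler against a capture: a stream that never completes usually shows a long run of `queue` entries after a lost segment, and a decoder that runs on an incomplete buffer will miss the query string entirely.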
In one embodiment of the present application, decoding the complete data stream to obtain the key-value pair includes:
decoding the web address in the complete data stream to obtain the query string, and determining the key-value pair to be inspected from it.
In one embodiment, the URL in the complete data stream is normally encoded (percent-encoding, so that the server does not misparse it) and must be decoded to obtain the key-value pair. Base64, URL and hex decoding may be chosen according to the situation; the URL is then parsed into its domain name, port number, path and query string, and the query string, in the form key=value, is the key-value pair to be inspected.
In this embodiment, decoding the web address in the complete data stream isolates the query string and hence the key-value pair to be inspected, so that only the field carrying user input is passed on to the detection stages.
In one embodiment of the present application, performing preliminary detection on the key-value pair and determining alarm data and suspicious data includes:
matching the key-value pair against a command injection attack rule database, and if the match succeeds, determining that the corresponding traffic data is alarm data.
In one embodiment, once the key-value pair has been determined it is passed to an intrusion detection system (IDS) and matched against the command injection attack rule database stored in the IDS. If the match succeeds, the corresponding traffic data is determined to be alarm data, i.e. a command injection payload has been detected, and an alarm is raised directly. The rule database consists of rules extracted from known command injection attacks and comprises specific detection statements constrained by keywords, regular expressions and the like. For a key-value pair that does not match the rule database, the corresponding traffic data is determined to be suspicious data and awaits further detection.
In this embodiment, matching the key-value pair against the rule database screens out the command injection attacks with obvious characteristics and raises alarms for them, improving detection efficiency.
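The decoding and preliminary detection stages above (URL to query string to key=value, decoded and matched against a rule database), as an added Python example. This is not the patent's or DBAPPSecurity's code: the `RULES` list is a constructed stand-in for the rule database the patent does not publish, the sample requests are constructed, and the decoding order (nested percent-decoding, then hex and base64 on each result) is my choice. It goes slightly beyond the text by also trying hex and base64 on every percent-decoded layer, so a payload hidden two encodings deep is still matched.

```python
"""Preliminary detection: request line -> URL -> decoded key=value pairs -> rule database.

Added example; not the patent's code. RULES is a constructed rule database and the
sample requests are constructed, not captured traffic.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rule database: the kind of keyword/regex rules the text describes.
RULES: List[Tuple[str, re.Pattern]] = [
    ("command-after-separator",
     re.compile(r"(^|[;&|`\n])\s*(cat|ls|id|whoami|uname|wget|curl|nc|sh|bash)\b")),
    ("subshell", re.compile(r"\$\(|`")),
    ("sensitive-path", re.compile(r"/etc/(passwd|shadow)\b")),
]


def request_target(raw: bytes) -> str:
    """Return the request-target (URL part) of the first line of an HTTP/1.x request."""
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = first_line.split(" ", 2)
    return target


def key_values(target: str) -> List[Tuple[str, str]]:
    """Split the query string into (key, value) pairs; parse_qsl URL-decodes once."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def _printable(raw: bytes) -> bool:
    return bool(raw) and all(32 <= b < 127 for b in raw)


def decode_variants(value: str) -> List[str]:
    """Every plausible reading of a value: nested URL-decoding, then hex and base64 of each layer."""
    variants = [value]
    current = value
    for _ in range(3):                       # peel up to three layers of percent-encoding
        decoded = unquote(current)
        if decoded == current:
            break
        variants.append(decoded)
        current = decoded
    for cand in list(variants):
        hexpart = cand[2:] if cand[:2].lower() == "0x" else cand
        if len(hexpart) >= 8 and len(hexpart) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", hexpart):
            raw = bytes.fromhex(hexpart)
            if _printable(raw):              # drop decodings that are clearly not text
                variants.append(raw.decode("ascii"))
        if len(cand) >= 8 and len(cand) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+=*", cand):
            try:
                raw = base64.b64decode(cand, validate=True)
            except binascii.Error:
                continue
            if _printable(raw):
                variants.append(raw.decode("ascii"))
    return variants


def preliminary_detect(pairs: List[Tuple[str, str]]) -> Tuple[List[Dict], List[Dict]]:
    """Split pairs into alarm data (a rule matched) and suspicious data (nothing matched yet)."""
    alarms, suspicious = [], []
    for key, value in pairs:
        hit = None
        for variant in decode_variants(value):
            for name, rx in RULES:
                if rx.search(variant):
                    hit = {"key": key, "value": value, "rule": name, "matched": variant}
                    break
            if hit:
                break
        if hit:
            alarms.append(hit)
        else:
            suspicious.append({"key": key, "value": value})
    return alarms, suspicious


def triage(raw_request: bytes) -> Tuple[List[Dict], List[Dict]]:
    """Whole preliminary stage for one reassembled request."""
    return preliminary_detect(key_values(request_target(raw_request)))


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "separator":  b"GET /ping?ip=127.0.0.1%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1\r\nHost: t\r\n\r\n",
    "base64":     b"GET /run?cmd=Y2F0IC9ldGMvcGFzc3dk HTTP/1.1\r\nHost: t\r\n\r\n",
    "double-url": b"GET /x?a=%253Bid HTTP/1.1\r\nHost: t\r\n\r\n",
    "wildcard":   b"GET /search?keyword=%2F%3F%3F%3F%2Fu%24%40%24%40name HTTP/1.1\r\nHost: t\r\n\r\n",
    "benign":     b"GET /search?keyword=hello+world HTTP/1.1\r\nHost: t\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        alarms, suspicious = triage(req)
        print(label, "ALARM" if alarms else "suspicious", alarms or suspicious)
```

Note what the rule stage does and does not catch: the separator, base64 and double-encoded payloads all become alarm data, but the wildcard form `/???/u$@$@name` contains no keyword a rule can anchor on and lands in suspicious data together with the benign search term. That is exactly the set the patent forwards to the sandbox, and it is worth remembering that under this scheme every value that matches no rule, benign or not, costs a container run.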
In one embodiment of the present application, feeding the key-value pair corresponding to the suspicious data into the virtual sandbox, executing the detection command and determining alarm data includes:
S401: start the virtual sandbox toolbox.
S403: feed the key-value pair corresponding to the suspicious data into the virtual sandbox toolbox, and combine it with a container-loading command to form a detection command.
S405: execute the detection command, and determine alarm data based on its execution result.
S407: restart the virtual sandbox toolbox.
In one embodiment, the suspicious data left after preliminary screening is sent to the virtual sandbox for further detection; what is actually fed in is the corresponding key-value pair. As shown in FIG. 3, the virtual sandbox toolbox BusyBox is first started and the sandbox simulation environment initialized. BusyBox bundles a large number of native Linux commands in a single small executable, supports wildcard expansion in commands, and is compact enough to integrate into many environments. Next, the key-value pair corresponding to the suspicious data is fed into the toolbox and combined with the container-loading command to form the detection command. In a concrete application, a URL such as /search?keyword=/???/u$@$@name is parsed, the content of the value to be inspected is determined to be /???/u$@$@name, and that content is used as the command parameter to execute; the container-loading command is the Docker command, e.g. docker run -it, and the detection command is formed as container-loading command + command parameter.
The detection command is then executed and the returned result is checked to determine whether the traffic data corresponding to the key-value pair is alarm data; if so, an alarm is raised. Finally, the current virtual sandbox toolbox is restarted to reset the sandbox environment for the next detection.
In this embodiment, starting the virtual sandbox toolbox, feeding the suspicious key-value pair into it, forming a detection command with the container-loading command, executing it, determining alarm data from the execution result and restarting the toolbox lets the Linux operating system itself load and execute the command, so the command cannot escape detection; bypass-type command injection attacks that rely on obfuscation through system wildcards are thus detected accurately.
In one embodiment of the present application, determining alarm data based on the execution result of the detection command includes:
S501: if the execution result is empty, the traffic data corresponding to the key-value pair is not alarm data.
S503: if execution succeeds, the traffic data corresponding to the key-value pair is alarm data.
In one embodiment, whether the traffic data corresponding to the key-value pair is alarm data is determined from the execution result returned by the virtual system of the sandbox toolbox. Specifically, if the execution result is empty, i.e. the detection command was not executed successfully and no feedback was observed, the corresponding traffic data is not alarm data and carries no command injection payload. If execution succeeded, i.e. the detection command ran and produced feedback, the corresponding traffic data is alarm data, a command injection payload has been detected, and an alarm is raised.
In this embodiment, deciding from the execution result returned by the virtual system of the sandbox toolbox whether the corresponding traffic data is alarm data improves the accuracy of command injection attack detection.
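The sandbox stage of S401 to S407 and the verdict rule of S501 and S503, as an added Python example. This is not the patent's or DBAPPSecurity's code. The patent only shows `docker run` with BusyBox; the image name, the hardening flags (no network, read-only root, dropped capabilities, unprivileged user, memory and PID limits, a timeout), the reading of "successful" as exit status 0 with non-empty output, and the partial BusyBox file listing used for the offline predictor are all my assumptions. Where the patent restarts the toolbox after each run, this example starts a fresh throwaway container per value (`--rm`), which resets the environment the same way.

```python
"""Sandbox stage: run a suspicious value in a disposable BusyBox container and classify the result.

Added example; not the patent's code. The image name, Docker flags, verdict rule and the
offline file listing are assumptions; the patent only shows "docker run" with BusyBox.
"""
import re
import shlex
import shutil
import subprocess
from typing import List, Optional

BUSYBOX_IMAGE = "busybox:latest"   # assumption


def build_detection_command(value: str, image: str = BUSYBOX_IMAGE, timeout_s: int = 5) -> List[str]:
    """Container-loading command + command parameter, with the limits an attacker-controlled string needs.

    The value is one argv element handed to `sh -c` inside the container, so no host shell ever
    interprets it; wildcards and $@ are expanded by the sandbox shell, which is the point.
    """
    return [
        "docker", "run", "--rm", "--network", "none", "--read-only",
        "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
        "--memory", "64m", "--pids-limit", "32", "--user", "65534:65534",
        image, "timeout", str(timeout_s), "sh", "-c", value,
    ]


def classify(returncode: Optional[int], stdout: bytes) -> str:
    """S501/S503: empty result -> not alarm data; successful execution -> alarm data.

    'Successful' is read as exit status 0 with non-empty output (assumption).
    """
    return "alarm" if returncode == 0 and stdout.strip() else "clean"


def run_in_sandbox(value: str, timeout_s: int = 5) -> str:
    """Execute the value in a fresh container and classify it. Needs a Docker daemon."""
    proc = subprocess.run(build_detection_command(value, timeout_s=timeout_s),
                          capture_output=True, timeout=timeout_s + 10)
    return classify(proc.returncode, proc.stdout)


# Offline approximation of what the sandbox shell resolves the value to; handy for tests and
# for explaining a verdict. Constructed partial listing of a BusyBox image (assumption).
BUSYBOX_PATHS = ["/bin/sh", "/bin/busybox", "/bin/cat", "/bin/ls", "/bin/uname",
                 "/etc/passwd", "/etc/group", "/usr/bin/env"]


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Shell pathname pattern -> regex; ? and * never cross '/' (bracket classes not handled)."""
    out = ""
    for ch in pattern:
        out += "[^/]" if ch == "?" else "[^/]*" if ch == "*" else re.escape(ch)
    return re.compile(out + r"\Z")


def expand_like_sh(value: str, paths: List[str] = BUSYBOX_PATHS) -> List[str]:
    """Approximate `sh -c value`: drop $@ and $* (empty with no positional parameters), split
    into words, expand each wildcard word against the listing; unmatched patterns stay literal."""
    stripped = value.replace("$@", "").replace("$*", "")
    try:
        words = shlex.split(stripped)
    except ValueError:             # unbalanced quotes: sh would reject the line too
        return []
    argv: List[str] = []
    for word in words:
        if any(c in word for c in "?*"):
            matches = sorted(p for p in paths if _glob_to_regex(word).match(p))
            argv.extend(matches or [word])
        else:
            argv.append(word)
    return argv


def predict(value: str, paths: List[str] = BUSYBOX_PATHS) -> str:
    """Offline verdict: alarm if the first word resolves to a binary in the image, else clean."""
    argv = expand_like_sh(value, paths)
    is_binary = bool(argv) and argv[0] in paths and argv[0].startswith(("/bin/", "/usr/bin/"))
    return "alarm" if is_binary else "clean"


if __name__ == "__main__":
    for sample in ["/???/u$@$@name", "/???/c?t /?t?/p??swd", "hello world"]:
        verdict = run_in_sandbox(sample) if shutil.which("docker") else predict(sample)
        print(f"{sample!r}: {verdict} -> {expand_like_sh(sample)}")
```

Two caveats a practitioner should keep in mind. First, the container is the authority and the offline predictor only approximates it: a value like `ls` resolves to nothing in the listing but runs fine in the sandbox, and under the patent's rule any innocuous value that happens to be a valid command produces an alarm, so the verdict is a strong signal rather than proof. Second, you are executing attacker-chosen strings on purpose; the flags above (no network, read-only filesystem, no capabilities, unprivileged user, memory and PID limits, a per-run timeout) are the minimum that makes that acceptable, and the fresh `--rm` container per value is what keeps one payload from influencing the next.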
A specific embodiment is now used to describe the concrete implementation steps of command injection attack detection, as shown in fig. 4. First, S601, the flow data to be detected is acquired; specifically, S603, the data packets passing through the port to be detected are copied to obtain the flow data to be detected. Then, S605, the flow data to be detected is parsed to determine the key value to be detected; specifically, the acquired flow data to be detected is input into a data processing module, which executes S607-S609: the flow data to be detected is reassembled according to the initial sequence number and length of each data message to obtain the complete flow data to be detected, and the web address in the complete flow data to be detected is decoded to obtain the query string, from which the key value to be detected is determined.
Next, S611, preliminary detection is performed on the basis of the key value to be detected to determine alarm data and suspicious data; specifically, the key value to be detected is input into an IDS rule detection module and, S613, matched against the command injection attack rule database; if the match succeeds, the flow data to be detected corresponding to the key value to be detected is determined to be alarm data and is stored in the alarm list. Then, S615, the key value to be detected corresponding to the suspicious data is input into the virtual sandbox, the detection command is executed and alarm data is determined; specifically, the virtual sandbox tool box is started, the key value to be detected corresponding to the suspicious data is input into the virtual sandbox tool box and combined with the container loading command to form the detection command, the detection command is executed, alarm data is determined from its execution result, and the virtual sandbox tool box is restarted. S627-S629: if the execution result is null, the flow data to be detected corresponding to the key value to be detected does not belong to the alarm data; if the execution result is successful, the flow data to be detected corresponding to the key value to be detected is alarm data. This alarm data is likewise stored in the alarm list. Finally, the alarm list is sent to the terminal and displayed to the user, and command injection attack detection ends.
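The procedure S601-S629 described above, written out as an added example in Python; this is not the applicant's code and the patent publishes none. Everything concrete in it is an assumption of the example: the rule database (two constructed regexes), the criterion that turns an unmatched value into "suspicious data" (shell metacharacters present), the form of the "container loading command" (a throwaway docker container with networking, capabilities and a writable filesystem removed), the `true <value>` probe that makes only an injected command produce feedback, the `simulated_runner` that stands in for the sandbox so the code runs offline, and the sample request, which is constructed and captured as out-of-order, overlapping segments to exercise the reassembly step. `docker_runner` is the real executor and is not called by the sample.

```python
"""Added example (not the patent applicant's code): the S601-S629 procedure as a
small pipeline: reassemble captured segments, decode the URL query string into key
values, match a rule database, and send only the suspicious values to an isolated
sandbox whose feedback decides whether they become alarm data."""
import re
import subprocess
from urllib.parse import parse_qsl, urlsplit

def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """S607: order segments by sequence number, drop retransmitted overlap and stop
    at the first gap so that a partial stream is never decoded as if complete."""
    stream, expected = bytearray(), None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        expected = seq if expected is None else expected
        if seq < expected:                       # overlap: keep only the unseen tail
            payload, seq = payload[expected - seq:], expected
        if seq > expected:                       # gap: cannot decode safely
            break
        stream += payload
        expected = seq + len(payload)
    return bytes(stream)

def key_values(http: bytes) -> list[tuple[str, str]]:
    """S609: take the URL from the request line and percent-decode its query string."""
    parts = http.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True) if len(parts) > 1 else []

# S613: constructed rule database (the patent does not publish its rule set).
RULES = {
    "R1-separator-then-binary": re.compile(
        r"(?:;|\|\||&&|\||`|\$\()\s*(?:id|whoami|nc|curl|wget)\b", re.I),
    "R2-command-substitution": re.compile(r"\$\([^)]*\)|`[^`]*`"),
}
# Assumption of this example: metacharacters that no rule explains make a value "suspicious".
SUSPICIOUS = re.compile(r"[;|&`$]")

def preliminary_detect(kvs):
    """S611: rule hit -> alarm data; metacharacters without a hit -> suspicious data."""
    alarms, suspicious = [], []
    for name, value in kvs:
        rule = next((rid for rid, rx in RULES.items() if rx.search(value)), None)
        if rule:
            alarms.append((name, value, rule))
        elif SUSPICIOUS.search(value):
            suspicious.append((name, value))
    return alarms, suspicious

def detection_command(value: str) -> list[str]:
    """S619: the "container loading command" is assumed to be a throwaway docker
    container with no network, no capabilities and a read-only filesystem, because
    the detection command executes attacker-controlled text by design; `true`
    ignores its arguments, so only an injected command can produce feedback."""
    return ["docker", "run", "--rm", "--network", "none", "--read-only",
            "--cap-drop", "ALL", "--pids-limit", "32", "--memory", "64m",
            "--user", "65534:65534", "alpine:3.19", "sh", "-c", "true " + value]

def docker_runner(argv: list[str]) -> bytes:
    """Real executor (needs docker on the host). A timeout counts as feedback so
    that blind, time-based payloads such as ';sleep 30' are not missed."""
    try:
        return subprocess.run(argv, capture_output=True, timeout=10).stdout
    except subprocess.TimeoutExpired:
        return b"<timeout>"

def simulated_runner(argv: list[str]) -> bytes:
    """Constructed stand-in so the example runs offline: a toy shell in which only
    a few binaries exist and `true` prints nothing."""
    script, out = argv[-1], b""
    for cmd in re.split(r"\s*(?:;|&&|\|\||\||\n)\s*", script)[1:]:
        head = cmd.split(None, 1)[0] if cmd.strip() else ""
        if head in {"id", "whoami", "cat", "uname", "ls"}:
            out += f"<output of {head}>\n".encode()
    if RULES["R2-command-substitution"].search(script):
        out += b"<output of substituted command>\n"
    return out

def sandbox_detect(suspicious, runner):
    """S615-S629: non-null feedback -> alarm data. The container is ephemeral (--rm),
    which is how the sandbox is "restarted" after every detection command."""
    return [(name, value, "sandbox-feedback")
            for name, value in suspicious if runner(detection_command(value))]

def detect(segments, runner=simulated_runner):
    """Whole flow; returns the alarm list that would be sent to the terminal."""
    alarms, suspicious = preliminary_detect(key_values(reassemble(segments)))
    return alarms + sandbox_detect(suspicious, runner)

# Constructed sample: one GET request captured as three out-of-order segments, the
# last of which overlaps the previous one by ten bytes (a retransmission).
REQUEST = (b"GET /ping?target=10.0.0.5%7C%7Cwhoami&host=127.0.0.1%3Bcat%20/etc/passwd"
           b"&note=a%26b&fmt=json HTTP/1.1\r\nHost: example.test\r\n\r\n")
ISN = 1000
SAMPLE_SEGMENTS = [(ISN + 40, REQUEST[40:70]), (ISN, REQUEST[:40]), (ISN + 60, REQUEST[60:])]

if __name__ == "__main__":
    for alarm in detect(SAMPLE_SEGMENTS):
        print(alarm)
```

Running the sample yields two alarms: `target` is caught by rule R1 at the preliminary stage, while `host` carries a `;cat` sequence that no rule names, is classed as suspicious, and is confirmed only by sandbox feedback; `note` (`a&b`) is also suspicious but produces no feedback and is cleared. Three points matter in practice. The sandbox step runs attacker-controlled text on purpose, so its safety rests entirely on the isolation flags and on the container being discarded after each command; a sandbox that keeps state between runs, or has network access, turns the detector into an oracle or an outbound channel for the attacker. The "null result means benign" rule misses payloads whose feedback is not stdout (blind injection via `sleep`, DNS lookups, file writes), which is why the real runner treats a timeout as feedback and why a network-less container is the right place to look for the other two. Finally, the decoder only handles a single layer of percent-encoding in the URL query, as the text describes; doubly encoded or body-carried (POST form, JSON) parameters need a further decode pass before the rule stage sees them.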
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the order of execution of these steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may comprise a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential: they may be performed in turn or alternately with at least some of the other steps, or with sub-steps or stages of other steps.
Based on the same inventive concept, an embodiment of the application also provides a command injection attack detection device for implementing the command injection attack detection method described above. The implementation of the solution provided by the device is similar to that described for the method, so for the specific limitations of the one or more command injection attack detection device embodiments provided below, reference may be made to the limitations of the command injection attack detection method above, which are not repeated here.
In one embodiment, as shown in fig. 5, a command injection attack detection device 500 is provided, comprising a data acquisition module 501, a key value to be detected determining module 503, a preliminary detection module 505 and a virtual sandbox detection module 507, wherein:
the data acquisition module 501 is configured to acquire flow data to be detected.
The key value to be detected determining module 503 is configured to parse the flow data to be detected and determine a key value to be detected.
The preliminary detection module 505 is configured to perform preliminary detection based on the key value to be detected, and determine alarm data and suspicious data.
The virtual sandbox detection module 507 is configured to input a key value to be detected corresponding to the suspicious data into a virtual sandbox, execute a detection command, and determine alarm data.
In one embodiment of the present application, the data acquisition module is further configured to:
copy the data messages passing through the port to be detected to obtain the flow data to be detected.
In one embodiment of the present application, the key value to be detected determining module is further configured to:
reassemble the flow data to be detected according to the initial sequence number and length of each data message to obtain a complete data stream to be detected;
decode the complete data stream to be detected to obtain a key value to be detected.
In one embodiment of the present application, the key value to be detected determining module is further configured to:
decode the web address in the complete data stream to be detected to obtain a query string, and determine the key value to be detected.
In one embodiment of the present application, the preliminary detection module is further configured to:
match the key value to be detected against a command injection attack rule database and, if the match succeeds, determine the flow data to be detected corresponding to the key value to be detected to be alarm data.
In one embodiment of the present application, the virtual sandbox detection module is further configured to:
start a virtual sandbox tool box;
input the key value to be detected corresponding to the suspicious data into the virtual sandbox tool box and combine it with a container loading command to form a detection command;
execute the detection command and determine alarm data on the basis of the execution result of the detection command;
restart the virtual sandbox tool box.
In one embodiment of the present application, the virtual sandbox detection module is further configured to:
if the execution result is null, determine that the flow data to be detected corresponding to the key value to be detected does not belong to the alarm data;
if the execution result is successful, determine that the flow data to be detected corresponding to the key value to be detected is alarm data.
The modules of the command injection attack detection device described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in, or independent of, the processor of the computer device in hardware form, or stored as software in the memory of the computer device, so that the processor can call and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a terminal and whose internal structure may be as shown in fig. 6. The computer device comprises a processor, a memory, a communication interface, a display screen and an input device connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory; the non-volatile storage medium stores an operating system and a computer program, and the internal memory provides the environment in which the operating system and the computer program in the non-volatile storage medium run. The communication interface of the computer device is used for wired or wireless communication with an external terminal; the wireless mode may be implemented through Wi-Fi, a mobile cellular network, NFC (near field communication) or other technologies. The computer program, when executed by the processor, implements the command injection attack detection method. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device may be a touch layer covering the display screen, keys, a trackball or a touchpad on the housing of the computer device, or an external keyboard, touchpad or mouse.
Those skilled in the art will appreciate that the structure shown in fig. 6 is merely a block diagram of part of the structure related to the solution of the present application and does not limit the computer device to which the solution is applied; a particular computer device may include more or fewer components than shown, combine some components, or arrange the components differently.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium which, when executed, may carry out the steps of the method embodiments described above. Any reference to memory, a database or another medium in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processor referred to in the embodiments provided in the present application may be, without limitation, a general-purpose processor, a central processing unit, a graphics processing unit, a digital signal processor, a programmable logic device, a data processing logic unit based on quantum computing, or the like.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described; however, as long as there is no contradiction between the combined technical features, the combination should be considered within the scope of this description.
The foregoing embodiments illustrate only a few implementations of the application and are described in detail, but this is not to be understood as limiting the scope of the application. It should be noted that those skilled in the art can make several variations and improvements without departing from the spirit of the application, and these all fall within the scope of the application. Accordingly, the scope of protection of the application should be that of the appended claims.

Claims (10)

1. A command injection attack detection method, the method comprising:
acquiring flow data to be detected;
parsing the flow data to be detected and determining a key value to be detected;
performing preliminary detection on the basis of the key value to be detected and determining alarm data and suspicious data;
inputting the key value to be detected corresponding to the suspicious data into a virtual sandbox, executing a detection command, and determining alarm data.
2. The method of claim 1, wherein the acquiring flow data to be detected comprises:
copying the data messages passing through the port to be detected to obtain the flow data to be detected.
3. The method of claim 1, wherein the flow data to be detected comprises at least two data messages, and wherein the parsing the flow data to be detected and determining the key value to be detected comprises:
reassembling the flow data to be detected according to the initial sequence number and length of each data message to obtain a complete data stream to be detected;
decoding the complete data stream to be detected to obtain the key value to be detected.
4. The method of claim 3, wherein the decoding the complete data stream to be detected to obtain the key value to be detected comprises:
decoding the web address in the complete data stream to be detected to obtain a query string, and determining the key value to be detected.
5. The method of claim 1, wherein the performing preliminary detection on the basis of the key value to be detected and determining alarm data and suspicious data comprises:
matching the key value to be detected against a command injection attack rule database and, if the match succeeds, determining the flow data to be detected corresponding to the key value to be detected to be alarm data.
6. The method of claim 1, wherein the inputting the key value to be detected corresponding to the suspicious data into a virtual sandbox, executing a detection command, and determining alarm data comprises:
starting a virtual sandbox tool box;
inputting the key value to be detected corresponding to the suspicious data into the virtual sandbox tool box and combining it with a container loading command to form a detection command;
executing the detection command and determining alarm data on the basis of the execution result of the detection command;
restarting the virtual sandbox tool box.
7. The method of claim 6, wherein the determining alarm data on the basis of the execution result of the detection command comprises:
if the execution result is null, the flow data to be detected corresponding to the key value to be detected does not belong to the alarm data;
if the execution result is successful, the flow data to be detected corresponding to the key value to be detected is alarm data.
8. A command injection attack detection device, the device comprising:
a data acquisition module for acquiring flow data to be detected;
a key value to be detected determining module for parsing the flow data to be detected and determining a key value to be detected;
a preliminary detection module for performing preliminary detection on the basis of the key value to be detected and determining alarm data and suspicious data;
a virtual sandbox detection module for inputting the key value to be detected corresponding to the suspicious data into a virtual sandbox, executing a detection command, and determining alarm data.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 7.
CN202311173798.5A 2023-09-11 2023-09-11 Command injection attack detection method, device, computer equipment and storage medium Pending CN117118727A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311173798.5A CN117118727A (en) 2023-09-11 2023-09-11 Command injection attack detection method, device, computer equipment and storage medium


Publications (1)

Publication Number Publication Date
CN117118727A true CN117118727A (en) 2023-11-24

Family

ID=88807496



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination