CN117354057B - Malicious traffic detection method, device and equipment - Google Patents


Info

Publication number: CN117354057B
Authority: CN (China)
Prior art keywords: data packet, detected, encryption, decryption, application layer
Legal status: Active
Application number: CN202311642441.7A
Other languages: Chinese (zh)
Other versions: CN117354057A
Inventors: 王滨, 张峰, 郭瀚亭, 吴昊, 何承润, 王冲华, 万里, 周少鹏
Current Assignee: Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee: Hangzhou Hikvision Digital Technology Co Ltd

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14, network security architectures or protocols for detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L63/0428 Confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application provides a malicious traffic detection method, device and equipment. The method comprises the following steps: acquiring a data packet to be detected; when the data packet to be detected is an HTTPS packet, determining the session to which it belongs according to its session five-tuple information; determining the encryption and decryption channel associated with that session in the cryptographic card, decrypting the application layer data of the packet through that channel, and replacing the undecrypted application layer data in the packet with the decrypted application layer data; when the data packet to be detected is an HTTP or HTTPS packet, determining its type; and when the type of the data packet is a response packet, matching the application layer data of the packet against attack success features to determine whether the packet belongs to malicious traffic. The method improves the comprehensiveness of malicious traffic detection.

Description

Malicious traffic detection method, device and equipment
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a method, an apparatus, and a device for detecting malicious traffic.
Background
There are many existing malicious traffic detection methods, based on feature matching, machine learning, deep learning and the like.
However, current malicious traffic detection methods mostly focus on detecting whether a website is being attacked, for example whether malicious traffic exists in the requests sent to a web page, and pay no attention to whether the web page itself is anomalous.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, and a device for detecting malicious traffic.
Specifically, the application is realised by the following technical scheme:
According to a first aspect of the embodiments of the present application, a malicious traffic detection method is provided, including:
acquiring a data packet to be detected;
when the data packet to be detected is an HTTPS packet, determining the session to which it belongs according to its session five-tuple information;
determining the encryption and decryption channel associated with that session in the cryptographic card, decrypting the application layer data of the data packet through that channel, and replacing the undecrypted application layer data in the data packet with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which handles the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored;
when the data packet to be detected is an HTTP or HTTPS packet, determining its type; the type of a data packet is either a request packet, used to request access to the Web service to be monitored, or a response packet, with which the Web service to be monitored responds to the access request;
and when the type of the data packet to be detected is a response packet, matching the application layer data of the data packet against attack success features to determine whether the data packet belongs to malicious traffic.
According to a second aspect of the embodiments of the present application, a malicious traffic detection apparatus is provided, including:
an acquisition unit, used to acquire the data packet to be detected;
a first determining unit, used to determine, when the data packet to be detected is an HTTPS packet, the session to which it belongs according to its session five-tuple information;
a decryption unit, used to determine the encryption and decryption channel associated with that session in the cryptographic card, decrypt the application layer data of the data packet through that channel, and replace the undecrypted application layer data in the data packet with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which handles the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored;
a second determining unit, used to determine the type of the data packet to be detected when it is an HTTP or HTTPS packet; the type of a data packet is either a request packet, used to request access to the Web service to be monitored, or a response packet, with which the Web service to be monitored responds to the access request;
and a detection unit, used to match, when the type of the data packet to be detected is a response packet, the application layer data of the data packet against attack success features to determine whether the data packet belongs to malicious traffic.
According to a fifth aspect of the embodiments of the present application, an electronic device is provided, comprising a processor and a memory, wherein
the memory is used to store a computer program;
and the processor is configured to implement the method provided in the first aspect when executing the program stored in the memory.
With the malicious traffic detection method of the present application, a plurality of encryption and decryption channels are set up in the cryptographic card, each handling the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored. When an obtained data packet to be detected is determined to be an HTTPS packet, the session to which it belongs is determined from its session five-tuple information, the encryption and decryption channel associated with that session in the cryptographic card is determined, the application layer data of the packet is decrypted through that channel, and the undecrypted application layer data in the packet is replaced with the decrypted application layer data. When the data packet to be detected is an HTTP or HTTPS packet, its type can be determined, and when the type is a response packet, its application layer data is matched against attack success features to determine whether the packet belongs to malicious traffic. Malicious traffic detection is thus no longer limited to the packets requesting access to the Web service to be monitored: the response packets with which the Web service answers those requests are monitored as well. In this way security detection of HTTPS traffic is realised; the application layer data of HTTPS packets is decrypted by the cryptographic card, which improves decryption efficiency and security; and the case where the Web service has been successfully attacked can be detected effectively, which improves the comprehensiveness of malicious traffic detection and, in turn, the security of the equipment.
Drawings
Fig. 1 is a flow chart of a malicious traffic detection method according to an exemplary embodiment of the present application;
Fig. 2 is a flow diagram of a malicious traffic detection scheme according to an exemplary embodiment of the present application;
Fig. 3 is a schematic structural diagram of a malicious traffic detection device according to an exemplary embodiment of the present application;
Fig. 4 is a schematic hardware structure of an electronic device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the present application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In order to enable those skilled in the art to better understand the technical solutions provided in the embodiments of the present application, some terms related to the embodiments of the present application will be briefly described below.
1. HTTPS (Hypertext Transfer Protocol Secure): a communication protocol that encrypts data content by combining HTTP (Hypertext Transfer Protocol) with TLS (Transport Layer Security), so that data transmitted over the network is encrypted and the original content of a data packet cannot be read directly even if it is intercepted.
2. Cryptographic card (password card): a hardware device for cryptographic operations that supports internal key generation and execution of cryptographic algorithms; compared with computation on a general-purpose CPU, it is accelerated and optimised for cryptographic computation in terms of hardware design, algorithm optimisation and the like.
3. Asymmetric encryption: an encryption algorithm that generates two keys, a public key and a private key; it is generally used for digital signatures, integrity verification and the like, and its computational complexity is high.
4. Symmetric encryption: encryption of the plaintext and decryption of the ciphertext are performed with a single key, so the computational complexity is low.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, the following describes the technical solutions of the embodiments of the present application in detail with reference to the accompanying drawings.
Referring to Fig. 1, a flow chart of a malicious traffic detection method provided in an embodiment of the present application, the malicious traffic detection method may include the following steps:
Step S100, obtaining a data packet to be detected.
For example, monitored data packets, such as the packets of the core network traffic, may be obtained through bypass traffic mirroring and taken as the data packets to be detected.
For example, a monitored data packet to be detected may be parsed and its key features extracted, which may include: source IP address, destination IP address, source port, destination port, protocol (application layer protocol) and application layer data.
Step S110, when the data packet to be detected is an HTTPS packet, determining the session to which it belongs according to its session five-tuple information.
Step S120, determining the encryption and decryption channel associated with that session in the cryptographic card, decrypting the application layer data of the data packet to be detected through that channel, and replacing the undecrypted application layer data in the data packet with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which handles the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored.
In the embodiment of the application, considering that most websites provide web services over HTTPS, performing a security check on HTTPS traffic requires that the application layer data in the data packet be decrypted first.
In the embodiment of the application, in order to improve the security and efficiency of decrypting the application layer data of HTTPS packets, that decryption may be performed by a cryptographic card.
For example, a plurality of encryption and decryption channels may be set up in the cryptographic card, each of which handles the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored.
Correspondingly, when an obtained data packet to be detected is an HTTPS packet, the session to which it belongs can be determined according to its session five-tuple information.
Illustratively, a session five-tuple is the set of five elements used in a computer network to identify a network session: the source IP address (the session source IP address), the destination IP address (the session destination IP address), the source port number, the destination port number and the transport protocol.
Session source IP address: the IP address of the device that initiates the network session; it uniquely identifies that device's location in the network.
Session destination IP address: the IP address of the target device of the network session; it represents the destination of the network communication.
Source port number: the port number used by the application or service on the device that initiated the network session. Port numbers distinguish different network applications on the same device.
Destination port number: the port number on which the application or service on the target device of the network session listens. By the destination port number, the target device can hand the received data packet to the correct application or service process.
Transport protocol: the transport layer protocol used by the network session, commonly TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). The transport protocol determines the manner and rules by which data is transmitted in the network.
In a session, the IP address of the client is the session source IP, the IP address of the server is the session destination IP, a request packet of the session is a packet sent from the client to the server, and a response packet of the session is a packet sent from the server to the client.
For example, the session five-tuple information can uniquely identify a session.
The encryption and decryption channel associated with the session in the cryptographic card can then be determined from the session to which the data packet to be detected belongs, the application layer data of the data packet is decrypted through that channel, and the undecrypted application layer data in the data packet is replaced with the decrypted application layer data.
For example, for any session, the encryption and decryption channel associated with that session in the cryptographic card may store, in association with the channel, the symmetric key of that session, which is used to decrypt the application layer data in the data packets of that session.
For example, for a newly created session, when an encryption and decryption channel is allocated to the session, the symmetric key of the session may be generated from the private key of the Web service to be monitored that is stored in association with the channel, and the symmetric key is then stored in association with the channel.
For example, once the application layer data of the data packet has been decrypted in the above manner, the undecrypted application layer data in the data packet to be detected may be replaced with the decrypted application layer data.
Step S130, when the data packet to be detected is an HTTP or HTTPS packet, determining its type; the type of a data packet is either a request packet, used to request access to the Web service to be monitored, or a response packet, with which the Web service to be monitored responds to the access request.
In the embodiment of the application, it is considered that when the Web service has been successfully attacked, the response packets it returns to the requesting device may themselves become malicious traffic, for example by carrying sensitive information, malicious links or other malicious content, so that the requesting device is exposed to a security risk.
Therefore, to improve the comprehensiveness of malicious traffic detection, malicious traffic detection can be performed not only on request packets for accessing the Web service but also on the response packets returned by the Web service.
Accordingly, once the data packet to be detected is determined to be an HTTP or HTTPS packet, its type can be identified.
By way of example, the type of a data packet may be a request packet or a response packet.
By way of example, the type of a data packet may be determined from the source IP, the destination IP and the session direction of the data packet.
For example, when the session direction is session source IP to session destination IP, the current data packet is determined to be a request packet; otherwise, the current data packet is determined to be a response packet.
For example, the session direction may be identified from the source port and the destination port.
For example, when the destination port is in the list of common web service ports ([80, 8080, 8081] etc.), the current session direction is determined to be session source IP to session destination IP; otherwise, the session direction is determined to be session destination IP to session source IP.
Through the identification of the session direction, the session source IP address and the session destination IP address can be determined, and the source IP address and destination IP address of the data packet can then be matched against the session source IP address and session destination IP address to determine the type of the data packet.
For example, when the source IP address of the data packet is the session source IP address and its destination IP address is the session destination IP address, the type of the data packet is a request packet; when the source IP address of the data packet is the session destination IP address and its destination IP address is the session source IP address, the type of the data packet is a response packet.
In this embodiment of the present application, when the type of the data packet to be detected is determined in the above manner to be a request packet and the destination IP address of the packet is the IP address of the Web service to be monitored, the packet can be determined to be a request packet for accessing the Web service to be monitored; when the type is determined in the above manner to be a response packet and the source IP address of the packet is the IP address of the Web service to be monitored, the packet can be determined to be a response packet of the Web service to be monitored.
Unless specified otherwise, in the embodiments of the present application, saying that the type of the data packet to be detected is a request packet means that it is a request packet for accessing the Web service to be monitored, and saying that its type is a response packet means that it is a response packet of the Web service to be monitored.
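The session-direction and packet-type logic described above, as an added Python example that is not part of the patent and not the applicant's code. The port list follows the page (80, 8080, 8081); 443 and 8443 are added as an assumption so that HTTPS sessions are handled the same way, and the monitored-service IP and sample addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Destination ports treated as Web service ports when identifying the session
# direction. 80, 8080 and 8081 come from the page; 443 and 8443 are an added
# assumption for HTTPS.
COMMON_WEB_PORTS: Set[int] = {80, 443, 8080, 8081, 8443}


@dataclass(frozen=True)
class FiveTuple:
    """Five-tuple as extracted from a packet (or, normalised, of a session)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # transport protocol, "TCP" or "UDP"


def session_direction_is_forward(pkt: FiveTuple) -> bool:
    """True when the packet travels session source IP -> session destination
    IP, i.e. its destination port is a Web service port."""
    return pkt.dst_port in COMMON_WEB_PORTS


def session_of(pkt: FiveTuple) -> FiveTuple:
    """Normalise a packet's five-tuple into the session five-tuple, whose
    source is always the client and whose destination is always the server.
    Packets of both directions therefore map to the same session."""
    if session_direction_is_forward(pkt):
        return pkt
    # Packet travels session destination IP -> session source IP: swap ends.
    return FiveTuple(pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)


def packet_type(pkt: FiveTuple, session: FiveTuple) -> str:
    """Match the packet's source/destination IPs against the session's
    source/destination IPs to decide request vs. response."""
    if pkt.src_ip == session.src_ip and pkt.dst_ip == session.dst_ip:
        return "request"
    if pkt.src_ip == session.dst_ip and pkt.dst_ip == session.src_ip:
        return "response"
    raise ValueError("packet does not belong to the session")


def classify(pkt: FiveTuple, monitored_service_ips: Set[str]) -> Optional[str]:
    """Return "request" for a request packet addressed to a monitored Web
    service, "response" for a response packet sent by one, None otherwise.
    Only packets classified as "response" go on to attack-success matching."""
    session = session_of(pkt)
    kind = packet_type(pkt, session)
    if kind == "request" and pkt.dst_ip in monitored_service_ips:
        return "request"
    if kind == "response" and pkt.src_ip in monitored_service_ips:
        return "response"
    return None  # traffic of a service that is not monitored


if __name__ == "__main__":
    monitored = {"10.0.0.5"}  # constructed: IP of the Web service to be monitored
    # Constructed sample: a client on 192.168.1.20 talking to the monitored
    # service on 10.0.0.5:443 and to an unmonitored host on 10.0.0.9:80.
    req = FiveTuple("192.168.1.20", "10.0.0.5", 51234, 443, "TCP")
    rsp = FiveTuple("10.0.0.5", "192.168.1.20", 443, 51234, "TCP")
    other = FiveTuple("10.0.0.9", "192.168.1.20", 80, 40000, "TCP")
    print(session_of(req) == session_of(rsp))  # both directions, one session
    print(classify(req, monitored), classify(rsp, monitored), classify(other, monitored))
```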
Step S140, when the type of the data packet to be detected is a response packet, matching the application layer data of the data packet against attack success features to determine whether the data packet belongs to malicious traffic.
In this embodiment of the present application, when the type of the data packet to be detected is determined to be the response data packet, matching may be performed based on the application layer data of the data packet to be detected and the attack success feature, so as to determine whether the data packet to be detected belongs to malicious traffic.
For example, it may be determined that the data packet to be detected belongs to malicious traffic in the case that the application layer data of the data packet to be detected is successfully matched with the attack success feature.
By way of example, the attack success features may include one or more of the presence of sensitive information in the web page data, the presence of malicious links in the web page data, and the tampering of the web page content.
For example, in the case that it is determined that the data packet to be detected belongs to malicious traffic, an alarm may be given to the data packet to be detected.
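Matching a response packet's (already decrypted) application layer data against the three kinds of attack success feature named above, as an added Python example that is neither the patent's nor the applicant's code. The sensitive-information patterns, the blocklisted hosts, the baseline page and the sample responses are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attack success feature 1: sensitive information in the page data
# (constructed signatures; a deployment maintains its own set).
SENSITIVE_PATTERNS = {
    "sql_error_leak": re.compile(rb"You have an error in your SQL syntax"),
    "private_key_leak": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "stack_trace_leak": re.compile(rb"Traceback \(most recent call last\)"),
}
# Attack success feature 2: malicious links in the page data, matched by host
# against a blocklist (constructed hosts).
MALICIOUS_HOSTS = {"evil.example", "cdn.evil.example"}
HREF_RE = re.compile(rb"""(?:href|src)\s*=\s*["']?\s*(?:https?:)?//([^/"'\s:>]+)""", re.I)


@dataclass
class ContentBaseline:
    """Attack success feature 3: tampered page content, detected by comparing
    the body's SHA-256 with the known-good hash recorded for that path."""
    hashes: Dict[str, str] = field(default_factory=dict)

    def record(self, path: str, body: bytes) -> None:
        self.hashes[path] = hashlib.sha256(body).hexdigest()

    def tampered(self, path: str, body: bytes) -> bool:
        known = self.hashes.get(path)
        return known is not None and known != hashlib.sha256(body).hexdigest()


def split_http_response(app_data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (status_line, body) for an HTTP response, or None when the
    application layer data is not a response (e.g. it is a request line)."""
    head, _, body = app_data.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    if not status_line.startswith(b"HTTP/"):
        return None
    return status_line, body


def match_attack_success(app_data: bytes, path: str,
                         baseline: ContentBaseline) -> List[str]:
    """Match the application layer data of a response packet against the
    attack success features; the returned list names every feature hit."""
    parsed = split_http_response(app_data)
    if parsed is None:
        return []
    _, body = parsed
    hits: List[str] = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(body):
            hits.append("sensitive_info:" + name)
    for host in HREF_RE.findall(body):
        host_text = host.decode("latin-1").lower()
        if host_text in MALICIOUS_HOSTS:
            hits.append("malicious_link:" + host_text)
    if baseline.tampered(path, body):
        hits.append("content_tampered")
    return hits


def is_malicious_response(app_data: bytes, path: str,
                          baseline: ContentBaseline) -> bool:
    """A successful match on any attack success feature marks the packet as
    malicious traffic, which is where an alarm would be raised."""
    return bool(match_attack_success(app_data, path, baseline))


if __name__ == "__main__":
    baseline = ContentBaseline()
    # Constructed known-good response of the monitored page.
    good = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Welcome</body></html>")
    baseline.record("/index.html", split_http_response(good)[1])
    # Constructed response after a successful attack: the page was altered,
    # references a blocklisted host and leaks a database error message.
    bad = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><body>Welcome<script src=\"//cdn.evil.example/x.js\"></script>"
           b"You have an error in your SQL syntax</body></html>")
    print(match_attack_success(good, "/index.html", baseline))
    print(match_attack_success(bad, "/index.html", baseline))
```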
It can be seen that in the method flow shown in Fig. 1, a plurality of encryption and decryption channels are set up in the cryptographic card, each handling the encryption and decryption operations of a pre-allocated session associated with the Web service to be monitored. For an obtained data packet to be detected that is determined to be an HTTPS packet, the session to which it belongs is determined from its session five-tuple information, the encryption and decryption channel associated with that session in the cryptographic card is determined, the application layer data of the packet is decrypted through that channel, and the undecrypted application layer data in the packet is replaced with the decrypted application layer data. When the data packet to be detected is an HTTP or HTTPS packet, its type can be determined, and when the type is a response packet, its application layer data is matched against attack success features to determine whether the packet belongs to malicious traffic. Malicious traffic detection is thus no longer limited to the packets requesting access to the Web service to be monitored: the response packets with which the Web service answers those requests are monitored as well. In this way security detection of HTTPS traffic is realised; the application layer data of HTTPS packets is decrypted by the cryptographic card, which improves decryption efficiency and security; and the case where the Web service has been successfully attacked can be detected effectively, which improves the comprehensiveness of malicious traffic detection and, in turn, the security of the equipment.
In some embodiments, determining the encryption and decryption channel associated with the session in the cryptographic card and decrypting the application layer data of the data packet to be detected through that channel may include:
determining whether an encryption and decryption channel associated with the session exists;
when no encryption and decryption channel associated with the session exists, allocating to the session, according to the Web service to be monitored that is associated with the session, an encryption and decryption channel from the idle channels allocated to that Web service, generating through that channel a symmetric key for the session based on the private key of the Web service to be monitored, decrypting the application layer data of the data packet to be detected with the symmetric key, and storing the symmetric key in association with the channel;
and when an encryption and decryption channel associated with the session exists, acquiring the symmetric key associated with that channel and decrypting the application layer data of the data packet to be detected with the symmetric key.
For any session, in the case of acquiring a data packet of the session, it may be determined whether an encryption and decryption channel associated with the session exists.
Under the condition that the encryption and decryption channels associated with the session do not exist, whether the encryption and decryption channels in an idle state exist in the encryption and decryption channels allocated for the Web service to be monitored can be inquired according to the Web service to be monitored associated with the session (namely, the Web service corresponding to the session destination IP address of the session). Under the condition that an encryption and decryption channel in an idle state exists, an encryption and decryption channel can be allocated to the session from the encryption and decryption channel in the idle state, a symmetric key of the session is generated based on a private key of the Web service to be monitored through the encryption and decryption channel, application layer data of the data packet to be detected is decrypted through the symmetric key, and the symmetric key is stored in association with the encryption and decryption channel.
In the cryptographic card, a plurality of encryption and decryption channels can be allocated to one Web service to be monitored, and the private key of the Web service to be monitored is stored in the cryptographic card in association with those encryption and decryption channels.
And under the condition that an encryption and decryption channel associated with the session exists, a symmetric key associated with the encryption and decryption channel is acquired, and the application layer data of the data packet to be detected is decrypted by using the symmetric key.
In one example, the private key of each Web service to be monitored may be obtained, the obtained private key of the Web service to be monitored is imported into the encryption card in the form of a correspondence between the IP address of the Web service to be monitored and the private key (the IP address of one Web service to be monitored and the private key corresponding thereto may be referred to as one private key group), and a private key group ID (identification) is assigned to each private key group.
For a Web service to be monitored, a plurality of encryption and decryption channels can be allocated to the Web service to be monitored in an encryption card, and an association relationship between the encryption and decryption channels and a private key of the Web service to be monitored is established (the association relationship between the encryption and decryption channels and a private key group ID of a private key group of the Web service to be monitored can be established).
For a data packet to be detected of the HTTPS protocol, once the session to which the data packet to be detected belongs has been determined, it can be determined whether an encryption and decryption channel associated with the session exists in the cryptographic card.
For example, for any session to which an encryption and decryption channel is allocated, the association relationship between the session five-tuple information of the session and the encryption and decryption channel may be stored. Accordingly, for any session, whether an encryption and decryption channel associated with the session exists or not can be queried according to session five-tuple information of the session.
Under the condition that no encryption and decryption channel associated with the session exists in the cryptographic card, an idle encryption and decryption channel is selected from the encryption and decryption channels allocated in the cryptographic card to the Web service to be monitored (that is, the Web service corresponding to the session's destination IP address) and allocated to the session; a symmetric key of the session is generated through that channel based on the private key of the Web service to be monitored, the application layer data of the data packet to be detected is decrypted with the symmetric key, and the symmetric key is stored in association with the encryption and decryption channel.
For any encryption and decryption channel allocated to the Web service to be monitored, the association between the encryption and decryption channel and the private key group ID of the private key group of the Web service to be monitored is established in the above manner. Correspondingly, for any Web service to be monitored, the corresponding private key group can be determined from the IP address of the Web service to be monitored, and the encryption and decryption channels allocated to the Web service to be monitored can be determined from the private key group ID of that private key group.
And under the condition that an encryption and decryption channel associated with the session exists, a symmetric key associated with the encryption and decryption channel is acquired, and the application layer data of the data packet to be detected is decrypted by using the symmetric key.
In one example, the encryption and decryption channels in the cryptographic card include encryption and decryption channels allocated to each Web service to be monitored, and backup encryption and decryption channels;
the malicious traffic detection scheme provided by the embodiment of the application may include:
and under the condition that an encryption and decryption channel associated with the session does not exist and an idle channel does not exist in the encryption and decryption channels allocated for the Web service to be monitored, allocating an encryption and decryption channel for the session from the idle backup encryption and decryption channels, generating a symmetric key of the session based on a private key of the Web service to be monitored through the encryption and decryption channel, decrypting application layer data of a data packet to be detected by using the symmetric key, and storing the symmetric key in association with the encryption and decryption channel.
For example, the traffic processing requirements of different Web services to be monitored may change over time: in one period, one Web service to be monitored may carry relatively more traffic, and in another period a different Web service to be monitored may carry more. If a fixed number of encryption and decryption channels is set for each Web service to be monitored, some Web services may run short of encryption and decryption channels while the encryption and decryption channels of other Web services sit largely idle.
Based on this, the encryption and decryption channels in the cryptographic card comprise the encryption and decryption channels allocated to each Web service to be monitored and backup encryption and decryption channels; that is, a certain number of encryption and decryption channels are reserved for flexible allocation, and a backup encryption and decryption channel can be allocated to any Web service to be monitored as required.
Correspondingly, under the condition that no encryption and decryption channel associated with the session exists and no idle channel exists in the encryption and decryption channels allocated for the Web service to be monitored, an encryption and decryption channel is allocated for the session from the idle backup encryption and decryption channel, a symmetric key of the session is generated based on a private key of the Web service to be monitored through the encryption and decryption channel, application layer data of a data packet to be detected is decrypted by utilizing the symmetric key, and the symmetric key is associated with the encryption and decryption channel for storage.
For example, a backup encryption and decryption channel allocated in the above manner may be returned to the backup pool when the corresponding session ends, and may later be allocated again to the same Web service to be monitored or to another Web service to be monitored as needed.
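The channel management described above, as an added example that is not code from the patent: channels on the cryptographic card are tied to a Web service's private key group, handed to sessions by five-tuple, spilled over into a shared backup pool when the service's own channels are busy, and returned when the session ends. The channel ids, key group ids and the short key-derivation stand-in are assumptions for illustration; the real symmetric key is computed on the card from the session's handshake.

```python
"""Per-Web-service encryption/decryption channel pool with backup channels.

Added example, not code from the patent. Channel ids, key-group ids and
the key-derivation stand-in are assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto)
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Channel:
    channel_id: int
    key_group_id: Optional[int]           # None while a backup channel is unassigned
    session: Optional[FiveTuple] = None
    symmetric_key: Optional[bytes] = None

    @property
    def idle(self) -> bool:
        return self.session is None


class ChannelPool:
    def __init__(self, private_keys: Dict[str, bytes], per_service: int, backup: int):
        # Private key group: service IP -> (group id, private key), as imported in S1.
        self.key_groups = {ip: (gid, kpr)
                           for gid, (ip, kpr) in enumerate(private_keys.items(), start=1)}
        self.channels: List[Channel] = []
        for gid, _ in self.key_groups.values():
            for _ in range(per_service):
                self.channels.append(Channel(len(self.channels) + 1, gid))
        for _ in range(backup):
            self.channels.append(Channel(len(self.channels) + 1, None))
        self.backup_ids = {c.channel_id for c in self.channels if c.key_group_id is None}
        self.by_session: Dict[FiveTuple, Channel] = {}

    @staticmethod
    def _derive_session_key(kpr: bytes, five_tuple: FiveTuple) -> bytes:
        # Stand-in for the card's computation (assumption). A real deployment
        # recovers the TLS pre-master secret with kpr and runs the TLS PRF.
        return hmac.new(kpr, repr(five_tuple).encode(), hashlib.sha256).digest()[:16]

    def acquire(self, five_tuple: FiveTuple) -> Optional[Channel]:
        """Return the channel serving this session, allocating one if needed."""
        ch = self.by_session.get(five_tuple)
        if ch is not None:
            return ch                      # channel exists: its stored key is reused
        dst_ip = five_tuple[2]
        if dst_ip not in self.key_groups:
            return None                    # destination is not a monitored service
        gid, kpr = self.key_groups[dst_ip]
        # 1) idle channel pre-allocated to this service, 2) idle backup channel.
        idle = [c for c in self.channels if c.idle and c.key_group_id == gid]
        if not idle:
            idle = [c for c in self.channels if c.idle and c.channel_id in self.backup_ids]
        if not idle:
            return None                    # pool exhausted: caller must queue or drop
        ch = idle[0]
        ch.key_group_id = gid
        ch.session = five_tuple
        ch.symmetric_key = self._derive_session_key(kpr, five_tuple)
        self.by_session[five_tuple] = ch
        return ch

    def release(self, five_tuple: FiveTuple) -> None:
        """Session ended: free the channel; a backup channel returns to the shared pool."""
        ch = self.by_session.pop(five_tuple, None)
        if ch is None:
            return
        ch.session = None
        ch.symmetric_key = None
        if ch.channel_id in self.backup_ids:
            ch.key_group_id = None
```

With one channel per service and one backup channel, a second session to the same service takes the backup channel, a third is refused until a channel is released, and a released backup channel can then serve any monitored service.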
In some embodiments, the matching between the application layer data based on the data packet to be detected and the attack success feature may include:
Under the condition that the attack success features include sensitive information in the web page data, sensitive information matching is performed on the application layer data of the data packet to be detected; the sensitive information matching comprises detecting whether the application layer data of the data packet to be detected includes specified sensitive information;
and/or,
under the condition that the attack success features include malicious links in the web page data, web page link analysis is performed on the application layer data of the data packet to be detected; the web page link analysis comprises detecting whether a URL (uniform resource locator) in the application layer data of the data packet to be detected includes a malicious link;
and/or,
under the condition that the attack success features include tampered web page content, web page similarity comparison is performed on the application layer data of the data packet to be detected; the web page similarity comparison comprises detecting whether the similarity between the application layer data of the data packet to be detected and the pre-stored web page information of a target web page is lower than a preset threshold; the target web page is the web page corresponding to the Web service that sent the data packet to be detected.
For example, when a Web service has been attacked successfully, its response data packets may carry specified sensitive information, such as drug-related, gambling-related or pornographic content.
In addition, the response data packets may carry malicious links, such as Trojan download links or links to malicious websites.
Furthermore, if the Web service has been attacked successfully, its web page content may have been tampered with, in which case the web page content differs significantly from the web page content before the attack.
Correspondingly, malicious traffic detection for the data packet to be detected can be realized by performing one or more of sensitive information matching, web page link analysis and web page similarity comparison on the application layer data of the data packet to be detected.
For example, in the case where the attack success feature includes the presence of sensitive information in the web page data, the application layer data of the data packet to be detected may be subjected to sensitive information matching.
And under the condition that the attack success characteristic comprises malicious links in the webpage data, webpage link analysis can be carried out on the application layer data of the data packet to be detected.
And under the condition that the attack success characteristic comprises that the webpage content is tampered, webpage similarity comparison can be carried out on the application layer data of the data packet to be detected.
For example, for the matching of the sensitive information, it may be determined that the data packet to be detected belongs to malicious traffic in the case that the application layer data of the data packet to be detected includes specified sensitive information.
For web page link analysis, the data packet to be detected may be determined to belong to malicious traffic when a URL (Uniform Resource Locator) in the application layer data of the data packet to be detected includes a malicious link.
By way of example, detection of malicious links may be achieved by one or more of malicious link database matching, character-based malicious link detection, threat intelligence matching, and the like.
For the comparison of web page similarity, it may be determined that the data packet to be detected belongs to malicious traffic when the similarity between the application layer data of the data packet to be detected and the pre-stored web page information of the target web page is lower than a preset threshold.
By way of example, web page similarity may include, but is not limited to, one or more of web page code similarity, web page screenshot similarity, and the like.
The target Web page may be a Web page corresponding to a Web service that sends data to be detected.
For any Web service to be monitored, the Web page corresponding to the Web service can be actively accessed, and the Web page information of the Web page can be acquired and stored.
In one example, the attack success features include the presence of sensitive information in the web page data, the presence of malicious links in the web page data, and the tampering of the web page content;
The matching between the application layer data based on the data packet to be detected and the attack success feature may include:
in a rapid analysis mode, sensitive information matching is carried out on application layer data of a data packet to be detected;
in a common analysis mode, carrying out sensitive information matching and webpage link analysis on application layer data of a data packet to be detected;
and in the deep analysis mode, carrying out sensitive information matching, web page link analysis and web page similarity comparison on application layer data of the data packet to be detected.
Illustratively, the attack success features include the presence of sensitive information in the web page data, the presence of malicious links in the web page data, and tampering of the web page content.
In order to improve the flexibility of malicious traffic detection, a plurality of different malicious traffic detection modes can be set so as to adapt to different application scene requirements.
By way of example, malicious traffic detection patterns may include, but are not limited to, one or more of a fast analysis pattern, a normal analysis pattern, a deep analysis pattern, and the like.
Because sensitive information matching, web page link analysis and web page similarity comparison consume increasing amounts of resources and time, in that order, different analysis modes can be selected according to the analysis efficiency and security requirements of the actual scenario.
For the scene with high analysis efficiency requirement and low security requirement, a rapid analysis mode can be selected, and in the mode, whether the data packet to be detected belongs to malicious traffic can be determined by carrying out sensitive information matching on application layer data of the data packet to be detected.
For the scene with medium analysis efficiency requirements and medium security requirements, a common analysis mode can be selected, and in the mode, whether the data packet to be detected belongs to malicious traffic can be determined by carrying out sensitive information matching and webpage link analysis on the application layer data of the data packet to be detected.
For the scene with low analysis efficiency requirement and high security requirement, a deep analysis mode can be selected, and in the mode, whether the data packet to be detected belongs to malicious traffic can be determined by carrying out sensitive information matching and web page link analysis on the application layer data of the data packet to be detected and web page similarity comparison.
It should be appreciated that the above-mentioned division manner of the malicious traffic detection modes and the corresponding malicious traffic detection manners under different malicious traffic detection modes are only specific examples in the embodiments of the present application, and are not intended to limit the protection scope of the present application. In the embodiment of the present application, more malicious traffic detection modes may be divided, and the correspondence between the malicious traffic detection modes and the malicious traffic detection modes may also be different, for example, the malicious traffic detection modes may include a mode one, a mode two, a mode three and a mode four, and the mode one may adopt a sensitive information matching mode; mode two, can adopt the analysis of the link of the webpage; mode three, can adopt sensitive information to match and webpage link analysis; mode four, web page similarity comparisons, etc. may be employed.
In an example, in a case where an alarm for a data packet to be detected is triggered by performing a web page similarity comparison on application layer data of the data packet to be detected, the malicious traffic detection method provided in the embodiment of the present application may further include:
and under the condition that the elimination instruction for the alarm is detected, eliminating the alarm, acquiring the latest webpage information of the target webpage, and updating the stored webpage information of the target webpage into the latest webpage information of the acquired target webpage.
For example, in an actual scenario the web page content corresponding to a Web service to be monitored may change substantially because of a normal update or upgrade. To reduce false alarms, an alarm triggered for a data packet to be detected by web page similarity comparison of its application layer data can therefore support manual elimination: when the user determines that the alarm was caused by a normal update or upgrade of the web page, the user eliminates the alarm.
For example, an alarm cause may be carried in an alarm for malicious traffic, where the alarm cause may indicate a trigger cause of the alarm, e.g., one or more of a trigger cause triggered by sensitive information matching, a trigger by web page link analysis, or a trigger cause triggered by web page similarity comparison, etc.
Accordingly, in the case that an elimination instruction for an alarm triggered by the web page similarity comparison is detected, the stored web page information of the target web page may be updated.
For example, the target webpage can be actively accessed, latest webpage information of the target webpage is obtained, and the stored webpage information of the target webpage is updated.
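The three attack success checks, the fast/normal/deep analysis modes, and the manual alarm elimination that refreshes the stored target web page, as one added example that is not code from the patent. The sensitive-word list, the malicious host set, the 0.8 similarity threshold and the use of a difflib character ratio as the "web page code similarity" measure are assumptions; a deployment would plug in its own word lists, threat intelligence lookups and, optionally, screenshot similarity.

```python
"""Attack-success checks on decrypted response bodies, selectable by
analysis mode, plus manual alarm clearing that refreshes the stored page
baseline. Added example, not code from the patent.
"""
import difflib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

SENSITIVE_WORDS = ("buy drugs here", "online casino", "adult video")   # constructed list
MALICIOUS_HOSTS = {"evil.example", "phish.example"}                    # constructed intel
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Analysis modes: checks run in order of rising cost.
MODES = {
    "fast": ("sensitive",),
    "normal": ("sensitive", "links"),
    "deep": ("sensitive", "links", "similarity"),
}


def main_domain(host: str) -> str:
    """Approximate the main domain by the last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


@dataclass
class Alarm:
    cause: str       # carried in the alarm so the operator knows what triggered it
    detail: str


class ResponseDetector:
    def __init__(self, baselines: Dict[str, str], threshold: float = 0.8):
        self.baselines = baselines       # service URL -> page content stored in S1
        self.threshold = threshold

    def sensitive_match(self, body: str) -> Optional[Alarm]:
        low = body.lower()
        for word in SENSITIVE_WORDS:
            if word in low:
                return Alarm("sensitive_information", word)
        return None

    def link_analysis(self, body: str, service_url: str) -> Optional[Alarm]:
        own = main_domain(urlparse(service_url).hostname or "")
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if main_domain(host) == own:
                continue                 # links under the service's own main domain are skipped
            if host in MALICIOUS_HOSTS:
                return Alarm("malicious_link", url)
        return None

    def similarity_compare(self, body: str, service_url: str) -> Optional[Alarm]:
        baseline = self.baselines.get(service_url)
        if baseline is None:
            return None                  # no stored page for this service
        ratio = difflib.SequenceMatcher(None, baseline, body).ratio()
        if ratio < self.threshold:
            return Alarm("page_similarity", f"similarity={ratio:.2f}")
        return None

    def detect(self, body: str, service_url: str, mode: str = "normal") -> List[Alarm]:
        checks: Dict[str, Callable[[], Optional[Alarm]]] = {
            "sensitive": lambda: self.sensitive_match(body),
            "links": lambda: self.link_analysis(body, service_url),
            "similarity": lambda: self.similarity_compare(body, service_url),
        }
        alarms: List[Alarm] = []
        for name in MODES[mode]:
            alarm = checks[name]()
            if alarm is not None:
                alarms.append(alarm)
        return alarms

    def clear_alarm(self, alarm: Alarm, service_url: str, latest_body: str) -> bool:
        """Operator clears the alarm; only a similarity alarm refreshes the baseline."""
        if alarm.cause != "page_similarity":
            return False
        self.baselines[service_url] = latest_body
        return True
```

A defaced page trips only the similarity check, so it is invisible in fast and normal mode; once the operator clears that alarm the defaced content becomes the new baseline, which is exactly why clearing should be reserved for confirmed legitimate updates.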
In order to enable those skilled in the art to better understand the technical solutions provided by the embodiments of the present application, the technical solutions provided by the embodiments of the present application are described below with reference to specific examples.
This embodiment provides a malicious traffic detection scheme that performs deep packet analysis of encrypted traffic and web page security monitoring based on a preset certificate and a cryptographic card.
As website security requirements keep rising, most websites provide web services over the HTTPS protocol, so security detection products must judge whether a web page is secure from encrypted traffic data. The scheme imports the encrypted-session private key of the web service to be detected and allocates the cryptographic card's encryption and decryption session resources directly from it; for the encrypted traffic monitored in real time, a cryptographic card encryption/decryption handle is requested per web service object (that is, per client requesting the service), and the traffic is decrypted in real time. Web service access traffic is matched against attack payload features and alarmed on; web service response traffic is detected and alarmed on by one or more of sensitive information matching, web page link analysis and web page similarity comparison.
The scheme is highly accurate with a low false alarm rate, and does not depend on collecting normal and malicious sample libraries or labelling samples in advance; it supports both web service security monitoring and security detection of encrypted traffic data, improving web service security and the efficiency with which web service anomalies are discovered.
As shown in fig. 2, the malicious traffic detection scheme provided by this embodiment may include the following steps:
S1, importing the server private key and service URL of the service to be monitored;
S2, monitoring the traffic data of the core network in real time;
S3, decrypting HTTPS data packets based on the server private key and the traffic data;
S4, malicious traffic detection for the HTTP protocol family;
S5, malicious traffic detection for conventional protocols;
S6, malicious threat handling.
The implementation of the steps is further described below in connection with the preferred embodiments.
S1, importing a server private key of a service to be monitored and a service URL
For example, this step can be performed at any time; once it has been performed, the Web service to be monitored can be monitored effectively, including both attack detection and successful-attack detection.
1.1, for web services to be monitored that use the HTTPS protocol, the set of encrypted session private keys key_private = [{ip_1, kpr_1}, {ip_2, kpr_2}, …, {ip_n, kpr_n}] of the web services to be monitored is imported into the system, where ip is the IP address of a web service to be monitored and kpr is the encrypted session private key of the corresponding service;
1.2, cryptographic card computing resources and a corresponding private key group ID are pre-allocated for each encrypted session private key group, for the subsequent symmetric key computation and ciphertext decryption of a specific encrypted session;
1.3, the web page URLs of the web services to be monitored (both those using the HTTP protocol and those using the HTTPS protocol) are imported, the web pages are actively accessed and their basic information is saved, such as a web page screenshot and some or all of the website links contained in the web page.
S2, monitoring flow data of core network in real time
This step can comprise traffic bypass mirroring and protocol parsing of the traffic data packets; encrypted traffic, once identified, goes to S3, and other traffic goes to S4 or S5:
2.1, monitor the traffic data of the core network in real time, parse the traffic data packets and extract their key features: source IP, destination IP, source port, destination port, protocol and application layer data;
2.2, data packets of the HTTPS protocol go to S3 for processing, data packets of the HTTP protocol go to S4, and data packets of other protocols go to S5.
S3, decrypting the https data packet based on the server private key and the flow data
This step comprises two main parts: deriving the symmetric key from the initial data packets of the HTTPS session, and decrypting the data packet ciphertext with the symmetric key. Note that recovering the pre-master secret with the server's private key presupposes an RSA key exchange; with (EC)DHE cipher suites, which provide forward secrecy and are the only option in TLS 1.3, the server's private key does not yield the session key and the passive decryption described here is not possible:
3.1, carrying out session reorganization and session pool establishment according to the source IP, the destination IP, the source port and the destination port:
3.1.1, determine the session direction: if the destination IP of the current data packet is in the IP list of key_private, the session direction is from the source IP of the current data packet to its destination IP, that is, the current data packet is a request data packet; otherwise, the session direction is from the destination IP to the source IP of the current data packet;
3.1.2, if the session five-tuple of the current data packet is already in the session pool, append the data packet to the corresponding session stream;
3.1.3, if the session five-tuple of the current data packet is not in the session pool, create a new session stream identified by the session five-tuple of the current data packet.
3.2, compute the keys of the current session. If the current session stream already has the symmetric key symmetry_key, go directly to 3.3:
3.2.1, reassemble the application layer data of the current session stream and extract the pre-master secret ciphertext pre-master_secret from the data packet; if present, proceed to the next step, otherwise end the current flow;
3.2.2, compute the master_secret of the current session on the cryptographic card from the server private key imported in step S1, the handshake information and the pre-master secret ciphertext;
3.2.3, extract the ciphertext data of the symmetric key from the data packet; if present, proceed to the next step, otherwise exit;
3.2.4, compute the symmetric key of the current session from the master key; if this succeeds, go to 3.3, otherwise exit.
3.3, decrypt the application layer data of the current session: decrypt the application layer message data of the data packets of the current session stream with the symmetric key from 3.2, replace the original undecrypted application layer data field, and pass the following to S4: source IP, destination IP, source port, destination port, protocol, session direction and application layer data.
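The key computation that step 3.2 hands to the cryptographic card is, for the RSA key exchange, the TLS 1.2 key schedule of RFC 5246: the pre-master secret recovered with the server private key is expanded with the PRF into the master secret and then into the per-direction write keys. The following is an added example of that schedule, not the patent's code; the RSA decryption of the ClientKeyExchange ciphertext stays on the card, so the 48-byte pre-master secret and the two Hello randoms are constructed inputs here, and the key and IV sizes are those of AES_128_GCM (assumption).

```python
"""TLS 1.2 key schedule for the RSA key exchange (RFC 5246).

Added example, not the patent's code. Inputs are constructed; the RSA
decryption of the pre-master secret is assumed to have happened on the
cryptographic card. Key/IV sizes are for AES_128_GCM (assumption).
"""
import hashlib
import hmac
from typing import Dict


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: HMAC(secret, A(i) + seed), A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret",
    #                     ClientHello.random + ServerHello.random)[0..47]
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master: bytes, client_random: bytes, server_random: bytes,
                     key_len: int = 16, iv_len: int = 4) -> Dict[str, bytes]:
    # key_block = PRF(master_secret, "key expansion", ServerHello.random + ClientHello.random)
    # Note the reversed random order. AEAD suites have no MAC keys, so the block is
    # client_write_key | server_write_key | client_write_IV | server_write_IV.
    kb = prf(master, b"key expansion", server_random + client_random, 2 * (key_len + iv_len))
    keys: Dict[str, bytes] = {}
    pos = 0
    for name, size in (("client_write_key", key_len), ("server_write_key", key_len),
                       ("client_write_iv", iv_len), ("server_write_iv", iv_len)):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """Everything the channel stores for the session: master secret and write keys/IVs."""
    master = derive_master_secret(pre_master, client_random, server_random)
    return {"master_secret": master, **derive_key_block(master, client_random, server_random)}


# Constructed inputs: pre-master secret = client version (0x0303) + 46 "random" bytes.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    for name, value in session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(f"{name:18s} {value.hex()}")
```

Both Hello randoms are needed alongside the private key, which is why the session's initial packets must be reassembled before any application data can be decrypted; a channel that joins a flow after the handshake cannot recover the keys.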
S4, malicious traffic detection of http protocol family
This step performs malicious traffic detection on data packets of the HTTP protocol and the HTTPS protocol, specifically detecting both attacks and successful compromises in a web access scenario:
4.1, for HTTP protocol traffic, carrying out session direction identification based on a source port and a destination port; in the case that the destination port is in the list of common web service ports (e.g., [80, 8080, 8081], etc.), determining the current session direction as source IP to destination IP; otherwise, determining that the session direction is from the destination IP to the source IP;
4.2, determining the type of the current data packet based on the source IP and the destination IP and the session direction: request packets or response packets. Under the condition that the session direction is from a source IP to a destination IP, determining that the current session is a request data packet; otherwise, determining the current data packet as a response data packet;
4.3, for a request data packet, match the application layer data against attack behaviour features to identify attacks on the web service, such as SQL (Structured Query Language) injection, XSS (cross-site scripting), malicious file upload and password brute-forcing; if an attack behaviour is matched, go to S6;
4.4, for a response data packet, match the application layer data against attack success features to judge whether the current web service has been compromised, for example by a Trojan planted on the website, an embedded malicious website, a pornographic website link and the like; the following three methods may be used:
4.4.1, sensitive information matching: check whether the application layer data contains sensitive information; if it contains drug-related, gambling-related or pornographic keywords and the like, determine that the current data packet belongs to malicious traffic and go to S6;
4.4.2, web page link analysis: extract the URL data contained in the application layer data, remove links whose main domain is the same as that of the current web service, and judge the maliciousness of the remaining links, including phishing link detection, malicious website detection and the like; if a malicious link is matched, determine that the current data packet belongs to malicious traffic and go to S6;
4.4.3, web page similarity comparison: compare the current application layer data with the web page information pre-stored in S1; if the similarity is lower than the preset threshold, determine that the web page may have been tampered with or modified, and go to S6.
S5, malicious flow detection of conventional protocol
In this step, for a data packet that is not an HTTP protocol or an HTTPs protocol, traffic maliciousness determination may be performed based on a preset rule:
Malicious traffic detection is performed based on existing rules, such as botnet detection, DNS anomaly detection, malicious file detection, worm detection and the like; if the detection determines that the current data packet belongs to malicious traffic, go to S6.
S6, malicious threat handling
This step handles the alarm data from S4 and S5; handling methods include one or more of blocking, banning, user alerting and the like:
6.1, for request data packet alarms from S4 and alarms from S5, block, ban or alert the user according to the preset handling scheme; the object handled is the attacker;
6.2, for response data packet alarms from S4, handle according to the preset handling scheme; alarms generated by web page similarity comparison support manual elimination by the user, which updates the stored web page information of the preset web page URL, so that false alarms caused by normal web page updates or upgrades are reduced.
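Steps 3.1 and 4.1 to 4.3 (session reassembly by five-tuple, request/response classification by destination IP or port, and attack behaviour matching on request data packets), as one added example that is not code from the patent. The monitored-service IP list standing in for the IPs in key_private, the common web port list [80, 8080, 8081], the handful of SQL injection / XSS / file upload signatures and the password brute-force threshold are constructed for illustration; a deployment loads its own rule set. Response data packets are only classified here; they are passed on to the attack success checks of 4.4.

```python
"""Session reassembly, request/response classification and request-side
attack feature matching. Added example, not code from the patent.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MONITORED_IPS = {"10.0.0.1", "10.0.0.2"}     # IPs of HTTPS services in key_private (assumption)
WEB_PORTS = {80, 8080, 8081}                  # common web service ports (4.1)
BRUTE_FORCE_THRESHOLD = 5                     # login attempts per source (assumption)

ATTACK_SIGNATURES = {                         # constructed, minimal rule set
    "sql_injection": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|\bsleep\s*\()"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|onerror\s*=)"),
    "malicious_upload": re.compile(r'(?i)filename="[^"]+\.(php|jsp|aspx?)"'),
}

SessionKey = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "HTTP" or "HTTPS" (after S2 protocol parsing)
    payload: str      # application layer data, already decrypted for HTTPS (S3)


def session_key(p: Packet) -> SessionKey:
    """Canonical five-tuple so both directions of a flow map to one session (3.1)."""
    a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
    lo, hi = min(a, b), max(a, b)
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


def is_request(p: Packet) -> bool:
    """3.1.1 for HTTPS: destination in the private key IP list; 4.1 for HTTP: destination port."""
    if p.proto == "HTTPS":
        return p.dst_ip in MONITORED_IPS
    return p.dst_port in WEB_PORTS


def match_attack(payload: str) -> Optional[str]:
    """4.3: attack behaviour features on a request; returns the first matching rule name."""
    for name, rx in ATTACK_SIGNATURES.items():
        if rx.search(payload):
            return name
    return None


class SessionPool:
    def __init__(self) -> None:
        self.streams: Dict[SessionKey, List[Packet]] = defaultdict(list)
        self.login_attempts: Dict[str, int] = defaultdict(int)

    def ingest(self, p: Packet) -> Tuple[SessionKey, str, Optional[str]]:
        """Add the packet to its session stream (3.1.2/3.1.3) and classify it (4.2/4.3).

        Returns (session key, "request" or "response", alarm name or None).
        """
        key = session_key(p)
        self.streams[key].append(p)
        if not is_request(p):
            return key, "response", None          # handed to the 4.4 checks by the caller
        alarm = match_attack(p.payload)
        if alarm is None and p.payload.startswith("POST /login"):
            # Password brute-forcing is stateful: count login requests per source.
            self.login_attempts[p.src_ip] += 1
            if self.login_attempts[p.src_ip] >= BRUTE_FORCE_THRESHOLD:
                alarm = "password_brute_force"
        return key, "request", alarm
```

The canonical key is what lets the response packet from the server land in the same stream as the request that triggered it, which the similarity and link checks of 4.4 need in order to know which service URL the response belongs to.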
Therefore, this embodiment adopts a malicious traffic detection scheme based on real-time traffic detection and feature matching that does not depend on the samples and labels required by machine learning methods, so the false alarm rate can be effectively reduced.
In addition, the scheme uses the cryptographic card's ability to serve one key through multiple handles to decrypt traffic, achieving concurrent decryption of encrypted traffic under a multi-key scenario and effectively solving the problem of decrypting encrypted traffic from multiple servers and multiple access sessions in a real deployment.
Furthermore, malicious traffic is defined to include not only attack behaviour initiated by a client but also the traffic carrying malicious information that is generated after the Web service has been successfully attacked or tampered with, so that both the attack process and the malicious traffic after a successful attack are detected, improving the comprehensiveness of malicious traffic detection.
The methods provided herein are described above. The apparatus provided in this application is described below:
referring to fig. 3, a schematic structural diagram of a malicious traffic detection device provided in an embodiment of the present application, as shown in fig. 3, the malicious traffic detection device may include:
an acquiring unit 310, configured to acquire a data packet to be detected;
a first determining unit 320, configured to determine, according to session five-tuple information of the data packet to be detected, a session to which the data packet to be detected belongs, when the data packet to be detected is a data packet of a hypertext transfer security protocol HTTPs protocol;
the decryption unit 330 is configured to determine an encryption and decryption channel associated with the session in the cryptographic card, decrypt the application layer data of the data packet to be detected through the encryption and decryption channel, and replace the undecrypted application layer data in the data packet to be detected with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which is used to process the encryption and decryption operations of the sessions associated with the Web service to be monitored to which it is pre-allocated;
a second determining unit 340, configured to determine a type of the data packet to be detected, where the data packet to be detected is a data packet of a hypertext transfer protocol HTTP protocol or an HTTPs protocol; the type of the data packet comprises a request data packet or a response data packet, wherein the request data packet is used for requesting the Web service to be monitored to be accessed, and the response data packet is used for responding to the access request by the Web service to be monitored;
And the detecting unit 350 is configured to, when the type of the data packet to be detected is a response data packet, match the data packet to be detected based on the application layer data of the data packet to be detected and the attack success feature, so as to determine whether the data packet to be detected belongs to malicious traffic.
In some embodiments, the decryption unit 330 determines an encryption and decryption channel associated with the session in the cryptographic card, and decrypts the application layer data of the data packet to be detected through the encryption and decryption channel, including:
determining whether an encryption and decryption channel associated with the session exists;
under the condition that an encryption and decryption channel associated with the session does not exist, according to the Web service to be monitored associated with the session, an encryption and decryption channel is allocated to the session from the encryption and decryption channels in an idle state allocated to the Web service to be monitored, a symmetric key of the session is generated based on a private key of the Web service to be monitored through the encryption and decryption channel, application layer data of the data packet to be detected is decrypted through the symmetric key, and the symmetric key is associated with the encryption and decryption channel for storage;
and under the condition that an encryption and decryption channel associated with the session exists, a symmetric key associated with the encryption and decryption channel is acquired, and the application layer data of the data packet to be detected is decrypted by using the symmetric key.
In some embodiments, the encryption and decryption channels in the cryptographic card include encryption and decryption channels allocated to each Web service to be monitored, and backup encryption and decryption channels;
the decryption unit 330 is further configured to, when there is no encryption and decryption channel associated with the session and no idle channel exists in the encryption and decryption channels allocated to the Web service to be monitored, allocate an encryption and decryption channel from the idle backup encryption and decryption channels for the session, generate, through the encryption and decryption channel, a symmetric key of the session based on a private key of the Web service to be monitored, decrypt application layer data of the data packet to be detected using the symmetric key, and store the symmetric key in association with the encryption and decryption channel.
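The channel lookup and allocation order described in the two embodiments above, as an added example that is not the patent's code: a software simulation of the cryptographic card with a per-service channel pool and a shared backup pool. `CryptoCardSimulator`, `ChannelExhausted`, the HMAC-based key derivation and the XOR stream cipher are stand-ins assumed for the demo; a real card would run the TLS key schedule and record cipher instead.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Session five-tuple: (src_ip, src_port, dst_ip, dst_port, proto)
FiveTuple = Tuple[str, int, str, int, str]


class ChannelExhausted(Exception):
    """No idle channel in the service's own pool and no idle backup channel."""


@dataclass
class Channel:
    channel_id: int
    service: Optional[str]               # owning Web service; None = backup pool
    session: Optional[FiveTuple] = None  # bound session, None while idle
    symmetric_key: Optional[bytes] = None

    @property
    def idle(self) -> bool:
        return self.session is None


class CryptoCardSimulator:
    def __init__(self, per_service: Dict[str, int], backup: int,
                 private_keys: Dict[str, bytes],
                 service_endpoints: Dict[Tuple[str, int], str]) -> None:
        self.private_keys = private_keys              # per-service private key
        self.service_endpoints = service_endpoints    # (dst_ip, dst_port) -> service
        self.channels: List[Channel] = []
        for service, count in per_service.items():   # channels pre-allocated per service
            for _ in range(count):
                self.channels.append(Channel(len(self.channels), service))
        for _ in range(backup):                       # shared backup channels
            self.channels.append(Channel(len(self.channels), None))
        self.by_session: Dict[FiveTuple, Channel] = {}

    def service_for(self, session: FiveTuple) -> str:
        """The monitored Web service a session belongs to, by destination."""
        return self.service_endpoints[(session[2], session[3])]

    def _first_idle(self, service: Optional[str]) -> Optional[Channel]:
        return next((c for c in self.channels if c.service == service and c.idle), None)

    def channel_for(self, session: FiveTuple) -> Channel:
        """Reuse the channel bound to the session (key cached); else an idle channel
        from the service's own pool; else an idle backup channel; else fail."""
        ch = self.by_session.get(session)
        if ch is not None:
            return ch
        service = self.service_for(session)
        ch = self._first_idle(service) or self._first_idle(None)
        if ch is None:
            raise ChannelExhausted(f"no idle channel for {service}")
        ch.session = session
        ch.symmetric_key = self._derive_key(service, session)
        self.by_session[session] = ch
        return ch

    def _derive_key(self, service: str, session: FiveTuple) -> bytes:
        # Stand-in for "generate the session's symmetric key from the service's private
        # key": HMAC-SHA256(private_key, five-tuple). A real card runs the TLS key schedule.
        msg = "|".join(map(str, session)).encode()
        return hmac.new(self.private_keys[service], msg, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, length: int) -> bytes:
        out = bytearray()
        for counter in range((length + 31) // 32):
            out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        return bytes(out[:length])

    def decrypt(self, session: FiveTuple, ciphertext: bytes) -> bytes:
        """Decrypt application-layer data on the session's channel (toy XOR stream
        cipher in place of the TLS record cipher; the key stays inside the card)."""
        key = self.channel_for(session).symmetric_key
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(key, len(ciphertext))))

    encrypt = decrypt   # XOR stream cipher: the same operation in both directions

    def release(self, session: FiveTuple) -> None:
        """Return the channel to the idle state when the session ends."""
        ch = self.by_session.pop(session, None)
        if ch is not None:
            ch.session, ch.symmetric_key = None, None


def build_demo_card() -> CryptoCardSimulator:
    """Constructed setup: one monitored service with one own channel plus one backup."""
    return CryptoCardSimulator(per_service={"shop": 1}, backup=1,
                               private_keys={"shop": b"constructed-demo-private-key"},
                               service_endpoints={("10.0.0.5", 443): "shop"})
```

With the pool sized this way a third concurrent session for the same service cannot be decrypted and raises `ChannelExhausted`; whether such packets are dropped or passed through undecrypted is a policy decision the page leaves open.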
In some embodiments, the matching performed by the detecting unit 350 on the application layer data of the data packet to be detected against the attack success features includes:
when the attack success features include the presence of sensitive information in web page data, performing sensitive information matching on the application layer data of the data packet to be detected; the sensitive information matching detects whether the application layer data of the data packet to be detected includes designated sensitive information;
and/or,
when the attack success features include the presence of malicious links in web page data, performing web page link analysis on the application layer data of the data packet to be detected; the web page link analysis detects whether a Uniform Resource Locator (URL) in the application layer data of the data packet to be detected includes a malicious link;
and/or,
when the attack success features include tampered web page content, performing web page similarity comparison on the application layer data of the data packet to be detected; the web page similarity comparison detects whether the similarity between the application layer data of the data packet to be detected and the pre-stored web page information of the target web page is below a preset threshold; the target web page is the web page served by the Web service that sent the data packet to be detected.
In some embodiments, the attack success features include the presence of sensitive information in web page data, the presence of malicious links in web page data, and tampered web page content;
the matching performed by the detecting unit 350 on the application layer data of the data packet to be detected against the attack success features includes:
in a rapid analysis mode, performing sensitive information matching on the application layer data of the data packet to be detected;
in a common analysis mode, performing sensitive information matching and web page link analysis on the application layer data of the data packet to be detected;
and in a deep analysis mode, performing sensitive information matching, web page link analysis and web page similarity comparison on the application layer data of the data packet to be detected.
In some embodiments, the detecting unit 350 is further configured to, when the alert for the data packet to be detected is triggered by performing the web page similarity comparison on the application layer data of the data packet to be detected and an instruction for removing the alert is detected, remove the alert, obtain the latest web page information of the target web page, and update the stored web page information of the target web page to the obtained latest web page information of the target web page.
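The request/response classification, the three matches and the three analysis modes described above, together with the baseline refresh after a tampering alert is cleared, as an added example that is not the patent's code. `ResponseAnalyzer`, the sensitive-information patterns, the host blocklist, the word-set Jaccard similarity and the 0.6 threshold are all constructed for the demo.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Checks run in each analysis mode: rapid is a subset of common, common of deep.
MODES: Dict[str, Tuple[str, ...]] = {
    "rapid": ("sensitive",),
    "common": ("sensitive", "links"),
    "deep": ("sensitive", "links", "similarity"),
}
# Constructed "designated sensitive information" patterns for the demo.
SENSITIVE_PATTERNS = {
    "db_connection_string": re.compile(r"\b(?:mysql|postgres)://\S+:\S+@", re.I),
    "python_stack_trace": re.compile(r"Traceback \(most recent call last\)"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
MALICIOUS_HOSTS: Set[str] = {"evil-cdn.example", "malware.example"}  # constructed blocklist
URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def packet_type(app_data: str) -> str:
    """Request or response: an HTTP response begins with its status line."""
    return "response" if app_data.startswith("HTTP/") else "request"


def visible_words(html: str) -> Set[str]:
    """Markup-independent view of a page: the set of its visible words."""
    return set(TAG_RE.sub(" ", html).lower().split())


class ResponseAnalyzer:
    def __init__(self, baselines: Dict[str, str], threshold: float = 0.6) -> None:
        self.baselines = baselines      # page key -> pre-stored web page information
        self.threshold = threshold      # preset similarity threshold

    def sensitive_matching(self, body: str) -> List[str]:
        return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]

    def link_analysis(self, body: str) -> List[str]:
        hits = []
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in MALICIOUS_HOSTS or any(host.endswith("." + h) for h in MALICIOUS_HOSTS):
                hits.append(url)
        return hits

    def similarity(self, page_key: str, body: str) -> float:
        """Jaccard similarity of visible words against the stored baseline
        (1.0 when no baseline exists, so an unknown page never alerts)."""
        base = self.baselines.get(page_key)
        if base is None:
            return 1.0
        a, b = visible_words(base), visible_words(body)
        return 1.0 if not (a | b) else len(a & b) / len(a | b)

    def analyze(self, page_key: str, app_data: str, mode: str) -> Dict[str, object]:
        """Run the checks selected by `mode` over a response packet's body."""
        if packet_type(app_data) != "response":       # only responses are matched
            return {"checked": False, "malicious": False, "findings": []}
        body = app_data.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in app_data else ""
        findings: List[Tuple[str, object]] = []
        checks = MODES[mode]
        if "sensitive" in checks:
            findings += [("sensitive", n) for n in self.sensitive_matching(body)]
        if "links" in checks:
            findings += [("malicious_link", u) for u in self.link_analysis(body)]
        if "similarity" in checks:
            ratio = self.similarity(page_key, body)
            if ratio < self.threshold:
                findings.append(("tampered", round(ratio, 2)))
        return {"checked": True, "malicious": bool(findings), "findings": findings}

    def clear_tamper_alert(self, page_key: str, latest_app_data: str) -> None:
        """Operator clears a tampering alert: the latest page becomes the new baseline."""
        self.baselines[page_key] = latest_app_data.split("\r\n\r\n", 1)[-1]


def build_demo_analyzer() -> ResponseAnalyzer:
    """Constructed baseline for the demo Web service's front page."""
    return ResponseAnalyzer({"shop:/": "<html><body><h1>Shop</h1><p>Welcome</p></body></html>"})
```

Comparing visible words rather than raw markup keeps shared headers and boilerplate tags from inflating the similarity score, which is the failure mode that would otherwise let a defaced page pass the threshold.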
An embodiment of the present application also provides an electronic device comprising a processor and a memory, where the memory is used to store a computer program and the processor is used to implement the malicious traffic detection method described above when executing the program stored in the memory.
Fig. 4 is a schematic hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 401, a memory 402 storing machine-executable instructions. The processor 401 and the memory 402 may communicate via a system bus 403. Also, the processor 401 may perform the malicious traffic detection method described above by reading and executing machine-executable instructions in the memory 402 corresponding to the malicious traffic detection logic.
The memory 402 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions or data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (e.g., a hard drive), a solid-state drive, any type of storage disk (e.g., an optical disk or DVD), a similar storage medium, or a combination thereof.
In some embodiments, a machine-readable storage medium, such as memory 402 in fig. 4, is also provided, having stored therein machine-executable instructions that when executed by a processor implement the malicious traffic detection method described above. For example, the machine-readable storage medium may be ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc.
Embodiments of the present application also provide a computer program product storing a computer program and causing a processor to perform the malicious traffic detection method described above when the processor executes the computer program.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The foregoing description of the preferred embodiments of the present invention is not intended to limit the invention to the precise form disclosed, and any modifications, equivalents, improvements and alternatives falling within the spirit and principles of the present invention are intended to be included within the scope of the present invention.

Claims (10)

1. A malicious traffic detection method, comprising:
acquiring a data packet to be detected;
when the data packet to be detected is a data packet of the Hypertext Transfer Protocol Secure (HTTPS) protocol, determining the session to which the data packet to be detected belongs according to the session five-tuple information of the data packet to be detected;
determining the encryption and decryption channel associated with the session in the cryptographic card, decrypting the application layer data of the data packet to be detected through that encryption and decryption channel, and replacing the undecrypted application layer data in the data packet to be detected with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which handles the encryption and decryption operations of a pre-allocated session associated with a Web service to be monitored;
determining the type of the data packet to be detected when the data packet to be detected is a data packet of the Hypertext Transfer Protocol (HTTP) or HTTPS protocol; the type of the data packet is either a request data packet or a response data packet, where a request data packet requests access to the Web service to be monitored and a response data packet is the response of the Web service to be monitored to that access request;
And under the condition that the type of the data packet to be detected is a response data packet, matching is carried out based on the application layer data of the data packet to be detected and the attack success characteristics so as to determine whether the data packet to be detected belongs to malicious traffic.
2. The method of claim 1, wherein determining an encryption and decryption channel associated with the session in the cryptographic card and decrypting application layer data of the data packet to be detected via the encryption and decryption channel comprises:
determining whether an encryption and decryption channel associated with the session exists;
under the condition that an encryption and decryption channel associated with the session does not exist, according to the Web service to be monitored associated with the session, an encryption and decryption channel is allocated to the session from the encryption and decryption channels in an idle state allocated to the Web service to be monitored, a symmetric key of the session is determined based on a private key of the Web service to be monitored through the encryption and decryption channel, application layer data of the data packet to be detected is decrypted through the symmetric key, and the symmetric key is associated with the encryption and decryption channel for storage;
and under the condition that an encryption and decryption channel associated with the session exists, a symmetric key associated with the encryption and decryption channel is acquired, and the application layer data of the data packet to be detected is decrypted by using the symmetric key.
3. The method of claim 2, wherein the encryption and decryption channels in the cryptographic card include encryption and decryption channels allocated to each Web service to be monitored, and backup encryption and decryption channels;
the method further comprises the steps of:
and under the condition that no encryption and decryption channel associated with the session exists and no idle channel exists in the encryption and decryption channels allocated for the Web service to be monitored, allocating an encryption and decryption channel for the session from the idle backup encryption and decryption channels, determining a symmetric key of the session based on a private key of the Web service to be monitored through the encryption and decryption channel, decrypting application layer data of the data packet to be detected by using the symmetric key, and storing the symmetric key and the encryption and decryption channel in an associated mode.
4. The method of claim 1, wherein the matching based on the application layer data of the data packet to be detected and the attack success features comprises:
when the attack success features include the presence of sensitive information in web page data, performing sensitive information matching on the application layer data of the data packet to be detected; the sensitive information matching detects whether the application layer data of the data packet to be detected includes designated sensitive information;
and/or,
when the attack success features include the presence of malicious links in web page data, performing web page link analysis on the application layer data of the data packet to be detected; the web page link analysis detects whether the URL in the application layer data of the data packet to be detected includes the malicious link;
and/or,
when the attack success features include tampered web page content, performing web page similarity comparison on the application layer data of the data packet to be detected; the web page similarity comparison detects whether the similarity between the application layer data of the data packet to be detected and the pre-stored web page information of the target web page is below a preset threshold; the target web page is the web page served by the Web service that sent the data packet to be detected.
5. The method of claim 4, wherein the attack success features include the presence of sensitive information in web page data, the presence of malicious links in web page data, and tampered web page content;
and the matching based on the application layer data of the data packet to be detected and the attack success features comprises:
in a rapid analysis mode, sensitive information matching is carried out on the application layer data of the data packet to be detected;
In a common analysis mode, carrying out sensitive information matching and webpage link analysis on the application layer data of the data packet to be detected;
and in a deep analysis mode, performing sensitive information matching, web page link analysis and web page similarity comparison on the application layer data of the data packet to be detected.
6. The method of claim 4, wherein in the event that an alert for the data packet to be detected is triggered by a web page similarity comparison of application layer data of the data packet to be detected, the method further comprises:
and under the condition that an instruction for eliminating the alarm is detected, eliminating the alarm, acquiring the latest webpage information of a target webpage, and updating the stored webpage information of the target webpage into the acquired latest webpage information of the target webpage.
7. A malicious traffic detection device, comprising:
the acquisition unit is used for acquiring the data packet to be detected;
the first determining unit is used for determining, when the data packet to be detected is a data packet of the Hypertext Transfer Protocol Secure (HTTPS) protocol, the session to which the data packet to be detected belongs according to the session five-tuple information of the data packet to be detected;
the decryption unit is used for determining the encryption and decryption channel associated with the session in the cryptographic card, decrypting the application layer data of the data packet to be detected through that encryption and decryption channel, and replacing the undecrypted application layer data in the data packet to be detected with the decrypted application layer data; the cryptographic card is provided with a plurality of encryption and decryption channels, each of which handles the encryption and decryption operations of a pre-allocated session associated with a Web service to be monitored;
the second determining unit is used for determining the type of the data packet to be detected when the data packet to be detected is a data packet of the Hypertext Transfer Protocol (HTTP) or HTTPS protocol; the type of the data packet is either a request data packet or a response data packet, where a request data packet requests access to the Web service to be monitored and a response data packet is the response of the Web service to be monitored to that access request;
and the detection unit is used for matching based on the application layer data of the data packet to be detected and the attack success characteristics under the condition that the type of the data packet to be detected is a response data packet so as to determine whether the data packet to be detected belongs to malicious traffic.
8. The apparatus of claim 7, wherein the decryption unit determines an encryption and decryption channel associated with the session in the cryptographic card, and decrypts application layer data of the data packet to be detected via the encryption and decryption channel, comprising:
determining whether an encryption and decryption channel associated with the session exists;
under the condition that an encryption and decryption channel associated with the session does not exist, according to the Web service to be monitored associated with the session, an encryption and decryption channel is allocated to the session from the encryption and decryption channels in an idle state allocated to the Web service to be monitored, a symmetric key of the session is determined based on a private key of the Web service to be monitored through the encryption and decryption channel, application layer data of the data packet to be detected is decrypted through the symmetric key, and the symmetric key is associated with the encryption and decryption channel for storage;
under the condition that an encryption and decryption channel associated with the session exists, a symmetric key associated with the encryption and decryption channel is obtained, and the symmetric key is utilized to decrypt the application layer data of the data packet to be detected;
the encryption and decryption channels in the cryptographic card include the encryption and decryption channels allocated to each Web service to be monitored, and backup encryption and decryption channels;
And the decryption unit is further configured to allocate an encryption and decryption channel from the idle backup encryption and decryption channel to the session when no encryption and decryption channel associated with the session exists and no idle channel exists in the encryption and decryption channel allocated to the Web service to be monitored, determine a symmetric key of the session based on a private key of the Web service to be monitored through the encryption and decryption channel, decrypt application layer data of the data packet to be detected by using the symmetric key, and store the symmetric key in association with the encryption and decryption channel.
9. The apparatus of claim 7, wherein the detection unit matches based on application layer data of the data packet to be detected and attack success characteristics, comprising:
under the condition that the attack success characteristics comprise sensitive information in webpage data, sensitive information matching is carried out on application layer data of the data packet to be detected; the sensitive information matching comprises detecting whether application layer data of the data packet to be detected comprises appointed sensitive information or not;
and/or,
when the attack success features include the presence of malicious links in web page data, performing web page link analysis on the application layer data of the data packet to be detected; the web page link analysis detects whether a Uniform Resource Locator (URL) in the application layer data of the data packet to be detected includes a malicious link;
and/or,
when the attack success features include tampered web page content, performing web page similarity comparison on the application layer data of the data packet to be detected; the web page similarity comparison detects whether the similarity between the application layer data of the data packet to be detected and the pre-stored web page information of the target web page is below a preset threshold; the target web page is the web page served by the Web service that sent the data packet to be detected;
the attack success features include the presence of sensitive information in web page data, the presence of malicious links in web page data, and tampered web page content;
the detection unit performs matching based on the application layer data of the data packet to be detected and the attack success characteristics, and the detection unit comprises:
in a rapid analysis mode, sensitive information matching is carried out on the application layer data of the data packet to be detected;
in a common analysis mode, carrying out sensitive information matching and webpage link analysis on the application layer data of the data packet to be detected;
in a deep analysis mode, performing sensitive information matching, web page link analysis and web page similarity comparison on the application layer data of the data packet to be detected;
The detection unit is further configured to, when an alarm for the data packet to be detected is triggered by performing a web page similarity comparison on application layer data of the data packet to be detected and an instruction for eliminating the alarm is detected, eliminate the alarm, obtain latest web page information of a target web page, and update stored web page information of the target web page to the obtained latest web page information of the target web page.
10. An electronic device comprising a processor and a memory, wherein,
a memory for storing a computer program;
a processor configured to implement the method of any one of claims 1 to 6 when executing a program stored on a memory.
CN202311642441.7A 2023-12-01 2023-12-01 Malicious traffic detection method, device and equipment Active CN117354057B (en)

Publications (2)

Publication Number Publication Date
CN117354057A CN117354057A (en) 2024-01-05
CN117354057B true CN117354057B (en) 2024-03-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant