CN117439748A - Network attack detection method, device, equipment and storage medium - Google Patents

Info

Publication number: CN117439748A
Authority: CN (China)
Prior art keywords: function call, relation, malicious, relationship, function
Legal status: Pending
Application number: CN202210828315.XA
Other languages: Chinese (zh)
Inventors: 李冠道, 金华敏, 王帅
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The disclosure provides a network attack detection method, device, equipment and storage medium, and relates to the field of network technology and security. The method comprises the following steps: obtaining a function call relation of a service to be detected, where the function call relation comprises an identification of a called function; comparing the function call relation with a preset reference function call relation to obtain an abnormal function call relation; matching the abnormal function call relation with a preset malicious function call relation library; determining the abnormal function call relation to be a malicious function call relation when the malicious function call relation library contains a malicious function call relation that matches the abnormal function call relation; and determining the service to be detected to be a network attack when the number of malicious function call relations meets a preset condition. The network attack detection method and device can improve the accuracy of network attack detection.

Description

Network attack detection method, device, equipment and storage medium
Technical Field
The present disclosure relates to network technologies and security, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a network attack.
Background
In application rendering, a currently common rendering method is to render with a template engine. Rendering with a template engine decouples the business logic from the page logic: the two are separated by the template engine, so that variable data can be flexibly combined with a fixed template, and the code is highly readable.
However, in the current rendering process using a template engine, there is an injection network attack in which malicious template instructions are injected to manipulate the template engine and obtain operating rights and sensitive data. To detect such an injection attack, a currently common detection method is to detect features such as system operation template functions, command execution, and common data file names or paths. However, this detection method cannot detect such features after they have been transformed by a transformation technique such as special encoding. How to accurately detect this network attack is a problem to be solved in the current network technology and security field.
Disclosure of Invention
The present disclosure provides a network attack detection method, apparatus, device and storage medium, which at least overcomes the problem of inaccurate detection of the current network attack, and improves the security of the network.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the present disclosure, there is provided a network attack detection method, including:
acquiring a function call relation of a service to be detected, wherein the function call relation comprises an identification of a called function;
comparing the function call relation with a preset reference function call relation to obtain an abnormal function call relation;
matching the abnormal function call relation with a preset malicious function call relation library;
determining the abnormal function call relation to be a malicious function call relation under the condition that the malicious function call relation library contains a malicious function call relation that matches the abnormal function call relation; and
determining the service to be detected to be a network attack under the condition that the number of malicious function call relations meets a preset condition.
In one embodiment of the present disclosure, the function call relationship further includes a call function order;
comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship, wherein the method comprises the following steps:
generating a function call relation tree according to the identification of the call function contained in the function call relation and the sequence of the call function;
and comparing the function call relation tree with a reference function call relation tree corresponding to the reference function call relation to obtain an abnormal function call relation.
In one embodiment of the present disclosure, before comparing the function call relationship tree with the reference function call relationship tree corresponding to the reference function call relationship to obtain the abnormal function call relationship, the method further includes:
and generating a reference function call relation tree according to the identification of the reference call function contained in the reference function call relation and the sequence of the reference call function.
In one embodiment of the present disclosure, after matching the abnormal function call relationship with the preset malicious function call relationship library, the method further includes:
under the condition that the malicious function call relation library does not contain a malicious function call relation that matches the abnormal function call relation, determining whether the abnormal function call relation meets a preset malicious function call relation standard;
and adding the abnormal function call relation to the malicious function call relation library under the condition that the abnormal function call relation meets the malicious function call relation standard.
In one embodiment of the present disclosure, before comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship, the method further includes:
acquiring a historical function call relation of a historical service request;
and determining a reference function call relation according to the historical function call relation.
In one embodiment of the present disclosure, after obtaining the history function call relationship of the history service request, the method further comprises:
and determining a malicious function call relation library according to the historical function call relation.
In one embodiment of the present disclosure, the service to be detected comprises an application rendering service submitted by the user.
According to another aspect of the present disclosure, there is provided a network attack detection device including:
the first acquisition module is used for acquiring a function call relation of the service to be detected, wherein the function call relation comprises an identifier of a call function;
the comparison module is used for comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship;
the matching module is used for matching the abnormal function call relation with a preset malicious function call relation library;
the first determining module is used for determining the abnormal function call relation to be a malicious function call relation under the condition that the malicious function call relation library contains a malicious function call relation that matches the abnormal function call relation;
and the second determining module is used for determining that the service to be detected is a network attack under the condition that the number of malicious function call relations meets the preset condition.
In one embodiment of the present disclosure, the function call relationship further includes a call function order;
the contrast module further comprises:
the generating unit is used for generating a function call relation tree according to the identity of the call function contained in the function call relation and the sequence of the call function;
and the comparison unit is used for comparing the function call relation tree with the reference function call relation tree corresponding to the reference function call relation to obtain an abnormal function call relation.
In one embodiment of the present disclosure, the network attack detection apparatus further includes:
the generating module is used for generating the reference function call relation tree according to the identification of the reference call function contained in the reference function call relation and the sequence of the reference call function before comparing the function call relation tree with the reference function call relation tree corresponding to the reference function call relation to obtain the abnormal function call relation.
In one embodiment of the present disclosure, the network attack detection device further includes:
the third determining module is used for determining, after the abnormal function call relation has been matched with the preset malicious function call relation library, whether the abnormal function call relation meets the preset malicious function call relation standard under the condition that the malicious function call relation library does not contain a malicious function call relation that matches the abnormal function call relation;
and the adding module is used for adding the abnormal function call relation to the malicious function call relation library under the condition that the abnormal function call relation meets the malicious function call relation standard.
In one embodiment of the present disclosure, the network attack detection device further includes:
the second acquisition module is used for acquiring a historical function call relation of the historical service request before comparing the function call relation with a preset reference function call relation to obtain an abnormal function call relation;
and the fourth determining module is used for determining a reference function call relation according to the historical function call relation.
In one embodiment of the present disclosure, the network attack detection device further includes:
and a fifth determining module, configured to determine a malicious function call relation library according to the historical function call relation.
In one embodiment of the present disclosure, the service to be detected comprises an application rendering service submitted by the user.
According to still another aspect of the present disclosure, there is provided an electronic apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the network attack detection method described above via execution of the executable instructions.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network attack detection method described above.
According to the network attack detection method provided by the embodiment of the disclosure, the function call relation of the service to be detected is compared with the preset reference function call relation to obtain the abnormal function call relation; the abnormal function call relation is matched with the preset malicious function call relation library; when a matching malicious function call relation exists in the library, the abnormal function call relation is determined to be a malicious function call relation; and when the number of malicious function call relations in the service to be detected meets the preset condition, the service to be detected is determined to be a network attack. What is detected is the function call relation of the service, not its parameters or statements, so malicious traffic cannot bypass detection by modifying parameters or statements. The network attack detection method and device thereby improve the accuracy of network attack detection.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 illustrates a flow chart of a conventional network detection method in an embodiment of the present disclosure;
FIG. 2 illustrates a flow chart of a network detection method in an embodiment of the disclosure;
FIG. 3 illustrates another network detection method flow diagram in an embodiment of the present disclosure;
FIG. 4 illustrates a function call relationship tree diagram in an embodiment of the present disclosure;
FIG. 5 illustrates a flowchart of yet another network detection method in an embodiment of the present disclosure;
FIG. 6 illustrates a flowchart of yet another network detection method in an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a network detection device according to an embodiment of the disclosure;
FIG. 8 shows a block diagram of an electronic device in an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of functions performed by the devices, modules, or units.
It should be noted that references to "one" or "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those of ordinary skill in the art will appreciate that they are to be understood as "one or more" unless the context clearly indicates otherwise.
The current common network attack detection method generally detects a function in a service, and then determines whether the service is a network attack according to a detection result of the function.
For a detailed description of the network detection method in the related art, the present disclosure provides a conventional network detection method.
Fig. 1 shows a flowchart of a conventional network detection method in the related art, and as shown in fig. 1, the conventional network detection method may include:
S102, obtaining a function identifier of a service to be detected;
S104, sending the function identifier to a terminal corresponding to the user;
S106, determining whether the function identifier is a function identifier corresponding to a network attack, in response to the user's identification of the function identifier.
As can be seen from the above, the conventional network detection method generally detects the function identifier of the service to be detected, where the function identifier of the service to be detected may include the name of the function and the parameter of the function.
Judging whether the current service to be detected is a network attack by detecting its function identifier has the following problem:
after a malicious user who initiates a network attack transforms the function identifiers or function parameters in the service to be detected, the conventional network detection method cannot detect the service.
In order to solve the above problems, the present disclosure provides a network detection method, apparatus, device, and storage medium.
Next, a network detection method provided by the present disclosure will be described first.
Fig. 2 shows a flowchart of a network detection method in an embodiment of the disclosure. As shown in fig. 2, the network detection method in the embodiment of the present disclosure may include:
S202, acquiring a function call relation of a service to be detected, wherein the function call relation comprises an identification of a called function.
It should be noted that the service to be detected may include any network service including a function call relationship.
The function call relationship may include all data of the call flow during the function call. In the disclosed embodiment, the function call relationship includes only the identity of the function being called.
The identity of the called function may be any identity that is distinct from the remaining functions.
For example, the identification of the called function may include the name of the called function and key parameters of the called function.
In some embodiments, the service to be detected may include an application rendering service submitted by the user.
It should be noted that, the application rendering service refers to decoupling and separating the service logic and the page logic of the application through the template engine.
In this process the user needs to provide a template, and the template the user provides can call functions.
S204, comparing the function calling relation of the service to be detected with a preset reference function calling relation to obtain an abnormal function calling relation.
It should be noted that the preset reference function call relationship may be a preset normal function call relationship.
As a specific example, comparing the function call relationship with a preset reference function call relationship, and obtaining the abnormal function call relationship may include:
comparing the identification of each function called in the service to be detected with the preset identifications of normal called functions; if the identifications of the called functions in the service to be detected contain an identification other than those of the normal called functions, that identification is determined to be an abnormal function call relation.
For example, the reference function call relationship may include an identification of a function that calls normal information, and an identification of a function that calls normal files.
The function call relation of the service to be detected may include an identification of a function that calls all information and an identification of a function that calls all files.
The malicious function call relationship may include an identification of a function that called the sensitive information and an identification of a function that called the sensitive file.
S206, matching the abnormal function call relation with a preset malicious function call relation library.
It should be noted that the malicious function call relation library includes a plurality of malicious function call relations.
Matching the abnormal function call relationship with a preset malicious function call relationship library may include:
and matching the abnormal function call relationship with a plurality of malicious function call relationships in a preset malicious function call relationship library.
S208, determining the abnormal function call relationship as the malicious function call relationship under the condition that the malicious function call relationship library contains the malicious function call relationship matched and consistent with the abnormal function call relationship.
It should be noted that the malicious function call relation library containing a malicious function call relation that matches the abnormal function call relation may mean:
at least one malicious function call relation exists in the malicious function call relation library that is substantially the same as the abnormal function call relation.
Being substantially the same may mean that the call object and the call sequence of the malicious function call relation and of the abnormal function call relation are the same.
It should be noted that, when at least one malicious function call relation in the malicious function call relation library is substantially the same as the abnormal function call relation, the abnormal function call relation may be determined to be a malicious function call relation.
S210, determining the service to be detected as the service with network attack under the condition that the number of the malicious function call relations meets the preset condition.
It should be noted that the number of malicious function call relations satisfying the preset condition may mean any of the following:
at least one malicious function call relation exists in the function call relation of the service to be detected; the number of malicious function call relations in the function call relation of the service to be detected reaches a preset threshold; or the proportion of malicious function call relations among all function call relations of the service to be detected reaches a preset threshold.
According to the network attack detection method provided by the embodiment of the disclosure, the function call relation of the service to be detected is compared with the preset reference function call relation to obtain the abnormal function call relation; the abnormal function call relation is matched with the preset malicious function call relation library; when a matching malicious function call relation exists in the library, the abnormal function call relation is determined to be a malicious function call relation; and when the number of malicious function call relations in the service to be detected meets the preset condition, the service to be detected is determined to be a network attack. Thus what is detected is the function call relation of the service, not its parameters or statements, so malicious traffic cannot bypass detection by modifying parameters or statements. The accuracy of network attack detection is improved.
Based on the same inventive concept, the embodiments of the present disclosure provide another network detection method, which may in principle be performed by any electronic device with computer processing capabilities.
Fig. 3 is a flowchart illustrating another network detection method according to an embodiment of the present disclosure, and as shown in fig. 3, the embodiment of the present disclosure is different from one of the above embodiments in that S204 in the above embodiment may include:
S302, generating a function call relation tree according to the identity of the called functions contained in the function call relation and the order of the called functions.
It should be noted that the function call relation tree may be a representation mode including identification of functions and order of calling functions.
To illustrate the function call relationship tree in detail, this example provides a schematic diagram of the function call relationship tree, as shown in fig. 4:
the first hierarchy is a first function. The first function may be a root node of the function call relationship tree, the first function calls the second function and the third function, and the second function and the third function may be used as a second level of the function call relationship tree. The second function then calls the fourth function, the third function calls the fifth function and the sixth function, and the fourth function, the fifth function and the sixth function may be a third level of the function call relationship tree.
The fourth function, the fifth function, and the sixth function may also be leaf nodes of a function call relationship tree.
The connections between the first level and the second level, the second level and the third level, and the first level and the third level may be referred to as branches of the function call relationship.
It should be noted that the schematic diagram shown in fig. 4 is only one expression form of the function call relationship tree, and in addition, the function call relationship tree may be expressed in various forms such as a table.
The expression form of the function call relation tree is not particularly limited here.
S304, comparing the function call relation tree with a reference function call relation tree corresponding to the reference function call relation to obtain an abnormal function call relation.
It should be noted that the reference function call relation tree may also take various forms.
Comparing the function call relation tree with the reference function call relation tree may include:
comparing the levels, branches and nodes of the two relation trees to determine abnormal branches.
The abnormal branch and the node on the branch can be used as an abnormal function call relation.
It should be noted that, the function call relationship tree or the reference function call relationship tree may be compared according to the comparison model, or the comparison may be performed autonomously by a user, which is not limited herein.
In the embodiment of the disclosure, a function call relation tree and a reference function call relation tree are generated according to a function call relation and a reference function call relation. And comparing the function call relation tree with the reference function call relation tree. The function call relation and the reference function call relation which are not easy to compare are converted into a function call relation tree and a reference function call relation tree which are easy to compare, and then the function call relation tree and the reference function call relation tree are compared. The comparison process can be simplified.
In some embodiments, before S304, the network detection method may further include:
and generating a reference function call relation tree according to the identification of the reference call function contained in the reference function call relation and the sequence of the reference call function.
It should be noted that, the method for generating the reference function call relationship tree according to the reference function call relationship is the same as the method for generating the function call relationship tree according to the function call relationship, and will not be described here again.
Based on the same inventive concept, the embodiments of the present disclosure provide yet another network detection method, which may in principle be performed by any electronic device with computer processing capabilities.
Fig. 5 shows a flowchart of still another network detection method in the embodiment of the disclosure, and as shown in fig. 5, the embodiment of the disclosure is different from one of the above embodiments in that, after S206, the method may further include:
S502, determining whether the abnormal function call relationship meets a preset malicious function call relationship standard, under the condition that the malicious function call relationship library does not contain a malicious function call relationship that matches the abnormal function call relationship.
It should be noted that the preset malicious function call relationship standard may be a user-defined malicious function call relationship standard.
The user can set parameters, key characters, etc. for determining the malicious function call relationship according to experience of judging the malicious function call relationship.
The preset malicious function call relation standard can also be obtained by training a neural network, and is not particularly limited herein.
S504, adding the abnormal function call relationship to a malicious function call relationship library under the condition that the abnormal function call relationship meets the malicious function call relationship standard.
It should be noted that the number of malicious function call relations in the preset malicious function call relation library is fixed at any given time, whereas malicious function call relationships change as network attacks evolve.
When the abnormal function call relationship meets the malicious function call relationship standard, the current abnormal function call relationship is indicated to be used as the malicious function call relationship. At this time, the abnormal function call relationship can be used as a new malicious function call relationship to be added into a malicious function call relationship library to update the malicious function call relationship library.
In the embodiment of the disclosure, the malicious function call relation in the malicious function call relation library can be updated by adding the new malicious function call relation not contained in the malicious function call relation library into the malicious function call relation library. Therefore, the problem of low network detection efficiency caused by insufficient malicious function call relation quantity in the malicious function call relation library can be avoided.
Based on the same inventive concept, the embodiments of the present disclosure provide yet another network detection method, which may in principle be performed by any electronic device with computer processing capabilities.
Fig. 6 is a flowchart illustrating yet another network detection method according to an embodiment of the disclosure, as shown in fig. 6, where the method may further include, before S204:
S602, acquiring a history function call relation of a history service request.
It should be noted that, the history function call relationship may include a normal function call relationship and an abnormal function call relationship.
S604, determining a reference function call relation according to the historical function call relation.
It should be noted that determining the reference function call relationship according to the history function call relationship may include determining the reference function call relationship according to a normal function call relationship in the history function call relationship.
Determining the reference function call relationship from the normal function call relationship in the history function call relationships may include:
and determining a reference function call relation according to the identification of the call function in the normal function call relation and the call function sequence.
In some embodiments, after S602, the network detection method may further include:
and determining a malicious function call relation library according to the historical function call relation.
It should be noted that, determining the malicious function call relation library according to the historical function call relation may include:
and determining the malicious function call relation library according to the malicious function call relations in the historical function call relations.
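The following is an added worked example of the flow described in S302 to S604 above; it is not the patent's own code. It models a function call relation as the ordered list of call identifiers seen for one request and a relation tree as a prefix tree over such lists; these choices, the identifiers, the sample traces and the "key character" rule are all constructed assumptions.

```python
"""Added example of the detection flow: relation trees (S302), tree comparison
(S304), library matching with library update (S502/S504), a reference and a
library derived from historical requests (S602/S604) and the threshold on the
count of malicious relations.  All identifiers, traces and rules are constructed."""
from __future__ import annotations

from typing import Callable, Iterable, List, Set, Tuple

Tree = dict                  # nested {call_id: subtree}, ordered by call sequence
Relation = Tuple[str, ...]   # one root-to-leaf call path through a tree


def build_tree(call_relations: Iterable[List[str]]) -> Tree:
    """Fold ordered call lists into one tree: requests that share a call
    prefix share nodes and diverge into separate branches."""
    root: Tree = {}
    for calls in call_relations:
        node = root
        for call_id in calls:
            node = node.setdefault(call_id, {})
    return root


def _leaf_paths(subtree: Tree, prefix: Relation) -> List[Relation]:
    if not subtree:
        return [prefix]
    paths: List[Relation] = []
    for call_id, child in subtree.items():
        paths.extend(_leaf_paths(child, prefix + (call_id,)))
    return paths


def compare_trees(tree: Tree, reference: Tree, prefix: Relation = ()) -> List[Relation]:
    """S304: walk both trees level by level.  A node absent from the reference
    at the same position starts an abnormal branch; the whole path through that
    branch is reported as one abnormal function call relation."""
    abnormal: List[Relation] = []
    for call_id, subtree in tree.items():
        path = prefix + (call_id,)
        if call_id not in reference:
            abnormal.extend(_leaf_paths(subtree, path))
        else:
            abnormal.extend(compare_trees(subtree, reference[call_id], path))
    return abnormal


def build_malicious_library(malicious_history: Iterable[List[str]],
                            reference: Tree) -> Set[Relation]:
    """The library holds the abnormal branches that historical malicious
    requests produce against the same reference tree."""
    return set(compare_trees(build_tree(malicious_history), reference))


# Constructed user-defined "standard" (S502): key characters that mark an
# abnormal relation as malicious when they occur in one of its call identifiers.
KEY_CHARACTERS = ("exec", "write_")


def key_character_standard(relation: Relation) -> bool:
    return any(key in call_id for call_id in relation for key in KEY_CHARACTERS)


class Detector:
    def __init__(self, reference: Tree, library: Set[Relation],
                 standard: Callable[[Relation], bool], threshold: int) -> None:
        self.reference = reference
        self.library = library
        self.standard = standard
        self.threshold = threshold   # the "preset condition" on the malicious count

    def detect(self, call_relations: Iterable[List[str]]) -> Tuple[bool, List[Relation]]:
        """Abnormal relations found in the library are malicious; relations not in
        the library are tested against the standard and, when they meet it, added
        to the library (S504) so that later requests match directly."""
        abnormal = compare_trees(build_tree(call_relations), self.reference)
        malicious: List[Relation] = []
        for relation in abnormal:
            if relation in self.library:
                malicious.append(relation)
            elif self.standard(relation):
                self.library.add(relation)
                malicious.append(relation)
        return len(malicious) >= self.threshold, malicious


# Constructed sample data: historical normal and malicious requests, and the
# four requests of the service to be detected.
NORMAL_HISTORY = [
    ["recv_request", "parse_header", "route", "render_template", "send_response"],
    ["recv_request", "parse_header", "route", "query_db", "render_template", "send_response"],
    ["recv_request", "parse_header", "auth_check", "route", "render_template", "send_response"],
]
MALICIOUS_HISTORY = [
    ["recv_request", "parse_header", "route", "query_db", "exec_shell", "send_response"],
]
SERVICE_TRACES = [
    ["recv_request", "parse_header", "route", "query_db", "exec_shell", "send_response"],
    ["recv_request", "parse_header", "route", "render_template", "send_response"],
    ["recv_request", "parse_header", "route", "write_file", "send_response"],
    ["recv_request", "parse_header", "route", "fetch_cache", "render_template", "send_response"],
]


def run_example(threshold: int = 2) -> Tuple[bool, List[Relation], int]:
    """Returns (is_attack, malicious relations, library size after the update)."""
    reference = build_tree(NORMAL_HISTORY)                                # S604
    library = build_malicious_library(MALICIOUS_HISTORY, reference)      # S602 follow-up
    detector = Detector(reference, library, key_character_standard, threshold)
    is_attack, malicious = detector.detect(SERVICE_TRACES)
    return is_attack, malicious, len(detector.library)


if __name__ == "__main__":
    attack, hits, size = run_example()
    print("network attack:", attack)
    for hit in hits:
        print("  malicious relation:", " -> ".join(hit))
    print("library size after update:", size)
```

The `fetch_cache` request is reported as abnormal but not malicious, which is the case the patent leaves to the standard or the library; only the relations that match the library or meet the standard count toward the threshold.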
Based on the same inventive concept, a network attack detection device 700 is also provided in the embodiments of the present disclosure, as in the following embodiments. Since the principle of solving the problem of the embodiment of the device is similar to that of the embodiment of the method, the implementation of the embodiment of the device can be referred to the implementation of the embodiment of the method, and the repetition is omitted.
Fig. 7 is a schematic diagram of a network attack detection device according to an embodiment of the disclosure, as shown in fig. 7, where the device includes:
a first obtaining module 702, configured to obtain a function call relationship of a service to be detected, where the function call relationship includes an identifier of a call function;
the comparison module 704 is configured to compare the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship;
a matching module 706, configured to match the abnormal function call relationship with a preset malicious function call relationship library;
a first determining module 708, configured to determine, when the malicious function call relation library includes a malicious function call relation that matches the abnormal function call relation, the abnormal function call relation as a malicious function call relation;
the second determining module 710 is configured to determine that the service to be detected is a network attack if the malicious function call relationship satisfies a preset condition.
According to the network attack detection device provided by the embodiment of the disclosure, the first obtaining module obtains the function call relation of the service to be detected; the comparison module compares the function call relation with the preset reference function call relation to obtain the abnormal function call relation; the matching module matches the abnormal function call relation with the preset malicious function call relation library; when a matching malicious function call relation exists in the library, the abnormal function call relation is determined to be a malicious function call relation; and when the number of malicious function call relations in the service to be detected meets the preset condition, the service to be detected is determined to be a network attack. Therefore, it is the function call relation of the service to be detected that is inspected, not its parameters or statements, so malicious traffic cannot bypass detection by modifying parameters or statements, and the accuracy of network attack detection is improved.
In some embodiments, the function call relationship further comprises a call function order;
the comparison module 704 further includes:
the generating unit is used for generating a function call relation tree according to the identifier of the call function contained in the function call relation and the sequence of the call function;
and the comparison unit is used for comparing the function call relation tree with the reference function call relation tree corresponding to the reference function call relation to obtain an abnormal function call relation.
In some embodiments, the network attack detection apparatus further comprises:
the generating module 712 is configured to generate, before comparing the function call relationship tree with the reference function call relationship tree corresponding to the reference function call relationship to obtain the abnormal function call relationship, a reference function call relationship tree according to the identifier of the reference call function and the reference call function sequence included in the reference function call relationship.
In the embodiment of the disclosure, a function call relation tree and a reference function call relation tree are generated according to a function call relation and a reference function call relation. And comparing the function call relation tree with the reference function call relation tree. The function call relation and the reference function call relation which are not easy to compare are converted into a function call relation tree and a reference function call relation tree which are easy to compare, and then the function call relation tree and the reference function call relation tree are compared. The comparison process can be simplified.
In some embodiments, the network attack detection device further includes:
a third determining module 714, configured to determine, after matching the abnormal function call relationship with a preset malicious function call relationship library, if the malicious function call relationship library does not include a malicious function call relationship that matches the abnormal function call relationship, whether the abnormal function call relationship meets a preset malicious function call relationship standard;
and the adding module 716 is configured to add the abnormal function call relationship to the malicious function call relationship library when the abnormal function call relationship meets the malicious function call relationship standard.
In the embodiment of the disclosure, the malicious function call relation in the malicious function call relation library can be updated by adding the new malicious function call relation not contained in the malicious function call relation library into the malicious function call relation library. Therefore, the problem of low network detection efficiency caused by insufficient malicious function call relation quantity in the malicious function call relation library can be avoided.
In some embodiments, the network attack detection device further includes:
the second obtaining module 718 is configured to obtain a history function call relationship of the history service request before comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship;
a fourth determining module 720, configured to determine a reference function call relationship according to the historical function call relationship.
In some embodiments, the network attack detection device further includes:
a fifth determining module 722 is configured to determine a malicious function call relationship library according to the historical function call relationship.
In some embodiments, the service to be detected comprises an application rendering service submitted by the user.
Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, various aspects of the disclosure may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
An electronic device 800 according to such an embodiment of the present disclosure is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of embodiments of the present disclosure in any way.
As shown in fig. 8, the electronic device 800 is embodied in the form of a general purpose computing device. Components of electronic device 800 may include, but are not limited to: the at least one processing unit 810, the at least one memory unit 820, and a bus 830 connecting the various system components, including the memory unit 820 and the processing unit 810.
The storage unit stores program code that is executable by the processing unit 810, such that the processing unit 810 performs steps according to the various exemplary embodiments of the present disclosure described in the above sections of the present specification. For example, the processing unit 810 may perform the following steps of the method embodiments described above:
Acquiring a function call relation of a service to be detected, wherein the function call relation comprises an identification of a call function;
comparing the function calling relationship with a preset reference function calling relationship to obtain an abnormal function calling relationship;
matching the abnormal function call relation with a preset malicious function call relation library;
under the condition that the malicious function call relation library contains a malicious function call relation matched and consistent with the abnormal function call relation, determining the abnormal function call relation as a malicious function call relation;
and under the condition that the number of the malicious function call relations meets the preset condition, determining the service to be detected as the network attack.
The storage unit 820 may include readable media in the form of volatile storage units, such as Random Access Memory (RAM) 8201 and/or cache memory 8202, and may further include Read Only Memory (ROM) 8203.
Storage unit 820 may also include a program/utility 8204 having a set (at least one) of program modules 8205, such program modules 8205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
Bus 830 may be one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 840 (e.g., keyboard, pointing device, bluetooth device, etc.), one or more devices that enable a user to interact with the electronic device 800, and/or any device (e.g., router, modem, etc.) that enables the electronic device 800 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 850. Also, electronic device 800 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 860. As shown, network adapter 860 communicates with other modules of electronic device 800 over bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with electronic device 800, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or may be implemented in software in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, including several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium, which may be a readable signal medium or a readable storage medium, is also provided. On which a program product is stored which enables the implementation of the method described above of the present disclosure. In some possible implementations, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to carry out the steps according to the various exemplary embodiments of the disclosure as described in the "exemplary methods" section of this specification, when the program product is run on the terminal device.
More specific examples of the computer readable storage medium in the present disclosure may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In this disclosure, a computer readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Alternatively, the program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
In particular implementations, the program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Furthermore, although the steps of the methods in the present disclosure are depicted in a particular order in the drawings, this does not require or imply that the steps must be performed in that particular order or that all illustrated steps be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any adaptations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A method for detecting a network attack, the method comprising:
acquiring a function call relation of a service to be detected, wherein the function call relation comprises an identification of a call function;
comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship;
matching the abnormal function call relation with a preset malicious function call relation library;
under the condition that the malicious function call relation library contains a malicious function call relation matched and consistent with the abnormal function call relation, determining the abnormal function call relation as a malicious function call relation;
and under the condition that the number of the malicious function call relations meets the preset condition, determining the service to be detected as network attack.
2. The method of claim 1, wherein the function call relationship further comprises a call function order;
comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship, wherein the method comprises the following steps:
generating a function call relation tree according to the identity of the call function contained in the function call relation and the sequence of the call function;
and comparing the function call relation tree with a reference function call relation tree corresponding to the reference function call relation to obtain an abnormal function call relation.
3. The method of claim 2, wherein before comparing the function call relationship tree with the reference function call relationship tree corresponding to the reference function call relationship to obtain an abnormal function call relationship, the method further comprises:
and generating a reference function call relation tree according to the identification of the reference call function contained in the reference function call relation and the sequence of the reference call function.
4. The method of claim 1, wherein after matching the abnormal function call relationship with a preset library of malicious function call relationships, the method further comprises:
under the condition that the malicious function call relation library does not contain a malicious function call relation matched and consistent with the abnormal function call relation, determining whether the abnormal function call relation meets a preset malicious function call relation standard;
and adding the abnormal function call relationship to the malicious function call relationship library under the condition that the abnormal function call relationship meets the malicious function call relationship standard.
5. The method of claim 1, wherein prior to comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship, the method further comprises:
acquiring a history function calling relation of a history service request;
and determining the reference function call relation according to the historical function call relation.
6. The method of claim 5, wherein after obtaining the history function call relationship of the history service request, the method further comprises:
and determining the malicious function call relation library according to the historical function call relation.
7. The method of claim 1, wherein the service to be detected comprises a user-submitted application rendering service.
8. A network attack detection device, the device comprising:
the first acquisition module is used for acquiring a function call relation of a service to be detected, wherein the function call relation comprises an identifier of a call function;
the comparison module is used for comparing the function call relationship with a preset reference function call relationship to obtain an abnormal function call relationship;
the matching module is used for matching the abnormal function call relation with a preset malicious function call relation library;
the first determining module is used for determining the abnormal function call relationship as a malicious function call relationship under the condition that the malicious function call relationship library contains the malicious function call relationship matched and consistent with the abnormal function call relationship;
and the second determining module is used for determining that the service to be detected is network attack under the condition that the malicious function calling relation meets the preset condition.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the network attack detection method of any of claims 1-7 via execution of the executable instructions.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the network attack detection method according to any of claims 1 to 7.
CN202210828315.XA 2022-07-13 2022-07-13 Network attack detection method, device, equipment and storage medium Pending CN117439748A (en)
Publications (1)

Publication Number Publication Date
CN117439748A true CN117439748A (en) 2024-01-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination