CN107426211A - Network attack detection method and device, terminal device and computer-readable storage medium (Google Patents)


Info

Publication number: CN107426211A
Authority: CN (China)
Prior art keywords: field, automaton, request data, value, target field
Legal status: Granted
Application number: CN201710613907.9A
Other languages: Chinese (zh)
Other versions: CN107426211B
Inventors: 刘超, 朱文雷, 吴雷, 李昌志, 刘金钊, 张酉夫, 李扬
Current assignee: Beijing Pulsar Technology Co.,Ltd.
Original assignee: Beijing Chaitin Tech Co Ltd
Application filed by Beijing Chaitin Tech Co Ltd; priority to CN201710613907.9A; published as CN107426211A; granted and published as CN107426211B; current legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

Embodiments of the present invention provide a network attack detection method and device, a terminal device and a computer-readable storage medium, and relate to the technical field of network security. The network attack detection method comprises: parsing a target field from request data by means of an automaton; decoding the field value of the target field to obtain the decoded value of the target field; and performing attack detection on the request data according to the decoded value. In the technical solution provided by the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.

Description

Network attack detection method and device, terminal equipment and computer storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a network attack, a terminal device, and a computer storage medium.
Background
A Web Application Firewall (WAF) inspects the Web requests made to a protected Web application, discovers the threats they contain, and raises alarms or blocks the requests accordingly. The WAF itself must not impair the protected Web application, so it has to detect efficiently and with a low false-alarm rate. Existing detection technologies fall mainly into rule-based detection and syntax-analysis-based detection. With rule-based detection, regular expressions must be continually added and modified to catch new attacks or to reduce false alarms, so the maintenance cost of the rule set keeps growing and detection efficiency falls. Moreover, extracting an attack pattern into a detection rule requires an existing attack sample, so rule-based detection has difficulty detecting unknown attacks. Syntax-analysis-based detection solves some of these problems to some extent, but it still has defects; for example, existing implementations parse HTTP (HyperText Transfer Protocol) requests inefficiently.
Disclosure of Invention
The embodiment of the invention provides a network attack detection method and device, terminal equipment and a computer storage medium, which are used for solving the technical problems in the prior art.
In a first aspect, an embodiment of the present invention provides a method for detecting a network attack.
Specifically, the method comprises the following steps:
parsing a target field from the request data by means of an automaton;
decoding the field value of the target field to obtain a decoded value of the target field;
and performing attack detection on the request data according to the decoded value.
In the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.
With reference to the first aspect, in some implementations of the invention, parsing the target field from the request data by the automaton includes:
parsing the target field directly from the request data by a first automaton.
With reference to the first aspect, in some implementations of the invention, parsing the target field from the request data by the automaton includes:
parsing a carrier field from the request data by a first automaton;
and parsing the target field from the field value of the carrier field by a second automaton.
With reference to the first aspect, in some implementations of the invention, the method further includes:
constructing the first automaton based on the communication standard corresponding to the request data.
With reference to the first aspect, in some implementations of the invention, the method further includes:
constructing the second automaton based on the communication standard corresponding to the carrier field.
With reference to the first aspect, in some implementations of the invention, constructing the second automaton based on the communication standard corresponding to the carrier field includes:
determining one or more request body communication standards along the dimension of content type (Content-Type);
and constructing one or more second automata corresponding to the one or more request body communication standards.
With reference to the first aspect, in some implementations of the invention, parsing the target field from the field value of the carrier field by the second automaton includes:
determining the suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
and parsing the target field from the field value of the request body field by the selected second automaton.
The invention analyzes the possible content types of the request body and applies the parsing that corresponds to each type found, which effectively prevents an attacker from bypassing detection by exploiting the protocol (such as a declared Content-Type that does not match the actual format of the body).
With reference to the first aspect, in some implementations of the invention, determining the suspected content type of the request body field includes:
matching the field value of the request body field against the set media format features;
and determining the suspected content type of the request body field according to the media format features that matched.
In a second aspect, embodiments of the present invention provide a network attack detection device.
Specifically, the device comprises:
a parsing module for parsing the target field from the request data by an automaton;
a decoding module for decoding the field value of the target field to obtain a decoded value of the target field;
and a detection module for performing attack detection on the request data according to the decoded value.
In the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.
With reference to the second aspect, in some implementations of the invention,
the parsing module parses the target field from the request data by the automaton as follows: parsing the target field directly from the request data by a first automaton.
With reference to the second aspect, in some implementations of the invention, the parsing module includes:
a carrier field parsing unit for parsing the carrier field from the request data by a first automaton;
and a target field parsing unit for parsing the target field from the field value of the carrier field by a second automaton.
With reference to the second aspect, in some implementations of the invention, the device further includes:
a first automaton construction module for constructing the first automaton based on the communication standard corresponding to the request data.
With reference to the second aspect, in some implementations of the invention, the device further includes:
a second automaton construction module for constructing the second automaton based on the communication standard corresponding to the carrier field.
With reference to the second aspect, in some implementations of the invention, the second automaton construction module includes:
a determining unit for determining one or more request body communication standards along the dimension of content type;
and a construction unit for constructing one or more second automata corresponding to the one or more request body communication standards.
With reference to the second aspect, in some implementations of the invention, the target field parsing unit includes:
a determining component for determining the suspected content type of the request body field;
a selecting component for selecting a second automaton according to the suspected content type;
and a parsing component for parsing the target field from the field value of the request body field by the selected second automaton.
The invention analyzes the possible content types of the request body and applies the parsing that corresponds to each type found, which effectively prevents an attacker from bypassing detection by exploiting the protocol (such as a declared Content-Type that does not match the actual format of the body).
With reference to the second aspect, in some implementations of the invention, the determining component includes:
a matching sub-component for matching the field value of the request body field against the set media format features;
and a determining sub-component for determining the suspected content type of the request body field according to the media format features that matched.
In a third aspect, the embodiment of the invention provides a terminal device.
The terminal device comprises a memory and a processor, wherein
the memory is used to store one or more computer instructions which, when executed by the processor, implement any of the network attack detection methods above.
In the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.
In a fourth aspect, embodiments of the present invention provide a computer storage medium.
The computer storage medium is used to store one or more computer instructions which, when executed, implement any of the network attack detection methods above.
In the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.
These and other aspects of the invention will be more readily apparent from the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the description below are some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a network attack detection method according to method embodiment 1 of the present invention;
FIG. 2 is a block diagram of a finite state automaton according to an embodiment of the present invention;
FIG. 3 illustrates one embodiment of the process S1 shown in FIG. 1;
FIG. 4 illustrates one embodiment of the process S12 shown in FIG. 3;
FIG. 5 illustrates one embodiment of the process S121 illustrated in FIG. 4;
fig. 6 is a schematic structural diagram of a network attack detection apparatus according to embodiment 1 of the present invention;
fig. 7 is a schematic structural diagram of a network attack detection apparatus according to embodiment 2 of the present invention;
FIG. 8 illustrates one embodiment of the parsing module 12' shown in FIG. 7;
fig. 9 is a schematic structural diagram of a network attack detection apparatus according to embodiment 3 of the present invention;
FIG. 10 illustrates one embodiment of the second automaton construction module 16' shown in FIG. 9;
FIG. 11 illustrates one embodiment of the target field parsing unit 122' shown in FIG. 7;
FIG. 12 illustrates one embodiment of the determination component 1221' illustrated in FIG. 11.
Detailed Description
Various aspects of the invention are described in detail below with reference to the figures and the detailed description. Well-known processes, program modules, elements and their interconnections, links, communications or operations, among others, are not shown or described in detail herein in various embodiments of the invention.
Furthermore, the described features, architectures, or functions can be combined in any manner in one or more implementations.
Furthermore, it should be understood by those skilled in the art that the following embodiments are illustrative only and are not intended to limit the scope of the present invention. Those of skill would further appreciate that the program modules, elements, or steps of the various embodiments described herein and illustrated in the figures may be combined and designed in a wide variety of different configurations.
Technical terms not specifically described in the present specification should be construed in the broadest sense in the art unless otherwise specifically indicated.
In some of the flows described in the present specification and claims and in the above figures, a number of operations are included that occur in a particular order, but it should be clearly understood that these operations may be performed out of order or in parallel as they occur herein, with the reference numbers such as 101, 102, etc. merely being used to distinguish between the various operations, and the reference numbers themselves do not represent any order of performance. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without inventive effort based on the embodiments of the present invention, are within the scope of the present invention.
[ METHOD EMBODIMENT 1 ]
Fig. 1 is a flowchart of a network attack detection method according to embodiment 1 of the method of the present invention. Referring to fig. 1, in the present embodiment, the method includes:
S1: parsing the target field from the request data by an automaton.
S2: decoding the field value of the target field to obtain a decoded value of the target field.
S3: performing attack detection on the request data according to the decoded value.
The field value refers to the value of a certain field in the request data. For example, "GET" is a field value of a method field in the request data.
The decoded value is a decoding result obtained by decoding a certain field value in the request data.
The automaton is used for analyzing request data (such as an HTTP request), completing scanning on the whole request data in a linear time, and analyzing each component of the request data for a subsequent detection process.
The following takes finite state automata as an example to specifically describe the operation process of the automaton in the present invention.
A finite state automaton consists of state nodes and transition arcs. Each transition arc is a directed edge from one state node to another, and the label on the arc means that when the automaton is in the source state and receives that label as input, it moves to the destination state. As shown in Fig. 2, the automaton starts in the initial state, state 1; on input "G" it moves to state 2, and after the input string "GET" from the initial state it reaches state 4. The request method, "GET", is recorded during the transition from state 3 to state 4.
In the invention the request data is parsed by an automaton, so the parsing of the request data can be performed efficiently.
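To make the automaton of Fig. 2 concrete, the following Python is an added example (not code from the patent or its assignee): a table-driven finite state automaton that scans an HTTP request line once, left to right, and records each field on the arc that leaves it, exactly as the method "GET" is recorded on the arc from state 3 to state 4 above. The state names, the ARCS table and the sample request lines are this example's own constructions; the character classes follow the RFC 7230 token grammar.

```python
"""Added example (not the patent's code): a table-driven finite state automaton
that parses the HTTP request line in a single left-to-right scan, recording a
field on the arc that leaves it, as Fig. 2 does for the method "GET"."""
import string

# Character classes used as labels on the transition arcs.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")  # RFC 7230 token chars
VCHAR = frozenset(chr(c) for c in range(0x21, 0x7F))                          # visible ASCII

S_METHOD, S_TARGET, S_VERSION, S_CR, S_DONE = range(5)

# (state, input class) -> (next state, name of the field recorded on this arc).
# A missing entry means the automaton rejects the input in that state.
ARCS = {
    (S_METHOD, "tchar"):  (S_METHOD, None),
    (S_METHOD, "SP"):     (S_TARGET, "method"),
    (S_TARGET, "tchar"):  (S_TARGET, None),
    (S_TARGET, "vchar"):  (S_TARGET, None),
    (S_TARGET, "SP"):     (S_VERSION, "target"),
    (S_VERSION, "tchar"): (S_VERSION, None),
    (S_VERSION, "vchar"): (S_VERSION, None),
    (S_VERSION, "CR"):    (S_CR, "version"),
    (S_CR, "LF"):         (S_DONE, None),
}


def classify(ch: str) -> str:
    """Map one input character to the arc label it drives."""
    if ch == " ":
        return "SP"
    if ch == "\r":
        return "CR"
    if ch == "\n":
        return "LF"
    if ch in TCHAR:
        return "tchar"
    if ch in VCHAR:
        return "vchar"
    return "other"  # control bytes and non-ASCII: no arc accepts them


def parse_request_line(raw: bytes) -> dict:
    """Scan raw exactly once; return {'method', 'target', 'version'} or raise ValueError."""
    text = raw.decode("latin-1")  # byte-transparent; the lexer does no UTF-8 guessing
    state, start, fields = S_METHOD, 0, {}
    for pos, ch in enumerate(text):
        arc = ARCS.get((state, classify(ch)))
        if arc is None:
            raise ValueError(f"no transition from state {state} on {ch!r} at offset {pos}")
        state, record = arc
        if record is not None:
            if pos == start:
                raise ValueError(f"empty {record} at offset {pos}")
            fields[record] = text[start:pos]  # recorded while taking the arc
            start = pos + 1
    if state != S_DONE:
        raise ValueError("request line ended in a non-accepting state")
    return fields


def accepts(raw: bytes) -> bool:
    """True if the automaton reaches its accepting state on raw."""
    try:
        parse_request_line(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample request lines.
    print(parse_request_line(b"GET /index.php?id=1 HTTP/1.1\r\n"))
    print(accepts(b"GET  / HTTP/1.1\r\n"))  # doubled space: empty target, rejected
```

Every input character costs one table lookup and there is no backtracking, so the scan is linear in the request length, which is the efficiency property the method relies on. An input with no arc from the current state (a bare LF, an empty target, a control byte) is rejected rather than guessed at, so the detection stage never sees a field that the lexer did not actually delimit.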
[ METHOD EMBODIMENT 2 ]
The method provided by this embodiment includes everything in method embodiment 1, which is not repeated here. The direct carrier of the target field may be the request data itself or a field value within the request data.
If the direct carrier of the target field is the request data, process S1 is implemented as:
parsing the target field directly from the request data by the first automaton.
Accordingly, in the method of this embodiment the first automaton is constructed based on the communication standard corresponding to the request data.
As shown in Fig. 3, if the direct carrier of the target field is a field value in the request data, process S1 is implemented as:
S11: parsing the carrier field (the request data field containing the target field) from the request data by the first automaton.
S12: parsing the target field from the field value of the carrier field by a second automaton.
Accordingly, in the method of this embodiment the second automaton is constructed based on the communication standard corresponding to the carrier field.
The carrier field is, for example, the request body field; accordingly, constructing the second automaton based on the communication standard corresponding to the carrier field comprises:
(1) determining one or more request body communication standards along the dimension of content type (Content-Type);
(2) constructing one or more second automata corresponding to the one or more request body communication standards.
[ METHOD EMBODIMENT 3 ]
The method provided by this embodiment includes everything in method embodiment 2, which is not repeated here. As shown in Fig. 4, in this embodiment S12 comprises:
S121: determining the suspected content type (the possible content type) of the request body field.
S122: selecting a second automaton according to the suspected content type.
S123: parsing the target field from the field value of the request body field by the selected second automaton.
The invention analyzes the possible content types of the request body and applies the parsing that corresponds to each type found, which effectively prevents an attacker from bypassing detection by exploiting the protocol (such as a declared Content-Type that does not match the actual format of the body).
[ METHOD EMBODIMENT 4 ]
The method provided by this embodiment includes everything in method embodiment 3, which is not repeated here. As shown in Fig. 5, in this embodiment process S121 is implemented as:
S1211: matching the field value of the request body field against the set media format features.
S1212: determining the suspected content type of the request body field according to the media format features that matched.
The media format features are structural characteristics of an Internet media format, for example JSON (JavaScript Object Notation, a lightweight data interchange format), XML (Extensible Markup Language), or form-encoded data.
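The suspected-content-type determination of method embodiments 3 and 4, as an added example in Python that is not the patent's code: the body is matched against structural media format features, every parser whose feature matched is selected as the "second automaton", and the target fields it yields are returned. MEDIA_FEATURES, the three parsers and the constructed sample bodies are this example's own assumptions; what it shows is that a body declared as one content type but written in another is still parsed according to what it actually is.

```python
"""Added example (not the patent's code): determine the suspected content type of a
request body from the body's own structure, then run the parser (the "second
automaton") selected by that type rather than by the Content-Type header."""
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Media format features: structural characteristics of each format, checked on the
# body bytes. Several may match one body; every matching parser is then tried.
MEDIA_FEATURES = [
    ("json", re.compile(rb"^\s*[\[{]")),
    ("xml",  re.compile(rb"^\s*<(\?xml|[A-Za-z_])")),
    ("form", re.compile(rb"^[^=&\s]+=[^&]*(?:&[^=&\s]+=[^&]*)*$")),
]


def sniff_content_types(body: bytes) -> list:
    """Suspected content types, in feature order; empty if nothing matched."""
    return [name for name, feature in MEDIA_FEATURES if feature.search(body)]


def parse_form(body: bytes):
    """Target fields of a form-urlencoded body (percent and '+' decoding included)."""
    return parse_qsl(body.decode("latin-1"), keep_blank_values=True)


def parse_json(body: bytes):
    """Flatten a JSON document into (path, value) target fields; None on failure."""
    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                yield from walk(val, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for idx, val in enumerate(node):
                yield from walk(val, f"{path}[{idx}]")
        else:
            yield (path, "" if node is None else str(node))
    try:
        return list(walk(json.loads(body), ""))
    except ValueError:
        return None


def parse_xml(body: bytes):
    """Attributes and element text of an XML body as target fields; None on failure.
    Production code should parse with defusedxml (entity expansion attacks)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    fields = []
    for el in root.iter():
        for key, val in el.attrib.items():
            fields.append((f"{el.tag}@{key}", val))
        if el.text and el.text.strip():
            fields.append((el.tag, el.text.strip()))
    return fields


PARSERS = {"json": parse_json, "xml": parse_xml, "form": parse_form}


def extract_target_fields(body: bytes) -> dict:
    """Select parsers by the sniffed type(s); return {type: [(name, value), ...]}.
    A parser that fails ends its own path only; the other suspected types remain."""
    fields = {}
    for ctype in sniff_content_types(body):
        parsed = PARSERS[ctype](body)
        if parsed:
            fields[ctype] = parsed
    return fields


if __name__ == "__main__":
    # Constructed bodies. The first would be sent under a form Content-Type header by
    # an attacker hoping the form parser hides the JSON fields; sniffing ignores the header.
    print(extract_target_fields(b'{"user": "admin", "q": "1 OR 1=1"}'))
    print(extract_target_fields(b"user=admin&q=1+OR+1%3D1"))
    print(extract_target_fields(b'<?xml version="1.0"?><login user="admin"><q>1 OR 1=1</q></login>'))
```

A body such as `{"x":"a=b"}` matches both the JSON and the form features; both parsers run and both field sets go to detection, which is the safe direction to err in, since the application's own parser may be either one.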
[ METHOD EMBODIMENT 5 ]
The network attack detection method of this embodiment is described in detail below, taking HTTP request detection as the example. In this embodiment the method comprises:
Step 1: parsing the target field from the HTTP request by an automaton.
Specifically, step 1 may be implemented as described in any of method embodiments 2 to 4, which is not repeated here.
Step 2: deep-decoding the field value of the target field to obtain the result decoded value of the target field.
The result decoded value is the decoding result finally obtained after deep decoding of a field value in the request data.
In the invention the field value of the target field is deep-decoded, so multi-layer encoding can be handled effectively; this improves decoding capability and, in turn, the accuracy of network attack detection.
Step 3: performing risk estimation on the HTTP request according to the result decoded value. If the risk estimation finds that the HTTP request carries a risk of network attack, step 4 is executed; if it finds no such risk, the current process ends.
In the invention risk estimation is performed on the request data before attack detection, so network attack detection can be stopped in time for normal request data, which improves detection efficiency.
Step 4: performing attack detection on the HTTP request.
Step 2 may be implemented as follows:
(1) performing a decoding operation on the field value of the target field to obtain an intermediate decoded value of the target field.
(2) judging whether the intermediate decoded value needs a further decoding operation; if so, decoding the intermediate decoded value to obtain another intermediate decoded value of the target field and returning to the judgment of whether that intermediate decoded value needs further decoding; if not, taking the intermediate decoded value as the result decoded value.
An intermediate decoded value is a decoding result obtained during deep decoding.
Specifically, judging whether the intermediate decoded value needs further decoding may be implemented as:
(1) updating the multi-layer coding possibility parameter of the target field according to the encoding scheme corresponding to the intermediate decoded value.
For example, the weight of the encoding scheme is looked up in a coding tree and the multi-layer coding possibility parameter is then updated with that weight. Each node of the coding tree is a possible encoding scheme under its parent node and records the weight of that scheme; the coding tree can be built from network traffic data and from the processing behaviour of the Web application.
(2) judging whether the intermediate decoded value needs further decoding according to the comparison between the updated multi-layer coding possibility parameter and a set threshold.
In the invention the likelihood of the current multi-layer encoding is evaluated before an intermediate decoded value is decoded again, so deep decoding with low likelihood can be terminated in time, which improves decoding efficiency.
As for the decoding operation itself, in this embodiment the decoding of the field value of the target field may be implemented as:
(1) matching the field value against the set encoding features.
An encoding feature is, for example, a symbol specific to a particular encoding scheme, such as "%" for URL encoding.
(2) performing on the field value the decoding operation corresponding to the encoding features that matched.
If a decoding operation fails, that decoding path ends, but the other possible decoding schemes continue to be tried.
In the invention the field value is matched against the set encoding features, so the encoding scheme can be identified automatically and a good decoding result is ensured.
Of course, those skilled in the art can decode the intermediate decoded value in the same way: match the intermediate decoded value against the set encoding features, and perform on it the decoding operation corresponding to the features that matched.
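The deep decoding procedure of step 2 (encoding-feature matching, the coding tree, the multi-layer coding possibility parameter and its threshold, and the rule that a failed decoding ends only its own path), as an added example in Python that is not the patent's code. The four codecs, the CODING_TREE weights, THRESHOLD and the sample payloads are constructed for illustration; the patent builds its weights from traffic data and the Web application's behaviour.

```python
"""Added example (not the patent's code): deep decoding of one field value. Each
decoder is tried only when its encoding feature matches, the multi-layer coding
possibility is updated from a coding tree at every layer, and a path stops when it
falls below a threshold, fails, or makes no progress. All weights are constructed."""
import base64
import html
import re
from urllib.parse import unquote


def _decode_base64(s: str) -> str:
    if len(s) < 8:
        raise ValueError("too short to be a base64 layer")
    text = base64.b64decode(s, validate=True).decode("utf-8")
    if not text.isprintable():
        raise ValueError("base64 payload is not text")
    return text


def _decode_unicode_escape(s: str) -> str:
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


# Encoding features: a symbol or pattern specific to one scheme, and its decoder.
CODECS = {
    "url":     (re.compile(r"%[0-9a-fA-F]{2}"), lambda s: unquote(s, errors="strict")),
    "html":    (re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);"), html.unescape),
    "unicode": (re.compile(r"\\u[0-9a-fA-F]{4}"), _decode_unicode_escape),
    "base64":  (re.compile(r"^(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"),
                _decode_base64),
}

# Coding tree: weight of finding encoding `child` directly under `parent` (None is the
# outermost layer). Constructed values; the patent derives them from traffic data.
CODING_TREE = {
    None:      {"url": 0.9, "html": 0.6, "unicode": 0.5, "base64": 0.5},
    "url":     {"url": 0.5, "html": 0.6, "unicode": 0.6, "base64": 0.5},
    "html":    {"url": 0.6, "html": 0.2, "unicode": 0.5, "base64": 0.4},
    "unicode": {"url": 0.5, "html": 0.5, "unicode": 0.2, "base64": 0.3},
    "base64":  {"url": 0.4, "html": 0.3, "unicode": 0.3, "base64": 0.2},
}
THRESHOLD = 0.05   # below this multi-layer possibility, deeper decoding is not attempted
MAX_DEPTH = 8      # hard stop against pathological inputs


def deep_decode(value: str, threshold: float = THRESHOLD) -> list:
    """Every result decoded value as (path of codecs, value, possibility)."""
    results = []

    def visit(current, path, possibility):
        parent = path[-1] if path else None
        progressed = False
        for name, (feature, decoder) in CODECS.items():
            if not feature.search(current):
                continue
            updated = possibility * CODING_TREE[parent][name]  # update the possibility parameter
            if updated < threshold or len(path) >= MAX_DEPTH:
                continue  # low-possibility deep decoding is terminated here
            try:
                decoded = decoder(current)
            except (ValueError, UnicodeError):
                continue  # this decoding path ends; the others are still tried
            if decoded == current:
                continue  # feature matched but nothing was actually encoded
            progressed = True
            visit(decoded, path + [name], updated)
        if not progressed:
            results.append((tuple(path), current, possibility))

    visit(value, [], 1.0)
    return results


def result_decoded_value(value: str) -> str:
    """The deepest decoding (ties broken by possibility): the value handed to detection."""
    return max(deep_decode(value), key=lambda r: (len(r[0]), r[2]))[1]


# Constructed sample: an HTML-entity-encoded payload wrapped in a base64 layer.
SAMPLE_B64_HTML = base64.b64encode(b"&lt;img src=x onerror=alert(1)&gt;").decode()

if __name__ == "__main__":
    print(result_decoded_value("%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E"))
    print(deep_decode(SAMPLE_B64_HTML))
    print(deep_decode("&amp;amp;amp;lt;"))  # third html layer is cut off by the threshold
```

The threshold is what keeps the search bounded: with the constructed weights, a third consecutive layer of HTML entities scores 0.6 × 0.2 × 0.2 = 0.024 and is never attempted, while URL-inside-URL (0.9 × 0.5) is, which matches how real double-encoding bypasses look.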
Step 3 may be implemented as follows: an automaton is used to recognise whether the result decoded value contains network attack features; if so, the HTTP request is judged to carry a risk of network attack, otherwise it is judged not to. If the automaton recognises network attack features in the result decoded value, the network attack types corresponding to those features are recorded, so that step 4 can perform attack detection targeted at the attack types recorded by the automaton.
This automaton is a deterministic finite state automaton constructed from all the network attack features, so every possible network attack type can be identified in a single scan.
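The single-scan deterministic automaton of step 3, as an added Python example that is not the patent's code: the attack features of every type are compiled into one Aho-Corasick automaton whose failure links are resolved into full transitions, so the scan is a pure DFA and one pass over the result decoded value reports all attack types present, which step 4 can then detect in a targeted way. ATTACK_FEATURES and the sample values are constructed; a real feature set would be far larger.

```python
"""Added example (not the patent's code): a deterministic finite automaton built from
all attack features at once (Aho-Corasick with failure links resolved into full
transitions), so one scan of a result decoded value reports every attack type present."""
from collections import deque

# (attack type, feature). Constructed for illustration; a real WAF carries far more.
ATTACK_FEATURES = [
    ("sqli", "union select"), ("sqli", " or 1=1"), ("sqli", "sleep("),
    ("xss", "<script"), ("xss", "onerror="), ("xss", "javascript:"),
    ("traversal", "../"), ("traversal", "..\\"),
    ("cmdi", "$("), ("cmdi", ";cat "), ("cmdi", "|nc "),
]


class AttackDFA:
    def __init__(self, features):
        self.goto = [{}]      # goto[state] = {char: next state}
        self.out = [set()]    # out[state] = attack types recognised on entering state
        for attack_type, pattern in features:
            state = 0
            for ch in pattern.lower():
                state = self.goto[state].setdefault(ch, self._new_state())
            self.out[state].add(attack_type)
        self._resolve()

    def _new_state(self):
        self.goto.append({})
        self.out.append(set())
        return len(self.goto) - 1

    def _resolve(self):
        """Compute failure links breadth-first, then turn them into real transitions."""
        alphabet = {ch for trans in self.goto for ch in trans}
        fail = [0] * len(self.goto)
        order, queue = [], deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            state = queue.popleft()
            order.append(state)
            for ch, nxt in self.goto[state].items():
                f = fail[state]
                while f and ch not in self.goto[f]:
                    f = fail[f]
                fail[nxt] = self.goto[f].get(ch, 0)
                self.out[nxt] |= self.out[fail[nxt]]   # a suffix may itself be a feature
                queue.append(nxt)
        for ch in alphabet:
            self.goto[0].setdefault(ch, 0)
        for state in order:                              # shallow states first
            for ch in alphabet:
                if ch not in self.goto[state]:
                    self.goto[state][ch] = self.goto[fail[state]][ch]

    def scan(self, text: str) -> set:
        """One pass, one table lookup per character, no backtracking."""
        state, found = 0, set()
        for ch in text.lower():
            state = self.goto[state].get(ch, 0)   # chars outside the alphabet go to root
            found |= self.out[state]
        return found


DETECTOR = AttackDFA(ATTACK_FEATURES)


def risk_estimate(decoded_value: str):
    """(has risk, attack types to hand to the targeted detection of step 4)."""
    types = DETECTOR.scan(decoded_value)
    return bool(types), types


if __name__ == "__main__":
    print(risk_estimate("id=1 UNION SELECT password FROM users"))
    print(risk_estimate("<script>fetch('../../x')</script>"))
    print(risk_estimate("q=hello world"))
```

Because the failure links are folded into the transition table, the scan cost is independent of how many features are loaded; adding a feature enlarges the table, not the per-request work, which is the property that lets the risk estimate run on every request before the heavier targeted detection.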
In addition, in this embodiment traffic shaping may be performed according to customised traffic restriction rules. A traffic restriction rule describes, for example, request headers that are not allowed to appear, a limit on the number of request headers, or a limit on the length of a request header. The user of the product can set customised traffic restriction rules according to the needs of their own Web application.
[ PRODUCT EMBODIMENT 1 ]
Fig. 6 is a schematic structural diagram of a network attack detection apparatus according to embodiment 1 of the present invention. Referring to fig. 6, in the present embodiment, a network attack detection apparatus 10 includes: the parsing module 11, the decoding module 12 and the detecting module 13 specifically:
the parsing module 11 is used for parsing the target field from the request data through an automaton.
The decoding module 12 is configured to decode the field value of the target field parsed by the parsing module 11 to obtain a decoded value of the target field.
The detection module 13 is configured to perform attack detection on the request data according to the decoding value obtained by the decoding module 12.
In the invention, the request data is analyzed through the automaton, so the analysis process of the request data can be executed efficiently.
[ PRODUCT EMBODIMENT 2 ]
Fig. 7 is a schematic structural diagram of a network attack detection apparatus according to product embodiment 2 of the present invention. In this embodiment the direct carrier of the target field may be the request data or a field value in the request data. Accordingly, as shown in Fig. 7, the network attack detection apparatus 10' includes a parsing module 11', a parsing module 12', a decoding module 13' and a detection module 14', specifically:
The parsing module 11' is configured to parse the target field directly from the request data by the first automaton when the direct carrier of the target field is the request data.
The parsing module 12' is configured to parse the target field from the request data by the first automaton and the second automaton when the direct carrier of the target field is a field value in the request data. Specifically, as shown in Fig. 8, the parsing module 12' includes a carrier field parsing unit 121' and a target field parsing unit 122':
The carrier field parsing unit 121' is configured to parse the carrier field from the request data by the first automaton.
The target field parsing unit 122' is configured to parse the target field, by the second automaton, from the field value of the carrier field parsed by the carrier field parsing unit 121'.
The decoding module 13 'and the detecting module 14' are respectively the same as the decoding module 12 and the detecting module 13 in product embodiment 1, and are not described herein again.
[ PRODUCT EMBODIMENT 3 ]
The detection apparatus for network attack provided by this embodiment includes all the contents in product embodiment 2, and is not described herein again. As shown in fig. 9, in the present embodiment, the network attack detection apparatus 10' further includes: a first automata building module 15 'and a second automata building module 16', in particular:
the first automata building module 15' is configured to build the first automata based on a communication standard corresponding to the request data.
The second automaton construction module 16' is configured to construct the second automaton based on the communication standard corresponding to the carrier field.
[ PRODUCT EMBODIMENT 4 ]
The network attack detection apparatus provided by this embodiment includes everything in product embodiment 3, which is not repeated here. The carrier field is, for example, the request body field; accordingly, as shown in Fig. 10, the second automaton construction module 16' includes a determining unit 161' and a construction unit 162', specifically:
The determining unit 161' is configured to determine one or more request body communication standards along the dimension of content type (Content-Type).
The construction unit 162' is configured to construct one or more second automata corresponding to the one or more request body communication standards determined by the determining unit 161'.
[ PRODUCT EMBODIMENT 5 ]
The network attack detection apparatus provided by this embodiment includes all the contents of any one of product embodiment 2 to product embodiment 4, which are not repeated here. As shown in fig. 11, in the present embodiment the target field parsing unit 122' includes a determination component 1221', a selection component 1222' and a parsing component 1223', in particular:
The determination component 1221' is configured to determine the suspected content type of the request body field.
The selection component 1222' is configured to select the second automaton according to the suspected content type determined by the determination component 1221'.
The parsing component 1223' is configured to parse the target field from the field value of the request body field through the second automaton selected by the selection component 1222'.
The invention determines the possible content types of the request body from the body itself and performs the parsing that corresponds to each determined content type, thereby effectively preventing an attacker from using protocol features to bypass attack detection.
[ PRODUCT EMBODIMENT 6 ]
The network attack detection apparatus provided by this embodiment includes all the contents of product embodiment 5, which are not described here again. As shown in fig. 12, in the present embodiment the determination component 1221' includes a matching sub-component 12211' and a determining sub-component 12212', specifically:
The matching sub-component 12211' is configured to match the field value of the request body field against the set media format characteristics.
The determining sub-component 12212' is configured to determine the suspected content type of the request body field according to the media format characteristics successfully matched by the matching sub-component 12211'.
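As an added illustration of product embodiments 5 and 6 (the same steps appear in paragraphs A6 to A8 and claims 6 to 8), not the patent's own code, the following Python sketch infers the content type of a request body from constructed media format signatures instead of the declared header, selects a parser per suspected type, decodes each extracted field value and runs a placeholder detection rule on it. The signatures, the decoding rule and the detection rule are assumptions, and the standard-library JSON and form parsers stand in for the per-format "second automata" of the patent.

```python
import json
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus

# Constructed "set media format characteristics": a signature on the raw body
# and the content type it suggests.  The Content-Type header is not consulted.
MEDIA_SIGNATURES = [
    ("application/json", re.compile(rb"^\s*[\[{]")),
    ("application/x-www-form-urlencoded",
     re.compile(rb"^[^=&\s]+=[^&\s]*(&[^=&\s]*=[^&\s]*)*$")),
]

def suspected_content_types(body: bytes) -> List[str]:
    """Embodiment 6: every content type whose signature matches the body."""
    return [ctype for ctype, sig in MEDIA_SIGNATURES if sig.search(body)]

def _flatten(prefix: str, node, out: Dict[str, str]) -> None:
    """Turn a nested JSON document into dotted-path -> scalar-string pairs."""
    if isinstance(node, dict):
        for key, val in node.items():
            _flatten(f"{prefix}.{key}" if prefix else str(key), val, out)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            _flatten(f"{prefix}[{idx}]", val, out)
    else:
        out[prefix] = "" if node is None else str(node)

def fields_from_json(body: bytes) -> Dict[str, str]:
    """Stand-in for the JSON 'second automaton'; ValueError on malformed input."""
    out: Dict[str, str] = {}
    _flatten("", json.loads(body), out)
    return out

def fields_from_form(body: bytes) -> Dict[str, str]:
    """Stand-in for the form-urlencoded 'second automaton'."""
    parsed = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: vals[-1] for name, vals in parsed.items()}

PARSERS: Dict[str, Callable[[bytes], Dict[str, str]]] = {
    "application/json": fields_from_json,
    "application/x-www-form-urlencoded": fields_from_form,
}

def extract_target_fields(body: bytes, ctypes: List[str]) -> Dict[str, str]:
    """Embodiment 5: run the parser selected for each candidate content type."""
    fields: Dict[str, str] = {}
    for parser in (PARSERS[c] for c in ctypes if c in PARSERS):
        try:
            fields.update(parser(body))
        except ValueError:  # the signature matched but the body does not parse
            continue
    return fields

def decode_value(value: str, max_rounds: int = 3) -> str:
    """Decoding step: peel nested URL encoding, bounded so it cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

# Constructed placeholder rule; a deployment would run its real rule set here.
SUSPICIOUS = re.compile(r"<script\b", re.IGNORECASE)

def detect(body: bytes, trusted_header: Optional[str] = None) -> List[str]:
    """Names of target fields whose decoded value triggers the rule.  With
    trusted_header set, the header alone picks the parser (the weak approach
    the patent avoids); otherwise the body itself is sniffed."""
    ctypes = [trusted_header] if trusted_header else suspected_content_types(body)
    return [name for name, val in extract_target_fields(body, ctypes).items()
            if SUSPICIOUS.search(decode_value(val))]

if __name__ == "__main__":
    # Constructed request: the header claims a form body, but the body is JSON
    # and the payload is URL-encoded inside the JSON string.
    BODY = b'{"user": "alice", "comment": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"}'
    print(detect(BODY, "application/x-www-form-urlencoded"))  # []
    print(detect(BODY))  # ['comment']
```

Trusting the declared header parses the JSON body as a single blank form field and misses the payload, while sniffing the body selects the JSON parser, decodes the value and flags the `comment` field.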
An embodiment of the invention also provides a terminal device, which comprises a memory and a processor; wherein,
the memory is configured to store one or more computer instructions that, when executed by the processor, are capable of performing the method of any one of method embodiments 1 to 5.
Furthermore, embodiments of the present invention also provide a computer storage medium for storing one or more computer instructions, wherein the one or more computer instructions, when executed, are capable of implementing the method of any one of method embodiments 1 to 5.
Those skilled in the art will clearly understand that the present invention may be implemented entirely in software, or by a combination of software and a hardware platform. Based on such understanding, all or part of the technical solutions of the present invention contributing to the background may be embodied in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, a smart phone, a network device, etc.) to execute the method according to each embodiment or some parts of the embodiments of the present invention.
As used herein, the term "software" or the like refers to any type of computer code or set of computer-executable instructions in a general sense that is executed to program a computer or other processor to perform various aspects of the present inventive concepts as discussed above. Furthermore, it should be noted that according to one aspect of the embodiment, one or more computer programs implementing the method of the present invention when executed do not need to be on one computer or processor, but may be distributed in modules in multiple computers or processors to execute various aspects of the present invention.
Computer-executable instructions may take many forms, such as program modules, executed by one or more computers or other devices. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In particular, the operations performed by the program modules may be combined or separated as desired in various embodiments.
Also, technical solutions of the present invention may be embodied as a method, and at least one example of the method has been provided. The actions may be performed in any suitable order and may be presented as part of the method. Thus, embodiments may be configured such that acts may be performed in an order different than illustrated, which may include performing some acts simultaneously (although in the illustrated embodiments, the acts are sequential).
The definitions given and used herein should be understood with reference to dictionaries, definitions in documents incorporated by reference, and/or their ordinary meanings.
In the claims, as well as in the specification above, all transitional phrases such as "comprising," "having," "containing," "carrying," "having," "involving," "consisting essentially of …," and the like are to be understood to be open-ended, i.e., to include but not limited to.
The terms and expressions used in the specification of the present invention have been set forth for illustrative purposes only and are not meant to be limiting. It will be appreciated by those skilled in the art that changes could be made to the details of the above-described embodiments without departing from the underlying principles thereof. The scope of the invention is, therefore, indicated by the appended claims, in which all terms are intended to be interpreted in their broadest reasonable sense unless otherwise indicated.
While various embodiments of the present invention have been described above with particularity, various aspects or features of the teachings of embodiments of the present invention are described below in another form and are not limited to the following series of paragraphs, some or all of which may be assigned alphanumeric characters for the sake of clarity. Each of these paragraphs may be combined with the contents of one or more other paragraphs in any suitable manner. Without limiting examples of some of the suitable combinations, some paragraphs hereinafter make specific reference to and further define other paragraphs.
A1, a method for detecting network attacks, the method comprising:
parsing a target field from the request data through an automaton;
decoding the field value of the target field to obtain a decoded value of the target field;
and carrying out attack detection on the request data according to the decoded value.
A2, the method as in A1, wherein parsing the target field from the request data through the automaton comprises:
parsing the target field directly from the request data through a first automaton.
A3, the method as in A1, wherein parsing the target field from the request data through the automaton comprises:
parsing a bearer field from the request data through a first automaton;
and parsing the target field from the field value of the bearer field through a second automaton.
A4, the method as in A2 or A3, the method further comprising:
constructing the first automaton based on a communication standard corresponding to the request data.
A5, the method as in A3, the method further comprising:
constructing the second automaton based on a communication standard corresponding to the bearer field.
A6, the method as in A5, wherein constructing the second automaton based on the communication standard corresponding to the bearer field comprises:
determining one or more request body communication standards from the dimension of the content type;
and constructing one or more second automata corresponding to the one or more request body communication standards.
A7, the method as in A6, wherein parsing the target field from the field value of the bearer field through the second automaton comprises:
determining a suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
and parsing the target field from the field value of the request body field through the selected second automaton.
A8, the method as in A7, wherein determining the suspected content type of the request body field comprises:
matching the field value of the request body field against the set media format characteristics;
and determining the suspected content type of the request body field according to the successfully matched media format characteristics.
B9, a network attack detection apparatus, the apparatus comprising:
a parsing module configured to parse a target field from the request data through an automaton;
a decoding module configured to decode the field value of the target field to obtain a decoded value of the target field;
and a detection module configured to carry out attack detection on the request data according to the decoded value.
B10, the apparatus as in B9, wherein the parsing module is configured to parse the target field from the request data through the automaton by parsing the target field directly from the request data through a first automaton.
B11, the apparatus as in B9, the parsing module comprising:
a bearer field parsing unit configured to parse a bearer field from the request data through a first automaton;
and a target field parsing unit configured to parse the target field from the field value of the bearer field through a second automaton.
B12, the apparatus as in B10 or B11, the apparatus further comprising:
a first automaton construction module configured to construct the first automaton based on a communication standard corresponding to the request data.
B13, the apparatus as in B11, the apparatus further comprising:
a second automaton construction module configured to construct the second automaton based on a communication standard corresponding to the bearer field.
B14, the apparatus as in B13, wherein the second automaton construction module comprises:
a determination unit configured to determine one or more request body communication standards from the dimension of the content type;
and a construction unit configured to construct one or more second automata corresponding to the one or more request body communication standards.
B15, the apparatus as in B14, the target field parsing unit comprising:
a determination component configured to determine a suspected content type of the request body field;
a selection component configured to select a second automaton according to the suspected content type;
and a parsing component configured to parse the target field from the field value of the request body field through the selected second automaton.
B16, the apparatus as in B15, the determination component comprising:
a matching sub-component configured to match the field value of the request body field against the set media format characteristics;
and a determining sub-component configured to determine the suspected content type of the request body field according to the successfully matched media format characteristics.
C17, a terminal device comprising a memory and a processor; wherein,
the memory is configured to store one or more computer instructions that, when executed by the processor, are capable of implementing the method of any one of A1 to A8.
D18, a computer storage medium storing one or more computer instructions which, when executed, are capable of implementing the method of any one of A1 to A8.

Claims (18)

1. A method for detecting a network attack, the method comprising:
parsing a target field from the request data through an automaton;
decoding the field value of the target field to obtain a decoded value of the target field;
and carrying out attack detection on the request data according to the decoded value.
2. The method of claim 1, wherein parsing the target field from the request data through the automaton comprises:
parsing the target field directly from the request data through a first automaton.
3. The method of claim 1, wherein parsing the target field from the request data through the automaton comprises:
parsing a bearer field from the request data through a first automaton;
and parsing the target field from the field value of the bearer field through a second automaton.
4. The method of claim 2 or 3, wherein the method further comprises:
constructing the first automaton based on a communication standard corresponding to the request data.
5. The method of claim 3, wherein the method further comprises:
constructing the second automaton based on a communication standard corresponding to the bearer field.
6. The method of claim 5, wherein constructing the second automaton based on the communication standard corresponding to the bearer field comprises:
determining one or more request body communication standards from the dimension of the content type;
and constructing one or more second automata corresponding to the one or more request body communication standards.
7. The method of claim 6, wherein parsing the target field from the field value of the bearer field through the second automaton comprises:
determining a suspected content type of the request body field;
selecting a second automaton according to the suspected content type;
and parsing the target field from the field value of the request body field through the selected second automaton.
8. The method of claim 7, wherein determining the suspected content type of the request body field comprises:
matching the field value of the request body field against the set media format characteristics;
and determining the suspected content type of the request body field according to the successfully matched media format characteristics.
9. An apparatus for detecting a network attack, the apparatus comprising:
a parsing module configured to parse a target field from the request data through an automaton;
a decoding module configured to decode the field value of the target field to obtain a decoded value of the target field;
and a detection module configured to carry out attack detection on the request data according to the decoded value.
10. The apparatus of claim 9, wherein the parsing module is configured to parse the target field from the request data through the automaton by parsing the target field directly from the request data through a first automaton.
11. The apparatus of claim 9, wherein the parsing module comprises:
a bearer field parsing unit configured to parse a bearer field from the request data through a first automaton;
and a target field parsing unit configured to parse the target field from the field value of the bearer field through a second automaton.
12. The apparatus of claim 10 or 11, wherein the apparatus further comprises:
a first automaton construction module configured to construct the first automaton based on a communication standard corresponding to the request data.
13. The apparatus of claim 11, wherein the apparatus further comprises:
a second automaton construction module configured to construct the second automaton based on a communication standard corresponding to the bearer field.
14. The apparatus of claim 13, wherein the second automaton construction module comprises:
a determination unit configured to determine one or more request body communication standards from the dimension of the content type;
and a construction unit configured to construct one or more second automata corresponding to the one or more request body communication standards.
15. The apparatus of claim 14, wherein the target field parsing unit comprises:
a determination component configured to determine a suspected content type of the request body field;
a selection component configured to select a second automaton according to the suspected content type;
and a parsing component configured to parse the target field from the field value of the request body field through the selected second automaton.
16. The apparatus of claim 15, wherein the determination component comprises:
a matching sub-component configured to match the field value of the request body field against the set media format characteristics;
and a determining sub-component configured to determine the suspected content type of the request body field according to the successfully matched media format characteristics.
17. A terminal device comprising a memory and a processor; wherein,
the memory is configured to store one or more computer instructions, wherein the one or more computer instructions, when executed by the processor, are capable of implementing the method of any one of claims 1 to 8.
18. A computer storage medium storing one or more computer instructions which, when executed, are capable of implementing the method of any one of claims 1 to 8.
Application CN201710613907.9A, priority date and filing date 2017-07-25: Network attack detection method and device, terminal equipment and computer storage medium. Legal status: Active; granted as CN107426211B (en).

Publications (2)

Publication Number Publication Date
CN107426211A 2017-12-01
CN107426211B 2020-08-14

Family ID: 60431176 (one family application, CN201710613907.9A; country status: CN, CN107426211B)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20190702
Applicant before: BEIJING CHAITIN TECH Co.,Ltd., 100083 Beijing Haidian District College Road No. 5, Building No. 1, Building No. 3, Building No. 1, West 2-007
Applicant after: Beijing Pulsar Technology Co.,Ltd., 100024 Beijing Chaoyang District Guanzhuang Dongli (Chaoyang District Non-staple Food Company) 3 1-storey B26
CB02 Change of applicant information
Applicant before: Beijing Pulsar Technology Co.,Ltd., 100024 Beijing Chaoyang District Guanzhuang Dongli (Chaoyang District Non-staple Food Company) 3 1-storey B26
Applicant after: Beijing Changting Future Technology Co.,Ltd., 100024 B26, floor 1, building 3, Guanzhuang Dongli (non staple food company), Chaoyang District, Beijing
CI02 Correction of invention patent application
Correction item: Applicant|Address
Correct: Beijing Changting Future Technology Co., Ltd|100024 Beijing Chaoyang District Guanzhuang Dongli (Chaoyang District Non-staple Food Company) 3 1-storey B26
False: Beijing Changting Future Technology Co., Ltd|100024 B26, floor 1, building 3, Guanzhuang Dongli (non staple food company), Chaoyang District, Beijing
Number: 07-01; Volume: 36
GR01 Patent grant