CN111708649B - Attack detection method and system for service application system - Google Patents

Publication number: CN111708649B
Authority: CN (China)
Prior art keywords: application system, service application, attack, scheme, schemes
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN202010522156.1A
Other languages: Chinese (zh)
Other versions: CN111708649A (en)
Inventors: 周文泽, 王磊, 吴冕冠, 陆新龙
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/008: Reliability or availability analysis

Abstract

The invention provides an attack detection method and system for a service application system. The method comprises: determining a high availability level of the service application system according to its application system attributes; determining a plurality of corresponding attack schemes according to the high availability level, and forming a combined attack scheme from the plurality of attack schemes; and carrying out attack detection on the service application system according to the combined attack scheme. By simulating faults that may occur in reality, the invention can verify the ability of the service application system to withstand faults and evaluate its high availability.

Description

Attack detection method and system for service application system
Technical Field
The present invention relates to the field of system attack detection technologies, and in particular, to a method and a system for detecting attack of a service application system.
Background
Cloud computing and distributed technologies are now widely used in application architectures. A single business application transaction often involves multiple application interfaces and multiple server nodes. If a node is abnormal while the transaction request flows through it, the transaction fails. Moreover, when individual nodes fail, the request pressure on the remaining nodes increases; if the system cannot repair itself automatically, the remaining nodes fail one after another and the whole system eventually avalanches.
Generally, a service application system built on a distributed, cloud computing architecture is designed with a high availability mechanism, so that service application transactions can still proceed normally when one or more nodes in the system run abnormally. However, because the real environment is very complex, unforeseen errors can occur, the high availability mechanism may not actually take effect, and a large number of transaction errors then occur while the system is serving external requests.
Disclosure of Invention
The invention aims to provide a service application system attack detection method, which is used for verifying the capability of a service application system for bearing faults by simulating faults possibly happening in reality and evaluating the high availability capability of the service application system. Another object of the present invention is to provide a system for detecting attack of a service application system. It is a further object of the invention to provide a computer device. It is a further object of the invention to provide a readable medium.
In order to achieve the above objective, an aspect of the present invention discloses a method for detecting attack of a service application system, including:
determining a high availability level of the service application system according to the application system attribute of the service application system;
determining a plurality of corresponding attack schemes according to the high-availability capacity level, and forming a combined attack scheme according to the plurality of attack schemes;
and carrying out attack detection on the service application system according to the combined attack scheme.
Preferably, the determining a plurality of attack schemes according to the high availability level, and forming a combined attack scheme according to the plurality of attack schemes specifically includes:
determining all preset schemes of the service application system according to the high available capacity level of the service application system and the preset scheme corresponding to each high available capacity level;
determining a historical attack scheme of the service application system according to the system information of the service application system;
and selecting at least two schemes from the preset scheme and the historical attack scheme to be combined to obtain a combined attack scheme.
Preferably, the determining the high availability capability level of the service application system according to the application system attribute of the service application system specifically includes:
determining the fault type of the service application system according to the application system attribute of the service application system;
and determining the high availability level of the service application system according to the fault type of the service application system and the corresponding relation between the preset fault type and the high availability level.
Preferably, the method further comprises:
and obtaining a historical attack scheme according to the historical faults of the service application system.
Preferably, the method further comprises the step of pre-forming the preset scheme:
determining key influencing factors of a business application system, wherein the key influencing factors comprise at least one of IO class, network class and thread class;
and setting a preset scheme for testing key influence factors of the service application system according to the system category.
The invention also discloses a system for detecting attack of the service application system, which comprises:
the system grade determining unit is used for determining the high available capacity grade of the service application system according to the application system attribute of the service application system;
an attack scheme combining unit, configured to determine a plurality of corresponding attack schemes according to the high availability capability level, and form a combined attack scheme according to the plurality of attack schemes;
and the attack detection unit is used for carrying out attack detection on the service application system according to the combined attack scheme.
Preferably, the attack scheme combining unit is specifically configured to determine all preset schemes of the service application system according to the high available capability level of the service application system and preset schemes corresponding to each high available capability level, determine a historical attack scheme of the service application system according to system information of the service application system, and select at least two schemes from the preset schemes and the historical attack scheme to combine to obtain a combined attack scheme.
Preferably, the system level determining unit is specifically configured to determine a fault type of the service application system according to an application system attribute of the service application system, and determine a high availability level of the service application system according to the fault type of the service application system and a preset correspondence between the fault type and the high availability level.
Preferably, the system further comprises:
and the historical fault analysis unit is used for obtaining a historical attack scheme according to the historical faults of the service application system.
Preferably, the system further comprises a scheme presetting unit, which is used for presetting the key influencing factors of the service application system and setting, according to the system category, a preset scheme for testing those key influencing factors, where the key influencing factors comprise at least one of IO class, network class and thread class.
The invention also discloses a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor,
the processor, when executing the program, implements the method as described above.
The invention also discloses a computer readable medium, on which a computer program is stored,
the program, when executed by a processor, implements the method as described above.
The invention determines the high availability level required of the service application system according to its system attributes, determines the corresponding attack schemes according to that level, and forms a combined attack scheme from a plurality of attack schemes. The resulting combined attack scheme directly interferes with the running nodes of the application to carry out attack detection. This verifies the ability of the service application system to withstand the faults produced by the combined attack scheme and evaluates its availability, so that normal operation of service application transactions is ensured through evaluation and architecture design.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of one embodiment of a method for detecting attack by a service application system according to the present invention;
FIG. 2 is a flowchart of a specific embodiment S100 of a method for detecting attack on a service application system according to the present invention;
FIG. 3 is a flowchart of a specific embodiment S200 of a method for detecting attack on a service application system according to the present invention;
FIG. 4 is a flowchart of a method S500 for detecting a service application attack according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method S000 for detecting a service application attack according to one embodiment of the present invention;
FIG. 6 is a block diagram illustrating one embodiment of a system for detecting attacks on a business application system in accordance with the present invention;
FIG. 7 is a block diagram illustrating a system for detecting a business application system attack in accordance with one embodiment of the present invention including a historical failure analysis unit;
FIG. 8 is a block diagram illustrating a system for detecting a business application system attack in accordance with one embodiment of the present invention, including a scheme preset unit;
FIG. 9 shows a schematic diagram of a computer device suitable for use in implementing embodiments of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
According to one aspect of the invention, this embodiment discloses an attack detection method for a service application system. As shown in FIG. 1, in this embodiment the method includes:
S100: determining the high availability level of the service application system according to the application system attributes of the service application system.
S200: determining a plurality of corresponding attack schemes according to the high availability level, and forming a combined attack scheme from the plurality of attack schemes.
S300: carrying out attack detection on the service application system according to the combined attack scheme.
The invention determines the high availability level required of the service application system according to its system attributes, determines the corresponding attack schemes according to that level, and forms a combined attack scheme from a plurality of attack schemes. The resulting combined attack scheme directly interferes with the running nodes of the application to carry out attack detection. This verifies the ability of the service application system to withstand the faults produced by the combined attack scheme and evaluates its availability, so that normal operation of service application transactions is ensured through evaluation and architecture design.
In a preferred embodiment, as shown in FIG. 2, step S100 may specifically include:
S110: determining the fault type of the service application system according to the application system attributes of the service application system.
S120: determining the high availability level of the service application system according to its fault type and the preset correspondence between fault types and high availability levels.
It can be understood that, in this preferred embodiment, the high availability levels of service application systems are divided into grades, a reasonable fault attack rule is formulated for each level, attack schemes suited to the fault type of the service application system are selected, and the combined attack schemes are arranged and generated automatically, so that the high availability architecture designed for the application can actually reach its target. Because the available attack schemes are first determined from the high availability level of the service application system and only then combined into combined attack schemes, attack schemes with a good detection effect can be identified quickly and efficiently, which avoids the low detection efficiency of testing a massive number of attack schemes one by one.
In a specific example, each service application system may be assigned a high availability level according to the requirements that attributes such as its fault type place on its high availability. Assuming levels 1 to 5, level 1 allows the service system to go down, provided only that the standby server is started within N minutes, while level 5 requires that no abnormality in any node of the system affects the normal operation of the whole system. In other embodiments, the division of high availability levels may be determined according to the actual situation, which the present invention does not limit.
In a preferred embodiment, as shown in FIG. 3, step S200 may specifically include:
S210: determining all preset schemes of the service application system according to its high availability level and the preset schemes corresponding to each high availability level.
S220: determining the historical attack schemes of the service application system according to the system information of the service application system.
S230: selecting at least two schemes from the preset schemes and the historical attack schemes and combining them to obtain a combined attack scheme.
It will be appreciated that, in this preferred embodiment, a large number of preset schemes may be stored in advance in the exercise warehouse and then divided, by high availability level, into the preset schemes corresponding to each level, with a fault boundary formulated for each level. When each combined attack scheme is generated for fault injection, only the fault types required by the current level need to be selected, which makes the fault injection more targeted and effective. Assuming that the exercise warehouse has 100 schemes, 3 schemes are selected for superposition in each combined attack scheme, the exercise is neededA scheme. And after the application high availability capacity grade is divided according to the application high availability capacity grade, only 40 fault types are needed to be exercised, only a plurality of schemes are needed to be exercised, and the exercise efficiency is greatly improved.
Furthermore, in this preferred embodiment the exercise warehouse holds two kinds of scheme. One is the historical attack schemes, formed from faults that have occurred historically; the other is the preset schemes, formed from faults that testers consider may occur in the system. Rather than waiting for new faults to occur, schemes aimed at different technical architectures can be formulated by analysing the application's technical architecture and entered into the warehouse in advance, so that targeted fault tests can be conducted.
In a preferred embodiment, the method may further comprise:
S400: obtaining a historical attack scheme according to the historical faults of the service application system.
It can be understood that, in this preferred embodiment, a historical fault that occurred during the past operation and detection of the service application system under test indicates that the corresponding service transaction may cause problems in the service application system. A historical attack scheme can be formed from the transaction information corresponding to the historical fault and used in subsequent attack detection of service application systems of the same type, which makes attack detection more comprehensive.
In a preferred embodiment, as shown in FIG. 4, the method may further comprise:
S510: when the detection result of an attack detection is abnormal, setting the combined attack scheme corresponding to that attack detection as a fault attack scheme.
S520: counting how often the detection result of each fault attack scheme is abnormal across the attack detection of a plurality of service application systems, and determining the use priority of the fault attack scheme according to that abnormal frequency.
S530: carrying out attack detection on the service application systems with the fault attack schemes in order of use priority.
It can be understood that, in this preferred embodiment, each combined attack scheme whose detection result is abnormal is marked, and the probability of each combined attack scheme causing a system abnormality is counted, so that a use priority is set for the combined attack schemes with abnormal results. When a drill scheme is generated, the combined attack schemes with a high priority are used first for attack detection, which improves the efficiency of fault detection. It should be noted that these fault attack schemes can supplement the conventional way of forming combined attack schemes, improving the efficiency and accuracy of attack detection.
In a preferred embodiment, as shown in FIG. 5, the method may further include a step S000 of forming the preset schemes in advance:
S010: determining key influencing factors of the service application system, where the key influencing factors comprise at least one of IO class, network class and thread class.
S020: setting, according to the system category, a preset scheme for testing the key influencing factors of the service application system.
It can be appreciated that, in this preferred embodiment, the key influencing factors of different service application systems are obtained by analysing the characteristics of those systems, and preset schemes for the different key influencing factors are entered for targeted detection. The key influencing factors include at least one of IO class, network class and thread class. For example, for a service application system with high IO, a fault method centred on IO can be entered, for example raising IO for 30 seconds every 10 minutes, combined with a CPU abnormality at the same time. For a service application system with high network consumption, faults such as network delay and network packet loss can be injected. For applications with complex threading, thread faults can be injected, such as aborting their threads.
Therefore, by analysing the high availability level of the application, the preset schemes for the key influencing factors applicable to the service application system are selected and combined with the historical attack schemes and the fault attack schemes that carry a use priority; all of these schemes can then be randomly combined to arrange a plurality of combined attack schemes. Compared with a purely random attack scheme, the schemes used in this method are more targeted, can be generated according to the architectural characteristics of the application, and are more realistic because some of the combined fault types are cases that actually happened in the past. Compared with purely manual fault arrangement, the schemes have a degree of randomness, can break out of the testers' habitual thinking, and provide more possible fault combinations.
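The selection, combination and prioritisation steps S100 to S530 can be sketched as follows. This is an added example, not code from the patent; every attribute, fault type, scheme name and log entry is constructed, and treating the "40 fault types" as 40 schemes in `search_space` is an assumption.

```python
from collections import Counter
from itertools import combinations
from math import comb

# Everything below is constructed for illustration; the patent names no concrete
# attributes, fault types or schemes beyond its IO/network/thread examples.

# S110: application attribute -> fault type the system must tolerate.
ARCH_TO_FAULT_TYPE = {
    "active_standby": "standby_failover",
    "clustered": "single_node_loss",
    "multi_site": "any_node_abnormal",
}
# S120: preset correspondence between fault type and availability level (1-5).
FAULT_TYPE_TO_LEVEL = {
    "standby_failover": 1,
    "single_node_loss": 3,
    "any_node_abnormal": 5,
}
# S210: exercise warehouse, preset schemes per level as (name, key factor).
PRESETS_BY_LEVEL = {
    1: [("standby_start_within_n_min", "node")],
    3: [
        ("io_raise_30s_every_10min", "io"),
        ("cpu_abnormal", "io"),  # the text pairs this with the IO scheme
        ("network_delay", "network"),
        ("network_packet_loss", "network"),
        ("thread_abort", "thread"),
    ],
}
# S220/S400: historical schemes derived from past faults, keyed by system name.
HISTORICAL = {"payments": ["db_pool_exhausted"]}

# Constructed system under test and constructed results of earlier drills.
SYSTEM = {"name": "payments", "architecture": "clustered",
          "key_factors": ["io", "network"]}
DETECTION_LOG = [
    (("network_delay", "network_packet_loss"), True),
    (("network_delay", "network_packet_loss"), True),
    (("io_raise_30s_every_10min", "cpu_abnormal"), True),
    (("cpu_abnormal", "network_delay"), False),
]


def availability_level(attrs):
    """S100: attributes -> fault type -> high availability level."""
    return FAULT_TYPE_TO_LEVEL[ARCH_TO_FAULT_TYPE[attrs["architecture"]]]


def candidate_schemes(attrs):
    """S210 + S220: presets for the level and key factors, plus historical ones."""
    factors = set(attrs["key_factors"])
    level = availability_level(attrs)
    presets = [name for name, factor in PRESETS_BY_LEVEL.get(level, [])
               if factor in factors]
    return presets + HISTORICAL.get(attrs["name"], [])


def combined_schemes(candidates, size=2):
    """S230: every combination of `size` (at least two) schemes, stable order."""
    if size < 2:
        raise ValueError("a combined attack scheme needs at least two schemes")
    return list(combinations(sorted(set(candidates)), size))


def prioritize(combos, detection_log):
    """S510-S530: combos that produced abnormal results most often come first."""
    abnormal = Counter(tuple(sorted(c)) for c, bad in detection_log if bad)
    return sorted(combos, key=lambda c: (-abnormal[c], c))


def search_space(n_schemes, size=3):
    """How many combined schemes exist when `size` schemes are superimposed."""
    return comb(n_schemes, size)


if __name__ == "__main__":
    combos = combined_schemes(candidate_schemes(SYSTEM))
    for combo in prioritize(combos, DETECTION_LOG):
        print(combo)
    print(search_space(100), "vs", search_space(40))
```

The thread-class preset is filtered out because the constructed system lists only IO and network as key factors, which is the targeting effect the paragraph above describes.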
In a preferred embodiment, the attack detection of the service application system according to the combined attack scheme may be carried out by a high availability analysis device for service application systems. The high availability analysis device may comprise an automatic evaluation module, a chaos engineering module, a stress test module and a monitoring module.
The automatic evaluation module is used for determining the test information of the service application system to be tested according to a user's test request, forming an attack instruction from the test information, and transmitting the attack instruction to the chaos engineering module.
The chaos engineering module is used for forming a stress test instruction according to the attack instruction, forming an attack plan for testing the high availability of the system, and carrying out fault attacks on the service application system to be tested according to the attack plan, where the attack plan is formed from the combined attack schemes. A fault attack is a reliability detection method that injects faults into the service application system to make some of its nodes abnormal, thereby testing whether the service application system can still provide service normally when some nodes are abnormal and so determining its high availability. At present, software-based fault injection is common: faults at the hardware level are caused by generating errors at the software level. There are many injection modes, such as modifying memory data, generating faults through application software, or generating faults through underlying software such as the operating system.
The stress test module is used for receiving the stress test instruction transmitted by the chaos engineering module, forming test information according to the stress test instruction, and initiating service transaction requests to the service application system to be tested according to the test information.
The monitoring module is used for monitoring the transaction process information of the service application system as it responds to the service transaction requests, so that the service application system can be evaluated from that information to obtain a high availability fault analysis result.
It can be understood that, through the automatic evaluation module, the chaos engineering module, the stress test module and the monitoring module, the device turns the customisation of fault attacks into a workflow, controls the fault attacks and monitors the transaction processing of the service application system. It thereby achieves automatic high availability analysis of the service application system and avoids the inefficiency of existing analysis systems, which need frequent user intervention to carry out high availability analysis. The high availability analysis device can automatically generate and execute attack plans and stress tests according to the user's test request, and can handle a large number of containers or server nodes at one time. In addition, there is no need to monitor manually whether the external service of the service application system is normal during a fault attack: the monitoring module monitors the running state of the service application system during the test to determine whether the system is highly available, which improves test efficiency and reduces the complexity of testing the service application system.
In a preferred embodiment, the automatic evaluation module may receive or acquire a preset test request from the user, where the test request includes at least the system information of the service application system to be tested. From the test request, the automatic evaluation module can determine the information of the service application system to be tested, and therefore its test information and the high availability level of the system. An attack instruction is then formed from the test information and transmitted to the chaos engineering module for the subsequent high availability test. Preferably, the automatic evaluation module may transmit the attack instruction to the chaos engineering module through an API (Application Program Interface). Similarly, the chaos engineering module may also transmit the attack plan to the stress test module by forming an API interface.
In a preferred embodiment, the chaos engineering module is specifically configured to obtain the test information of the service application system to be tested according to the attack instruction, determine a stress test plan according to the test information, form a stress test instruction from the test information and the stress test plan, and transmit the stress test instruction to the stress test module.
It can be understood that the chaos engineering module transmits the stress test instruction, which includes the test information and the stress test plan, to the stress test module mainly as an HTTP request and asks it to carry out a stress test task. The stress test module can then execute the stress test plan according to the preset information to simulate normal service transactions, so that high availability detection, analysis and evaluation of the service application system are carried out in its actual working environment.
In a preferred embodiment, the stress test module is specifically configured to determine, according to the stress test instruction, test information consisting of the server address, request access path, request parameters, request success return state, request failure return state and number of requests initiated per second for the service application system to be tested, and to initiate service transaction requests to the service application system to be tested through an application server according to the test information.
It will be appreciated that the stress test module already stores a stress test plan for the specific service application system, and that a stress test plan mainly contains the following information: the server address of the service application system to be tested, the request access path, the request parameters, the request success return state, the request failure return state and the number of requests initiated per second. After the stress test task is started, the stress test module follows the preset mode in the stress test plan, initiates requests to the application server over HTTP or RPC, collects the transaction process information returned by the application server, and judges from that information, such as the "request success return state" and the "request failure return state", whether the application server can respond normally.
In a preferred embodiment, the chaotic engineering module is specifically configured to combine at least two of a plurality of preset attack schemes to obtain a plurality of combined attack schemes, time-arrange the plurality of combined attack schemes to obtain an attack plan, and transmit the attack plan to an application server, so that the application server sequentially inputs the combined attack schemes into the service application system to be tested to perform fault attack.
It can be understood that the chaotic engineering module mainly provides the user with the ability to orchestrate drills of combined attack schemes: at least two of the multiple attack schemes, each for a different fault, are combined to obtain multiple combined attack schemes, and these combined attack schemes are then planned and arranged along a timeline to obtain a complete attack plan. An API interface for automatically generating the drill scheme is also provided.
More preferably, the chaotic engineering module can send the arranged fault attack plan to the application server by means such as an HTTP request, and the attack plan is preferably described in the JSON data format. In one specific example, the attack plan in data format may be expressed as:
In a preferred embodiment, the application server runs an Agent client. The client mainly receives the HTTP request of the chaotic engineering module and, after receiving the request, stores the JSON data of the attack plan in a local SQLite database. When the system reaches the specified time xxxxA, it starts a fault execution thread; within that thread, a specified fault is executed when its fault start offset time is reached, and the fault is ended and normal operation restored when its fault end offset time is reached.
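The flow described above (combine at least two schemes, arrange the combinations on a timeline, send the plan as JSON, store it in SQLite on the Agent, act on start and end offsets) is shown here as an added Python example; it is not the patent's code or its JSON format. The scheme names, the JSON field names, the allowlist and the duration bound are all assumptions, and the agent only records which faults would be active instead of injecting anything.

```python
import itertools
import json
import sqlite3

# Constructed sample data: every scheme name and field below is an assumption.
PRESET_SCHEMES = {
    "io_disk_latency": {"factor": "IO", "duration_s": 60},
    "network_delay": {"factor": "network", "duration_s": 90},
    "thread_pool_exhaustion": {"factor": "thread", "duration_s": 45},
}
HISTORICAL_SCHEMES = {"db_connection_drop": {"factor": "network", "duration_s": 30}}
ALL_SCHEMES = {**PRESET_SCHEMES, **HISTORICAL_SCHEMES}
MAX_FAULT_SECONDS = 300  # assumed safety bound enforced by the agent


def combine_schemes(preset, historical, size=2):
    """Return every combination of `size` (at least two) schemes from both pools."""
    if size < 2:
        raise ValueError("a combined scheme needs at least two schemes")
    names = sorted(set(preset) | set(historical))
    return list(itertools.combinations(names, size))


def build_plan(combos, schemes, start_time, gap_s=30):
    """Arrange combinations on one timeline.

    Faults inside a combination start together; the next combination starts
    gap_s seconds after the longest fault of the previous one has ended.
    """
    plan, offset = {"start_time": start_time, "faults": []}, 0
    for combo in combos:
        for name in combo:
            plan["faults"].append({
                "name": name,
                "combo": "+".join(combo),
                "start_offset_s": offset,
                "end_offset_s": offset + schemes[name]["duration_s"],
            })
        offset += max(schemes[n]["duration_s"] for n in combo) + gap_s
    return plan


def validate_plan(plan, allowed=ALL_SCHEMES):
    """Refuse plans that name unknown faults or carry unsafe timing."""
    if (not isinstance(plan, dict) or not isinstance(plan.get("start_time"), int)
            or not plan.get("faults")):
        raise ValueError("plan needs an integer start_time and at least one fault")
    for fault in plan["faults"]:
        try:
            name, start, end = fault["name"], fault["start_offset_s"], fault["end_offset_s"]
        except (KeyError, TypeError) as exc:
            raise ValueError("malformed fault entry") from exc
        if name not in allowed:
            raise ValueError(f"fault not on the allowlist: {name!r}")
        if not (isinstance(start, int) and isinstance(end, int)):
            raise ValueError("offsets must be integers")
        if start < 0 or not 0 < end - start <= MAX_FAULT_SECONDS:
            raise ValueError(f"unsafe timing for {name!r}")


class Agent:
    """Agent-side bookkeeping only: it stores and schedules, it injects nothing."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS fault "
            "(name TEXT, combo TEXT, start_at INTEGER, end_at INTEGER)"
        )

    def receive(self, body):
        """Parse the JSON body of a plan request, validate it, persist it."""
        plan = json.loads(body)
        validate_plan(plan)
        t0 = plan["start_time"]
        rows = [
            (f["name"], f["combo"], t0 + f["start_offset_s"], t0 + f["end_offset_s"])
            for f in plan["faults"]
        ]
        with self.db:  # one transaction: all faults of a plan or none
            self.db.executemany("INSERT INTO fault VALUES (?, ?, ?, ?)", rows)
        return len(rows)

    def active_faults(self, now):
        """Faults that should be in effect at `now` (end time is exclusive)."""
        cur = self.db.execute(
            "SELECT name FROM fault WHERE start_at <= ? AND ? < end_at ORDER BY name",
            (now, now),
        )
        return [row[0] for row in cur]
```

Validating against an allowlist and a duration bound before the plan is persisted matters because the Agent's HTTP endpoint is the component that can degrade a server on request.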
In a preferred embodiment, the monitoring module is configured to obtain at least one of application monitoring information, service monitoring information and application container monitoring information of a service application system in response to a service transaction request, obtain transaction process information, determine whether the transaction process information is abnormal according to historical transaction information, and if so, send alarm information to the chaotic engineering module.
More preferably, the monitoring module may monitor, through the application server, the transaction process information of the service application system responding to service transaction requests. Specifically, a monitoring thread can additionally be set up in the Agent client of the application server; through an HTTP interface, the application server periodically reports to the monitoring module at least one of the acquired application monitoring information, service monitoring information and application container monitoring information of the service application system responding to the service transaction request. The monitoring module can then determine from this transaction process information whether the service application system is abnormal, and evaluate the service application system to obtain a high-availability fault analysis result.
It is understood that in one specific example, the monitoring module may include a steady state monitoring unit and a monitoring analysis unit. The steady state monitoring unit may include an application monitoring subunit, a service monitoring subunit, and an application container monitoring subunit. Specifically, in the system architecture, various monitoring components are integrated in the service application system, and each component sends its monitoring information to the corresponding monitoring subunit. For example, the application monitoring component may upload the number of business transactions per second, the transaction success rate and the failure rate (the request succeeds but the business transaction fails) to the application monitoring subunit. The service monitoring component may upload the transaction volume, success rate and failure rate (the request fails directly, e.g., a 500 error or a 404 error) of the technical service components involved in the transaction to the service monitoring subunit. Because application systems run in different kinds of containers, the application container monitoring subunit may include a PaaS module and an IaaS module. The monitoring component of a PaaS container reports the CPU, memory and disk IO of the application container to the PaaS module, and the monitoring component of an IaaS container sends information such as the CPU, memory and disk IO of the application server to the IaaS module.
The monitoring analysis unit can use AIOps monitoring for anomaly early warning. AIOps monitoring mainly acquires and processes, in real time and by way of Kafka messages, the monitoring information obtained by the steady-state monitoring unit, and fits and compares it against the historical transaction behaviour. If a large difference from the historical behaviour is found, an alarm is sent to the chaotic engineering module, indicating that the test result is abnormal; even if the system reports no errors, the test task is deemed to have failed.
Therefore, the high availability fault analysis result obtained by evaluating the service application system is judged mainly by AIOps monitoring. In a distributed system that is highly available, the system can still work normally after individual nodes become abnormal, so the result cannot be determined simply from the "steady state monitoring" data. Furthermore, even when the "steady state monitoring" data is normal, for example the CPU is only slightly higher, the number of business transactions per second may fluctuate greatly compared with the past, in which case the high availability of the whole system is not up to standard; this fluctuation needs to be identified by "AIOps monitoring".
Business transactions corresponding to the business application system can be constructed and then input into the business application system to simulate its normal business transaction process. Attacks are then launched against the node servers of the system according to the combined attack scheme, to detect whether various attacks during the normal business transaction process cause the business application system to become abnormal. The system can monitor and analyze its business transactions in various monitoring modes; if the information in the business transaction process is abnormal, the detection result is considered abnormal and can be fed back to the technician, who improves and redesigns the system architecture of the business application system, so that the effectiveness of the business application system can be continuously improved. Of course, in other embodiments, other existing attack detection methods may be used to detect the service application system, which is not limited by the present invention.
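The point made above, that static steady-state readings can look normal while transactions per second fluctuate far outside their historical range, is illustrated by the following added Python example, which is not taken from the patent. The patent does not say how the fitting comparison is done; the median/MAD outlier test, all thresholds and the sample figures are assumptions.

```python
import statistics

# Assumed limits; none of these values comes from the patent.
CPU_MAX_PCT = 80.0        # static steady-state limit on CPU
FAILURE_RATE_MAX = 0.01   # static steady-state limit on failed requests
Z_LIMIT = 3.5             # robust z-score above which a TPS sample is an outlier
OUTLIER_SHARE_MAX = 0.2   # share of outlying samples that raises the alarm


def steady_state_ok(window):
    """Static-threshold view: looks only at CPU and failure rate."""
    return (window["cpu_pct"] <= CPU_MAX_PCT
            and window["failure_rate"] <= FAILURE_RATE_MAX)


def outlier_share(history_tps, observed_tps):
    """Share of observed TPS samples that lie far from the historical median."""
    if len(history_tps) < 3 or not observed_tps:
        raise ValueError("need at least 3 historical samples and 1 observation")
    med = statistics.median(history_tps)
    mad = statistics.median(abs(v - med) for v in history_tps)
    # 1.4826 * MAD estimates the standard deviation for normal data; the floor
    # keeps a perfectly flat history from turning every sample into an outlier.
    scale = max(1.4826 * mad, 0.01 * abs(med), 1e-9)
    outliers = sum(1 for v in observed_tps if abs(v - med) / scale > Z_LIMIT)
    return outliers / len(observed_tps)


def assess(history_tps, window):
    """Combine both views; the drill passes only if neither one objects."""
    steady = steady_state_ok(window)
    share = outlier_share(history_tps, window["tps"])
    alarm = share > OUTLIER_SHARE_MAX
    return {
        "steady_state_ok": steady,
        "outlier_share": share,
        "alarm": alarm,               # what would be sent to the drill controller
        "test_passed": steady and not alarm,
    }


# Constructed samples. In FAULT_WINDOW the CPU is only slightly higher and no
# request fails, and the mean TPS (495.5) is close to history, yet the
# per-second values swing widely.
HISTORY_TPS = [500, 505, 498, 502, 497, 503, 499, 501, 504, 496]
CALM_WINDOW = {"cpu_pct": 55.0, "failure_rate": 0.0,
               "tps": [499, 503, 501, 497, 502, 500]}
FAULT_WINDOW = {"cpu_pct": 62.0, "failure_rate": 0.0,
                "tps": [500, 430, 560, 410, 575, 498]}

if __name__ == "__main__":
    for label, window in (("calm", CALM_WINDOW), ("fault", FAULT_WINDOW)):
        print(label, assess(HISTORY_TPS, window))
```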
Based on the same principle, as shown in fig. 6, the embodiment also discloses a system for detecting attack of the service application system. The system includes a system level determination unit 11, an attack scenario combination unit 12, and an attack detection unit 13.
Wherein the system level determining unit 11 is configured to determine a high availability capability level of the service application system according to an application system attribute of the service application system.
The attack scenario combining unit 12 is configured to determine a corresponding plurality of attack scenarios according to the high available capability level, and form a combined attack scenario according to the plurality of attack scenarios.
The attack detection unit 13 is configured to perform attack detection on the service application system according to the combined attack scheme.
In a preferred embodiment, the attack scenario combining unit 12 is specifically configured to determine all preset scenarios of the service application system according to the high available capability level of the service application system and preset scenarios corresponding to each high available capability level, determine a historical attack scenario of the service application system according to system information of the service application system, and select at least two scenarios from the preset scenarios and the historical attack scenario to combine to obtain a combined attack scenario.
In a preferred embodiment, the system level determining unit 11 is specifically configured to determine a fault type of the service application system according to an application system attribute of the service application system, and determine a high availability level of the service application system according to the fault type of the service application system and a correspondence between a preset fault type and the high availability level.
In a preferred embodiment, as shown in fig. 7, the system further comprises a historical failure analysis unit 14. The historical fault analysis unit 14 is configured to obtain a historical attack scenario according to a historical fault of the service application system.
In a preferred embodiment, as shown in fig. 8, a recipe presetting unit 10 is further included. The scheme presetting unit 10 is configured to preset key influencing factors of the service application system, and set a preset scheme for testing the key influencing factors of the service application system according to the system category, where the key influencing factors include at least one of an IO class, a network class, and a thread class.
Since the principle of solving the problem of the system is similar to that of the above method, the implementation of the system can be referred to the implementation of the method, and will not be repeated here.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
In a typical example, the computer apparatus includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to implement a method performed by a client as described above, or where the processor executes the program to implement a method performed by a server as described above.
Referring now to FIG. 9, a schematic diagram of a computer device 600 suitable for use in implementing embodiments of the present application is shown.
As shown in fig. 9, the computer apparatus 600 includes a Central Processing Unit (CPU) 601, which can perform various appropriate works and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data required for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, mouse, etc.; an output portion 607 including a Cathode Ray Tube (CRT), a liquid crystal display (LCD), and the like, and a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on drive 610 as needed, so that a computer program read therefrom is installed into the storage section 608 as needed.
In particular, according to embodiments of the present invention, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present application.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, the embodiments are described in a progressive manner; for parts that are identical or similar between embodiments, the embodiments may be referred to one another, and each embodiment mainly describes its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for relevant details, see the corresponding part of the description of the method embodiments.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (8)

1. The attack detection method for the service application system is characterized by comprising the following steps:
determining a high availability level of the service application system according to the application system attribute of the service application system;
determining a plurality of corresponding attack schemes according to the high-availability capacity level, and forming a combined attack scheme according to the plurality of attack schemes;
performing attack detection on the service application system according to the combined attack scheme;
the determining the high availability capability level of the service application system according to the application system attribute of the service application system specifically comprises the following steps:
determining the fault type of the service application system according to the application system attribute of the service application system;
determining the high availability level of the service application system according to the fault type of the service application system and the corresponding relation between the preset fault type and the high availability level;
the determining a plurality of corresponding attack schemes according to the high availability capacity level, and forming a combined attack scheme according to the plurality of attack schemes specifically includes:
determining all preset schemes of the service application system according to the high available capacity level of the service application system and the preset scheme corresponding to each high available capacity level;
determining a historical attack scheme of the service application system according to the system information of the service application system;
and selecting at least two schemes from the preset scheme and the historical attack scheme to be combined to obtain a combined attack scheme.
2. The method for detecting a service application system attack according to claim 1, further comprising:
and obtaining a historical attack scheme according to the historical faults of the service application system.
3. The attack detection method of a service application system according to claim 1, further comprising the step of pre-forming the preset scheme:
determining key influencing factors of a business application system, wherein the key influencing factors comprise at least one of IO class, network class and thread class;
and setting a preset scheme for testing key influence factors of the business application system according to the system category.
4. A system for attack detection by a service application system, comprising:
the system grade determining unit is used for determining the high available capacity grade of the service application system according to the application system attribute of the service application system;
an attack scheme combining unit, configured to determine a plurality of corresponding attack schemes according to the high availability capability level, and form a combined attack scheme according to the plurality of attack schemes;
the attack detection unit is used for carrying out attack detection on the service application system according to the combined attack scheme;
the system grade determining unit is specifically configured to determine a fault type of the service application system according to an application system attribute of the service application system, and determine a high availability grade of the service application system according to the fault type of the service application system and a preset correspondence between the fault type and the high availability grade;
the attack scheme combining unit is specifically configured to determine all preset schemes of the service application system according to the high available capability level of the service application system and preset schemes corresponding to each high available capability level, determine a historical attack scheme of the service application system according to system information of the service application system, and select at least two schemes from the preset schemes and the historical attack scheme to combine to obtain a combined attack scheme.
5. The system for detecting a business application system attack of claim 4, further comprising:
and the historical fault analysis unit is used for obtaining a historical attack scheme according to the historical faults of the service application system.
6. The attack detection system according to claim 4, further comprising a scheme presetting unit configured to pre-determine key influencing factors of the service application system, and set a preset scheme for testing the key influencing factors of the service application system according to a system class, where the key influencing factors include at least one of an IO class, a network class, and a thread class.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that,
the processor implementing the method according to any of claims 1-3 when executing the program.
8. A computer readable medium having a computer program stored thereon, characterized in that,
the program, when executed by a processor, implements a method as claimed in any one of claims 1-3.
CN202010522156.1A 2020-06-10 2020-06-10 Attack detection method and system for service application system Active CN111708649B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010522156.1A CN111708649B (en) 2020-06-10 2020-06-10 Attack detection method and system for service application system

Publications (2)

Publication Number Publication Date
CN111708649A CN111708649A (en) 2020-09-25
CN111708649B true CN111708649B (en) 2024-04-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant