CN112583774A - Method and device for detecting attack flow, storage medium and electronic equipment - Google Patents


Info

Publication number
CN112583774A
Authority
CN
China
Prior art keywords
client
attack
identification
request
information
Prior art date
Legal status
Pending
Application number
CN201910944399.1A
Other languages
Chinese (zh)
Inventor
赖文杰
刘燚
Current Assignee
Beijing Guancheng Technology Co ltd
Original Assignee
Beijing Guancheng Technology Co ltd
Application filed by Beijing Guancheng Technology Co ltd
Priority to CN201910944399.1A
Publication of CN112583774A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device, a storage medium and electronic equipment for detecting attack traffic. The method comprises the following steps: acquiring request information sent by a client and generating identification information corresponding to the client according to the request information; matching the identification information with a preset attack tool identification library and, when the identification information matches the attack tool identification library, matching it with a preset white traffic identification library; when the identification information does not match the white traffic identification library, judging whether an abnormality exists according to the request information; and when the request information is abnormal, determining that the client has an attack behavior. With this method, device, storage medium and electronic equipment, various identifications can be collected more comprehensively, identification collisions can be detected, and the judgment error of a single identification library is avoided; whether the client is abnormal is further judged by a behavior detection mechanism, so the detection accuracy is improved.

Description

Method and device for detecting attack flow, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of attack traffic detection, in particular to a method and a device for detecting attack traffic, a storage medium and electronic equipment.
Background
At present, the detection of attack behavior of encrypted data is more and more important, and the detection of HTTPS (Hyper Text Transfer Protocol Secure) attack flow is always a difficult point.
Some existing detection schemes detect based on traffic behavior, but in certain fixed scenarios service requests and attack tools have similar traffic behavior and cannot be told apart by traffic behavior alone. If only the JA3 fingerprint (a TLS fingerprint created by three people, John B. Althouse, Jeff Atkinson and Josh Atkins) is used, then under high traffic volume the JA3 fingerprint of a normal application may collide with the JA3 fingerprint of an attack tool, i.e. the two fingerprints are identical, so the detection accuracy for attack behavior is low and the result is unsatisfactory.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide a method, an apparatus, a storage medium, and an electronic device for detecting an attack traffic.
In a first aspect, an embodiment of the present invention provides a method for detecting attack traffic, including:
acquiring request information sent by a client, and generating identification information corresponding to the client according to the request information;
matching the identification information with a preset attack tool identification library, and matching the identification information with a preset white flow identification library when the identification information is matched with the attack tool identification library;
when the identification information is not matched with the white traffic identification library, judging whether abnormality exists according to the request information;
and when the request information is abnormal, determining that the client has an attack behavior.
In a second aspect, an embodiment of the present invention further provides an apparatus for detecting attack traffic, including:
the acquisition module is used for acquiring request information sent by a client and generating identification information corresponding to the client according to the request information;
the matching module is used for matching the identification information with a preset attack tool identification library, and when the identification information is matched with the attack tool identification library, the identification information is matched with a preset white traffic identification library;
the abnormality judgment module is used for judging whether an abnormality exists according to the request information when the identification information does not match the white traffic identification library;
and the processing module is used for determining that the client has the attack behavior when the request information is abnormal.
In a third aspect, an embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer-executable instructions, and the computer-executable instructions are used in any one of the above methods for detecting attack traffic.
In a fourth aspect, an embodiment of the present invention further provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of attack traffic detection described in any one of the above.
In the solution provided by the first aspect of the embodiments of the present invention, whether a client has a suspicion of an attack behavior is comprehensively determined based on a preset attack tool identifier library and a white traffic identifier library, and then further determined based on content in a request message sent by the client, so as to finally determine whether the client has an attack behavior. The method presets an attack tool identifier library and a white flow identifier library, can collect various identifiers more comprehensively, can detect identifier collision and avoid judgment errors of a single identifier library; meanwhile, whether the client is abnormal or not is further judged based on a behavior detection mechanism based on whether abnormal information related to the attack behavior exists in the judgment request information or not, so that the judgment can be more accurately carried out, and the detection accuracy is improved.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a method for detecting attack traffic according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a specific method for determining whether there is an anomaly according to request information in the method for detecting attack traffic according to the embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating an apparatus for detecting attack traffic according to an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of an electronic device for performing a method for detecting attack traffic according to an embodiment of the present invention.
Detailed Description
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "length", "width", "thickness", "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", "clockwise", "counterclockwise", and the like, indicate orientations and positional relationships based on those shown in the drawings, and are used only for convenience of description and simplicity of description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus, should not be considered as limiting the present invention.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
In the present invention, unless otherwise expressly specified or limited, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can, for example, be fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The method for detecting the attack traffic provided by the embodiment of the invention is executed by the local equipment, and the local equipment can be a server or other equipment. Referring to fig. 1, the method includes:
step 101: acquiring request information sent by the client, and generating identification information corresponding to the client according to the request information.
In the embodiment of the invention, the client can be a device, a browser or an application program which communicates with the local device, and when the client communicates with the local device, the client needs to send request information; for a client with an attack, the client also needs to send request information. Specifically, the request information may be a message requesting establishment of a communication connection, for example, the request information may be a handshake message. After the request message is obtained, the identification information corresponding to the client can be generated based on the field in the request message; meanwhile, by selecting one or more fields with unique numerical values in the request message, the identification information uniquely corresponding to the client can be generated.
Step 102: matching the identification information with a preset attack tool identification library, and when the identification information matches the attack tool identification library, matching the identification information with a preset white traffic identification library.
In the embodiment of the invention, an attack tool identification library is preset. Specifically, various attack tools available on the market or on the network are collected and run on different operating systems; the corresponding attack tool identifiers are collected from the request information the tools send, and the collected identifiers are added to the attack tool identifier library. Here, "different attack tools" refers to attack tools with different names, or with the same name but different version numbers; correspondingly, "different operating systems" refers to operating systems with different names, or with the same name but different version numbers. The name of a collected attack tool identifier may take the format attack tool name + attack tool version number + operating system name + operating system version number, for example BurpSuite_V1.2_Win10_V10.0.1.174. In this embodiment, the attack tool refers to a web attack tool, for example Burp Suite, Acunetix AWVS, Detectify or w3af; the attack types covered by such tools can be divided into web scanning/probing and web vulnerability exploitation. In addition, since new attack tools appear continuously over time, the attack tool identification library can be updated in real time.
In the embodiment of the invention, the identification information sent by the client is matched with the attack tool identification library, so that whether the identification information is consistent with one of the attack tool identifications can be judged, if the identification information is consistent with the attack tool identification library, the identification information is matched with the attack tool identification library, and the client has higher probability of being an attack tool. In order to avoid the erroneous judgment as much as possible, the further judgment is performed based on the preset white traffic identifier library in this embodiment.
In the embodiment of the invention, similarly to the establishment of the attack tool identifier library, legitimate identifiers, namely white traffic identifiers, are collected from legitimate clients to generate the white traffic identifier library. In order to avoid gaps in the white traffic collection, the white traffic identifiers in this embodiment are divided into browser identifiers, system startup and update identifiers, mobile terminal application identifiers, and other device application identifiers. Specifically: multiple browsers of different historical versions are collected, and the browser identifiers generated by the different browsers under different operating systems are recorded; the traffic of the operating system startup process and system update process, such as TLS (Transport Layer Security) traffic, is collected, and the corresponding system startup and update identifiers are extracted from it; the traffic of mobile terminal application software, such as Android and iOS applications, is collected, and the corresponding mobile terminal application identifiers are extracted from it; and the traffic of application software on other devices (such as personal computers) is collected, and the corresponding other device application identifiers are extracted from it. The white traffic identification library is generated from all browser identifiers, system startup and update identifiers, mobile terminal application identifiers and other device application identifiers.
After the white traffic identification library is generated, when request information sent by a client is received, whether the identification information of the request information is matched with the white traffic identification in the white traffic identification library or not can be judged as required.
Step 103: when the identification information does not match the white traffic identification library, judging whether an abnormality exists according to the request information.
Step 104: when the request information is abnormal, determining that the client has an attack behavior.
In the embodiment of the invention, when the identification information is matched with the white flow identification library, namely the identification information is consistent with a certain white flow identification, the identification information is consistent with the attack tool identification and the white flow identification, namely the attack tool identification and the white flow identification collide, and the request information can be preliminarily taken as normal flow so as to avoid misjudgment. If the identification information is not matched with the white traffic identification library, it is indicated that the request information corresponding to the identification information is most likely to be a request initiated by an attack tool, and in this embodiment, further determination is performed based on other contents in the request information, so as to determine whether the request information is abnormal, and further determine whether the client has an attack behavior. Specifically, for an attack behavior, the corresponding request information may include one or more items of abnormal information matched with the attack behavior, or the abnormal information may be counted according to the plurality of pieces of request information, and when the abnormal information exists, it may be determined that the client has the attack behavior, and the client is an attack tool.
Optionally, the attack tool identifier in the attack tool identifier library is provided with corresponding attack tool information, where the attack tool information includes one or more of an attack tool name, an attack tool version, and an attack tool operation platform, and the attack tool operation platform may specifically include an operating system name, an operating system version number, and the like, where the attack tool operates; for example, the name of the attack tool identifier is named by "attack tool name + attack tool version number + operating system name + operating system version number", and then the name of the attack tool identifier can be used as the corresponding attack tool information. And when the request information is abnormal, determining the attack tool information of the attack tool identification matched with the identification information in the attack tool identification library, and outputting the attack tool information of the attack tool identification matched with the identification information, so that the attack tool matched with the client side is accurately positioned.
The method for detecting the attack traffic, provided by the embodiment of the invention, comprehensively judges whether the client has the suspicion of the attack behavior based on the preset attack tool identification library and the white traffic identification library, and then further judges based on the content in the request message sent by the client to finally determine whether the client has the attack behavior. The method presets an attack tool identifier library and a white flow identifier library, can collect various identifiers more comprehensively, can detect identifier collision and avoid judgment errors of a single identifier library; meanwhile, whether abnormal information related to the attack behavior exists in the request information is judged, so that whether the client is abnormal can be further judged based on a behavior detection mechanism, the judgment can be more accurately carried out, and the detection accuracy is improved.
On the basis of the foregoing embodiment, the request information includes a handshake message, and the step 101 "generating identification information corresponding to the client according to the request information" includes:
step A1: determining a plurality of fields in the handshake message and determining one or more values in each field, the handshake message comprising a plurality of the following fields: a protocol version number field, a cipher suite field, an extension information field, an elliptic curve field and an elliptic curve point format field.
In the embodiment of the invention, during the handshake between the client and the local device, the client sends the handshake message. Specifically, the handshake message is a TLS handshake message: the client initiates a TLS request by sending a ClientHello message, and the handshake message (i.e. the ClientHello message) generally includes a protocol version number field (TLSVersion), a cipher suite field (Ciphers) and an extension information field (Extensions); in addition, when an elliptic curve key exchange algorithm is to be used, the handshake message may further include an elliptic curve field (EllipticCurves) and an elliptic curve point format field (EllipticCurvePointFormats). The cipher suite field comprises the cipher suites and their length, and each cipher suite generally specifies a key exchange, a signature algorithm, an encryption algorithm and a hash algorithm; each entry in the extension field generally includes three parts: Type, Length and Data.
Step A2: all values in the fields are connected in series to form an integral character string, and fingerprint identification of the client is generated according to the integral character string; and taking the fingerprint identification as identification information of the client.
In this embodiment, all the values of the fields are concatenated to form one overall string: the fields are separated from each other by a comma ',' and the values within each field are separated by a hyphen '-'. The MD5 hash value of the resulting string is then calculated, producing the 32-character JA3 fingerprint, which is the fingerprint identification of the client.
In addition, when the attack tool identifier library and the white traffic identifier library are generated in advance, the identifier in each identifier library may also be a corresponding fingerprint, that is, in step 102, the fingerprint identifier may be compared with the corresponding fingerprint in the identifier library.
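The following is an added example, not code from the patent, of steps A1/A2 in Python: it parses the five JA3-relevant fields out of a ClientHello handshake message, joins them with ',' between fields and '-' between values, and takes the MD5 hash. The sample ClientHello is constructed in the block (hypothetical values), and one caveat the patent text does not mention is applied: the JA3 reference implementation drops GREASE values (RFC 8701) before hashing, since Chrome randomises them per connection and keeping them would give the same browser a different fingerprint on every request, defeating the library matching of step 102.

```python
"""JA3 fingerprint from the ClientHello fields of steps A1/A2 (added example)."""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. The JA3 reference
# implementation drops them before hashing; the patent text does not mention
# this, but without it every Chrome ClientHello would hash differently, because
# Chrome randomises which GREASE values it sends on each connection.
GREASE = {(0x10 * i + 0x0a) * 0x101 for i in range(16)}

SUPPORTED_GROUPS_EXT = 10   # "elliptic curves" field
EC_POINT_FORMATS_EXT = 11   # "elliptic curve point formats" field


def parse_client_hello(msg):
    """Extract version, random and the four JA3 lists from a ClientHello
    handshake message (4-byte handshake header followed by the body)."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    version = struct.unpack("!H", body[:2])[0]
    random = body[2:34]
    pos = 34
    pos += 1 + body[pos]                                  # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                  # skip compression_methods
    extensions, curves, point_formats = [], [], []
    if pos < len(body):
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == SUPPORTED_GROUPS_EXT:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS_EXT:
                point_formats = list(data[1:1 + data[0]])
    return {"version": version, "random": random, "ciphers": ciphers,
            "extensions": extensions, "curves": curves, "point_formats": point_formats}


def _join(values):
    """Values inside one field are joined with '-' (GREASE values removed)."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_from_client_hello(msg):
    """Return (JA3 string, 32-character MD5 fingerprint) for a ClientHello."""
    f = parse_client_hello(msg)
    ja3 = ",".join([str(f["version"]), _join(f["ciphers"]), _join(f["extensions"]),
                    _join(f["curves"]), _join(f["point_formats"])])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version, random, ciphers, extensions):
    """Serialise a ClientHello from the same fields; used only to construct the
    sample message below, not part of the detection logic."""
    body = struct.pack("!H", version) + random + b"\x00"      # empty session_id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                         # one compression method: null
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body


# Constructed sample: TLS 1.2 legacy version (771), one GREASE cipher and one
# GREASE extension, SNI, supported groups, point formats and ALPN "h2".
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303, bytes(range(32)),
    [0x1a1a, 0x1301, 0x1302, 0xc02b],
    [(0x2a2a, b""),
     (0, struct.pack("!HBH", 14, 0, 11) + b"example.com"),
     (SUPPORTED_GROUPS_EXT, struct.pack("!HHHH", 6, 0x2a2a, 0x001d, 0x0017)),
     (EC_POINT_FORMATS_EXT, b"\x01\x00"),
     (16, struct.pack("!HB", 3, 2) + b"h2")],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```

For the sample message the JA3 string is `771,4865-4866-49195,0-10-11-16,29-23,0`; the GREASE cipher 0x1a1a, extension 0x2a2a and group 0x2a2a are absent from it, which is what keeps the fingerprint stable across a browser's connections.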
Optionally, the request information may further include a client address, and then an address pair is generated based on the client address and a local address of the local device, and the address pair is added to the identification information. Specifically, an IP (Internet Protocol) address may be used to generate an IP address pair, that is, the client address is specifically a client IP address, the local address is a local IP address, clients with different behaviors may be distinguished more accurately based on the address pair, and when request information of the same client in a subsequent statistical preset time period is counted, introduction of other clients may be avoided.
It should be noted that, since the IP address is not fixed, the attack tool identifier library and the white traffic identifier library do not include address pairs, and the matching process in step 102 does not require matching address pairs, but only requires fingerprint identifier matching.
On the basis of the foregoing embodiment, before step 102 "matching the identification information with a preset attack tool identification library", the method further includes:
step B1: obtaining the identical request messages sent by a client within a preset time period and determining the corresponding request frequency.
Step B2: and when the request frequency is greater than the preset frequency value, matching the identification information of the client with a preset attack tool identification library.
Since the attack behavior is generally high-frequency abnormal behavior, the embodiment of the invention preliminarily filters out non-abnormal behavior based on the request frequency of the client, namely filters out request information with lower request frequency, and considers the request information as normal information. In the embodiment, the low-frequency flow is not considered, so that the processing amount can be reduced, and the detection efficiency can be improved. The unit of the request frequency in this embodiment may be times/minute, the corresponding preset frequency value may be 20 times/minute, 30 times/minute, and the like, and other values may also be set based on experience, which is not limited in this embodiment.
On the basis of the above embodiment, when the identification information matches the white traffic identification library, further determination is made based on the browser parameters in the request information. Specifically, the method further comprises:
step C1: and when the identification information is matched with the white traffic identification library, judging whether browser parameters exist in the request information.
Step C2: when browser parameters exist in the request information, determining that the client is normal; and when the browser parameters do not exist in the request information, executing a process of judging whether the abnormality exists according to the request information.
In the embodiment of the invention, when the identification information is matched with the white traffic identification library, the client is a legal client with a normal higher probability; in order to avoid misjudgment, judging based on browser parameters in request information, and when the request information contains the browser parameters, indicating that the request information is sent based on a browser, and determining that the client is normal at the moment because an attack tool is different from the browser; otherwise, the client still has an abnormal suspicion, and then, the client can determine whether there is an abnormality based on the process of determining whether there is an abnormality according to the request information in step 103.
Specifically, when the request message is a TLS handshake message, the browser parameters include a GREASE (Generate Random Extensions And Sustain Extensibility) entry and an ALPN (Application-Layer Protocol Negotiation) entry. The GREASE entry is a reserved extension type value in the ClientHello of the TLS protocol, is generally sent by Google's Chrome browser, and when a GREASE entry exists the request can be regarded as normal traffic sent by a browser. ALPN is application layer protocol negotiation, also typically performed by a browser, and when an ALPN entry is present the request can likewise be taken as normal traffic from a browser.
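The decision flow of steps 102 to 104 together with the browser-parameter branch of steps C1/C2, written out in Python as an added example (not the patent's code). The two libraries are constructed: their keys stand in for the 32-character fingerprints of step A2, the attack-tool values use the "name_version_OS_OSversion" format from the text with a hypothetical tool name, and the outcome of the behaviour check of step 103 is passed in as a boolean since that step is its own procedure.

```python
"""Decision flow of steps 102 to 104 with the browser-parameter branch of
steps C1/C2 (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Optional

ALPN_EXT = 16  # TLS extension type: application_layer_protocol_negotiation


def is_grease(ext_type):
    """True for the GREASE extension values 0x0a0a, 0x1a1a, ..., 0xfafa."""
    return (ext_type & 0x0f0f) == 0x0a0a and (ext_type >> 8) == (ext_type & 0xff)


def has_browser_parameters(extensions):
    """Step C1: a GREASE or ALPN entry in the ClientHello extension list is
    taken as a browser parameter, as the text describes."""
    return any(is_grease(e) or e == ALPN_EXT for e in extensions)


# Constructed libraries keyed by fingerprint. Real keys would be the 32-character
# JA3 hashes; the labels below are placeholders. The attack-tool library stores
# tool information in the "name_version_OS_OSversion" format from the text
# (ScannerTool is a hypothetical name).
ATTACK_TOOL_LIBRARY = {
    "fp-tool-only": "ScannerTool_V1.2_Win10_V10.0.1.174",
    "fp-collision": "ScannerTool_V1.3_Ubuntu_V18.04",
}
WHITE_TRAFFIC_LIBRARY = {
    "fp-collision": "browser",          # same fingerprint as a tool: a collision
    "fp-white-only": "system_update",
}


@dataclass
class Verdict:
    attack: bool
    reason: str
    tool_info: Optional[str] = None     # filled only when an attack is determined


def detect(fingerprint, extensions, request_abnormal,
           attack_lib=ATTACK_TOOL_LIBRARY, white_lib=WHITE_TRAFFIC_LIBRARY):
    """`request_abnormal` is the outcome of step 103 (behaviour detection on the
    request information), computed elsewhere and passed in."""
    tool_info = attack_lib.get(fingerprint)
    if tool_info is None:
        # step 102: no attack-tool identifier matched, nothing further to do
        return Verdict(False, "identifier not in attack tool library")
    if fingerprint in white_lib:
        # identifier collision: matched both libraries. Treat as normal traffic
        # when browser parameters are present (step C2); otherwise fall through
        # to the behaviour check.
        if has_browser_parameters(extensions):
            return Verdict(False, "collision with white traffic (%s), browser parameters present"
                           % white_lib[fingerprint])
    # steps 103/104: no white match, or a white match without browser parameters
    if request_abnormal:
        return Verdict(True, "request information abnormal", tool_info)
    return Verdict(False, "request information not abnormal")


if __name__ == "__main__":
    print(detect("fp-collision", [0x1a1a, 0, ALPN_EXT], request_abnormal=True))
    print(detect("fp-tool-only", [0, 10, 11], request_abnormal=True))
```

The collision case is the one worth watching operationally: a fingerprint present in both libraries is only cleared when the request also carries a browser parameter, and a white-library hit without one still goes through the behaviour check, so a tool that merely reuses a browser's cipher and extension list does not get a free pass.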
On the basis of the above embodiment, in the step 103 "determining whether there is an abnormality according to the request information", a plurality of behaviors of the client may be detected, and when there is one or more behaviors, the behavior of the client may be determined to be abnormal. Specifically, as shown in fig. 2, "determining whether there is an abnormality according to the request information" includes:
step 1031: counting a plurality of identical request messages sent by a client within a preset time period to generate statistical detection parameters, and determining protocol detection parameters of the request message; the statistical detection parameters comprise one or more of request frequency, port distribution continuity, flow time interval variance and packet length variance of downlink data packets, and the protocol detection parameters comprise one or more of the random value, the number of consecutive visible characters in the random value, the repetition rate of the random value across a plurality of request messages, and the number of cipher suites;
step 1032: and when at least one of the statistical detection parameters and the protocol detection parameters is abnormal, determining that the client is abnormal.
In the embodiment of the invention, each request message comprises corresponding protocol detection parameters, such as random values and the like; meanwhile, the corresponding statistical detection parameters, such as request frequency and the like, can also be determined based on the statistical results of the plurality of request information. When at least one parameter is abnormal, the client side can be determined to have abnormality. Specifically, the client abnormality can be determined when one parameter is abnormal; for example, when the request frequency is abnormal, it may be determined that the client is abnormal. Or, the client is determined to be abnormal only when a plurality of parameters are abnormal; for example, at least two parameter anomalies are required to determine a client anomaly. In this embodiment, since the preliminary determination is performed based on the two identifier libraries in step 102, and it needs to be determined whether the request information of the abnormal process in step 103 has a high probability of being abnormal, the client may be considered to be abnormal when there is an abnormality in one parameter. At this time, a parameter may be determined, and then whether the parameter is abnormal or not may be determined; if the parameter is abnormal, it is not necessary to judge whether other parameters are abnormal, so that the processing amount can be reduced, and the processing efficiency can be further improved.
The statistical detection parameters and the protocol detection parameters in this embodiment may each include multiple parameters, and "at least one of the statistical detection parameters and the protocol detection parameters" refers to one or more of the request frequency, port distribution continuity, flow time interval variance, packet length variance of downlink data packets, the random value, the number of consecutive visible characters in the random value, the repetition rate of the random value across multiple request messages, and the number of cipher suites.
In an embodiment of the present invention, the process of "generating the statistical detection parameters" in step 1031 includes: one or more of a process of generating a request frequency, a process of generating port distribution continuity, a process of generating a stream time interval variance, and a process of generating a packet length variance of a downstream packet.
Specifically, the process of generating the request frequency includes:
step D1: generating the request frequency f of the client from the number n of identical request messages sent by the client within a preset time period, as
f = n / t,
where t is the duration of the preset time period.
The process of generating port distribution continuity includes:
step D2: counting all ports used by a client in a preset time period, determining a port value of each port, and sequencing all the port values according to the size of the port values; determining a median of the port values, taking the port value matched with the median as a standard port value, and taking a plurality of port values adjacent to the standard port value as effective port values; and when the sequence of the standard port value and the effective port value is equal in difference, determining that the port distribution has continuity.
In the embodiment of the invention, when the client establishes connections with the local device, and in particular when an attack tool does so, a plurality of connections are established and therefore a plurality of ports are used. The median M of the port values of all the ports is taken; if the median M corresponds to the y-th port value, the y-th port value is the standard port value, and the port values adjacent to the y-th port value are the effective port values. In this embodiment, "adjacent to the standard port value" refers to port values within a certain distance of the standard port value and is not limited to the two port values on either side of it. For example, the (y-2)-th, (y-1)-th, (y+1)-th and (y+2)-th port values may all be effective port values. When the sequence formed by the standard port value and the effective port values has equal differences (an arithmetic progression), the port distribution is determined to have continuity. For example, if the five port values from the (y-2)-th to the (y+2)-th are arranged with equal differences, the port distribution has continuity; otherwise it has no continuity. When the number of ports is even, two standard port values may be determined from the median; the number of standard port values is not specifically limited in this embodiment.
The process of generating the flow time interval variance includes:
step D3: determining the stream time interval t_i between each two time-adjacent request messages sent by the client within a preset time period, and determining the mean of all stream time intervals
t̄ = (1/n1) Σ_{i=1}^{n1} t_i,
and further calculating the flow time interval variance
(1/n1) Σ_{i=1}^{n1} (t_i − t̄)²,
where n1 is the number of stream time intervals determined within the preset time period.
In the embodiment of the invention, each request message has a corresponding time parameter, and the time parameter can be the time when the client sends the request message or the time when the local device receives the request message; the time interval between two time-adjacent request messages is the stream time interval, and the corresponding stream time interval variance can be determined based on all the stream time intervals.
The process of generating the packet length variance of the downlink data packet comprises the following steps:
step D4: determining the packet length x_i of each downlink data packet received by the client within a preset time period, and determining the mean of all packet lengths
x̄ = (1/n2) Σ_{i=1}^{n2} x_i,
and further calculating the packet length variance
(1/n2) Σ_{i=1}^{n2} (x_i − x̄)²,
where n2 is the number of downlink data packets determined within the preset time period.
In the embodiment of the present invention, when the request frequency is greater than a certain threshold (for example, 100 requests per minute), the request frequency of the client is abnormally high and the client may be considered abnormal. Since the ports used by an attack tool are distributed with continuity, when the port distribution has continuity the client's port usage is abnormal, that is, the client is considered abnormal. If the flow time interval variance is small (for example, less than 5), the client is sending request messages at a regular or even periodic pace, and the client may be considered abnormal. After receiving the request information sent by the client, the local device sends a corresponding data packet, namely a downlink data packet, to the client; if the packet length variance of the downlink data packets is small (for example, less than 5), the client is very probably requesting the same data packet repeatedly, and in that case the client may also be considered abnormal.
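The four statistical detection parameters of steps D1 to D4, together with the threshold checks of the preceding paragraph, as an added example in Python. This is not the patent's code: the record layout (time seen, client source port, downlink packet length), the choice of two neighbours on each side of the median for the port window, and the two constructed record sets are this example's assumptions; the thresholds (100 requests per minute, variance below 5) are the description's illustrations.

```python
"""Statistical detection parameters (steps D1 to D4) over one client's traffic.

Added example, not the patent's code. The thresholds (100 requests per minute,
variance below 5, an arithmetic progression of port values) are the ones the
description uses as illustrations; both record sets are constructed.
"""

# Constructed records: (time the request was seen in seconds, client source port,
# length of the downlink packet answering it). A scripted tool: one request every
# 0.5 s, sequential ephemeral ports, identical reply sizes, 120 requests a minute.
TOOL_LIKE_RECORDS = [(0.5 * i, 50000 + i, 512) for i in range(120)]

# Constructed records of an ordinary client over the same 60 s window.
BROWSER_LIKE_RECORDS = [
    (0.0, 51234, 1380), (2.1, 49222, 612), (17.4, 60001, 1380),
    (18.0, 52311, 288), (41.5, 55555, 1024),
]


def population_variance(values):
    """Mean of the squared deviations from the mean, as in the D3 and D4 formulas."""
    if not values:
        return 0.0
    m = sum(values) / len(values)
    return sum((v - m) ** 2 for v in values) / len(values)


def request_frequency(n, t_seconds):
    """D1: f = n / t, expressed here in requests per minute."""
    return n / (t_seconds / 60.0)


def port_distribution_continuous(ports, neighbours=2):
    """D2: sort the port values, take the median as the standard port value and
    `neighbours` values on each side as effective port values; the distribution
    has continuity when that window is an arithmetic progression."""
    values = sorted(ports)
    if len(values) < 2 * neighbours + 1:
        return False
    mid = len(values) // 2                    # even counts: the upper middle value
    window = values[mid - neighbours:mid + neighbours + 1]
    steps = {b - a for a, b in zip(window, window[1:])}
    return len(steps) == 1 and steps.pop() != 0   # one common difference, ports not all equal


def stream_interval_variance(times):
    """D3: variance of the intervals t_i between time-adjacent requests."""
    ordered = sorted(times)
    return population_variance([b - a for a, b in zip(ordered, ordered[1:])])


def packet_length_variance(lengths):
    """D4: variance of the downlink packet lengths x_i."""
    return population_variance(lengths)


def statistical_detection(records, window_seconds, freq_threshold=100.0, var_threshold=5.0):
    """Compute the four parameters; return (parameters, names of the abnormal ones)."""
    times, ports, lengths = (list(col) for col in zip(*records))
    params = {
        "request_frequency": request_frequency(len(records), window_seconds),
        "port_continuity": port_distribution_continuous(ports),
        "interval_variance": stream_interval_variance(times),
        "packet_length_variance": packet_length_variance(lengths),
    }
    checks = (("request_frequency", params["request_frequency"] > freq_threshold),
              ("port_continuity", params["port_continuity"]),
              ("interval_variance", params["interval_variance"] < var_threshold),
              ("packet_length_variance", params["packet_length_variance"] < var_threshold))
    return params, [name for name, hit in checks if hit]


if __name__ == "__main__":
    for label, recs in (("tool-like", TOOL_LIKE_RECORDS), ("browser-like", BROWSER_LIKE_RECORDS)):
        print(label, statistical_detection(recs, window_seconds=60.0))
```

The variance checks use the population variance over the intervals and lengths actually observed in the window, which matches the 1/n1 and 1/n2 normalisation of the formulas above; note that the "less than 5" threshold is unit-dependent (seconds squared here), so a deployment has to fix the unit before the number means anything.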
Further, the protocol detection parameters can generally be determined directly from the request information. Specifically, the random number among the protocol detection parameters may be the value of the Random field in the TLS handshake message; if the random numbers are all 0 or all 1, the "random number" was not generated randomly, and the client may be considered abnormal. If the number of consecutive visible characters in the random number is large, for example greater than 10, the random number was very likely not generated randomly, and the client may likewise be considered abnormal. The number of encryption suites can be determined from the ciphersuites value in the TLS ClientHello, that is, the number of encryption suites the client offers to the local device for selection; if this number is too large (for example, greater than 40), the client can be considered abnormal. Further, from the random number values in the plurality of request messages, a repetition rate of the random number value may be determined; for example, if 5 of 10 random values are completely identical, the repetition rate is 50%. A high repetition rate also indicates that the random number is not randomly generated, and the client is then considered abnormal.
Optionally, when the client is determined to be abnormal on the basis of the parameters, a corresponding abnormal behavior point may be generated; for example, if all the random values of the client are 0, the corresponding abnormal behavior point is "random values all 0". The abnormal behavior of the client can then be conveniently analyzed on the basis of the abnormal behavior points, and whether the client's behavior is abnormal can subsequently be judged more accurately.
The method for detecting attack traffic provided by the embodiment of the invention first judges comprehensively, on the basis of the preset attack tool identification library and white traffic identification library, whether the client is suspected of attack behavior, and then judges further on the basis of the content of the request messages sent by the client to finally determine whether the client has attack behavior. By presetting both an attack tool identification library and a white traffic identification library, the method can collect identifiers more comprehensively and can detect identifier collisions, avoiding the judgment errors of a single identifier library; at the same time, a behavior detection mechanism further judges whether the client is abnormal on the basis of whether the request information contains abnormal information related to attack behavior, so that the judgment is more accurate and detection accuracy is improved. Whether an identifier collision has occurred can be effectively judged from the browser parameters in the request information; the request information of the client is judged comprehensively from multiple statistical detection parameters and protocol detection parameters, so that the client's behavior can be evaluated more accurately and the detection result is more reliable. Moreover, the corresponding attack tool information can be determined from the attack tool identification library, so that the attack tool matching the client can be accurately located.
The above describes in detail the flow of the method for detecting attack traffic, which may also be implemented by a corresponding apparatus, and the structure and function of the apparatus are described in detail below.
An apparatus for detecting attack traffic, which is provided in an embodiment of the present invention and is shown in fig. 3, includes:
an obtaining module 31, configured to obtain request information sent by a client, and generate identification information corresponding to the client according to the request information;
the matching module 32 is configured to match the identification information with a preset attack tool identification library, and when the identification information is matched with the attack tool identification library, match the identification information with a preset white traffic identification library;
an anomaly determination module 33, configured to determine whether an anomaly exists according to the request information when the identification information is not matched with the white traffic identification library;
and the processing module 34 is configured to determine that the client has an attack behavior when the request information is abnormal.
On the basis of the foregoing embodiment, the request information includes a handshake message, and the generating, by the obtaining module 31, the identification information corresponding to the client according to the request information includes:
determining a plurality of fields in the handshake message, and determining one or more values in each field, wherein the handshake message comprises a plurality of the following fields: a protocol version number field, a cipher suite field, an extension information field, an elliptic curve cipher field, and an elliptic curve cipher format field;
all values in the fields are connected in series to form an integral character string, and a fingerprint identifier of the client is generated according to the integral character string; and taking the fingerprint identification as the identification information of the client.
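The fingerprint generation just described (obtaining module 31, claim 2) and the protocol detection parameters of the method description (random value, run of visible characters, repetition rate, number of encryption suites) both start from the fields of the TLS ClientHello, so one added Python example covers both. It is not the patent's code and not any library's: hashing the concatenated field string with MD5 is this example's assumption (the description only says an identifier is generated from the string), "all 0 or all 1" is read as every bit zero or every bit one, the 50% repetition-rate threshold is an assumption, and the ClientHello bytes are constructed by build_client_hello rather than captured.

```python
"""TLS ClientHello fingerprint (claim 2) and protocol detection parameters.

Added example, not the patent's or any library's code. The fingerprint joins
the values of the version, cipher-suite, extension, elliptic-curve and
EC-point-format fields into one string; hashing it with MD5 is an assumption.
Thresholds: run of visible characters > 10 and cipher suites > 40 are the
description's illustrations, repetition rate > 50% is an assumption.
"""
import hashlib
import struct
from collections import Counter

SUPPORTED_GROUPS = 0x000A   # extension carrying the elliptic curves
EC_POINT_FORMATS = 0x000B   # extension carrying the EC point formats


def build_client_hello(random32, cipher_suites, groups, point_formats):
    """Assemble a TLS 1.2 ClientHello record (constructed test input)."""
    ext_groups = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext_formats = bytes([len(point_formats)]) + bytes(point_formats)
    exts = b"".join(struct.pack("!HH", t, len(b)) + b
                    for t, b in ((SUPPORTED_GROUPS, ext_groups), (EC_POINT_FORMATS, ext_formats)))
    body = (b"\x03\x03" + random32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the fields used by the fingerprint and the protocol checks."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 9                                           # past record (5) and handshake (4) headers
    version = struct.unpack_from("!H", record, p)[0]; p += 2
    random32 = record[p:p + 32]; p += 32
    p += 1 + record[p]                              # session id
    cs_len = struct.unpack_from("!H", record, p)[0]; p += 2
    cipher_suites = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                              # compression methods
    ext_len = struct.unpack_from("!H", record, p)[0]; p += 2
    end, extensions, groups, point_formats = p + ext_len, [], [], []
    while p + 4 <= end:
        ext_type, body_len = struct.unpack_from("!HH", record, p); p += 4
        body = record[p:p + body_len]; p += body_len
        extensions.append(ext_type)
        if ext_type == SUPPORTED_GROUPS:
            groups = [struct.unpack_from("!H", body, i)[0] for i in range(2, len(body), 2)]
        elif ext_type == EC_POINT_FORMATS:
            point_formats = list(body[1:1 + body[0]])
    return {"version": version, "random": random32, "cipher_suites": cipher_suites,
            "extensions": extensions, "groups": groups, "point_formats": point_formats}


def fingerprint(hello):
    """Claim 2: join all field values into one string and derive the identifier."""
    parts = []
    for key in ("version", "cipher_suites", "extensions", "groups", "point_formats"):
        value = hello[key]
        parts.append("-".join(str(v) for v in value) if isinstance(value, list) else str(value))
    return hashlib.md5(",".join(parts).encode()).hexdigest()   # hash choice is an assumption


def longest_visible_run(random32):
    """Longest run of printable ASCII bytes (0x20-0x7E) in the Random field."""
    best = run = 0
    for b in random32:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best


def protocol_detection(hellos, visible_threshold=10, suite_threshold=40, repeat_threshold=0.5):
    """Protocol detection parameters over one client's ClientHellos: (params, abnormal names)."""
    randoms = [h["random"] for h in hellos]
    params = {
        "random_constant": any(r in (b"\x00" * 32, b"\xff" * 32) for r in randoms),
        "visible_run": max(longest_visible_run(r) for r in randoms),
        "random_repetition_rate": Counter(randoms).most_common(1)[0][1] / len(randoms),
        "cipher_suite_count": max(len(h["cipher_suites"]) for h in hellos),
    }
    checks = (("random_constant", params["random_constant"]),
              ("visible_run", params["visible_run"] > visible_threshold),
              ("random_repetition_rate", len(hellos) > 1 and params["random_repetition_rate"] > repeat_threshold),
              ("cipher_suite_count", params["cipher_suite_count"] > suite_threshold))
    return params, [name for name, hit in checks if hit]


# Constructed samples: an ordinary client with fresh randoms and a short suite list,
# and a tool that reuses an all-zero Random and offers 50 cipher suites.
BROWSER_HELLOS = [build_client_hello(bytes(i + k for i in range(32)), [0x1301, 0x1302, 0xC02B, 0xC02F],
                                     [0x001D, 0x0017], [0]) for k in range(3)]
TOOL_HELLOS = [build_client_hello(b"\x00" * 32, list(range(0xC000, 0xC032)), [0x0017], [0])
               for _ in range(3)]

if __name__ == "__main__":
    for label, hellos in (("browser-like", BROWSER_HELLOS), ("tool-like", TOOL_HELLOS)):
        parsed = [parse_client_hello(h) for h in hellos]
        print(label, fingerprint(parsed[0]), protocol_detection(parsed))
```

The Random field is deliberately left out of the fingerprint string: it changes on every handshake, so the identifier stays stable across a client's requests while the protocol checks look at the randoms separately. The repetition rate is only evaluated when more than one request message is available, since a single message always repeats itself trivially.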
On the basis of the above embodiment, the apparatus further includes: a frequency determination module;
before the matching module 32 matches the identification information with a preset attack tool identification library, the frequency determination module is configured to:
acquiring a plurality of same request messages sent by the client within a preset time period, and determining corresponding request frequencies; and when the request frequency is greater than a preset frequency value, matching the identification information of the client with a preset attack tool identification library.
On the basis of the above embodiment, the apparatus further includes: a browser judging module;
the browser judging module is used for judging whether browser parameters exist in the request information or not when the identification information is matched with the white traffic identification library; when browser parameters exist in the request information, the client is determined to be normal; when the browser parameter does not exist in the request information, the abnormality determining module 33 executes the process of determining whether there is an abnormality according to the request information.
On the basis of the above embodiment, the abnormality determining module 33 includes:
a parameter determining unit, configured to count a plurality of identical request messages sent by the client within a preset time period, generate a statistical detection parameter, and determine a protocol detection parameter of the request messages; the statistical detection parameters comprise one or more of request frequency, port distribution continuity, flow time interval variance and packet length variance of downlink data packets, and the protocol detection parameters comprise one or more of random values, the number of consecutive visible characters in the random values, the repetition rate of the random values in the plurality of request messages, and the number of encryption suites;
and an anomaly judging unit, configured to determine that the client is abnormal when at least one of the statistical detection parameters and the protocol detection parameters is abnormal.
On the basis of the above embodiment, the generating of the statistical detection parameter by the parameter determining unit includes:
one or more of a process of generating a request frequency, a process of generating port distribution continuity, a process of generating a flow time interval variance, and a process of generating a packet length variance of a downlink data packet;
wherein the process of generating the request frequency comprises: generating the request frequency f of the client from the number n of identical request messages sent by the client within a preset time period, as f = n / t, where t is the duration of the preset time period;
the process of generating port distribution continuity includes: counting all ports used by the client within a preset time period, determining the port value of each port, and sequencing all the port values according to the size of the port values; determining a median of the port values, taking the port value matched with the median as a standard port value, and taking a plurality of port values adjacent to the standard port value as effective port values; when the sequence formed by the standard port value and the effective port value is equal in difference, determining that the port distribution has continuity;
the process of generating the flow time interval variance comprises: determining the stream time interval t_i between each two adjacent request messages sent by the client within a preset time period, determining the mean t̄ = (1/n1) Σ_{i=1}^{n1} t_i of all said flow time intervals, and further calculating the flow time interval variance (1/n1) Σ_{i=1}^{n1} (t_i − t̄)², where n1 is the number of stream time intervals determined within the preset time period;
the process of generating the packet length variance of the downlink data packet includes: determining the packet length x_i of each downlink data packet received by the client within a preset time period, determining the mean x̄ = (1/n2) Σ_{i=1}^{n2} x_i of all said packet lengths, and further calculating the packet length variance (1/n2) Σ_{i=1}^{n2} (x_i − x̄)², where n2 is the number of downlink data packets determined within the preset time period.
On the basis of the above embodiment, the processing module 34 is further configured to:
when the request information is abnormal, determining attack tool information of an attack tool identifier matched with the identifier information in the attack tool identifier library, wherein the attack tool information comprises one or more of an attack tool name, an attack tool version and an attack tool running platform; and outputting the attack tool information of the attack tool identification matched with the identification information.
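The decision flow of modules 31 to 34, together with the frequency determination module and the browser judging module described above, as an added Python example. This is not the patent's code: the two identifier libraries are constructed stand-ins for the preset attack tool identification library and white traffic identification library (their entries and the tool information in them are placeholders), the identifiers are plain strings where a ClientHello fingerprint would be, the "browser_parameters" key of the request is an assumed representation of the browser parameters the description refers to, and the anomaly determination is injected as a callable so that any combination of statistical and protocol parameters can be plugged in.

```python
"""Decision flow of the attack traffic detection apparatus (modules 31 to 34).

Added example, not the patent's code. ATTACK_TOOL_LIBRARY and
WHITE_TRAFFIC_LIBRARY are constructed stand-ins for the preset identifier
libraries; identifiers are placeholder strings where a ClientHello fingerprint
would be. The "browser_parameters" request key is an assumption of this example.
"""

# Constructed library contents. Each attack tool entry carries the tool information
# the processing module outputs (name, version, running platform).
ATTACK_TOOL_LIBRARY = {
    "fp-tool-a": {"name": "example-scanner", "version": "1.0", "platform": "linux"},
    "fp-shared": {"name": "example-fuzzer", "version": "2.3", "platform": "windows"},
}
WHITE_TRAFFIC_LIBRARY = {"fp-browser-x", "fp-shared"}   # "fp-shared" collides with the tool library


def detect(identifier, request, requests_per_minute, anomaly_check, freq_threshold=100.0):
    """Return (verdict, reason, attack_tool_info); verdict is 'normal' or 'attack'.

    `request` is a dict whose "browser_parameters" value holds whatever browser
    parameters the request information carried, or None when there are none.
    `anomaly_check(request)` returns True when the request information is abnormal.
    """
    # Frequency determination module: only clients above the preset frequency are matched.
    if requests_per_minute <= freq_threshold:
        return "normal", "request frequency not above the preset value", None
    # Matching module 32, first library: identifiers unknown to the attack tool library pass.
    tool_info = ATTACK_TOOL_LIBRARY.get(identifier)
    if tool_info is None:
        return "normal", "identifier not in the attack tool identification library", None
    # Matching module 32, second library: a hit in both libraries is an identifier collision,
    # which the browser judging module resolves from the browser parameters.
    if identifier in WHITE_TRAFFIC_LIBRARY:
        if request.get("browser_parameters"):
            return "normal", "identifier collision resolved by browser parameters", None
        reason = "identifier collision without browser parameters; request information abnormal"
    else:
        reason = "identifier matched the attack tool library; request information abnormal"
    # Anomaly determination module 33, then processing module 34 outputs the tool information.
    if anomaly_check(request):
        return "attack", reason, tool_info
    return "normal", "request information not abnormal", None


if __name__ == "__main__":
    print(detect("fp-shared", {"browser_parameters": None}, 150.0, lambda r: True))
```

A practical consequence of this ordering is that the white traffic library never clears a client on its own: a collision only downgrades the verdict when browser parameters are present, otherwise the request information is still examined, which is what keeps a tool that copies a browser's fingerprint from passing on the identifier alone.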
The device for detecting attack traffic provided by the embodiment of the invention first judges comprehensively, on the basis of the preset attack tool identification library and white traffic identification library, whether the client is suspected of attack behavior, and then judges further on the basis of the content of the request messages sent by the client to finally determine whether the client has attack behavior. By presetting both an attack tool identification library and a white traffic identification library, the device can collect identifiers more comprehensively and can detect identifier collisions, avoiding the judgment errors of a single identifier library; at the same time, a behavior detection mechanism further judges whether the client is abnormal on the basis of whether the request information contains abnormal information related to attack behavior, so that the judgment is more accurate and detection accuracy is improved. Whether an identifier collision has occurred can be effectively judged from the browser parameters in the request information; the request information of the client is judged comprehensively from multiple statistical detection parameters and protocol detection parameters, so that the client's behavior can be evaluated more accurately and the detection result is more reliable. Moreover, the corresponding attack tool information can be determined from the attack tool identification library, so that the attack tool matching the client can be accurately located.
Embodiments of the present invention further provide a computer storage medium, where the computer storage medium stores computer-executable instructions, which include a program for executing the method for detecting attack traffic, and the computer-executable instructions may execute the method in any of the method embodiments.
The computer storage media may be any available media or data storage device that can be accessed by a computer, including but not limited to magnetic memory (e.g., floppy disks, hard disks, magnetic tape, magneto-optical disks (MOs), etc.), optical memory (e.g., CDs, DVDs, BDs, HVDs, etc.), and semiconductor memory (e.g., ROMs, EPROMs, EEPROMs, non-volatile memory (NAND FLASH), Solid State Disks (SSDs)), etc.
Fig. 4 shows a block diagram of an electronic device according to another embodiment of the present invention. The electronic device 1100 may be a host server with computing capabilities, a personal computer (PC), a portable computer or terminal, or the like. The specific embodiment of the present invention does not limit the specific implementation of the electronic device.
The electronic device 1100 includes at least one processor (processor)1110, a Communications Interface 1120, a memory 1130, and a bus 1140. The processor 1110, the communication interface 1120, and the memory 1130 communicate with each other via the bus 1140.
The communication interface 1120 is used for communicating with network elements including, for example, virtual machine management centers, shared storage, etc.
Processor 1110 is configured to execute programs. Processor 1110 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 1130 stores executable instructions. The memory 1130 may comprise high-speed RAM, and may also include non-volatile memory, such as at least one disk memory. The memory 1130 may also be a memory array. The memory 1130 may also be partitioned, and the blocks may be combined into virtual volumes according to certain rules. The instructions stored in the memory 1130 are executable by the processor 1110 to enable the processor 1110 to perform the method of attack traffic detection in any of the method embodiments described above.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of attack traffic detection, comprising:
acquiring request information sent by a client, and generating identification information corresponding to the client according to the request information;
matching the identification information with a preset attack tool identification library, and matching the identification information with a preset white flow identification library when the identification information is matched with the attack tool identification library;
when the identification information is not matched with the white traffic identification library, judging whether abnormality exists according to the request information;
and when the request information is abnormal, determining that the client has an attack behavior.
2. The method of claim 1, wherein the request information comprises a handshake message, and wherein generating identification information corresponding to the client according to the request information comprises:
determining a plurality of fields in the handshake message, and determining one or more values in each field, wherein the handshake message comprises a plurality of the following fields: a protocol version number field, a cipher suite field, an extension information field, an elliptic curve cipher field, and an elliptic curve cipher format field;
all values in the fields are connected in series to form an integral character string, and a fingerprint identifier of the client is generated according to the integral character string; and taking the fingerprint identification as the identification information of the client.
3. The method according to claim 1, further comprising, before the matching the identification information with a preset attack tool identification library, the following steps:
acquiring a plurality of same request messages sent by the client within a preset time period, and determining corresponding request frequencies;
and when the request frequency is greater than a preset frequency value, matching the identification information of the client with a preset attack tool identification library.
4. The method of claim 1, further comprising:
when the identification information is matched with the white traffic identification library, judging whether browser parameters exist in the request information or not;
when browser parameters exist in the request information, the client is determined to be normal; and when the browser parameters do not exist in the request information, executing the process of judging whether the abnormality exists according to the request information.
5. The method of claim 1, wherein the determining whether an anomaly exists according to the request information comprises:
counting a plurality of identical request messages sent by the client within a preset time period to generate a statistical detection parameter, and determining a protocol detection parameter of the request messages; the statistical detection parameters comprise one or more of request frequency, port distribution continuity, flow time interval variance and packet length variance of downlink data packets, and the protocol detection parameters comprise one or more of random values, the number of consecutive visible characters in the random values, the repetition rate of the random values in the plurality of request messages, and the number of encryption suites;
and when at least one of the statistical detection parameter and the protocol detection parameter is abnormal, determining that the client is abnormal.
6. The method of claim 5, wherein generating the statistical detection parameters comprises:
one or more of a process of generating a request frequency, a process of generating port distribution continuity, a process of generating a flow time interval variance, and a process of generating a packet length variance of a downlink data packet;
wherein the process of generating the request frequency comprises: generating the request frequency f of the client from the number n of identical request messages sent by the client within a preset time period, as f = n / t, where t is the duration of the preset time period;
the process of generating port distribution continuity includes: counting all ports used by the client within a preset time period, determining the port value of each port, and sequencing all the port values according to the size of the port values; determining a median of the port values, taking the port value matched with the median as a standard port value, and taking a plurality of port values adjacent to the standard port value as effective port values; when the sequence formed by the standard port value and the effective port value is equal in difference, determining that the port distribution has continuity;
the process of generating the flow time interval variance comprises: determining the stream time interval t_i between each two adjacent request messages sent by the client within a preset time period, determining the mean t̄ of all said flow time intervals, and calculating the flow time interval variance (1/n1) Σ_{i=1}^{n1} (t_i − t̄)², where n1 is the number of stream time intervals determined within the preset time period;
the process of generating the packet length variance of the downlink data packet includes: determining the packet length x_i of each downlink data packet received by the client within a preset time period, determining the mean x̄ = (1/n2) Σ_{i=1}^{n2} x_i of all said packet lengths, and further calculating the packet length variance (1/n2) Σ_{i=1}^{n2} (x_i − x̄)², where n2 is the number of downlink data packets determined within the preset time period.
7. The method of any one of claims 1-6, further comprising:
when the request information is abnormal, determining attack tool information of an attack tool identifier matched with the identifier information in the attack tool identifier library, wherein the attack tool information comprises one or more of an attack tool name, an attack tool version and an attack tool running platform;
and outputting the attack tool information of the attack tool identification matched with the identification information.
8. An apparatus for attack traffic detection, comprising:
the acquisition module is used for acquiring request information sent by a client and generating identification information corresponding to the client according to the request information;
the matching module is used for matching the identification information with a preset attack tool identification library, and when the identification information is matched with the attack tool identification library, the identification information is matched with a preset white traffic identification library;
the anomaly judgment module is used for judging whether an anomaly exists according to the request information when the identification information is not matched with the white traffic identification library;
and the processing module is used for determining that the client has the attack behavior when the request information is abnormal.
9. A computer storage medium having computer-executable instructions stored thereon for performing the method of attack traffic detection according to any one of claims 1-7.
10. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of attack traffic detection according to any one of claims 1 to 7.
CN201910944399.1A 2019-09-30 2019-09-30 Method and device for detecting attack flow, storage medium and electronic equipment Pending CN112583774A (en)

Publications (1)

Publication Number Publication Date
CN112583774A (en) 2021-03-30

Family

ID=75116667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910944399.1A Pending CN112583774A (en) 2019-09-30 2019-09-30 Method and device for detecting attack flow, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN112583774A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765911A (en) * 2021-09-02 2021-12-07 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting webshell encrypted flow
CN114726579A (en) * 2022-03-08 2022-07-08 北京百度网讯科技有限公司 Method, apparatus, device, storage medium and program product for defending against network attacks

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070240207A1 (en) * 2004-04-20 2007-10-11 Ecole Polytechnique Federale De Lausanne (Epfl) Method of Detecting Anomalous Behaviour in a Computer Network
CN103023725A (en) * 2012-12-20 2013-04-03 北京工业大学 Anomaly detection method based on network flow analysis
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
CN106982206A (en) * 2017-03-10 2017-07-25 中国科学院信息工程研究所 A kind of malice scanning defence method adaptively changed based on IP address and system
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
CN109413044A (en) * 2018-09-26 2019-03-01 中国平安人寿保险股份有限公司 A kind of request recognition methods of abnormal access and terminal device
CN109688137A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of detection method, system and the associated component of SQL injection attack

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070240207A1 (en) * 2004-04-20 2007-10-11 Ecole Polytechnique Federale De Lausanne (Epfl) Method of Detecting Anomalous Behaviour in a Computer Network
CN103023725A (en) * 2012-12-20 2013-04-03 北京工业大学 Anomaly detection method based on network flow analysis
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
CN106982206A (en) * 2017-03-10 2017-07-25 中国科学院信息工程研究所 A kind of malice scanning defence method adaptively changed based on IP address and system
CN107483502A (en) * 2017-09-28 2017-12-15 深信服科技股份有限公司 A kind of method and device for detecting remaining attack
CN109413044A (en) * 2018-09-26 2019-03-01 中国平安人寿保险股份有限公司 A kind of request recognition methods of abnormal access and terminal device
CN109688137A (en) * 2018-12-27 2019-04-26 深信服科技股份有限公司 A kind of detection method, system and the associated component of SQL injection attack

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765911A (en) * 2021-09-02 2021-12-07 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting webshell encrypted flow
CN114726579A (en) * 2022-03-08 2022-07-08 北京百度网讯科技有限公司 Method, apparatus, device, storage medium and program product for defending against network attacks
CN114726579B (en) * 2022-03-08 2024-02-09 北京百度网讯科技有限公司 Method, device, equipment, storage medium and program product for defending network attack

Similar Documents

Publication Publication Date Title
US11070569B2 (en) Detecting outlier pairs of scanned ports
EP3691218A1 (en) Method and device for identifying encrypted data stream
KR102040990B1 (en) Detection of infected network devices via analysis of responseless outgoing network traffic
CN109194680B (en) Network attack identification method, device and equipment
US11770397B2 (en) Malicious port scan detection using source profiles
US11711389B2 (en) Scanner probe detection
US20190297402A1 (en) Network telemetry with byte distribution and cryptographic protocol data elements
CN110417717B (en) Login behavior identification method and device
US11770396B2 (en) Port scan detection using destination profiles
US11316872B2 (en) Malicious port scan detection using port profiles
EP3718260A1 (en) Systems and methods for determining flow and path analytics of an application of a network using sampled packet inspection
CN112583774A (en) Method and device for detecting attack flow, storage medium and electronic equipment
CN110619022B (en) Node detection method, device, equipment and storage medium based on block chain network
CN111163114A (en) Method and apparatus for detecting network attacks
CN113678419B (en) Port scan detection
CN111314348B (en) Method and device for establishing trust degree model, trust evaluation and equipment authentication
JP2020014061A (en) Information processing device, communication inspection method, and program
JP2010239392A (en) System, device and program for controlling service disabling attack
US10523702B2 (en) Methods and apparatus to control network connections
EP4106268B1 (en) Method for detecting anomalies in ssl and/or tls communications, corresponding device, and computer program product
CN113992404B (en) Attack evidence recording method and device
CN109787969B (en) Host identity validity detection method and device and identity detection equipment
Satoh et al. Identifying user authentication methods on connections for SSH dictionary attack detection
CN116436670A (en) DoH server detection and identification method based on access mode
CN117220991A (en) Network risk detection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210330