CN113486343A - Attack behavior detection method, device, equipment and medium - Google Patents

Publication number: CN113486343A
Application number: CN202110791433.3A
Authority: CN (China)
Legal status: Pending
Prior art keywords: attack, database, traffic, protocol, http
Other languages: Chinese (zh)
Inventor: 周凯强
Assignee (current and original): Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd; priority to CN202110791433.3A; publication of CN113486343A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection


Abstract

The embodiment of the application discloses a method, a device, equipment and a medium for detecting an attack behavior. The acquired network traffic is divided into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm. A detection rule is set according to the attack characteristics corresponding to each database type, and an HTTP protocol traffic detection rule is set according to the attack words of the HTTP protocol. Whether the database protocol traffic has an attack behavior is determined based on the detection rule corresponding to the database type, and whether the HTTP protocol traffic has an attack behavior is determined based on the HTTP protocol traffic detection rule. The method adopts a suitable detection mode for the network traffic of each protocol type and sets matched detection rules for the different database types, thereby realizing comprehensive detection of attack behavior and improving the detection rate of attack behavior. Because the detection rules are finely divided, they are more targeted, and the accuracy of attack behavior detection is improved.

Description

Attack behavior detection method, device, equipment and medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for detecting an attack behavior.
Background
Attack behavior refers to behavior that damages a server or acquires server authority by performing malicious operations using existing vulnerabilities of the database or high database privileges. Identifying attack behavior is a main technical difficulty of database application system protection, and how to accurately and efficiently distinguish and judge database operation behaviors in order to find the attack behavior is a difficult problem of database security protection.
At present, security protection for a database stops at detecting key words: network traffic is matched against a set of key words, and whether the network traffic has an attack behavior is determined accordingly. The key words are generally extracted from operation statements that pose a high threat to the network system, and the coverage of the key words is relatively one-sided, so the detection rate of attack behavior detection based on key word matching is low.
Therefore, how to improve the detection rate of attack behavior is a problem to be solved by those skilled in the art.
Disclosure of Invention
The embodiment of the application aims to provide a method, a device, equipment and a computer readable storage medium for detecting an attack behavior, which can improve the detection rate of the attack behavior.
In order to solve the foregoing technical problem, an embodiment of the present application provides a method for detecting an attack behavior, including:
dividing the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm;
determining whether the database protocol traffic has an attack behavior based on a detection rule corresponding to the database type, the detection rule being set according to attack characteristics corresponding to the database type;
and determining whether the HTTP protocol traffic has an attack behavior based on an HTTP protocol traffic detection rule, the HTTP protocol traffic detection rule being set according to attack words of the HTTP protocol.
Optionally, determining whether the database protocol traffic has an attack behavior based on the detection rule corresponding to the database type includes:
determining the database type to which the database protocol traffic belongs by using a database type identification algorithm;
and identifying whether an attack behavior exists in the database protocol traffic according to the detection rule corresponding to that database type.
Optionally, the detection rule contains an attack command matching the database type; correspondingly, identifying whether the database protocol traffic has an attack behavior according to the detection rule corresponding to the database type includes:
determining that an attack behavior exists in the database protocol traffic when the database protocol traffic contains a command statement matching the attack command.
Optionally, after determining that there is an attack behavior in the database protocol traffic, the method further includes:
generating alarm information indicating that the database protocol traffic attack succeeded.
Optionally, the HTTP protocol traffic detection rule is an attack lexicon model, where the attack lexicon model includes attack words and constraints between the attack words;
correspondingly, determining whether the HTTP protocol traffic has an attack behavior based on the HTTP protocol traffic detection rule includes:
matching the HTTP protocol traffic against the set attack lexicon model;
and judging that the HTTP protocol traffic has an attack behavior when target HTTP protocol traffic matching the attack lexicon model exists in the HTTP protocol traffic.
Optionally, the method further includes:
determining a target database type corresponding to the target HTTP protocol traffic based on the command statement contained in the target HTTP protocol traffic.
Optionally, after determining that there is an attack behavior in the HTTP protocol traffic, the method further includes:
acquiring a response data packet corresponding to the HTTP protocol traffic, the response data packet being obtained from the database feedback corresponding to the target database type;
and judging that the attack result of the attack behavior in the HTTP protocol traffic is a successful attack when the response data packet carries information of successful execution.
Optionally, the method further includes:
performing behavior analysis on the target network traffic in which an attack behavior has been determined by using a machine learning model, and determining the attack behavior and the attack level in the target network traffic, where different attack levels correspond to different alarm modes;
the machine learning model is obtained by training, with a clustering algorithm, on traffic under a normal operating state and on characteristic information corresponding to various attack behaviors.
The embodiment of the application also provides a device for detecting an attack behavior, which includes a dividing unit, a first determining unit and a second determining unit;
the dividing unit is configured to divide the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm;
the first determining unit is configured to determine whether the database protocol traffic has an attack behavior based on a detection rule corresponding to the database type, the detection rule being set according to attack characteristics corresponding to the database type;
the second determining unit is configured to determine whether the HTTP protocol traffic has an attack behavior based on an HTTP protocol traffic detection rule, the HTTP protocol traffic detection rule being set according to attack words of the HTTP protocol.
Optionally, the first determining unit includes a type determining subunit and an identifying subunit;
the type determining subunit is configured to determine the database type to which the database protocol traffic belongs by using a database type identification algorithm;
and the identifying subunit identifies whether an attack behavior exists in the database protocol traffic according to the detection rule corresponding to that database type.
Optionally, the detection rule contains an attack command matching the database type; correspondingly, the identifying subunit is configured to determine that an attack behavior exists in the database protocol traffic when the database protocol traffic includes a command statement matching the attack command.
Optionally, the device further includes a generating unit;
the generating unit is configured to generate alarm information indicating that the database protocol traffic attack succeeded, after an attack behavior in the database protocol traffic is determined.
Optionally, the HTTP protocol traffic detection rule is an attack lexicon model, where the attack lexicon model includes attack words and constraints between the attack words; the second determining unit includes a matching subunit and a judging subunit;
the matching subunit is configured to match the HTTP protocol traffic against the set attack lexicon model;
the judging subunit is configured to judge that an attack behavior exists in the HTTP protocol traffic when target HTTP protocol traffic matching the attack lexicon model exists in the HTTP protocol traffic.
Optionally, the device further includes a type determining unit;
the type determining unit is configured to determine, based on the command statement included in the target HTTP protocol traffic, the target database type corresponding to the target HTTP protocol traffic.
Optionally, the device further includes an acquiring unit and a judging unit;
the acquiring unit is configured to acquire the response data packet corresponding to the HTTP protocol traffic after the HTTP protocol traffic is determined to have an attack behavior, the response data packet being obtained from the database feedback corresponding to the target database type;
and the judging unit is configured to judge that the attack result of the attack behavior in the HTTP protocol traffic is a successful attack when the response data packet carries information of successful execution.
Optionally, the device further includes an analysis unit;
the analysis unit is configured to perform behavior analysis on the target network traffic in which an attack behavior has been determined by using a machine learning model, and to determine the attack behavior and the attack level in the target network traffic, where different attack levels correspond to different alarm modes;
the machine learning model is obtained by training, with a clustering algorithm, on traffic under a normal operating state and on characteristic information corresponding to various attack behaviors.
The embodiment of the present application further provides equipment for detecting an attack behavior, including:
a memory for storing a computer program;
and a processor for executing the computer program to implement the steps of the method for detecting an attack behavior as described in any one of the above.
An embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for detecting an attack behavior as described in any one of the above are implemented.
According to the technical scheme above, the acquired network traffic is divided into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm. Taking into account that the characteristics of attack behaviors differ between protocol types and between database types, the detection rules can be set according to the attack characteristics corresponding to each database type, so that each database type has its own detection rule. The HTTP protocol traffic detection rule may be set according to attack words of the HTTP protocol. Once the database protocol traffic has been separated out, whether it has an attack behavior can be determined based on the detection rule corresponding to its database type. Once the HTTP protocol traffic has been separated out, whether it has an attack behavior can be determined based on the HTTP protocol traffic detection rule. Because the network traffic is divided by protocol type, an adapted detection mode is used for the traffic of each protocol type, and matched detection rules are set for the different database types, comprehensive detection of attack behavior is achieved and the detection rate of attack behavior is improved. The fine division of the detection rules makes them more targeted, so the accuracy of attack behavior detection is improved.
Drawings
In order to illustrate the embodiments of the present application more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained by those skilled in the art without inventive effort.
Fig. 1 is a schematic view of a scenario for detecting an attack behavior according to an embodiment of the present application;
fig. 2 is a flowchart of a method for detecting an attack behavior according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an attack detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a device for detecting an attack behavior according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without any creative effort belong to the protection scope of the present application.
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings.
In the traditional method, attack behavior is detected by key word matching, and because the coverage of the key words is relatively one-sided, the detection rate of attack behavior detection based on key word matching is low.
In practical application, the key words may also appear in normal network operation behaviors. Under key word matching, as soon as data matching a key word appears in the network traffic, the network traffic is judged to have an attack behavior, so normal network operation behaviors are misjudged as attack behaviors and the false alarm rate of attack behavior detection based on key word matching is high.
Therefore, the embodiment of the application provides a method, a device, equipment and a computer-readable storage medium for detecting an attack behavior, which divide the acquired network traffic into database protocol traffic and Hypertext Transfer Protocol (HTTP) traffic by using a protocol identification algorithm; determine whether the database protocol traffic has an attack behavior based on the detection rule corresponding to the database type; and determine whether the HTTP protocol traffic has an attack behavior based on the HTTP protocol traffic detection rule. The detection rules can be set according to the attack characteristics corresponding to each database type; the HTTP protocol traffic detection rule may be set according to attack words of the HTTP protocol.
Fig. 1 is a schematic diagram of a scenario for detecting an attack behavior provided in an embodiment of the present application. After network traffic is acquired, a set protocol identification algorithm can identify which traffic in the network traffic belongs to database protocol traffic and which belongs to HTTP protocol traffic. Considering that the database protocol traffic may involve many database types, and that different database types have different attack characteristics, a detection rule corresponding to each database type can be set. In Fig. 1, n database types are taken as an example, and different numbers are used to distinguish the database types and their detection rules. In the embodiment of the present application, the HTTP protocol traffic detection rule may be set according to attack words of the HTTP protocol.
For database protocol traffic, a corresponding detection rule can be selected based on the database type to which the traffic belongs, and the traffic is analyzed with that rule to determine whether it has an attack behavior. For HTTP protocol traffic, whether there is an attack behavior may be determined based on the HTTP protocol traffic detection rule. In the embodiment of the application, the network traffic is divided by protocol type, an adapted detection mode is used for the traffic of each protocol type, and matched detection rules are set for the different database types, so that comprehensive detection of attack behavior is achieved and the detection rate of attack behavior is improved. Because the detection rules are finely divided, they are more targeted, and the accuracy of attack behavior detection is improved.
Next, a method for detecting an attack behavior provided in an embodiment of the present application is described in detail. Fig. 2 is a flowchart of a method for detecting an attack behavior according to an embodiment of the present application, where the method includes:
S201: dividing the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm.
Traffic of different protocol types has different corresponding attack characteristics. Therefore, in the embodiment of the application, in order to improve the detection rate of attack behavior, a detection mode corresponding to each protocol type can be set.
The protocol types may include a database protocol and an HTTP protocol, which have different syntax structures, and different protocols often have their own characteristic words. In practical applications, the protocol identification algorithm can distinguish which traffic in the network traffic belongs to the database protocol and which belongs to the HTTP protocol based on the syntax structure and the words specific to each protocol.
S202: determining whether the database protocol traffic has an attack behavior based on the detection rule corresponding to the database type.
The database protocol traffic may involve a variety of database types, such as MSSQL (Microsoft SQL Server), MySQL (a relational database), Oracle (Oracle Database), etc.
Different types of databases have different corresponding attack behaviors, so in the embodiment of the application a corresponding detection rule can be set for each database type according to the attack characteristics of that database type.
In practical application, a database type identification algorithm can be used to determine the database type to which the database protocol traffic belongs; whether the database protocol traffic has an attack behavior is then identified according to the detection rule corresponding to that database type.
Execution commands differ between database types; for example, the xp_cmdshell execution command only appears in MSSQL. Therefore, in practical application, the attack commands matching a database type can be used as its detection rule, that is, for each database type the detection rule may include the attack commands matching that database type.
When the database protocol traffic contains a command statement matching the attack command, it can be determined that there is an attack behavior in the database protocol traffic.
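The following is an added example, not code from the patent or from Sangfor, that works through steps S201 and S202 end to end: the first packet of a connection is classified as HTTP or database protocol traffic from its syntax, the database type is identified from the protocol framing, and only the detection rule registered for that type is applied to the command statements. The protocol fingerprints follow the public protocol documentation (TDS, MySQL client/server protocol, Oracle TNS); the rule contents, the `into outfile` rule for MySQL, the sample packets and the sample statements are constructed for illustration and are not the patent's rule set.

```python
"""Added example (not the patent's code): protocol identification (S201)
followed by database-type-specific rule matching (S202)."""
import re
import struct

# Per-database-type detection rules (constructed). Each rule is a regular
# expression over a command statement. The MSSQL entry is the page's own
# example: xp_cmdshell exists only in MSSQL, so the rule is never applied to
# MySQL or Oracle traffic and cannot fire there by accident.
DETECTION_RULES = {
    "MSSQL": [re.compile(r"\bxp_cmdshell\b", re.I)],
    "MYSQL": [re.compile(r"\binto\s+(?:out|dump)file\b", re.I)],  # constructed rule
    "ORACLE": [],  # no Oracle rules constructed for this example
}

HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def identify_database_type(first_packet: bytes) -> str:
    """S202, part 1: database type from the first packet of a connection.

    Fingerprints (from the public protocol documentation):
      MSSQL   TDS packet type 0x12 (PRELOGIN) or 0x10 (LOGIN7), status 0x01.
      MYSQL   server greeting: 3-byte payload length, sequence id 0, then
              protocol version byte 0x0a.
      ORACLE  TNS header: 2-byte big-endian packet length, 2-byte checksum,
              then packet type 0x01 (CONNECT).
    """
    if len(first_packet) < 8:
        return "UNKNOWN"
    if first_packet[0] in (0x12, 0x10) and first_packet[1] == 0x01:
        return "MSSQL"
    if first_packet[3] == 0x00 and first_packet[4] == 0x0A:
        return "MYSQL"
    tns_len = struct.unpack(">H", first_packet[:2])[0]
    if first_packet[4] == 0x01 and tns_len == len(first_packet):
        return "ORACLE"
    return "UNKNOWN"


def identify_protocol(first_packet: bytes) -> str:
    """S201: 'HTTP', 'DATABASE' or 'UNKNOWN', decided from syntax alone."""
    if HTTP_REQUEST_LINE.match(first_packet):
        return "HTTP"
    if identify_database_type(first_packet) != "UNKNOWN":
        return "DATABASE"
    return "UNKNOWN"


def detect_database_attack(first_packet: bytes, statements):
    """S202, part 2: apply only the rules of the identified database type.
    Returns (database_type, [statements that matched an attack command])."""
    db_type = identify_database_type(first_packet)
    rules = DETECTION_RULES.get(db_type, [])
    hits = [s for s in statements if any(rule.search(s) for rule in rules)]
    return db_type, hits


# Constructed sample first packets (not captured from any real system).
TDS_PRELOGIN = bytes([0x12, 0x01, 0x00, 0x2F, 0x00, 0x00, 0x01, 0x00]) + b"\x00" * 39
MYSQL_GREETING = b"\x4a\x00\x00\x00\x0a" + b"8.0.0\x00" + b"\x00" * 64
TNS_CONNECT = b"\x00\x08\x00\x00\x01\x00\x00\x00"
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_STATEMENTS = ["SELECT name FROM users", "EXEC xp_cmdshell 'dir'"]

if __name__ == "__main__":
    for label, pkt in (("tds", TDS_PRELOGIN), ("mysql", MYSQL_GREETING),
                       ("tns", TNS_CONNECT), ("http", HTTP_REQUEST)):
        print(label, identify_protocol(pkt), identify_database_type(pkt))
    print(detect_database_attack(TDS_PRELOGIN, SAMPLE_STATEMENTS))
    print(detect_database_attack(MYSQL_GREETING, SAMPLE_STATEMENTS))
```

The same `xp_cmdshell` statement is reported on the MSSQL connection and ignored on the MySQL connection, which is the point of keying the rule set on the identified database type rather than matching one global word list.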
S203: determining whether the HTTP protocol traffic has an attack behavior based on the HTTP protocol traffic detection rule.
In the embodiment of the present application, the HTTP protocol traffic detection rule may be set according to attack words of the HTTP protocol.
When traffic matching the attack words contained in the HTTP protocol traffic detection rule exists in the HTTP protocol traffic, it can be determined that the HTTP protocol traffic has an attack behavior.
Considering that the database sits on an intranet, if an attack behavior exists in the database protocol traffic, the database has evidently already been compromised, and at this point the server can be considered to have been intruded. Therefore, after an attack behavior is determined in the database protocol traffic, alarm information indicating that the database protocol traffic attack succeeded can be generated.
By generating the alarm information, administrators can discover the attack behavior in the network system in time and take measures promptly, which reduces the harm of the attack behavior to the network system.
In order to improve the accuracy of attack behavior detection, when the HTTP protocol traffic detection rule is set, the association relationship, the ordering and the like between different attack words can be fully considered. In practical application, the attack words that appear together under each attack behavior, and the order in which they appear, can be used as constraints between the attack words. In a particular implementation, the constraints may be recorded in the form of a regular expression.
In the embodiment of the application, the HTTP protocol traffic detection rule may take the form of an attack lexicon model. The attack lexicon model may include attack words and constraints between the attack words.
When detecting whether the HTTP protocol traffic has an attack behavior, the HTTP protocol traffic is matched against the set attack lexicon model; when target HTTP protocol traffic matching the attack lexicon model exists in the HTTP protocol traffic, it is judged that the HTTP protocol traffic has an attack behavior.
Because the constraints between attack words are considered, the requirement for network traffic to match the attack words is raised. This effectively handles the situation in which a normal network operation behavior that happens to involve attack words would otherwise be misjudged as an attack behavior, and the false alarm rate of attack behavior detection is effectively reduced.
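The following is an added example, not code from the patent or from Sangfor, covering step S203 together with the constrained attack lexicon model just described. Each lexicon entry names an attack behavior and lists the attack words that appear together under it, in order; the constraint is compiled into one regular expression, so a request is flagged only when the words co-occur in that order. A plain key-word matcher is included beside it to show the false positive the constraints remove. The lexicon entries and sample request lines are constructed for illustration.

```python
"""Added example (not the patent's code): attack lexicon model for HTTP
traffic with association and ordering constraints compiled to regexes."""
import re
from urllib.parse import unquote_plus

# Attack lexicon model: behavior name -> ordered attack words (constructed).
ATTACK_LEXICON = [
    ("sql_union_query", ["union", "select"]),
    ("sql_stacked_exec", [";", "exec"]),
]


def compile_constraint(words):
    """Association + order constraint as one regex: every word must occur
    (as a whole token when it is alphanumeric) in the listed order, with
    anything in between."""
    parts = [rf"\b{re.escape(w)}\b" if w.isalnum() else re.escape(w) for w in words]
    return re.compile(".*?".join(parts), re.I | re.S)


LEXICON_MODEL = [(name, compile_constraint(words)) for name, words in ATTACK_LEXICON]


def normalize(request_line: str) -> str:
    """Undo URL encoding so words separated by '+' or '%20' can be matched."""
    return unquote_plus(request_line)


def match_lexicon(request_line: str):
    """Names of lexicon entries whose constraints the request satisfies.
    An empty list means no attack behavior is judged."""
    text = normalize(request_line)
    return [name for name, rx in LEXICON_MODEL if rx.search(text)]


def match_keywords_only(request_line: str):
    """The traditional key-word matching the page contrasts against: any one
    attack word present is enough to flag the request."""
    text = normalize(request_line).lower()
    return [name for name, words in ATTACK_LEXICON if any(w in text for w in words)]


# Constructed sample request lines.
BENIGN_REQUEST = "GET /search?q=select+a+union+membership+plan HTTP/1.1"
ATTACK_REQUEST = "GET /item?id=1+union+select+1,2,3 HTTP/1.1"

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, ATTACK_REQUEST):
        print(req)
        print("  keywords only :", match_keywords_only(req))
        print("  lexicon model :", match_lexicon(req))
```

The benign search query contains both attack words of the first entry but not in the constrained order, so the key-word matcher flags it while the lexicon model does not; the second request satisfies the constraint and is flagged by both.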
For HTTP protocol traffic, determining that the traffic has an attack behavior does not by itself tell whether the attack behavior succeeded. Therefore, in this embodiment of the present application, the target database type corresponding to the target HTTP protocol traffic may be determined based on the command statement contained in the target HTTP protocol traffic.
After determining that the HTTP protocol traffic has an attack behavior, the response data packet corresponding to the HTTP protocol traffic is acquired; the response data packet is obtained from the database feedback corresponding to the target database type.
The response data packet may carry an execution result, which may be an execution failure, an execution success, or an execution delay. Execution delay means that it cannot yet be determined whether the current execution result is a failure or a success.
When the response data packet carries information of successful execution, the attack result of the attack behavior in the HTTP protocol traffic can be judged to be a successful attack.
For HTTP protocol traffic, whether the attack behavior succeeded can thus be determined from the execution result carried in the corresponding response data packet. Alarm information may be generated for attack behaviors whose attack succeeded.
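The following is an added example, not code from the patent or from Sangfor, of judging the attack result for HTTP protocol traffic that has already been flagged: the target database type is inferred from the command statement in the request, the HTTP response is read as that database's feedback, and the execution result is classified as success, failure or delay, with only success reported as a successful attack. The type hints, the success/failure/delay convention (a 5xx or missing response is "delay") and the sample messages are constructed for this example; the error strings are the databases' documented error messages.

```python
"""Added example (not the patent's code): target database type from the
request statement, then execution result from the response packet."""
import re

# Command-statement hints pointing to one database type (constructed,
# following the page's observation that xp_cmdshell appears only in MSSQL).
DB_TYPE_HINTS = {
    "MSSQL": re.compile(r"\bxp_cmdshell\b|\bsp_executesql\b", re.I),
    "MYSQL": re.compile(r"\binto\s+outfile\b|\bload_file\s*\(", re.I),
    "ORACLE": re.compile(r"\bfrom\s+dual\b|\bv\$version\b", re.I),
}

# Documented error messages each database returns for a failed statement.
DB_ERRORS = {
    "MSSQL": re.compile(r"Incorrect syntax near|Unclosed quotation mark", re.I),
    "MYSQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "ORACLE": re.compile(r"\bORA-\d{5}\b"),
    "UNKNOWN": re.compile(r"(?:SQL|database) error", re.I),
}


def infer_target_db_type(statement: str) -> str:
    """Target database type from the command statement in the request."""
    for db_type, rx in DB_TYPE_HINTS.items():
        if rx.search(statement):
            return db_type
    return "UNKNOWN"


def classify_execution(db_type: str, status: int, body: str) -> str:
    """Execution result carried by the response packet (example convention):
    'delay'   no response (status 0) or server-side 5xx: outcome not yet known;
    'failure' the body carries the target database's error message, or 4xx;
    'success' a 2xx response without any database error."""
    if status == 0 or status >= 500:
        return "delay"
    if DB_ERRORS[db_type].search(body) or 400 <= status < 500:
        return "failure"
    if 200 <= status < 300:
        return "success"
    return "delay"


def judge_attack_result(statement: str, status: int, body: str) -> dict:
    """Combine both steps; only 'success' is reported as a successful attack."""
    db_type = infer_target_db_type(statement)
    result = classify_execution(db_type, status, body)
    return {"db_type": db_type, "execution": result,
            "attack_success": result == "success"}


# Constructed request statement and response packets (status, body).
STATEMENT = "EXEC xp_cmdshell 'dir'"
RESPONSE_FAILED = (200, "<html>Incorrect syntax near 'xp_cmdshell'.</html>")
RESPONSE_OK = (200, "<html><pre>command output</pre></html>")
RESPONSE_DELAYED = (504, "")

if __name__ == "__main__":
    for status, body in (RESPONSE_FAILED, RESPONSE_OK, RESPONSE_DELAYED):
        print(judge_attack_result(STATEMENT, status, body))
```

Note that the failed case still returns HTTP 200: the execution result has to be read from the database feedback in the body, which is why the target database type is determined first.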
On the basis of the attack behavior detection above, in order to further improve the accuracy of attack behavior detection, the network traffic may be analyzed with machine learning. In practical application, the machine learning model can be obtained by training on traffic under a normal operating state and on characteristic information corresponding to various attack behaviors.
The machine learning model can identify common historical attack behaviors, normal operation behaviors, and attack behaviors that deviate from normal operation behaviors.
In the embodiment of the application, the machine learning model can be used to perform behavior analysis on the target network traffic in which an attack behavior has been determined, so as to determine the attack behavior and the attack level in the target network traffic; different attack levels correspond to different alarm modes.
In a particular implementation, the attack level may be divided according to the degree of threat that the attack behavior poses to the network system. The higher the attack level, the greater the threat of the attack behavior to the network system. For example, the attack levels may include a high risk level and a medium-low risk level.
For example, operations with clear behaviors and a high degree of risk, such as command execution or privilege escalation, may be directly determined to be at the high risk level. Operations such as inserting into and deleting from the database, or creating a database, also occur in daily data operation and can be defined as the medium-low risk level.
Alarm information can be generated directly for attack behaviors at the high risk level.
For attack behaviors at the medium-low risk level, a machine learning algorithm can be used to analyze the corresponding network traffic more comprehensively, comparing it with the normal operation traffic seen in ordinary use. If network traffic that is the same as or similar to the normal operation traffic exists, that network traffic belongs to normal service traffic, and at this point no alarm information needs to be generated, so the false alarm rate is reduced.
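The following is an added example, not code from the patent or from Sangfor, of the attack-level split and the alarm decision described above. High-risk behaviors alarm directly; medium-low-risk behaviors are compared with a model of normal operation traffic, and traffic that falls inside the normal cluster is treated as normal service traffic without an alarm. The feature vector (statement verb counts), the single-cluster model standing in for the clustering algorithm, and all sample traffic are constructed for this example.

```python
"""Added example (not the patent's code): attack level assignment and
comparison of medium-low-risk traffic against a normal-operation model."""
from math import sqrt

# Attack level by behavior type, following the page's split (constructed).
HIGH_RISK = {"command_execution", "privilege_escalation"}
MEDIUM_LOW_RISK = {"insert", "delete", "create_database"}

# Feature vector: count of each statement verb in one traffic sample.
VERBS = ["select", "insert", "update", "delete", "create", "drop"]


def features(statements):
    vec = [0.0] * len(VERBS)
    for stmt in statements:
        tokens = stmt.split()
        if tokens and tokens[0].lower() in VERBS:
            vec[VERBS.index(tokens[0].lower())] += 1
    return vec


def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fit_normal_model(normal_samples):
    """Single-cluster model of normal operation: the centroid of the normal
    feature vectors and the largest distance of any normal sample from it
    (the cluster radius). Stands in for the clustering algorithm."""
    vecs = [features(s) for s in normal_samples]
    centroid = [sum(v[i] for v in vecs) / len(vecs) for i in range(len(VERBS))]
    radius = max(distance(v, centroid) for v in vecs)
    return centroid, radius


def attack_level(behavior: str) -> str:
    if behavior in HIGH_RISK:
        return "high"
    if behavior in MEDIUM_LOW_RISK:
        return "medium_low"
    raise ValueError(f"unknown behavior: {behavior}")


def decide_alarm(behavior, statements, model):
    """Return (level, alarm). High risk always alarms; medium-low risk alarms
    only when the traffic lies outside the normal cluster."""
    level = attack_level(behavior)
    if level == "high":
        return level, True
    centroid, radius = model
    return level, distance(features(statements), centroid) > radius


# Constructed normal operation traffic and samples to judge.
NORMAL_TRAFFIC = [
    ["select a from t", "select b from t", "insert into t values (1)"],
    ["select a from t", "insert into t values (2)", "update t set a = 1"],
    ["select a from t", "select b from t", "select c from t", "insert into t values (3)"],
]
SIMILAR_SAMPLE = ["select a from t", "select b from t", "insert into t values (9)"]
DIVERGENT_SAMPLE = ["delete from t", "delete from t", "delete from t", "drop table t"]
NORMAL_MODEL = fit_normal_model(NORMAL_TRAFFIC)

if __name__ == "__main__":
    print(decide_alarm("command_execution", [], NORMAL_MODEL))
    print(decide_alarm("insert", SIMILAR_SAMPLE, NORMAL_MODEL))
    print(decide_alarm("delete", DIVERGENT_SAMPLE, NORMAL_MODEL))
```

The insert traffic that looks like the daily pattern is suppressed, the burst of deletes plus a drop is outside the normal cluster and alarms, and command execution alarms regardless of the model.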
Fig. 3 is a schematic structural diagram of a detection apparatus for an attack behavior according to an embodiment of the present application, including a dividing unit 31, a first determining unit 32, and a second determining unit 33;
a dividing unit 31, configured to divide the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm;
the first determining unit 32 is configured to determine whether there is an attack behavior in the database protocol traffic based on a detection rule corresponding to the database type; the detection rules are set according to attack characteristics corresponding to the database type;
a second determining unit 33, configured to determine whether there is an attack behavior in the HTTP protocol traffic based on the HTTP protocol traffic detection rule; the HTTP protocol traffic detection rule is set according to attack words of the HTTP protocol.
Optionally, the first determination unit comprises a type determination subunit and an identification subunit;
the type determining subunit is used for determining the database type to which the database protocol flow belongs by using a database type identification algorithm;
and the identification subunit is used for identifying whether the database protocol traffic has an attack behavior according to the detection rule corresponding to the database type.
Optionally, the detection rule comprises an attack command matched with the database type; correspondingly, the identification subunit is used for determining that an attack behavior exists in the database protocol traffic under the condition that the database protocol traffic contains a command statement matched with the attack command.
Optionally, the system further comprises a generating unit;
and the generating unit is used for generating alarm information that the attack on the database protocol traffic succeeded after an attack behavior is determined to exist in the database protocol traffic.
Optionally, the HTTP protocol traffic detection rule is an attack lexicon model, wherein the attack lexicon model includes attack words and constraints between the attack words; the second determining unit comprises a matching subunit and a judging subunit;
the matching subunit is used for matching the HTTP protocol traffic with the set attack lexicon model;
and the judging subunit is used for judging that the HTTP protocol traffic has an attack behavior under the condition that target HTTP protocol traffic matched with the attack lexicon model exists in the HTTP protocol traffic.
Optionally, the device further comprises a type determining unit;
and the type determining unit is used for determining the target database type corresponding to the target HTTP protocol traffic based on the command statement contained in the target HTTP protocol traffic.
Optionally, the system further comprises an acquisition unit and a determination unit;
the acquiring unit is used for acquiring a response data packet corresponding to the HTTP protocol traffic after it is determined that the HTTP protocol traffic has an attack behavior; the response data packet is obtained according to the feedback of the database corresponding to the target database type;
and the judging unit is used for judging that the attack result of the attack behavior existing in the HTTP protocol traffic is attack success under the condition that the response data packet carries information of successful execution.
Optionally, an analysis unit is further included;
the analysis unit is used for carrying out behavior analysis on the target network traffic in which an attack behavior has been determined by using a machine learning model, and determining the attack behavior and the attack level in the target network traffic; different attack levels correspond to different alarm modes;
the machine learning model is obtained by training, with a clustering algorithm, on data traffic in the normal operation state and on characteristic information corresponding to various attack behaviors.
The description of the features in the embodiment corresponding to fig. 3 may refer to the related description of the embodiment corresponding to fig. 2, and is not repeated here.
According to the technical scheme, the acquired network traffic is divided into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm. Because attack behaviors differ in their characteristics across protocol types and across database types, the detection rules are set according to the attack characteristics corresponding to each database type, so that each database type has its own detection rule, while the HTTP protocol traffic detection rule is set according to attack words of the HTTP protocol. Once the database protocol traffic has been separated out, whether it contains an attack behavior is determined from the detection rule corresponding to its database type; once the HTTP protocol traffic has been separated out, whether it contains an attack behavior is determined from the HTTP protocol traffic detection rule. Dividing the network traffic by protocol type, detecting each protocol type in the way suited to it, and matching detection rules to database types together give comprehensive detection of attack behaviors and raise the detection rate. Because the detection rules are finely divided and thus more targeted, the accuracy of attack behavior detection is also improved.
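As an added example that is not part of the patent, the following Python sketch models the units described above (the dividing unit, the first and second determining units with their subunits, the type determining unit, and the acquiring and judging units) on constructed traffic records. The protocol labels, the per-database-type attack commands, the lexicon entries and their ordering constraint, the database fingerprints and the success markers are all assumptions, not values from the patent.

```python
"""Added example, not the patent's own code: a simplified model of the pipeline the apparatus
describes. Splits flows by protocol, applies per-database-type command rules to database
traffic, applies an attack-lexicon model with an ordering constraint to HTTP traffic, infers
the target database type, and confirms success from the response. All values are constructed."""
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str      # assumed output of a protocol identifier: "mysql", "mssql" or "http"
    request: str
    response: str = ""

# Detection rules keyed by database type (constructed sample attack commands).
DB_RULES = {"mysql": ["load_file(", "into outfile"],
            "mssql": ["xp_cmdshell", "sp_oacreate"]}

# Attack lexicon model: each entry names attack words that must appear in this order
# within one request, which is the constraint between the attack words.
HTTP_LEXICON = [("union_select", ["union", "select"]), ("stacked_exec", [";", "exec"])]

# Command statements that reveal the target database type behind an HTTP request.
DB_FINGERPRINTS = {"mysql": ["information_schema", "load_file"],
                   "mssql": ["xp_cmdshell", "sysobjects"]}

# Response text treated as "successful execution" feedback (constructed markers).
SUCCESS_MARKERS = ["rows in set", "command(s) completed successfully"]

def split_by_protocol(flows):
    """Dividing unit: database-protocol flows versus HTTP flows."""
    return ([f for f in flows if f.proto in DB_RULES],
            [f for f in flows if f.proto == "http"])

def detect_db_attack(flow):
    """First determining unit: the attack command matched for the flow's database type, else None."""
    text = flow.request.lower()
    return next((c for c in DB_RULES.get(flow.proto, []) if c in text), None)

def match_lexicon(request):
    """Name of the first lexicon entry whose words occur in order, else None."""
    text = request.lower()
    for name, words in HTTP_LEXICON:
        pos = 0
        for w in words:
            pos = text.find(w, pos)
            if pos < 0:
                break
            pos += len(w)
        else:               # every word found in order: the constraint holds
            return name
    return None

def target_db_type(request):
    """Type determining unit: infer the backend from command statements in the request."""
    text = request.lower()
    return next((db for db, marks in DB_FINGERPRINTS.items()
                 if any(m in text for m in marks)), "unknown")

def analyse_http(flow):
    """Second determining unit plus result check: (entry, db_type, success) or None if clean."""
    name = match_lexicon(flow.request)
    if name is None:
        return None
    success = any(m in flow.response.lower() for m in SUCCESS_MARKERS)
    return name, target_db_type(flow.request), success
```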
Fig. 4 is a schematic structural diagram of an attack detection device 40 provided in an embodiment of the present application, including:
a memory 41 for storing a computer program;
a processor 42 for executing a computer program for implementing the steps of the method for detecting an attack behavior as described in any one of the above.
The embodiment of the application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the steps of the method for detecting an attack behavior as described above are implemented.
The method, the apparatus, the device and the computer-readable storage medium for detecting an attack behavior provided by the embodiments of the present application are described in detail above. The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.

Claims (11)

1. A method for detecting an attack, comprising:
dividing the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm;
determining whether the database protocol traffic has an attack behavior or not based on a detection rule corresponding to the database type; the detection rule is set according to attack characteristics corresponding to the type of the database;
determining whether the HTTP protocol traffic has an attack behavior or not based on an HTTP protocol traffic detection rule; the HTTP protocol traffic detection rule is set according to attack words of the HTTP protocol.
2. The method for detecting an attack behavior according to claim 1, wherein the determining whether the attack behavior exists in the database protocol traffic based on the detection rule corresponding to the database type includes:
determining the database type to which the database protocol flow belongs by using a database type identification algorithm;
and identifying whether the attack behavior exists in the protocol flow of the database according to a detection rule corresponding to the type of the database.
3. The method according to claim 2, wherein the detection rule includes an attack command matching the database type; correspondingly, the identifying whether the database protocol traffic has an attack behavior according to the detection rule corresponding to the database type includes:
and determining that an attack behavior exists in the database protocol traffic under the condition that the database protocol traffic contains a command statement matched with the attack command.
4. The method according to claim 3, further comprising, after said determining that there is an attack in said database protocol traffic:
and generating alarm information that the attack on the database protocol traffic succeeded.
5. The method according to claim 1, wherein the HTTP protocol traffic detection rule is an attack lexicon model, wherein the attack lexicon model includes attack words and constraints between the attack words;
correspondingly, the determining whether the HTTP protocol traffic has an attack behavior based on the HTTP protocol traffic detection rule includes:
matching the HTTP protocol traffic with a set attack lexicon model;
and under the condition that target HTTP protocol traffic matched with the attack lexicon model exists in the HTTP protocol traffic, judging that the HTTP protocol traffic has an attack behavior.
6. The method for detecting an attack behavior of claim 5, further comprising:
and determining a target database type corresponding to the target HTTP protocol flow based on the command statement contained in the target HTTP protocol flow.
7. The method according to claim 6, further comprising, after said determining that there is an attack on said HTTP protocol traffic:
acquiring a response data packet corresponding to the HTTP protocol traffic; the response data packet is obtained according to the feedback of the database corresponding to the target database type;
and under the condition that the response data packet carries information of successful execution, judging that the attack result of the attack behavior existing in the HTTP protocol traffic is attack success.
8. The method for detecting an attack behavior according to any one of claims 1 to 7, further comprising:
performing behavior analysis on the target network traffic with the determined attack behavior by using a machine learning model, and determining the attack behavior and the attack level in the target network traffic; different attack grades correspond to different alarm modes;
the machine learning model is obtained by training data flow under a normal operation state and characteristic information corresponding to various attack behaviors by using a clustering algorithm.
9. The device for detecting the attack behavior is characterized by comprising a dividing unit, a first determining unit and a second determining unit;
the dividing unit is used for dividing the acquired network traffic into database protocol traffic and HTTP protocol traffic by using a protocol identification algorithm;
the first determining unit is configured to determine whether the database protocol traffic has an attack behavior based on a detection rule corresponding to a database type; the detection rule is set according to attack characteristics corresponding to the type of the database;
the second determining unit is used for determining whether the HTTP protocol traffic has an attack behavior based on an HTTP protocol traffic detection rule; the HTTP protocol traffic detection rule is set according to attack words of the HTTP protocol.
10. An apparatus for detecting an attack behavior, comprising:
a memory for storing a computer program;
a processor for executing the computer program for carrying out the steps of the method of detecting an attack behavior according to any one of claims 1 to 8.
11. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method for detecting an attack behavior according to any one of claims 1 to 8.
CN202110791433.3A 2021-07-13 2021-07-13 Attack behavior detection method, device, equipment and medium Pending CN113486343A (en)


Publications (1)

Publication Number Publication Date
CN113486343A true CN113486343A (en) 2021-10-08



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination