CN114465710A - Vulnerability detection method, device, equipment and storage medium based on flow - Google Patents


Info

Publication number: CN114465710A
Authority: CN (China)
Prior art keywords: network monitoring, request, hash function, data request, request packet
Legal status: Pending
Application number: CN202210074455.2A
Other languages: Chinese (zh)
Inventors: 陈勇, 马维士, 刘加瑞
Current assignee: Anhui Huayun'an Technology Co ltd
Original assignee: Anhui Huayun'an Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The application provides a traffic-based vulnerability detection method, apparatus, device and storage medium in the technical field of network security. The method comprises the following steps: acquiring the mirrored traffic of a data request packet while a network monitoring client and a network monitoring server are interacting, parsing the mirrored traffic of the data request packet, and obtaining from the parsed traffic the request unique address information (the request URL), the request message and the response message of the HTTP (hypertext transfer protocol) exchange; using a regular expression to extract a cryptographic hash function contained in the request unique address information or in the request message, and determining the function value corresponding to that cryptographic hash function; and, on judging that the response message contains the function value corresponding to the cryptographic hash function, determining that a vulnerability exists in the interaction between the network monitoring client and the network monitoring server. By monitoring and parsing the traffic of the data request packet, the embodiments of the application accurately identify the behaviour of a vulnerability scenario being attacked by exploitation, and solve the technical problem that the presence of a vulnerability could not be accurately judged from traffic.

Description

Vulnerability detection method, device, equipment and storage medium based on flow
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting a vulnerability based on traffic.
Background
With the rapid development of network technology, vulnerabilities in networks have become an important factor affecting network security. A vulnerability is a defect in the concrete implementation of hardware, software or protocols, or in an operating system's security policy, that allows an attacker to access or damage a system without authorization. At present, vulnerability detection or exploitation can only be verified from monitored traffic on the basis of fixed signatures; the behaviour of probing for a vulnerability with a random cryptographic hash function cannot be recognised, so the result of such a probe cannot be accurately judged.
Disclosure of Invention
In view of this, embodiments of the present application provide a traffic-based vulnerability detection method in which the traffic of the data request packet of an HTTP request initiated by the network monitoring client is obtained for monitoring and analysis, so that the behaviour of a vulnerability attack carried out with an expression of a cryptographic hash function is accurately identified, solving the technical problem that whether a vulnerability exists cannot be accurately determined from traffic.
In a first aspect, an embodiment of the present application provides a method for detecting a vulnerability based on traffic, where the method includes:
acquiring the mirrored traffic of a data request packet in the interaction state of a network monitoring client and a network monitoring server, parsing the mirrored traffic of the data request packet, and obtaining from the parsed traffic the request unique address information, the request message and the response message of the HTTP (hypertext transfer protocol) exchange;
extracting, by means of a regular expression, a cryptographic hash function contained in the request unique address information or in the request message, and determining the function value corresponding to the cryptographic hash function;
and, on judging that the response message contains the function value corresponding to the cryptographic hash function, determining that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
With reference to the first aspect, an embodiment of the present application provides a first possible implementation manner of the first aspect, where, before the mirrored traffic of the data request packet in the interaction state between the network monitoring client and the network monitoring server is obtained, the method further includes:
receiving a bidirectional forwarding message sent by the network monitoring client;
and obtaining the data request packet of the network monitoring client from the bidirectional forwarding message, and sending the data request packet of the network monitoring client to the network monitoring server, so that the network monitoring server establishes a communication link with the network monitoring client on the basis of the data request packet.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present application provides a second possible implementation manner of the first aspect, where obtaining the data request packet of the network monitoring client from the bidirectional forwarding message includes:
parsing the bidirectional forwarding message to obtain the request parameters, request address, request method and request domain name stored in it;
and combining the request parameters, request address, request method and request domain name to obtain the data request packet.
With reference to the first or the second possible implementation manner of the first aspect, an embodiment of the present application provides a third possible implementation manner of the first aspect, where obtaining the mirrored traffic of the data request packet in the interaction state between the network monitoring client and the network monitoring server, parsing the mirrored traffic of the data request packet, and obtaining the request unique address information, request message and response message of the HTTP exchange from the parsed traffic includes:
acquiring, with a packet capture tool, the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server;
and parsing the mirrored traffic of the data request packet with a preset TCP/IP four-layer model, and obtaining the request unique address information, request message and response message of the HTTP exchange from the parsed traffic.
With reference to the first or the second possible implementation manner of the first aspect, an embodiment of the present application provides a fifth possible implementation manner of the first aspect, where extracting, by means of a regular expression, a cryptographic hash function contained in the request unique address information or in the request message, and determining the function value corresponding to the cryptographic hash function, includes:
judging, with a regular expression, whether the request unique address information or the request message contains a cryptographic hash function;
and, if the request unique address information or the request message contains a cryptographic hash function, calculating the function value corresponding to that cryptographic hash function.
With reference to the first or the second possible implementation manner of the first aspect, an embodiment of the present application provides a sixth possible implementation manner of the first aspect, where determining that a vulnerability exists in the interaction state between the network monitoring client and the network monitoring server further includes:
judging whether the calculated function value corresponding to the cryptographic hash function is present in the response message of the data request packet;
and, if it is not, determining that the data request packet reveals no vulnerability in the interaction state of the network monitoring client and the network monitoring server.
In a second aspect, an embodiment of the present application further provides a traffic-based vulnerability detection apparatus, where the apparatus includes:
an obtaining module, which acquires the mirrored traffic of a data request packet in the interaction state of a network monitoring client and a network monitoring server, parses the mirrored traffic of the data request packet, and obtains the request unique address information, request message and response message of the HTTP (hypertext transfer protocol) exchange from the parsed traffic;
a calculation module, which uses a regular expression to extract a cryptographic hash function contained in the request unique address information or in the request message and determines the function value corresponding to the cryptographic hash function;
and a judging module, which judges whether the response message contains the function value corresponding to the cryptographic hash function and, if so, determines that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
With reference to the first possible implementation manner of the second aspect, an embodiment of the present application provides a second possible implementation manner of the first aspect, where the obtaining module includes:
a capturing unit, which acquires, with a packet capture tool, the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server;
and a parsing unit, which parses the mirrored traffic of the data request packet with a preset TCP/IP four-layer model and obtains the request unique address information, request message and response message of the HTTP exchange from the parsed traffic.
In a third aspect, an embodiment of the present application further provides a computer device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor performs the steps of the traffic-based vulnerability detection method when it executes the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium on which a computer program is stored, where the steps of the traffic-based vulnerability detection method are performed when the computer program is executed by a processor.
According to the traffic-based vulnerability detection method, apparatus and system, the mirrored traffic of a data request packet in the interaction state of a network monitoring client and a network monitoring server is obtained and parsed, and the request unique address information, request message and response message of the HTTP (hypertext transfer protocol) exchange are obtained from the parsed traffic; a regular expression is used to extract a cryptographic hash function contained in the request unique address information or in the request message, and the function value corresponding to the cryptographic hash function is determined; and, when the response message is judged to contain the function value corresponding to the cryptographic hash function, a vulnerability is determined to exist in the interaction state of the network monitoring client and the network monitoring server. This solves the technical problem that the presence of a vulnerability cannot be accurately judged from traffic, avoids relying on detection routines run periodically according to the experience of personnel, and greatly improves the accuracy of vulnerability identification.
Further, the traffic-based vulnerability detection method provided by the embodiment of the application has the following beneficial effects. Before the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server is obtained, the method also responds to a service request initiated by the network monitoring client by configuring a mirror of the bidirectional forwarding message of the service request onto an observation port of a switch, and obtains the data request packet of the network monitoring client after the switch parses the bidirectional forwarding message. The switch then parses the mirrored traffic of the acquired data request packet to obtain the request unique address information, request message and response message of the HTTP exchange; because the traffic of the data request packet is monitored and analysed on the basis of the HTTP request initiated by the network monitoring client, vulnerabilities that are easy to attack are accurately found, the behaviour of a vulnerability scenario being attacked by exploitation is accurately judged, and the accuracy of vulnerability identification is effectively improved. Finally, because the regular expression extracts the cryptographic hash function contained in the request unique address information or the request message of the HTTP service request, the behaviour of carrying out a vulnerability attack with an expression of a cryptographic hash function can be accurately judged while the security of the transmission channel is preserved.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 shows a schematic flow chart of a vulnerability detection method based on traffic provided in an embodiment of the present application.
Fig. 2 is a schematic flowchart illustrating a process of parsing a data request packet in another method for detecting a vulnerability based on traffic according to an embodiment of the present disclosure.
Fig. 3 is a schematic flow chart illustrating a process of determining a function value corresponding to a cryptographic hash function in a vulnerability detection method based on traffic according to an embodiment of the present application.
Fig. 4 shows a schematic structural diagram of a vulnerability detection apparatus based on traffic provided in an embodiment of the present application.
Fig. 5 shows a schematic structural diagram of a computer device provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as presented in the figures, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
With the continuous development of computer technology, computer networks are used more and more; while they bring convenience to people's lives, computer network security problems also occur frequently, so finding the latent security risks in a network is of great practical significance for improving the computer network environment.
Given that, in the prior art, vulnerability scenarios are identified from the request unique address information manually, embodiments of the present application provide a traffic-based vulnerability detection method and apparatus, described below by way of embodiments.
Fig. 1 shows a schematic flow chart of a traffic-based vulnerability detection method provided in an embodiment of the present application; as shown in fig. 1, the method comprises the following steps:
Step S10: obtain the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server, parse the mirrored traffic of the data request packet, and obtain the request unique address information (the request URL), the request message and the response message of the HTTP exchange from the parsed traffic.
When step S10 is implemented, after the network monitoring client has established communication with the network monitoring server through the source port or mirror port according to the mirroring function configured on the switch, the switch uses a packet capture tool to obtain, on the observation port, the mirrored traffic of the data request packet in the interaction state between the network monitoring client and the network monitoring server, parses the mirrored traffic of the data request packet with the TCP/IP four-layer model in deep packet inspection mode, and obtains the request unique address information, request message and response message of the HTTP exchange from the parsed traffic.
Step S20: use a regular expression to extract a cryptographic hash function contained in the request unique address information or in the request message, and determine the function value corresponding to the cryptographic hash function.
When step S20 is implemented, regular expressions are matched against the request unique address information and against the request message respectively; according to the matching results, the expressions of the cryptographic hash function contained in the request unique address information and in the request message are filtered out, and the function value corresponding to the cryptographic hash function is determined.
For example: if a cryptographic hash function is found in the request unique address information by the regular expression, the function value corresponding to that hash-function expression is taken as the matching result; if a cryptographic hash function is found in the request message by the regular expression, the function value corresponding to that hash-function expression is taken as the matching result; and if both the request unique address information and the request message contain a cryptographic hash-function expression, the function value corresponding to either one of the two expressions is taken as the matching result.
Step S30: judge whether the response message contains the function value corresponding to the cryptographic hash function and, if so, determine that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
When step S30 is implemented, the network monitoring client sends response data to the network monitoring server through the response object; the data stream of the response data is analysed with the parser, the response message of the HTTP exchange is obtained from the parsed traffic, and it is judged whether the response message contains the function value corresponding to the cryptographic hash function. If the response message contains the function value corresponding to the cryptographic hash function, a vulnerability is determined to exist in the interaction state between the network monitoring client and the network monitoring server.
In a possible implementation of the traffic-based vulnerability detection method, step S10 is preceded by:
Step S0A: receive the bidirectional forwarding message sent by the network monitoring client.
Step S0B: obtain the data request packet of the network monitoring client from the bidirectional forwarding message, and send the data request packet of the network monitoring client to the network monitoring server, so that the network monitoring server establishes a communication link with the network monitoring client on the basis of the data request packet.
When steps S0A and S0B are implemented, the network monitoring client's bidirectional forwarding traffic is mirrored to mirror port GE0/0/1 of the switch; the switch mirrors the bidirectional forwarding traffic received on mirror port GE0/0/2 to observation port GE0/0/3; on observation port GE0/0/3 the switch monitors and parses the bidirectional forwarding message according to preset data start information and end marker to obtain the data request packet of the network monitoring client, and sends the data request packet of the network monitoring client to the network monitoring server, so that the network monitoring server establishes traffic monitoring with the network monitoring client on the basis of the data request packet. For example, with a Huawei switch, the mirroring configuration commands that establish the observation port between the network monitoring client and the network monitoring server are as follows:
<Huawei>system-view
[Huawei]observe-port 1 interface gigabitethernet 0/0/3
[Huawei]interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2]port-mirroring to observe-port 1 both
In a possible implementation, obtaining by the switch, in step S0B, the data request packet of the network monitoring client from the configured bidirectional forwarding message includes:
Step S0B1: parse the bidirectional forwarding message to obtain the request parameters, request address, request method and request domain name stored in it.
Step S0B2: combine the request parameters, request address, request method and request domain name to obtain the data request packet.
When steps S0B1 and S0B2 are implemented, the bidirectional forwarding message of the network monitoring client's HTTP request is obtained from the observation port of the switch through the Spring framework, the bidirectional forwarding message is parsed according to the preset data start information and end marker to obtain its request parameters, request address, request method and request domain name, and these four fields are combined by serialisation, giving the data request packet in binary form.
In a possible implementation, fig. 2 is a schematic flowchart of the parsing of the data request packet in a traffic-based vulnerability detection method provided in an embodiment of the present application; in step S10, obtaining the mirrored traffic of the data request packet in the interaction state between the network monitoring client and the network monitoring server, parsing the mirrored traffic of the data request packet, and obtaining the request unique address information, request message and response message of the HTTP exchange from the parsed traffic includes:
Step S101: acquire, with a packet capture tool, the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server;
Step S102: parse the mirrored traffic of the data request packet with a preset TCP/IP four-layer model, and obtain the request unique address information, request message and response message of the HTTP exchange from the parsed traffic.
When steps S101 and S102 are implemented, the mirrored traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server is acquired with a website traffic capture tool and handed, as data frames of the relevant network type, to the data link layer of the preset TCP/IP four-layer model; the data link layer passes the received mirrored traffic up to the transport layer as IP packets and data segments along the paths of the TCP/IP protocol stack; the transport layer reassembles the segmented traffic and delivers it to the application layer; and the application layer parses the mirrored traffic of the data request packet according to the application protocol in use, obtaining the request unique address information, request message and response message of the HTTP exchange.
In a possible implementation, fig. 3 is a schematic flowchart of the determination of the function value corresponding to a cryptographic hash function in a traffic-based vulnerability detection method according to an embodiment of the present application; in step S20, extracting, with a regular expression, a cryptographic hash function contained in the request unique address information or in the request message, and determining the function value corresponding to the cryptographic hash function, includes:
Step S201: judge, with a regular expression, whether the request unique address information or the request message contains a cryptographic hash function.
Step S202: if the request unique address information or the request message contains a cryptographic hash function, determine the function value corresponding to the cryptographic hash function.
When steps S201 and S202 are implemented, a regular-expression pattern is string-matched against the request unique address information to judge whether it contains a cryptographic hash function; if it does, the expression of the cryptographic hash function is obtained, for example with a pattern of the form ^(?:.*md5\(.*\).*)$, where md5 is matched as a literal string. The request message is likewise string-matched against a regular-expression pattern to judge whether it contains a cryptographic hash function; if it does, the expression of the cryptographic hash function is obtained, that is, the function value corresponding to the cryptographic hash function is determined, for example with the sed expression sed 's/.*md5(\([^)]*\)).*/\1/gi', which extracts the argument of md5(...), md5 again being a literal string.
In a possible implementation, step S30 further includes:
Step S301: judge whether the calculated function value corresponding to the cryptographic hash function is present in the response message of the data request packet.
Step S302: if it is not, the data request packet reveals no vulnerability in the interaction state of the network monitoring client and the network monitoring server.
When steps S301 and S302 are implemented, the response message of the HTTP exchange is examined for the function value corresponding to the cryptographic hash function, and if the response message does not contain that function value, no vulnerability is determined to exist in the interaction state of the network monitoring client and the network monitoring server.
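The following is an added worked example of steps S20 through S302 (regular-expression extraction of an md5(...) expression from the request URL or body, computation of its function value, and the presence check against the response); it is not code from the patent or its assignee. The regular expression, the Python helper names and the three HTTP exchanges are assumptions constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Hypothetical pattern (an assumption, not the patent's own regular expression):
# matches md5(<argument>) case-insensitively and captures the argument, with or
# without surrounding quotes, e.g. md5(123) or MD5('abc').
HASH_CALL_RE = re.compile(r"md5\(\s*['\"]?([^'\")]*)['\"]?\s*\)", re.IGNORECASE)


@dataclass
class HttpExchange:
    """One request/response pair recovered from the mirrored traffic."""
    method: str
    url: str            # the request unique address information
    request_body: str   # the request message body
    response_body: str  # the response message body


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, request-target, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return method, target, body


def parse_response(raw: str) -> str:
    """Return the body of a raw HTTP/1.x response."""
    _head, _, body = raw.partition("\r\n\r\n")
    return body


def build_exchange(raw_request: str, raw_response: str) -> HttpExchange:
    method, target, body = parse_request(raw_request)
    return HttpExchange(method, target, body, parse_response(raw_response))


def extract_hash_argument(text: str) -> Optional[str]:
    """Step S201: find an md5(...) expression; URL-decode first so %28/%29 also match."""
    m = HASH_CALL_RE.search(unquote_plus(text))
    return m.group(1) if m else None


def hash_function_value(argument: str) -> str:
    """Step S202: the function value the server would produce if it evaluated md5()."""
    return hashlib.md5(argument.encode("utf-8")).hexdigest()


def evaluate_exchange(ex: HttpExchange) -> dict:
    """Steps S20 and S30/S301/S302 over one exchange.

    probe=True means the request carries a hash-function expression;
    vulnerable=True only when the computed digest appears in the response,
    i.e. the server actually evaluated the expression.
    """
    # URL first, then body; when both carry an expression either one is used,
    # as the patent takes one of the two as the matching result.
    argument = extract_hash_argument(ex.url)
    if argument is None:
        argument = extract_hash_argument(ex.request_body)
    if argument is None:
        return {"probe": False, "vulnerable": False, "digest": None}
    digest = hash_function_value(argument)
    # Compare case-insensitively: a server may print the digest in upper case.
    found = digest in ex.response_body.lower()
    return {"probe": True, "vulnerable": found, "digest": digest}


# Constructed sample traffic (not captured from any real system).
PROBE_REQUEST = (
    "GET /page.php?name=%7B%7Bmd5(123)%7D%7D HTTP/1.1\r\n"
    "Host: app.example.test\r\n\r\n"
)
RESPONSE_EVALUATED = (  # the server evaluated md5(123): vulnerable
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p>Hello 202cb962ac59075b964b07152d234b70</p>"
)
RESPONSE_ECHOED = (  # the server only echoed the text back: not vulnerable
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<p>Hello {{md5(123)}}</p>"
)
BENIGN_REQUEST = "GET /page.php?name=alice HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
RESPONSE_BENIGN = "HTTP/1.1 200 OK\r\n\r\n<p>Hello alice</p>"


def analyse_samples() -> List[Tuple[str, dict]]:
    """Run the three constructed exchanges and return (label, verdict) pairs."""
    pairs = [
        ("probe, evaluated", PROBE_REQUEST, RESPONSE_EVALUATED),
        ("probe, echoed", PROBE_REQUEST, RESPONSE_ECHOED),
        ("benign", BENIGN_REQUEST, RESPONSE_BENIGN),
    ]
    return [(label, evaluate_exchange(build_exchange(rq, rs))) for label, rq, rs in pairs]


if __name__ == "__main__":
    for label, verdict in analyse_samples():
        print(f"{label:18s} -> {verdict}")
```

The second exchange shows the caveat the patent's step S302 encodes: a request carrying the expression is only a probe, and the finding is raised solely when the computed digest comes back in the response.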
Fig. 4 is a schematic structural diagram of a traffic-based vulnerability detection apparatus 40 provided in an embodiment of the present application. As shown in Fig. 4, the apparatus includes:
an obtaining module 401, which obtains the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server, parses the mirror traffic of the data request packet, and obtains the request unique address information, the request message and the response message of the HTTP protocol after parsing;
a calculation module 402, which extracts, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and determines the function value corresponding to the cryptographic hash function; and
a judging module 403, which judges that the response message contains the function value corresponding to the cryptographic hash function and determines that a vulnerability exists in the interaction state between the network monitoring client and the network monitoring server.
In a possible implementation, the obtaining module includes:
a capture unit 4011, which obtains, through a capture tool, the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server; and
an analysis unit 4012, which parses the mirror traffic of the data request packet by using a preset TCP/IP four-layer model and obtains the request unique address information, the request message and the response message of the HTTP protocol after parsing.
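The layer-by-layer parsing performed by the analysis unit 4012 can be illustrated on a single mirrored frame. This is an added example, not code from the patent or the applicant: a constructed Ethernet/IPv4/TCP frame carrying an HTTP message is assembled by the helper build_frame (an assumption made so the example runs offline; checksums are left at zero), and decode_mirror_frame walks the link, internet, transport and application layers of the TCP/IP four-layer model, splitting the HTTP payload into method, request-target (the request unique address information), headers and body, or status and body for a response. All function names are hypothetical.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(payload, src_port=40000, dst_port=80):
    """Constructed test frame: Ethernet II + IPv4 + TCP + payload (checksums zero)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    # 20-byte TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # 20-byte IPv4 header: version 4 / IHL 5, TOS, total length, id, DF flag, TTL, proto
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    return eth + ip + tcp + payload


def parse_http(payload):
    """Application layer: split an HTTP/1.x message into start line, headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start[0].upper().startswith("HTTP/"):
        return {"kind": "response", "status": int(start[1]), "headers": headers, "body": body}
    return {"kind": "request", "method": start[0], "url": start[1],
            "host": headers.get("host"), "headers": headers, "body": body}


def decode_mirror_frame(frame):
    """Link -> internet -> transport -> application, returning the fields of each layer."""
    # Link layer: Ethernet II header is 14 bytes; EtherType 0x0800 means IPv4.
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    if frame[ip + 9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    src_ip = ".".join(str(b) for b in frame[ip + 12:ip + 16])
    dst_ip = ".".join(str(b) for b in frame[ip + 16:ip + 20])
    # Transport layer: TCP ports and data offset (header length in 32-bit words).
    tcp = ip + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4
    # Application layer: bytes between the TCP header and the end of the IP datagram,
    # so trailing Ethernet padding is never mistaken for HTTP body.
    payload = frame[tcp + data_off:ip + total_len]
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "http": parse_http(payload)}


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: monitor.example\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 8\r\n\r\nq=abc123")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 2\r\n\r\nok")

if __name__ == "__main__":
    print(decode_mirror_frame(build_frame(SAMPLE_REQUEST)))
    print(decode_mirror_frame(build_frame(SAMPLE_RESPONSE, 80, 40000)))
```

The example decodes one frame whose HTTP message fits in a single TCP segment; a production analysis unit would additionally reassemble the TCP stream and pair each request with its response by the four-tuple of addresses and ports before handing the URL, request message and response message to the matching step.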
In a possible implementation, the calculation module includes:
a judging unit 4021, which judges, by using a regular expression, whether the request unique address information or the request message contains a cryptographic hash function; and
a determining unit 4022, which determines the function value corresponding to the cryptographic hash function if the request unique address information or the request message contains the cryptographic hash function.
In a specific implementation of the device, after the network monitoring client establishes communication with the network monitoring server through a source port or a mirror port according to the mirror function configured on the interactive machine, the switch acquires, through a capture tool, the mirror traffic of the data request packet on an observation window in the interaction state of the network monitoring client and the network monitoring server, parses that mirror traffic with a TCP/IP four-layer model in the manner of deep packet inspection, and obtains the request unique address information, the request message and the response message of the HTTP protocol. The request unique address information and the request message are then each matched with a regular expression; according to the matching result, the array expressions of the cryptographic hash functions contained in them are screened out, and the function value corresponding to each cryptographic hash function is determined. The network monitoring client sends response data to the network monitoring server through the response object; a parser performs traffic analysis on the data stream of the response data, the HTTP response message is obtained after parsing, and it is judged whether the response message contains the function value corresponding to the cryptographic hash function. If it does, it is determined that a vulnerability exists in the interaction state between the network monitoring client and the network monitoring server.
Corresponding to the traffic-based vulnerability detection method of Fig. 1, an embodiment of the present invention further provides a computer device 50. As shown in Fig. 5, the device includes a memory 501, a processor 502 and a computer program stored in the memory 501 and executable on the processor 502, and the processor 502 carries out the following method when executing the computer program:
acquiring mirror traffic of a data request packet in an interaction state of a network monitoring client and a network monitoring server, parsing the mirror traffic of the data request packet, and obtaining request unique address information, a request message and a response message of the HTTP (hypertext transfer protocol) protocol after parsing;
extracting, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and determining a function value corresponding to the cryptographic hash function; and
judging that the response message contains the function value corresponding to the cryptographic hash function, and determining that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
Corresponding to the traffic-based vulnerability detection method of Fig. 1, an embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the following steps:
acquiring mirror traffic of a data request packet in an interaction state of a network monitoring client and a network monitoring server, parsing the mirror traffic of the data request packet, and obtaining request unique address information, a request message and a response message of the HTTP (hypertext transfer protocol) protocol after parsing;
extracting, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and determining a function value corresponding to the cryptographic hash function; and
judging that the response message contains the function value corresponding to the cryptographic hash function, and determining that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
Based on the above analysis: compared with the prior art, in which vulnerability detection is performed by periodically running a vulnerability scanner by hand, the traffic-based vulnerability detection method provided by the embodiments of the present application captures and analyses the traffic of the data request packet on the basis of the HTTP (hypertext transfer protocol) request initiated by the network monitoring client. It can therefore accurately judge the behaviour in which a vulnerable scenario is exploited, in particular the behaviour of carrying out a vulnerability attack by means of an array expression of a cryptographic hash function. This solves the technical problem that the existence of a vulnerability could not be accurately judged from traffic, avoids a detection mode that is run periodically and depends on personnel experience, and greatly improves the accuracy of vulnerability identification.
The traffic-based vulnerability detection device provided by the embodiments of the present application may be specific hardware on the equipment, or software or firmware installed on the equipment. The device provided by the embodiments of the present application has the same implementation principle and technical effect as the foregoing method embodiments; for brevity, where the device embodiments leave a point unmentioned, reference may be made to the corresponding content of the foregoing method embodiments. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not described again here.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application and not to limit them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can modify, or easily conceive of changes to, the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the present disclosure, which should be construed in light of the above teachings, and are intended to be covered by the scope of this application.

Claims (10)

1. A traffic-based vulnerability detection method, characterized by comprising the following steps:
acquiring mirror traffic of a data request packet in an interaction state of a network monitoring client and a network monitoring server, parsing the mirror traffic of the data request packet, and obtaining request unique address information, a request message and a response message of the HTTP (hypertext transfer protocol) protocol after parsing;
extracting, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and determining a function value corresponding to the cryptographic hash function; and
judging that the response message contains the function value corresponding to the cryptographic hash function, and determining that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
2. The traffic-based vulnerability detection method according to claim 1, wherein, before acquiring the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server, the method further comprises:
receiving a bidirectional forwarding message sent by the network monitoring client; and
obtaining a data request packet of the network monitoring client according to the bidirectional forwarding message, and sending the data request packet containing the network monitoring client to the network monitoring server, so that the network monitoring server establishes a communication link with the network monitoring client according to the data request packet.
3. The method according to claim 2, wherein obtaining the data request packet of the network monitoring client according to the bidirectional forwarding message comprises:
parsing the bidirectional forwarding message to obtain the request parameters, request address, request method and request domain name stored in the bidirectional forwarding message; and
combining the request parameters, the request address, the request method and the request domain name to obtain the data request packet.
4. The traffic-based vulnerability detection method according to claim 1, wherein acquiring the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server, parsing the mirror traffic of the data request packet, and obtaining the request unique address information, the request message and the response message of the HTTP protocol after parsing, comprises:
acquiring, through a capture tool, the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server; and
parsing the mirror traffic of the data request packet by using a preset TCP/IP four-layer model, and obtaining the request unique address information, the request message and the response message of the HTTP protocol after parsing.
5. The traffic-based vulnerability detection method according to claim 1, wherein extracting, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and determining the function value corresponding to the cryptographic hash function, comprises:
judging, by using a regular expression, whether the request unique address information or the request message contains a cryptographic hash function; and
if the request unique address information or the request message contains a cryptographic hash function, calculating the function value corresponding to the cryptographic hash function.
6. The method according to claim 1, further comprising:
judging whether the calculated function value corresponding to the cryptographic hash function is present in the response message of the data request packet; and
if it is not, determining that the data request packet has no vulnerability in the interaction state of the network monitoring client and the network monitoring server.
7. A traffic-based vulnerability detection apparatus, the apparatus comprising:
an acquisition module, configured to acquire mirror traffic of a data request packet in an interaction state of a network monitoring client and a network monitoring server, parse the mirror traffic of the data request packet, and obtain request unique address information, a request message and a response message of the HTTP (hypertext transfer protocol) protocol after parsing;
a calculation module, configured to extract, by using a regular expression, the request unique address information or the request message that contains a cryptographic hash function, and to determine a function value corresponding to the cryptographic hash function; and
a judging module, configured to judge that the response message contains the function value corresponding to the cryptographic hash function, and to determine that a vulnerability exists in the interaction state of the network monitoring client and the network monitoring server.
8. The traffic-based vulnerability detection apparatus according to claim 7, wherein the acquisition module comprises:
a capture unit, configured to acquire, through a capture tool, the mirror traffic of the data request packet in the interaction state of the network monitoring client and the network monitoring server; and
an analysis unit, configured to parse the mirror traffic of the data request packet by using a preset TCP/IP four-layer model, and to obtain the request unique address information, the request message and the response message of the HTTP protocol after parsing.
9. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, performs the steps of the traffic-based vulnerability detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the traffic-based vulnerability detection method according to any one of claims 1 to 7.
CN202210074455.2A 2022-01-21 2022-01-21 Vulnerability detection method, device, equipment and storage medium based on flow Pending CN114465710A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210074455.2A CN114465710A (en) 2022-01-21 2022-01-21 Vulnerability detection method, device, equipment and storage medium based on flow

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210074455.2A CN114465710A (en) 2022-01-21 2022-01-21 Vulnerability detection method, device, equipment and storage medium based on flow

Publications (1)

Publication Number Publication Date
CN114465710A true CN114465710A (en) 2022-05-10

Family

ID=81411556

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210074455.2A Pending CN114465710A (en) 2022-01-21 2022-01-21 Vulnerability detection method, device, equipment and storage medium based on flow

Country Status (1)

Country Link
CN (1) CN114465710A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174245A (en) * 2022-07-15 2022-10-11 湖北天融信网络安全技术有限公司 Test method and system based on DoIP protocol detection
CN115314322A (en) * 2022-10-09 2022-11-08 安徽华云安科技有限公司 Vulnerability detection confirmation method, device, equipment and storage medium based on flow

Similar Documents

Publication Publication Date Title
CN108809890B (en) Vulnerability detection method, test server and client
KR20200033092A (en) An apparatus for network monitoring based on edge computing and method thereof, and system
CN114465710A (en) Vulnerability detection method, device, equipment and storage medium based on flow
US10972496B2 (en) Upload interface identification method, identification server and system, and storage medium
JP2015511338A (en) Method and system for ensuring the reliability of IP data provided by a service provider
KR20140034045A (en) Detection of infected network devices via analysis of responseless outgoing network traffic
CA3159619C (en) Packet processing method and apparatus, device, and computer-readable storage medium
CN111371774A (en) Information processing method and device, equipment and storage medium
CN113518042B (en) Data processing method, device, equipment and storage medium
JP6691268B2 (en) Monitoring device, monitoring method, and monitoring program
CN114553730B (en) Application identification method and device, electronic equipment and storage medium
CN114172703A (en) Malicious software identification method, device and medium
JP2023516621A (en) Web attack detection and blocking system and method by artificial intelligence machine learning behavior-based web protocol analysis
JP5531064B2 (en) COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM
CN115633359A (en) PFCP session security detection method, device, electronic equipment and storage medium
CN115314322A (en) Vulnerability detection confirmation method, device, equipment and storage medium based on flow
US9049170B2 (en) Building filter through utilization of automated generation of regular expression
KR102001814B1 (en) A method and apparatus for detecting malicious scripts based on mobile device
EP3298746B1 (en) Offloading web security services to client side
CN112995277B (en) Access processing method and device and proxy server
CN112367326B (en) Method and device for identifying traffic of Internet of vehicles
RU2777348C1 (en) Computing apparatus and method for identifying compromised apparatuses based on dns tunnelling detection
US20230224318A1 (en) Application security testing based on live traffic
JP7306456B2 (en) Information protection device, information protection method and program
WO2023216792A1 (en) Attack detection method, and apparatus

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination