CN115865457A - Network attack behavior identification method, server and medium - Google Patents


Info

Publication number
CN115865457A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211490024.0A
Other languages
Chinese (zh)
Inventor
周杰
杨俊�
王雪飞
李远祥
肖欢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Abstract

The application provides a network attack behavior identification method, a server and a medium, wherein the method comprises the following steps: receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request; parsing the request message to acquire message header information of the request message; respectively obtaining weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information; querying locally stored attack behavior fingerprints to acquire the similarity of the access request fingerprint; and when the similarity of the access request fingerprint is greater than the similarity threshold, determining that the access request is a network attack behavior and blocking the access request. This solves the prior-art problem of a server having a low identification rate for network attack behavior.

Description

Network attack behavior identification method, server and medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, a server, and a medium for identifying a network attack behavior.
Background
Browsing web pages through various user terminals has become an indispensable part of people's work and life. A user terminal accesses a website by initiating an http request to the server. Exploiting this, a hacker pretends to be an ordinary user terminal, initiates an http request to the server, and attacks the website once the server has accepted the request.
In the prior art, a server identifies network attack behavior by comparing the IP address carried in an http request with stored IP addresses from which network attacks have previously been initiated. However, this identification method cannot cope with network attacks carried out with rapidly rotated ("second-dial") IP addresses: the hacker keeps changing the IP address while initiating http requests to the server, so the server cannot identify the attack behavior by IP address, and the identification rate of network attack behavior is low.
Disclosure of Invention
The application provides a network attack behavior identification method, a server and a medium, which are used for solving the problem that the server has a low network attack behavior identification rate in the prior art.
In a first aspect, the present application provides a method for identifying a network attack behavior, including: receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request; performing message analysis on the request message to acquire message header information of the request message; respectively obtaining the weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information; inquiring locally stored attack behavior fingerprints to acquire the similarity of the access request fingerprints; and when the similarity of the access request fingerprints is larger than the similarity threshold value, determining that the access request is a network attack behavior, and carrying out blocking processing on the access request.
In a specific embodiment, the obtaining, according to the IP address information, the weight corresponding to the IP address information, the packet header information, and the weight corresponding to the packet header information, an access request fingerprint corresponding to the access request includes: generating an IP address information character string according to the IP address information and the corresponding weight of the IP address information; generating a message header information character string according to the message header information and the weight corresponding to the message header information; and combining the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
In a specific embodiment, the querying a locally stored attack behavior fingerprint to obtain similarity of the access request fingerprint includes: inquiring locally stored attack behavior fingerprints, comparing IP address information in the access request fingerprints with IP address information in the attack behavior fingerprints, and adding weights corresponding to the IP address information into the similarity of the access request fingerprints when the IP address information in the access request fingerprints is determined to be the same as the IP address information in the attack behavior fingerprints; and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and adding the weight corresponding to the message header information into the similarity of the access request fingerprint when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint.
In one embodiment, the IP address information includes request source IP address information and destination IP address information; the message header information includes: user terminal data information, historical access page information, browser information, and host information.
In a second aspect, the present application provides a server comprising an acquisition module and a processing module. The acquisition module is configured to receive an access request initiated by a user terminal and to acquire IP address information corresponding to the access request and a request message carried by the access request; the acquisition module is further configured to parse the request message and acquire message header information of the request message. The processing module is configured to respectively acquire the weights corresponding to the IP address information and the message header information, and to acquire an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information; the processing module is further configured to query the locally stored attack behavior fingerprints and acquire the similarity of the access request fingerprint; and the processing module is further configured to determine that the access request is a network attack behavior and block the access request when it is determined that the similarity of the access request fingerprint is greater than a similarity threshold.
In a specific embodiment, the processing module is specifically configured to: generating an IP address information character string according to the IP address information and the corresponding weight of the IP address information; generating a message header information character string according to the message header information and the weight corresponding to the message header information; and combining the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
In a specific embodiment, the processing module is specifically configured to: inquiring locally stored attack behavior fingerprints, comparing IP address information in the access request fingerprints with IP address information in the attack behavior fingerprints, and adding weights corresponding to the IP address information into the similarity of the access request fingerprints when the IP address information in the access request fingerprints is determined to be the same as the IP address information in the attack behavior fingerprints; and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and adding the weight corresponding to the message header information into the similarity of the access request fingerprint when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint.
In one embodiment, the IP address information includes request source IP address information and destination IP address information; the message header information includes: user terminal data information, historical access page information, browser information, and host information.
In a third aspect, the present application provides a server, comprising: a processor, a memory, a communication interface; the memory is used for storing executable instructions of the processor; wherein the processor is configured to perform the method of identifying a cyber-attack behavior of the first aspect via execution of the executable instructions.
In a fourth aspect, the present application provides a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the network attack behavior identification method according to the first aspect.
The application provides a network attack behavior identification method, a server and a medium, wherein the method comprises the following steps: receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request; analyzing the request message to obtain message header information of the request message; respectively obtaining weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information; inquiring the attack behavior fingerprint stored locally to obtain the similarity of the access request fingerprint; and when the similarity of the access request fingerprint is determined to be greater than the similarity threshold, determining that the access request is a network attack behavior, and carrying out blocking processing on the access request. Compared with the prior art that the network attack behavior is identified by comparing the IP address with the IP address which is stored by the server and launches the network attack, the method and the device for identifying the network attack behavior acquire the access request fingerprint according to the IP address information and the corresponding weight thereof, the message header information and the corresponding weight thereof, acquire the similarity of the access request fingerprint according to the locally stored attack behavior fingerprint, and determine that the access request is the network attack behavior and carry out the blocking processing on the network attack behavior when the similarity is greater than the similarity threshold. 
Therefore, even if a hacker continuously changes the IP address, the server can still identify the attack behavior by means of the similarity of the access request fingerprint containing the message header information, the identification rate of the server to the network attack behavior is effectively improved, and the problem of low identification rate of the network attack behavior caused by the fact that the server cannot accurately identify the network attack behavior through the IP address in the prior art is solved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and those skilled in the art can obtain other drawings without inventive labor.
Fig. 1 is a schematic flowchart of a first embodiment of a method for identifying a network attack behavior provided by the present application;
fig. 2 is a schematic flowchart of a second embodiment of a method for identifying a network attack behavior provided by the present application;
FIG. 3 is a schematic structural diagram of an embodiment of a server provided in the present application;
fig. 4 is a schematic structural diagram of another embodiment of a server provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments that can be made by one skilled in the art based on the embodiments in the present application in light of the present disclosure are within the scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and claims of this application and in the preceding drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Today, with network information updated rapidly, browsing web pages through various user terminals has become an indispensable part of people's work and life. A user terminal accesses a website by sending an http request to the server. Exploiting this, a hacker pretends to be an ordinary user terminal, initiates an http request to the server, and attacks the website once the server has accepted the request.
In the prior art, a server identifies network attack behavior by comparing the IP address carried in an http request with stored IP addresses from which network attacks have previously been initiated. However, this identification method cannot cope with network attacks carried out with rapidly rotated ("second-dial") IP addresses: the hacker keeps changing the IP address while sending http requests to the server, so the server cannot identify the attack by IP address, and the identification rate of network attacks is low.
Based on this technical problem, the technical idea of the application is as follows: how to cope with network attacks carried out with second-dial IP addresses, and thereby improve the server's identification rate of network attack behavior.
The technical solution of the present application will be described in detail below with reference to specific examples. It should be noted that the following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a schematic flowchart of a first embodiment of a method for identifying a network attack behavior provided by the present application. Referring to fig. 1, the method for identifying a network attack behavior specifically includes the following steps:
step S101: receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request.
In this embodiment, the server receives an access request initiated by the user terminal, which may be, for example, a request initiated by the user terminal to access a web page. And the server acquires the IP address information corresponding to the access request and the carried request message.
Step S102: and analyzing the request message to acquire message header information of the request message.
In this embodiment, the request message is usually in a text format, and the header information of the request message can be obtained by parsing the message. Illustratively, the message header information may be the Host information "Host=10.22.22.22" of the access request.
Step S103: and respectively obtaining the weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information.
In this embodiment, the IP address information and the message header information each correspond to a different weight. Illustratively, the IP address information is "DstIP=192.168.0.8" with a corresponding weight of 1, and the message header information is "Cookie=1660392043" with a corresponding weight of 95. According to the IP address information, its weight, the message header information and its weight, the access request fingerprint corresponding to the access request is obtained as "01:DstIP:192.168.0.8;90:Cookie:1660392043".
Step S104: and inquiring the attack behavior fingerprint stored locally to obtain the similarity of the access request fingerprint.
Step S105: and when the similarity of the access request fingerprints is greater than the similarity threshold value, determining that the access request is a network attack behavior, and carrying out blocking processing on the access request.
In this embodiment, the server stores attack behavior fingerprints locally and obtains the similarity of the access request fingerprint by querying them. Illustratively, the server queries the locally stored attack behavior fingerprint "DstIP:192.168.0.5;Cookie:1660392043", and the similarity of the access request fingerprint is 90.
When the similarity of the access request fingerprint is determined to be greater than the similarity threshold, the access request is determined to be a network attack behavior. Illustratively, the similarity threshold may be 80. In the above example, the similarity of the access request fingerprint to the header information of the attack behavior fingerprint is 90, which is greater than the similarity threshold, so the access request is determined to be a network attack behavior and is blocked.
In particular, the blocking process may be to deny the access request and locally store the access request fingerprint as an attack behavior fingerprint.
In this embodiment, an access request initiated by a user terminal is received, and IP address information corresponding to the access request and a request message carried by the access request are acquired; analyzing the request message to obtain message header information of the request message; respectively obtaining weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information; inquiring the attack behavior fingerprint stored locally to obtain the similarity of the access request fingerprint; and when the similarity of the access request fingerprint is determined to be greater than the similarity threshold, determining that the access request is a network attack behavior, and carrying out blocking processing on the access request. Compared with the prior art that the network attack behavior is identified by comparing the IP address with the IP address which is stored by the server and launches the network attack, the method and the device for identifying the network attack behavior acquire the access request fingerprint according to the IP address information and the corresponding weight thereof, the message header information and the corresponding weight thereof, acquire the similarity of the access request fingerprint according to the locally stored attack behavior fingerprint, and determine that the access request is the network attack behavior and carry out the blocking processing on the network attack behavior when the similarity is greater than the similarity threshold. 
Therefore, even if a hacker continuously changes the IP address, the server can still identify the attack behavior by means of the similarity of the access request fingerprints containing the message header information, the identification rate of the server to the network attack behavior is effectively improved, and the problem that the identification rate of the network attack behavior is low because the server cannot accurately identify the network attack behavior through the IP address in the prior art is solved.
Fig. 2 is a schematic flowchart of a second embodiment of a method for identifying a network attack behavior provided by the present application, and referring to fig. 2 on the basis of the embodiment shown in fig. 1, the method for identifying a network attack behavior specifically includes the following steps:
step S201: receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request.
Step S202: and analyzing the request message to acquire message header information of the request message.
Step S203: respectively acquiring weights corresponding to the IP address information and the message header information, and generating an IP address information character string according to the IP address information and the corresponding weights of the IP address information; generating a message header information character string according to the message header information and the weight corresponding to the message header information; and merging the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
In this embodiment, the IP address information includes request source IP address information and destination IP address information. The request source IP address information SrcIp is source IP address information of the access request, and the target IP address information DstIp is target IP address information of the access request. For example, the request source IP address information SrcIp may have a weight of 99, and the destination IP address information DstIp may have a weight of 1.
An IP address information character string is generated according to the IP address information and its corresponding weight. Illustratively, the IP address information is "DstIP=192.168.0.8", the weight corresponding to the destination IP address information DstIP is 1, and the generated IP address information string is "01:DstIP:192.168.0.8".
In this embodiment, the message header information includes: user terminal data information, historical access page information, browser information, and host information. Specifically, the user terminal data information Cookie is data written into the user terminal by the server the last time the user terminal accessed the server; the historical access page information Reference is the page the user terminal last accessed; the browser information User-Agent is the name and version number of the browser the user terminal uses for access; and the Host information Host is the host name of the user terminal. The message header information may further include: request path information Path, request parameter information Params, and other custom header information.
For example, the weights corresponding to the message header information may be as shown in Table 1 below:
Table 1 Message header information and corresponding weights

| Message header information | Header name | Weight |
|---|---|---|
| User terminal data information | Cookie | jsessionId: 99; session: 90; others: 2 |
| Historical access page information | Reference | 5 |
| Browser information | User-Agent | 5 |
| Host information | Host | 2 |
| Request path information | Path | 2 |
| Request parameter information | Params | 5 |
| Custom header information | (custom) | 4 |
A message header information character string is generated according to the message header information and its corresponding weight. Illustratively, the Host information is "Host=10.22.22.22" with a corresponding weight of 2, and the user terminal data information is "Cookie=1660392043" with a corresponding weight of 90. Then, according to the message header information and its weights, the generated message header information character string is "02:Host:10.22.22.22;90:Cookie:1660392043".
In this embodiment, the IP address information character string and the message header information character string are merged to generate an access request fingerprint corresponding to the access request.
Illustratively, the IP address information string is "01:DstIP:192.168.0.8" and the message header information string is "02:Host:10.22.22.22;90:Cookie:1660392043"; combining the two generates the access request fingerprint "01:DstIP:192.168.0.8;02:Host:10.22.22.22;90:Cookie:1660392043".
Step S204: inquiring locally stored attack behavior fingerprints, comparing IP address information in the access request fingerprints with IP address information in the attack behavior fingerprints, and when the IP address information in the access request fingerprints is determined to be the same as the IP address information in the attack behavior fingerprints, adding weights corresponding to the IP address information into the similarity of the access request fingerprints; and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and adding the weight corresponding to the message header information into the similarity of the access request fingerprint when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint.
In this embodiment, the server queries an attack behavior fingerprint stored locally, compares IP address information in the access request fingerprint with IP address information in the attack behavior fingerprint, and when it is determined that the IP address information is the same, adds a weight corresponding to the IP address information to the similarity of the access request fingerprint; and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and when the message header information is determined to be the same, adding the weight corresponding to the message header information into the similarity of the access request fingerprint.
Illustratively, the locally stored attack behavior fingerprint queried is "DstIP:192.168.0.8;Host:10.11.22.33;Cookie:1660392043", and the access request fingerprint corresponding to the access request is "01:DstIP:192.168.0.8;02:Host:10.22.22.22;95:Cookie:1660392043". Comparing the attack behavior fingerprint with the access request fingerprint, the IP address information is the same, so the weight "1" corresponding to the destination IP address information DstIP is added to the similarity of the access request fingerprint; the user terminal data information Cookie is also the same, so the weight "90" corresponding to the Cookie is added to the similarity of the access request fingerprint. Thus, the similarity of the access request fingerprint is 91.
In this embodiment, in order to save storage space and also for information security, after the IP address information character string and the message header information character string are combined, the combined string may be compressed with a string compression technique to generate the access request fingerprint corresponding to the access request. Illustratively, the string compression technique may be Huffman coding. Accordingly, the attack behavior fingerprint stored locally by the server is also a Huffman-coded string. Before the attack behavior fingerprint is compared with the access request fingerprint, both strings are decoded, and then the IP address information and the message header information are compared.
Step S205: when the similarity of the access request fingerprint is greater than the similarity threshold, determine that the access request is a network attack behavior, and carry out blocking processing on the access request.
In this embodiment, an IP address information character string and a message header information character string are generated according to the IP address information, the message header information, and weights corresponding to the information, respectively, and the character strings are combined to generate an access request fingerprint corresponding to an access request; and comparing the IP address information and the message header information in the access request fingerprint with the IP address information and the message header information in the attack behavior fingerprint respectively, and when the information is determined to be the same, recording the corresponding weight into the similarity of the access request fingerprint. By generating the access request fingerprint in the form of the character string by using the IP address information and the message header information and comparing the character string with the attack behavior fingerprint, the server can more accurately identify the attack behavior, the identification rate of the server on the network attack behavior is further improved, and the problem of lower identification rate of the network attack behavior in the prior art, which is caused by the fact that the server cannot accurately identify the network attack behavior through the IP address, is solved.
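As an added example (not the patent's own code), the following Python builds the weighted "weight:field:value" fingerprint string described above and scores it against a stored attack behavior fingerprint using the embodiment's own sample values; the weights for DstIP (1), Host (2) and Cookie (90) follow the embodiment, while the SrcIP, Referer and User-Agent weights, the similarity threshold of 60, the benign request and the omission of the Huffman compression step are assumptions of this example.

```python
# Added example (not the patent's code): builds the weighted string fingerprint
# described above and scores it against stored attack fingerprints.
# Weights for DstIP (1), Host (2) and Cookie (90) follow the embodiment;
# the other weights and the threshold are assumed values.
FIELD_WEIGHTS = {"SrcIP": 2, "DstIP": 1, "Host": 2, "Cookie": 90,
                 "Referer": 3, "User-Agent": 4}
SIMILARITY_THRESHOLD = 60  # assumed; the patent gives no value

def build_fingerprint(ip_info: dict, header_info: dict) -> str:
    """'<weight>:<field>:<value>;...' with the IP string first, then the
    header string (the compression step is omitted here)."""
    parts = []
    for section in (ip_info, header_info):
        for field, value in section.items():
            parts.append(f"{FIELD_WEIGHTS[field]:02d}:{field}:{value}")
    return ";".join(parts)

def parse_fingerprint(fp: str) -> dict:
    """Accept 'w:field:value' (access request) or 'field:value' (stored
    attack fingerprint) items; return {field: (weight or None, value)}."""
    fields = {}
    for item in filter(None, (s.strip() for s in fp.split(";"))):
        head, _, rest = item.partition(":")
        if head.isdigit():                 # weighted form
            field, _, value = rest.partition(":")
            fields[field] = (int(head), value)
        else:                              # plain stored form
            fields[head] = (None, rest)
    return fields

def similarity(access_fp: str, attack_fp: str) -> int:
    """Add a field's weight whenever its value is identical on both sides;
    a field missing from either fingerprint contributes nothing."""
    access, attack = parse_fingerprint(access_fp), parse_fingerprint(attack_fp)
    score = 0
    for field, (weight, value) in access.items():
        if field in attack and attack[field][1] == value:
            score += weight if weight is not None else FIELD_WEIGHTS[field]
    return score

def classify(access_fp: str, attack_fps: list,
             threshold: int = SIMILARITY_THRESHOLD) -> tuple:
    """(block, best_score): block when the best match exceeds the threshold."""
    best = max((similarity(access_fp, a) for a in attack_fps), default=0)
    return best > threshold, best

# Constructed stored attack fingerprint, copied from the embodiment's example.
ATTACK_FINGERPRINTS = ["DstIP:192.168.0.8;Host:10.11.22.33;Cookie:1660392043"]

if __name__ == "__main__":
    # Attacker's Cookie reused behind a different Host: 1 + 90 = 91 -> blocked.
    suspect = build_fingerprint({"DstIP": "192.168.0.8"},
                                {"Host": "10.22.22.22", "Cookie": "1660392043"})
    # Same destination, fresh Cookie: 1 -> allowed. An IP-only check could
    # not separate these two requests.
    benign = build_fingerprint({"DstIP": "192.168.0.8"},
                               {"Host": "10.22.22.22", "Cookie": "1700000000"})
    for name, fp in (("suspect", suspect), ("benign", benign)):
        print(name, fp, classify(fp, ATTACK_FINGERPRINTS))
```

The two requests share the destination IP, so only the header-derived weights separate the reused attacker Cookie (score 91, blocked) from a fresh session (score 1, allowed), which is the gap over pure IP matching that the embodiment describes.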
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
FIG. 3 is a schematic structural diagram of an embodiment of a server provided in the present application. As shown in FIG. 3, the server 30 includes an acquisition module 31 and a processing module 32. The acquisition module 31 is configured to receive an access request initiated by a user terminal, and to acquire IP address information corresponding to the access request and a request message carried by the access request. The acquisition module 31 is further configured to perform message parsing on the request message and acquire message header information of the request message. The processing module 32 is configured to obtain weights corresponding to the IP address information and the message header information respectively, and to obtain an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information, and the weight corresponding to the message header information. The processing module 32 is further configured to query the locally stored attack behavior fingerprint and obtain the similarity of the access request fingerprint. The processing module 32 is further configured to determine that the access request is a network attack behavior when the similarity of the access request fingerprint is greater than the similarity threshold, and to perform blocking processing on the access request.
The server provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects are similar, which are not described herein again.
In a possible implementation, the processing module 32 is specifically configured to generate an IP address information string according to the IP address information and the corresponding weight of the IP address information; generating a message header information character string according to the message header information and the weight corresponding to the message header information; and merging the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
The server provided in the embodiment of the present application may execute the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
In a possible implementation, the processing module 32 is specifically configured to query a locally stored attack behavior fingerprint, compare the IP address information in the access request fingerprint with the IP address information in the attack behavior fingerprint, and when it is determined that the IP address information in the access request fingerprint is the same as the IP address information in the attack behavior fingerprint, add a weight corresponding to the IP address information into the similarity of the access request fingerprint; and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and adding the weight corresponding to the message header information into the similarity of the access request fingerprint when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint.
The IP address information includes: request source IP address information and destination IP address information. The message header information includes: user terminal data information, historical access page information, browser information, and host information.
The server provided in the embodiment of the present application may execute the technical solutions shown in the above method embodiments, and the implementation principles and beneficial effects thereof are similar, and are not described herein again.
Fig. 4 is a schematic structural diagram of another server provided in the present application. As shown in fig. 4, the server 40 includes: a processor 41, a memory 42, and a communication interface 43; wherein, the memory 42 is used for storing executable instructions of the processor 41; processor 41 is configured to perform the solution in any of the method embodiments described above via execution of executable instructions.
Alternatively, the memory 42 may be separate or integrated with the processor 41.
Optionally, when the memory 42 is a device independent from the processor 41, the server 40 may further include: a bus 44 for connecting the above devices.
The server is configured to execute the technical solution in any of the foregoing method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
The embodiment of the present application further provides a readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the technical solutions provided by any of the foregoing embodiments.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The foregoing program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and these modifications or substitutions do not depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A network attack behavior identification method is characterized by comprising the following steps:
receiving an access request initiated by a user terminal, and acquiring IP address information corresponding to the access request and a request message carried by the access request;
performing message analysis on the request message to acquire message header information of the request message;
respectively obtaining the weights corresponding to the IP address information and the message header information, and obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information;
inquiring locally stored attack behavior fingerprints to acquire the similarity of the access request fingerprints;
and when the similarity of the access request fingerprints is larger than a similarity threshold value, determining that the access request is a network attack behavior, and carrying out blocking processing on the access request.
2. The method for identifying the network attack behavior according to claim 1, wherein the obtaining an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information, and the weight corresponding to the message header information includes:
generating an IP address information character string according to the IP address information and the corresponding weight of the IP address information;
generating a message header information character string according to the message header information and the weight corresponding to the message header information;
and combining the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
3. The method for identifying network attack behaviors according to claim 1 or 2, wherein the querying a locally stored attack behavior fingerprint to obtain similarity of the access request fingerprint comprises:
inquiring locally stored attack behavior fingerprints, comparing IP address information in the access request fingerprints with IP address information in the attack behavior fingerprints, and adding weights corresponding to the IP address information into the similarity of the access request fingerprints when the IP address information in the access request fingerprints is determined to be the same as the IP address information in the attack behavior fingerprints;
and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and adding the weight corresponding to the message header information into the similarity of the access request fingerprint when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint.
4. The method for identifying the network attack behavior according to claim 1, wherein
the IP address information includes: request source IP address information and destination IP address information;
the message header information includes: user terminal data information, historical access page information, browser information, and host information.
5. A server, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for receiving an access request initiated by a user terminal and acquiring IP address information corresponding to the access request and a request message carried by the access request;
the acquisition module is further configured to perform packet parsing on the request packet, and acquire packet header information of the request packet;
the processing module is used for respectively acquiring the weights corresponding to the IP address information and the message header information and acquiring an access request fingerprint corresponding to the access request according to the IP address information, the weight corresponding to the IP address information, the message header information and the weight corresponding to the message header information;
the processing module is further configured to query locally stored attack behavior fingerprints and obtain similarity of the access request fingerprints;
the processing module is further configured to determine that the access request is a network attack behavior and perform a blocking process on the access request when it is determined that the similarity of the access request fingerprints is greater than a similarity threshold.
6. The server according to claim 5, wherein the processing module is specifically configured to:
generating an IP address information character string according to the IP address information and the corresponding weight of the IP address information;
generating a message header information character string according to the message header information and the weight corresponding to the message header information;
and merging the IP address information character string and the message header information character string to generate an access request fingerprint corresponding to the access request.
7. The server according to claim 5 or 6, wherein the processing module is specifically configured to:
inquiring locally stored attack behavior fingerprints, comparing IP address information in the access request fingerprints with IP address information in the attack behavior fingerprints, and adding weights corresponding to the IP address information into the similarity of the access request fingerprints when the IP address information in the access request fingerprints is determined to be the same as the IP address information in the attack behavior fingerprints;
and comparing the message header information in the access request fingerprint with the message header information in the attack behavior fingerprint, and when the message header information in the access request fingerprint is determined to be the same as the message header information in the attack behavior fingerprint, adding the weight corresponding to the message header information into the similarity of the access request fingerprint.
8. The server according to claim 5, wherein
the IP address information includes: request source IP address information and destination IP address information;
the message header information includes: user terminal data information, historical access page information, browser information, and host information.
9. A server, comprising:
a processor, a memory, a communication interface;
the memory is used for storing executable instructions of the processor;
wherein the processor is configured to perform the network attack behavior identification method of any one of claims 1 to 4 via execution of the executable instructions.
10. A readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the network attack behavior identification method according to any one of claims 1 to 4.
CN202211490024.0A 2022-11-25 2022-11-25 Network attack behavior identification method, server and medium Pending CN115865457A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211490024.0A CN115865457A (en) 2022-11-25 2022-11-25 Network attack behavior identification method, server and medium

Publications (1)

Publication Number Publication Date
CN115865457A true CN115865457A (en) 2023-03-28

Family

ID=85666436

Country Status (1)

Country Link
CN (1) CN115865457A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094848A (en) * 2023-04-11 2023-05-09 中国工商银行股份有限公司 Access control method, device, computer equipment and storage medium
CN116094848B (en) * 2023-04-11 2023-06-27 中国工商银行股份有限公司 Access control method, device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination