CN117040833A - Service attack detection method, device, equipment and computer readable storage medium - Google Patents

Service attack detection method, device, equipment and computer readable storage medium

Info

Publication number
CN117040833A
Authority
CN
China
Prior art keywords
service
domain name
real
blacklist
access log
Prior art date
Legal status
Pending
Application number
CN202310988454.3A
Other languages
Chinese (zh)
Inventor
冀文
白国涛
陈国�
胡建村
王庆栋
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a service attack detection method, device, equipment and computer readable storage medium. The method comprises the following steps: obtaining the abnormal domain names collected by a collection node and generating a blacklist from them, where a vulnerability-containing service is deployed on the collection node and that service never initiates domain-name resolution on its own; obtaining the real-time access logs of services collected by a service node, where the service node runs normal services; and, if the domain name in a real-time access log matches a domain name in the blacklist, determining that the access operation recorded by that log is an abnormal attack operation. The invention improves the comprehensiveness and timeliness of attack detection.

Description

Service attack detection method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a service attack detection method, apparatus, device, and computer readable storage medium.
Background
DNS (Domain Name System) is one of the core infrastructures of the Internet, and many Internet applications depend on DNS services to function. Enterprise networks constantly face attackers who try to steal valuable and sensitive data, and attackers increasingly use DNS as the channel for leaking that data. Typically an attacker registers a domain name and then exploits a vulnerability in a containerized service to steal valuable information from the container and its host, such as account passwords or kernel versions, by having it echoed back through domain name system log (dnslog) lookups. Traditional application-attack detection cannot discover such behaviour through API-call monitoring, and because APT techniques keep evolving, the attack goes undetected, so detection accuracy is low.
Disclosure of Invention
The main object of the invention is to provide a service attack detection method, device, equipment and computer readable storage medium that address the problem of how to improve attack detection accuracy.
To achieve this object, the invention provides a service attack detection method applied to a management platform. The management platform is communicatively connected to a collection node and to a service node respectively, and the collection node cannot access the external network or other nodes. The method includes the following steps:
obtaining the abnormal domain names collected by the collection node and generating a blacklist from them, where a vulnerability-containing service is deployed on the collection node and that service never initiates domain-name resolution on its own;
obtaining the real-time access logs of services collected by the service node, where the service node runs normal services;
and, if the domain name in a real-time access log matches a domain name in the blacklist, determining that the access operation recorded by that log is an abnormal attack operation.
Optionally, after the step of determining that the access operation is an abnormal attack operation when the domain name in the real-time access log matches a domain name in the blacklist, the method further includes:
determining the association information of the real-time access log that matched the blacklisted domain name, where the association information comprises at least one of a process, a network, a domain name and an Internet Protocol address;
and generating alarm information from the association information.
Optionally, after the step of determining that the access operation is an abnormal attack operation when the domain name in the real-time access log matches a domain name in the blacklist, the method further includes:
determining the vulnerability-containing service type associated with the blacklisted domain name that the real-time access log matched;
and determining, from that associated vulnerability-containing service type, the vulnerability of the service on the service node.
Optionally, before the step of determining that the access operation is an abnormal attack operation when the domain name in the real-time access log matches a domain name in the blacklist, the method further includes:
determining the matching priority of the domain names in the blacklist;
and matching the domain name in the real-time access log against the blacklisted domain names in order of that priority.
Optionally, after the step of determining that the access operation is an abnormal attack operation when the domain name in the real-time access log matches a domain name in the blacklist, the method further includes:
determining the number of successful matches of each domain name in the blacklist;
and, if the number of successful matches exceeds a preset count threshold, raising the matching priority of that domain name in the blacklist.
Optionally, after the step of determining that the access operation is an abnormal attack operation when the domain name in the real-time access log matches a domain name in the blacklist, the method further includes:
determining the number of times each vulnerability-containing service has been attacked;
and, if that number exceeds a preset threshold, raising the matching priority of the blacklisted domain names that correspond to that vulnerability-containing service.
To achieve the above object, the invention further provides a service attack detection device applied to a management platform, where the management platform is communicatively connected to a collection node and to a service node respectively and the collection node cannot access the external network or other nodes. The device includes:
a collecting module for obtaining the abnormal domain names collected by the collection node and generating a blacklist from them, where a vulnerability-containing service is deployed on the collection node and that service never initiates domain-name resolution on its own;
an acquisition module for obtaining the real-time access logs of services collected by the service node, where the service node runs normal services;
and a matching module for determining that the access operation recorded by a real-time access log is an abnormal attack operation if the domain name in that log matches a domain name in the blacklist.
To achieve the above object, the invention further provides a service attack detection method applied to a collection node, where the collection node cannot access the external network or other nodes, a vulnerability-containing service is deployed on it, and that service never initiates domain-name resolution on its own. The method includes:
when a connection behaviour of the vulnerability-containing service is detected, determining that the domain name corresponding to that connection behaviour is an abnormal domain name;
and sending the abnormal domain name to a management platform.
To achieve the above object, the invention further provides a service attack detection device applied to a collection node, where the collection node cannot access the external network or other nodes, a vulnerability-containing service is deployed on it, and that service never initiates domain-name resolution on its own. The device includes:
a determining module for determining, when a connection behaviour of the vulnerability-containing service is detected, that the domain name corresponding to that connection behaviour is an abnormal domain name;
and a sending module for sending the abnormal domain name to a management platform.
In order to achieve the above object, the present invention also provides a service attack detection apparatus including a memory, a processor, and a service attack detection program stored in the memory and executable on the processor, which when executed by the processor, implements the respective steps of the service attack detection method as described above.
To achieve the above object, the present invention also provides a computer-readable storage medium storing a service attack detection program which, when executed by a processor, implements the respective steps of the service attack detection method described above.
The invention provides a service attack detection method, device, equipment and computer readable storage medium that obtain the abnormal domain names collected by a collection node and generate a blacklist from them; obtain the real-time access logs of services collected by a service node, where the service node runs normal services; and, if the domain name in a real-time access log matches a domain name in the blacklist, determine that the access operation recorded by that log is an abnormal attack operation. Deploying a variety of vulnerability-containing services on the collection node makes attack detection more comprehensive, and monitoring the DNS external-connection behaviour of the service nodes in real time lets illegal external connections be found promptly, so both the comprehensiveness and the timeliness of attack detection are improved.
Drawings
FIG. 1 is a schematic hardware structure diagram of a service attack detection device according to an embodiment of the present invention;
FIG. 2 is a flowchart of a first embodiment of a service attack detection method according to the present invention;
FIG. 3 is a schematic structural diagram of the management platform, collection node and service node of the service attack detection method of the present invention;
FIG. 4 is a flowchart of a second embodiment of a service attack detection method according to the present invention;
FIG. 5 is a flowchart of a third embodiment of a service attack detection method according to the present invention;
FIG. 6 is a schematic diagram of the logic structure of a service attack detection device according to the present invention;
FIG. 7 is a schematic logic structure diagram of the service attack detection device of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solution of the embodiments of the invention is: obtain the abnormal domain names collected by a collection node and generate a blacklist from them; obtain the real-time access logs of services collected by a service node, where the service node runs normal services; and, if the domain name in a real-time access log matches a domain name in the blacklist, determine that the access operation recorded by that log is an abnormal attack operation. Deploying a variety of vulnerability-containing services on the collection node makes attack detection more comprehensive, and monitoring the DNS external-connection behaviour of the service nodes in real time lets illegal external connections be found promptly, so both the comprehensiveness and the timeliness of attack detection are improved.
As an implementation, the service attack detection device may be as shown in fig. 1.
The service attack detection equipment of this embodiment comprises a processor 101, such as a CPU, a memory 102 and a communication bus 103, where the communication bus 103 provides the connections among these components.
The memory 102 may be a high-speed RAM or a stable (non-volatile) memory such as disk storage. As shown in fig. 1, the memory 102, as a computer-readable storage medium, may hold a service attack detection program, and the processor 101 may be configured to invoke that program from the memory 102 and perform the following operations:
obtaining the abnormal domain names collected by the collection node and generating a blacklist from them, where a vulnerability-containing service is deployed on the collection node and that service never initiates domain-name resolution on its own;
obtaining the real-time access logs of services collected by the service node, where the service node runs normal services;
and, if the domain name in a real-time access log matches a domain name in the blacklist, determining that the access operation recorded by that log is an abnormal attack operation.
Optionally, the processor 101 may be configured to invoke the service attack detection program stored in the memory 102 and further perform the following operations:
determining the association information of the real-time access log that matched the blacklisted domain name, where the association information comprises at least one of a process, a network, a domain name and an Internet Protocol address;
and generating alarm information from the association information.
Optionally, the processor 101 may be configured to invoke the service attack detection program stored in the memory 102 and further perform the following operations:
determining the vulnerability-containing service type associated with the blacklisted domain name that the real-time access log matched;
and determining, from that associated vulnerability-containing service type, the vulnerability of the service on the service node.
Optionally, the processor 101 may be configured to invoke the service attack detection program stored in the memory 102 and further perform the following operations:
determining the matching priority of the domain names in the blacklist;
and matching the domain name in the real-time access log against the blacklisted domain names in order of that priority.
Optionally, the processor 101 may be configured to invoke the service attack detection program stored in the memory 102 and further perform the following operations:
determining the number of successful matches of each domain name in the blacklist;
and, if the number of successful matches exceeds a preset count threshold, raising the matching priority of that domain name in the blacklist.
Optionally, the processor 101 may be configured to invoke the service attack detection program stored in the memory 102 and further perform the following operations:
determining the number of times each vulnerability-containing service has been attacked;
and, if that number exceeds a preset threshold, raising the matching priority of the blacklisted domain names that correspond to that vulnerability-containing service.
Based on the hardware architecture of the service attack detection device, the embodiment of the service attack detection method is provided.
Referring to fig. 2, the first embodiment of the service attack detection method of the invention includes the following steps:
Step S10: obtaining the abnormal domain names collected by the collection node and generating a blacklist from them, where a vulnerability-containing service is deployed on the collection node and that service never initiates domain-name resolution on its own.
Optionally, as shown in fig. 3, the management platform is communicatively connected to the collection node and the service node respectively. The collection node cannot access the external network or other nodes; that is, it is deployed independently in a completely isolated environment, and the other nodes referred to may be service nodes. The collection node runs the vulnerability-containing services, which never initiate domain-name resolution on their own and are easy for an attacker to exploit. Optionally, there are several vulnerability categories, for example domain transfer vulnerabilities.
Optionally, the collection node is mainly used to deploy, in containers, various vulnerability-containing services for discovering real attack behaviour. It sits in a completely isolated environment in which all outbound connections other than DNS are restricted, and the vulnerability-containing services must be guaranteed never to issue DNS requests on their own. Optionally, the collection node is isolated by micro-segmentation so that its network is completely separated from those of other nodes and it can reach neither the external network nor the IP addresses of other nodes; the vulnerability-containing services deployed on it never request resolution of any DNS domain name.
Optionally, a dnslog collector, i.e. a domain name system log collector, runs on the collection node and collects the abnormal DNS access logs of host and container processes. When an attacker exploits one of the deployed vulnerability-containing services and has the result echoed back through dnslog, the collector captures the domain name the attacker requested and relays it to the management platform. Whenever the dnslog collector detects a DNS service connection, it judges the domain name to be abnormal and reports the abnormal domain-name information to the management platform.
Optionally, the vulnerability-containing services on the collection node are exposed externally, so an attacker can easily scan and find their vulnerabilities; because the collection node cannot reach the external network and never initiates DNS resolution itself, 100% of the collected dnslog black samples are attack behaviour produced when an attacker echoes vulnerability information back through dnslog.
Step S20: obtaining the real-time access logs of services collected by the service node, where the service node runs normal services.
Optionally, the service node runs various service types; these may contain vulnerabilities that attackers can exploit and may be attacked. After an attacker attacks an application using dnslog, the detection program uploads all collected DNS domain-name resolution records to the management platform.
Optionally, a dnslog detection program is deployed on each service node; it collects all DNS access logs of host and container processes, monitors the domain-name resolution events of every process in the containers, and relays every DNS domain-name resolution record it observes to the management platform.
Optionally, as shown in fig. 3, the services deployed on the collection node and on the service node are the same: the collection node runs vulnerability-containing service A, vulnerability-containing service B and vulnerability-containing service C, and the service node runs service A, service B and service C.
Step S30: if the domain name in a real-time access log matches a domain name in the blacklist, determining that the access operation recorded by that log is an abnormal attack operation.
Optionally, "matches" means that the domain name in the real-time access log is identical to a domain name in the blacklist; in that case the access operation recorded by the log is determined to be an abnormal attack operation.
Optionally, after step S30 the method further includes: determining the vulnerability-containing service associated with the blacklisted domain name that the real-time access log matched, and determining the vulnerability type of the service on the service node from the vulnerability type of that associated service. For example, if the blacklisted domain name matched by the real-time access log is associated with vulnerability-containing service A, and the vulnerability type of service A is d1, then the vulnerability type present on the service node is also d1.
Optionally, the attack detection method runs on a management platform that mainly comprises a dnslog blacklist module, an audit module, an alarm module and the like. When the platform receives DNS information sent by the collection node, it records it in the dnslog blacklist. When it receives domain-name information sent by a service node, it records it in the audit log module and at the same time compares it with the dnslog blacklist; on a match it raises an alarm from the container, process and other information associated with the domain name and displays it on the platform. Throughout the detection process an administrator can review the results manually on the management platform, enter management operations for data processing and queries (viewing the dnslog blacklist, viewing domain-name audit information, handling dnslog attack alarms), and trace the attacker through the IP-type information in the domain-name audit records.
Optionally, the dnslog blacklist is used to determine whether a domain name belongs to the blacklist of dnslog services. Optionally, dnslog auditing is performed by a DNS access audit log module that records the business services' lookups. Optionally, dnslog alarming is performed by a module that provides DNS access log analysis, comparison against the dnslog blacklist, association of container, process, domain-name and IP information, alarm presentation and tracing.
Optionally, after receiving domain-name information reported by the collection process of the collection node, the management platform enters it into the dnslog blacklist, and DNS access logs reported by service nodes are recorded in the DNS audit module for later tracing. Each service's DNS access log is first matched against the dnslog blacklist: on no match it is skipped, on a match an alarm item is recorded. On a blacklist hit, the process, network, domain-name, IP and similar information is associated, higher-accuracy alarm information is generated, and the administrator is notified.
Optionally, after step S30 the method further includes: determining the association information of the real-time access log that matched the blacklisted domain name, where the association information comprises at least one of a process, a network, a domain name and an Internet Protocol address; and generating alarm information from it. Optionally, the alarm information is displayed on the management platform or sent to the administrator's mobile terminal.
In the technical scheme of this embodiment, the abnormal domain names collected by the collection node are obtained and a blacklist is generated from them; the real-time access logs of services collected by the service node are obtained, where the service node runs normal services; and, if the domain name in a real-time access log matches a domain name in the blacklist, the access operation recorded by that log is determined to be an abnormal attack operation. Deploying a variety of vulnerability-containing services on the collection node makes attack detection more comprehensive, and monitoring the DNS external-connection behaviour of the service nodes in real time lets illegal external connections be found promptly, so both the comprehensiveness and the timeliness of attack detection are improved.
Referring to fig. 4, the second embodiment of the service attack detection method of the invention, based on the first embodiment, further includes before step S30:
Step S40: determining the matching priority of the domain names in the blacklist;
Step S50: matching the domain name in the real-time access log against the blacklisted domain names in order of that priority.
Optionally, the blacklisted domain names with higher matching priority are matched against the domain names in the real-time access log first, and those with lower matching priority afterwards, which improves matching efficiency.
Optionally, after step S30 the method further includes: determining the number of successful matches of each blacklisted domain name; if that number exceeds a preset count threshold, raising the matching priority of that domain name in the blacklist; and if it is less than or equal to a preset matching threshold, lowering the matching priority of that domain name, where the preset matching threshold is smaller than the preset count threshold.
Optionally, after step S30 the method further includes: determining the number of times each vulnerability-containing service has been attacked; and, if that number exceeds a preset threshold, raising the matching priority of the blacklisted domain names that correspond to that vulnerability-containing service.
In the technical scheme of this embodiment, the matching priority of the blacklisted domain names is determined and the domain names in the real-time access logs are matched against the blacklist in that order, which improves the matching efficiency for real-time access logs.
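The management-platform side of the first and second embodiments (steps S10 to S30, the alarm association and vulnerability-type lookup that follow S30, and the priority ordering and priority raising of steps S40 and S50), as an added example that is not code from the patent. The class names, thresholds, the `dnslog.example` domains and the log records are constructed assumptions.

```python
# Added example, not code from the patent: a minimal management platform that
# turns the domains reported by the isolated collection node into a dnslog
# blacklist, matches service-node DNS access logs against it in priority order,
# and raises alarms carrying the associated process/container/network info.
# Names, thresholds and sample records are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class BlacklistEntry:
    domain: str
    vuln_service: str   # vulnerability-containing service that leaked the domain
    vuln_type: str      # e.g. "d1" in the patent's example
    priority: int = 0   # higher priority is matched first (steps S40/S50)
    hits: int = 0       # successful matches against service-node logs

@dataclass
class AccessLog:        # one DNS resolution record from a service node
    node: str
    container: str
    process: str
    pid: int
    src_ip: str
    dst_ip: str
    domain: str

@dataclass
class Alert:
    domain: str
    vuln_service: str
    vuln_type: str
    association: Dict[str, str]

def normalize(domain: str) -> str:
    """Compare case-insensitively and ignore a trailing dot."""
    return domain.lower().rstrip(".")

class ManagementPlatform:
    def __init__(self, hit_threshold: int = 3, attack_threshold: int = 5):
        self.blacklist: Dict[str, BlacklistEntry] = {}   # dnslog blacklist module
        self.audit: List[AccessLog] = []                  # dnslog audit module
        self.alerts: List[Alert] = []                     # dnslog alarm module
        self.attacks_per_service: Dict[str, int] = {}
        self.hit_threshold = hit_threshold
        self.attack_threshold = attack_threshold

    def ingest_collection_report(self, domain: str, vuln_service: str,
                                 vuln_type: str) -> None:
        """Step S10: every domain the isolated node resolved is abnormal."""
        d = normalize(domain)
        self.blacklist.setdefault(d, BlacklistEntry(d, vuln_service, vuln_type))

    def ordered_blacklist(self) -> List[BlacklistEntry]:
        """Steps S40/S50: candidates in descending matching priority."""
        return sorted(self.blacklist.values(), key=lambda e: (-e.priority, e.domain))

    def _match(self, domain: str) -> Optional[BlacklistEntry]:
        d = normalize(domain)
        for entry in self.ordered_blacklist():
            if entry.domain == d:        # exact match, as the patent describes
                return entry
        return None

    def ingest_access_log(self, rec: AccessLog) -> Optional[Alert]:
        """Steps S20/S30: audit the record, then match it against the blacklist."""
        self.audit.append(rec)           # kept for later tracing
        entry = self._match(rec.domain)
        if entry is None:
            return None
        entry.hits += 1
        n = self.attacks_per_service.get(entry.vuln_service, 0) + 1
        self.attacks_per_service[entry.vuln_service] = n
        # Frequently hit domains and frequently attacked services move up.
        if entry.hits > self.hit_threshold:
            entry.priority += 1
        if n > self.attack_threshold:
            entry.priority += 1
        alert = Alert(entry.domain, entry.vuln_service, entry.vuln_type, {
            "node": rec.node, "container": rec.container,
            "process": f"{rec.process}[{rec.pid}]",
            "network": f"{rec.src_ip}->{rec.dst_ip}",
        })
        self.alerts.append(alert)
        return alert

def demo() -> ManagementPlatform:
    """Constructed scenario: vulnerability-containing service A on the collection
    node leaked a domain; service A on a service node later resolves it twice."""
    mp = ManagementPlatform(hit_threshold=1)
    mp.ingest_collection_report("x7q2.dnslog.example", "vuln-service-A", "d1")
    mp.ingest_collection_report("benign-looking.example", "vuln-service-B", "d2")
    for qname in ("cdn.example.org", "x7q2.dnslog.example", "X7Q2.dnslog.example."):
        mp.ingest_access_log(AccessLog("svc-node-1", "service-a", "java", 4242,
                                       "10.0.0.5", "10.0.0.53", qname))
    return mp
```

After `demo()` the two dnslog lookups produce alarms that already name the vulnerability type d1 and the process, while the unrelated lookup only lands in the audit log.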
Referring to fig. 5, fig. 5 is a third embodiment of the service attack detection method according to the present invention, the method includes the following steps:
step S60, when the connection behavior of the service containing the loopholes is detected, determining that the domain name corresponding to the connection behavior is an abnormal domain name;
and step S70, the abnormal domain name is sent to a management platform.
Optionally, as shown in fig. 3, the management platform is communicatively connected to the collection node and to the service node, respectively. The management platform mainly comprises a dnslog blacklist module, an audit module, an alarm module and the like. When the management platform receives dns information sent by the collection node, it records the information in the dnslog blacklist. When the management platform receives domain name information sent by the service node, it records the information in the audit log module and at the same time compares it with the dnslog blacklist; if the domain name information matches the dnslog blacklist, an alarm is raised according to the container, process and other information associated with the domain name, and the alarm is displayed on the management platform. Throughout the detection process, an administrator can perform manual review on the management platform, can enter management operations for data processing and querying, such as viewing the dnslog blacklist, viewing domain name audit information and handling dnslog attack alarm information, and can fully trace an attacker through the IP information in the domain name audit information.
Optionally, the dnslog blacklist is used to determine whether a domain name is a dnslog service domain name. Optionally, the dnslog audit is implemented by a module that records the dns access audit log of business services. Optionally, the dnslog alarm is implemented by a module that provides dns access log analysis, comparison against the dnslog blacklist, and alarm display and traceability capabilities that associate containers, processes, domain names, IPs and other information.
Optionally, after receiving the domain name information reported by the collection process of the collection node, the management platform enters it into the dnslog blacklist. The dns access log reported by the service node is recorded in the dns audit module for subsequent tracing. For the dns access log of each service, the dnslog blacklist is matched first; if the dns access log does not match, it is skipped, and if it matches, an alarm item is recorded. On the basis of a dnslog blacklist hit, information such as the process, network, domain name and IP is associated, alarm information of higher accuracy is generated, and the administrator is notified.
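The management-platform processing described above (blacklist entry, audit recording, blacklist matching, and alarms carrying process, network, domain name and IP association information), written out as an added example; this is illustrative code, not the patent's or the applicant's implementation. The log line layout, the sample domains and the rule that a reported callback name is reduced to its parent domain (dropping a per-probe leftmost label) are assumptions made for the example.

```python
"""Illustrative management-platform logic: dnslog blacklist, audit log,
blacklist matching and alarm generation with association information."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: abnormal domains reported by the collection node.
COLLECTED_ABNORMAL_DOMAINS = ["k7z1.dnslog-test.example", "t9q.oob-check.example"]

# Constructed sample: real-time dns access log lines reported by a service
# node. The field layout is an assumption made for this example.
SERVICE_NODE_ACCESS_LOG = """\
2023-08-07T11:00:00Z host=web-01 container=order-api pid=1207 src=10.0.3.14 qname=api.payments.example
2023-08-07T11:00:02Z host=web-01 container=order-api pid=1207 src=10.0.3.14 qname=a1b2.dnslog-test.example
2023-08-07T11:00:05Z host=web-02 container=search pid=88 src=10.0.3.20 qname=cdn.static.example
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) container=(?P<container>\S+) "
    r"pid=(?P<pid>\d+) src=(?P<src>\S+) qname=(?P<qname>\S+)$"
)


def blacklist_key(domain: str) -> str:
    """Normalise a reported name to the parent domain that callbacks share.

    Assumption: the leftmost label of a dnslog callback is a per-probe token,
    so it is dropped whenever the name has three or more labels; a name with
    fewer labels is kept whole.
    """
    labels = domain.rstrip(".").lower().split(".")
    return ".".join(labels[1:] if len(labels) >= 3 else labels)


def build_blacklist(reported: List[str]) -> Set[str]:
    return {blacklist_key(d) for d in reported}


def match_blacklist(qname: str, blacklist: Set[str]) -> Optional[str]:
    """Return the blacklist entry hit by qname (exact or parent-domain match)."""
    q = qname.rstrip(".").lower()
    for entry in blacklist:
        if q == entry or q.endswith("." + entry):
            return entry
    return None


@dataclass
class ManagementPlatform:
    blacklist: Set[str]
    audit_log: List[Dict] = field(default_factory=list)   # every dns access record
    alarms: List[Dict] = field(default_factory=list)      # only blacklist hits

    def ingest_access_log(self, text: str) -> int:
        """Record each parsed line in the audit log, then match it against the
        blacklist. A hit becomes an alarm that carries the association
        information (process, network, domain, IP) used for tracing.
        Returns the number of alarms generated from this batch."""
        generated = 0
        for line in text.splitlines():
            m = LOG_RE.match(line.strip())
            if m is None:
                continue  # skip lines that are not dns access records
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            self.audit_log.append(rec)
            hit = match_blacklist(rec["qname"], self.blacklist)
            if hit is None:
                continue
            self.alarms.append({
                "time": rec["ts"],
                "matched_entry": hit,
                "process": {"container": rec["container"], "pid": rec["pid"]},
                "network": {"host": rec["host"], "src_ip": rec["src"]},
                "domain": rec["qname"],
            })
            generated += 1
        return generated


if __name__ == "__main__":
    platform = ManagementPlatform(build_blacklist(COLLECTED_ABNORMAL_DOMAINS))
    print(platform.ingest_access_log(SERVICE_NODE_ACCESS_LOG), "alarm(s)")
    for alarm in platform.alarms:
        print(alarm)
```

Every parsed record lands in the audit log whether or not it hits, which is what makes later tracing by IP possible; only hits become alarms, and each alarm keeps the container, process, host and source IP from the same record so the administrator does not have to re-join the data by hand.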
Optionally, the collection node cannot access the external network or other nodes, i.e., the collection node is deployed independently in a completely isolated environment. The vulnerability-containing service is deployed on the collection node; it does not actively request domain name resolution, and it is easy for an attacker to attack it.
Optionally, the collection node is mainly used for deploying various vulnerability-containing services in containers in order to discover real attack behavior. The collection node is in a completely isolated environment: apart from the dns service, all other external connection behavior is restricted, and it must be ensured that the vulnerability-containing services do not actively request dns. Optionally, the collection node is isolated by micro-segmentation, so that it is completely isolated from the networks of the other nodes and cannot access the external network or the IPs of other nodes; the vulnerability-containing services deployed on the collection node do not actively request resolution of any dns domain name.
Optionally, a dnslog collector, i.e. a domain name system log collector, is arranged on the collection node and is used for collecting abnormal dns access logs of the host and container processes. When an attacker exploits one of the deployed vulnerability-containing services and the information is echoed back by way of dnslog, the dnslog collector obtains the domain name requested by the attacker and transmits it to the management platform. When the dnslog collector detects that a dns service connection behavior exists, the domain name is judged to be abnormal and the abnormal domain name information is reported to the management platform.
Optionally, the vulnerability-containing service on the collection node is open to the outside, so an attacker can easily scan for the service vulnerability; since the collection node cannot access the external network and at the same time does not actively request dns resolution, 100% of the collected dnslog black sample information is attack behavior in which an attacker echoed vulnerability information back by way of dnslog.
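The collection-node side, as an added example rather than the patent's own collector: the collector reads DNS query events from the isolated node and, because nothing on that node legitimately resolves names, reports every distinct queried name as an abnormal domain together with the container and process that issued it. The event line format and the sample names are constructed for this example.

```python
"""Illustrative dnslog collector for the isolated collection node."""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Constructed sample: DNS query events seen on the collection node, one per
# line. The field layout (timestamp, container, pid, queried name) is an
# assumption made for this example, not a format used by the patent.
SAMPLE_DNS_EVENTS = """\
2023-08-07T10:00:01Z container=svc-a pid=231 qname=k7z1.dnslog-test.example.
2023-08-07T10:00:03Z container=svc-a pid=231 qname=k7z1.dnslog-test.example.
2023-08-07T10:02:17Z container=svc-b pid=402 qname=t9q.oob-check.example
not a dns event line
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) container=(?P<container>\S+) pid=(?P<pid>\d+) qname=(?P<qname>\S+)$"
)


@dataclass(frozen=True)
class AbnormalDomainReport:
    domain: str       # queried name, normalised (lower-case, no trailing dot)
    container: str    # container that issued the query
    pid: int          # process that issued the query
    first_seen: str   # timestamp of the first observation


def collect_abnormal_domains(events_text: str) -> List[AbnormalDomainReport]:
    """Turn raw DNS query events into abnormal-domain reports.

    On the collection node no deployed service initiates DNS resolution and
    the node has no other external connectivity, so every DNS query that does
    occur is treated as abnormal without any further classification. Each
    (domain, container) pair is reported once, keeping its first timestamp.
    """
    seen: Dict[Tuple[str, str], AbnormalDomainReport] = {}
    for line in events_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue  # unparseable line: not a query event, ignore it
        domain = m["qname"].rstrip(".").lower()
        key = (domain, m["container"])
        if key not in seen:
            seen[key] = AbnormalDomainReport(domain, m["container"], int(m["pid"]), m["ts"])
    return list(seen.values())


def to_wire(reports: List[AbnormalDomainReport]) -> List[dict]:
    """Shape in which the reports would be sent to the management platform."""
    return [asdict(r) for r in reports]


if __name__ == "__main__":
    for rep in collect_abnormal_domains(SAMPLE_DNS_EVENTS):
        print(rep)
```

The collector deliberately contains no "is this domain malicious" logic: the isolation of the node is what gives the black samples their accuracy, so the only work done here is normalisation, de-duplication and attaching the originating container and process so the management platform can map each domain back to the vulnerability-containing service that produced it.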
Optionally, when a connection behavior of the vulnerability-containing service is detected, the domain name corresponding to the connection behavior is determined to be an abnormal domain name and is sent to the management platform; the management platform obtains the abnormal domain name collected by the collection node, generates a blacklist according to the abnormal domain name, and obtains the real-time access log of the service collected by the service node, the service node being deployed with normal services; and if the domain name corresponding to the real-time access log matches a domain name in the blacklist, the access operation corresponding to the real-time access log is determined to be an abnormal attack operation. Optionally, the service node is deployed with various service types, which may have vulnerabilities exploitable by attackers and may be attacked. After an attacker attacks an application using dnslog information, the detection program uploads all collected dns domain name resolution records to the management platform.
Alternatively, unlike the approach of deliberately constructing security vulnerabilities with honeypot technology to attract attackers, this method restricts external connection behavior by deploying completely isolated collection nodes; when a connection behavior with the domain name system service is detected, it can be determined to be an abnormal domain name, recorded as black sample data and sent to the management platform. The collection nodes of this method are completely isolated: they cannot access the external network or the IPs of other nodes, the deployed vulnerability-containing services do not actively request resolution of any domain name system domain name, and the other normally working nodes are not affected. Honeypot technology, by contrast, attracts attackers and directly tracks and traces the attackers it attracts, without collecting black samples of domain name system logs.
In the technical solution of this embodiment, when a connection behavior of the vulnerability-containing service is detected, the domain name corresponding to the connection behavior is determined to be an abnormal domain name and is sent to the management platform; by deploying various vulnerability-containing services on the collection node, attack behavior detection becomes more comprehensive.
Referring to fig. 6, the present invention further provides a service attack detection apparatus applied to a management platform, where the management platform is communicatively connected to a collection node and to a service node, respectively, and the collection node cannot access an external network or other nodes; the service attack detection apparatus includes:
the collecting module 100, configured to obtain an abnormal domain name collected by the collection node and generate a blacklist according to the abnormal domain name, wherein a vulnerability-containing service is deployed on the collection node and the vulnerability-containing service does not actively request domain name resolution;
the acquiring module 200 is configured to acquire a real-time access log of a service acquired by a service node, where a normal service is deployed on the service node;
and the matching module 300 is configured to determine that the access operation corresponding to the real-time access log is an abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist.
Optionally, after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further includes:
determining association information of the real-time access log matched with the domain name in the blacklist, wherein the association information comprises at least one of a process, a network, a domain name and an Internet protocol address;
and generating alarm information according to the association information.
Optionally, after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further includes:
determining the vulnerability-containing service type associated with the domain name in the blacklist that matches the real-time access log;
and determining the vulnerability of the service in the service node according to the associated vulnerability-containing service type.
Optionally, before the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further includes:
determining the matching priority of the domain names in the blacklist;
and matching the domain name corresponding to the real-time access log with the domain name in the blacklist according to the priority.
Optionally, after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further includes:
determining the successful times of matching of the domain names in the blacklist;
and if the successful times of the matching are greater than a preset times threshold, increasing the matching priority of the domain names in the blacklist.
Optionally, after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further includes:
determining the number of times of attack of each vulnerability-containing service;
and if the number of times of attack is greater than a preset threshold, increasing the matching priority of the domain name corresponding to the vulnerability-containing service in the blacklist.
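The priority-ordered matching of the earlier embodiment together with the two promotion rules just listed (a domain whose successful match count exceeds a preset threshold is promoted; once a vulnerability-containing service's attack count exceeds a preset threshold, every blacklist domain produced by that service is promoted), as an added example that is not the patent's own code. The threshold values, the entry fields and the scenario in the demo function are assumptions constructed for the example; the parent-domain suffix matching mirrors the earlier platform example.

```python
"""Illustrative priority-ordered dnslog blacklist with the two promotion rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HIT_THRESHOLD = 2      # assumed "preset times threshold" for per-domain hits
ATTACK_THRESHOLD = 3   # assumed preset threshold for attacks per service


@dataclass
class BlacklistEntry:
    domain: str        # parent domain reported by the collection node
    service: str       # vulnerability-containing service whose callback produced it
    priority: int = 0  # higher is checked earlier
    hits: int = 0      # successful matches so far


class PriorityBlacklist:
    def __init__(self, entries: List[BlacklistEntry]):
        self.entries = list(entries)
        self.attacks_per_service: Dict[str, int] = {e.service: 0 for e in self.entries}

    def ordered(self) -> List[BlacklistEntry]:
        """Entries in matching order: highest priority first, insertion order
        breaks ties (sorted() is stable)."""
        return sorted(self.entries, key=lambda e: -e.priority)

    def match(self, qname: str) -> Optional[BlacklistEntry]:
        """Match a real-time access-log domain in priority order and stop at the
        first hit, so frequently hit entries are tested before rare ones."""
        q = qname.rstrip(".").lower()
        for entry in self.ordered():
            if q == entry.domain or q.endswith("." + entry.domain):
                self._record_hit(entry)
                return entry
        return None

    def _record_hit(self, entry: BlacklistEntry) -> None:
        # Rule 1: a domain matched more than HIT_THRESHOLD times is promoted.
        entry.hits += 1
        if entry.hits > HIT_THRESHOLD:
            entry.priority += 1
        # Rule 2: once a vulnerability-containing service has been attacked
        # more than ATTACK_THRESHOLD times, every domain it produced is promoted.
        self.attacks_per_service[entry.service] += 1
        if self.attacks_per_service[entry.service] > ATTACK_THRESHOLD:
            for other in self.entries:
                if other.service == entry.service:
                    other.priority += 1


def demo_order() -> List[str]:
    """Constructed scenario: three entries, four callbacks hitting one of them."""
    bl = PriorityBlacklist([
        BlacklistEntry("dnslog-test.example", "svc-a"),
        BlacklistEntry("oob-check.example", "svc-b"),
        BlacklistEntry("other-callback.example", "svc-b"),
    ])
    for token in ("a1", "b2", "c3", "d4"):
        bl.match(f"{token}.oob-check.example")
    return [e.domain for e in bl.ordered()]


if __name__ == "__main__":
    print(demo_order())
```

In the demo the fourth hit on oob-check.example pushes that service's attack count past the threshold, so other-callback.example (same service, never hit itself) is promoted ahead of the untouched dnslog-test.example; that is the effect the second rule is meant to have, since a service under active attack is likely to produce further hits on all of its callback domains.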
Referring to fig. 7, the present invention further provides a service attack detection device applied to a collection node, where the collection node cannot access an external network or other nodes, a vulnerability-containing service is deployed on the collection node, and the vulnerability-containing service does not actively request domain name resolution; the device includes:
a determining module 400, configured to determine, when a connection behavior of the vulnerability-containing service is detected, that the domain name corresponding to the connection behavior is an abnormal domain name;
and the sending module 500 is used for sending the abnormal domain name to a management platform.
The present invention also provides a service attack detection device, which includes a memory, a processor, and a service attack detection program stored in the memory and executable on the processor, the service attack detection program implementing the steps of the service attack detection method according to the above embodiment when executed by the processor.
The present invention also provides a computer-readable storage medium storing a service attack detection program which, when executed by a processor, implements the steps of the service attack detection method described in the above embodiments.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, system, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, system, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, system, article, or apparatus that comprises the element.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment system may be implemented by means of software plus necessary general purpose hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a computer readable storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a parking management device, an air conditioner, or a network device, etc.) to execute the system according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. The service attack detection method is characterized by being applied to a management platform, wherein the management platform is respectively in communication connection with an acquisition node and a service node, the acquisition node cannot access an external network and other nodes, and the service attack detection method comprises the following steps:
acquiring an abnormal domain name collected by the collection node, and generating a blacklist according to the abnormal domain name, wherein a vulnerability-containing service is deployed on the collection node, and the vulnerability-containing service does not actively request domain name resolution;
acquiring a real-time access log of a service acquired by a service node, wherein the service node is provided with a normal service;
and if the domain name corresponding to the real-time access log is matched with the domain name in the blacklist, determining that the access operation corresponding to the real-time access log is abnormal attack operation.
2. The service attack detection method according to claim 1, wherein after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, further comprises:
determining association information of the real-time access log matched with the domain name in the blacklist, wherein the association information comprises at least one of a process, a network, a domain name and an Internet protocol address;
and generating alarm information according to the association information.
3. The service attack detection method according to claim 1, wherein after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, further comprises:
determining a vulnerability-containing service associated with a domain name in a blacklist matched with the real-time access log;
and determining the vulnerability types of the services in the service node according to the vulnerability types of the associated vulnerability-containing services.
4. The service attack detection method according to claim 1, wherein before the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, the method further comprises:
determining the matching priority of the domain names in the blacklist;
and matching the domain name corresponding to the real-time access log with the domain name in the blacklist according to the priority.
5. The service attack detection method according to claim 4, wherein after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, further comprising:
determining the successful times of matching of the domain names in the blacklist;
and if the successful times of the matching are greater than a preset times threshold, increasing the matching priority of the domain names in the blacklist.
6. The service attack detection method according to claim 4, wherein after the step of determining that the access operation corresponding to the real-time access log is the abnormal attack operation if the domain name corresponding to the real-time access log matches the domain name in the blacklist, further comprising:
determining the number of times of attack of each vulnerability-containing service;
and if the number of times of attack is greater than a preset threshold, increasing the matching priority of the domain name corresponding to the vulnerability-containing service in the blacklist.
7. A service attack detection method, characterized in that the method is applied to a collection node, the collection node cannot access an external network or other nodes, a vulnerability-containing service is deployed on the collection node, the vulnerability-containing service does not actively request domain name resolution, and the method comprises the following steps:
when a connection behavior of the vulnerability-containing service is detected, determining that the domain name corresponding to the connection behavior is an abnormal domain name;
and sending the abnormal domain name to a management platform.
8. A service attack detection apparatus, characterized in that it is applied to a management platform, the management platform is communicatively connected to a collection node and to a service node, respectively, the collection node cannot access an external network or other nodes, and the service attack detection apparatus comprises:
a collecting module, configured to obtain an abnormal domain name collected by the collection node and generate a blacklist according to the abnormal domain name, wherein a vulnerability-containing service is deployed on the collection node and the vulnerability-containing service does not actively request domain name resolution;
an acquisition module, configured to acquire a real-time access log of a service collected by the service node, wherein a normal service is deployed on the service node;
and the matching module is used for determining that the access operation corresponding to the real-time access log is abnormal attack operation if the domain name corresponding to the real-time access log is matched with the domain name in the blacklist.
9. A service attack detection device comprising a memory, a processor and a service attack detection program stored in the memory and executable on the processor, the service attack detection program when executed by the processor implementing the steps of the service attack detection method according to any of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a service attack detection program which, when executed by a processor, implements the respective steps of the service attack detection method according to any of claims 1-7.
CN202310988454.3A 2023-08-07 2023-08-07 Service attack detection method, device, equipment and computer readable storage medium Pending CN117040833A (en)


Publications (1)

Publication Number Publication Date
CN117040833A true CN117040833A (en) 2023-11-10

Family

ID=88601639


Country Status (1)

Country Link
CN (1) CN117040833A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination