CN-122001662-A - Network attack detection method, device, computer equipment and storage medium
Abstract
The application provides a network attack detection method, a device, computer equipment and a storage medium. The network attack detection method comprises: performing feature matching on session traffic based on a plurality of plaintext traffic features, and if a plaintext traffic feature exists in the session traffic, determining a first attack behavior of the session traffic according to the plaintext traffic feature present in the session traffic; if no plaintext traffic feature exists in the session traffic, invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior; and if the prediction confidence of the attack prediction model for the session traffic does not reach a confidence threshold, sending the session traffic as a query request to a cloud knowledge base, so that the cloud knowledge base screens out target non-plaintext traffic features from a plurality of non-plaintext traffic features, and invoking the attack prediction model to perform semantic analysis on the target non-plaintext traffic features and the session traffic to determine a third attack behavior. The application can greatly improve the detection capability for unknown network attacks.
Inventors
- LI JIAN
- LIANG LIWEN
Assignees
- 新华三信息安全技术有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260225
Claims (10)
- 1. A method for detecting a network attack, the method comprising: acquiring session traffic; performing feature matching on the session traffic based on a plurality of predefined plaintext traffic features, and if at least one plaintext traffic feature exists in the session traffic, determining a first attack behavior of the session traffic according to the plaintext traffic feature existing in the session traffic; if no plaintext traffic feature exists in the session traffic, invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior; if the prediction confidence of the attack prediction model for the session traffic does not reach a confidence threshold, sending the session traffic to a cloud knowledge base as a query request, so that the cloud knowledge base screens target non-plaintext traffic features matched with the query request from a plurality of predefined non-plaintext traffic features; and invoking the attack prediction model to perform semantic analysis according to the target non-plaintext traffic features and the session traffic so as to determine a third attack behavior.
- 2. The method of claim 1, wherein invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior comprises: judging whether obfuscated field data exists in the session traffic, wherein obfuscated field data refers to plaintext field data that has undergone obfuscation processing, and obfuscation processing refers to a data transformation used to hide attack behavior; if no obfuscated field data exists in the session traffic, invoking the attack prediction model to perform semantic analysis on the session traffic to determine the second attack behavior; and if obfuscated field data exists in the session traffic, performing de-obfuscation processing on the obfuscated field data to obtain target plaintext field data, and invoking the attack prediction model to perform semantic analysis according to the target plaintext field data and the session traffic to determine the second attack behavior.
- 3. The method of claim 1 or 2, wherein the session traffic comprises session request traffic and response traffic corresponding to the session request traffic, and wherein invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior comprises: identifying an attack attempt based on the attack plaintext instruction, the request parameters, the access path and the semantic features of the payload content in the session request traffic, and determining the second attack behavior according to the attack attempt; performing context correlation analysis on the response traffic corresponding to the session request traffic, and identifying response content in the response traffic that has a causal relationship with the second attack behavior; and determining a final judgment result for the second attack behavior according to the second attack behavior and the response content, wherein the final judgment result comprises: an attack behavior exists; an attack behavior exists and the attack succeeded; or an attack behavior exists and the attack failed.
- 4. The method of claim 1 or 2, wherein the target non-plaintext traffic features are screened from the plurality of predefined non-plaintext traffic features by the cloud knowledge base as follows: the cloud knowledge base receives the query request and analyzes the contextual semantic intent of the query request; converts the query request into a corresponding embedding vector according to the contextual semantic intent; performs a similarity calculation between the embedding vector and each of the plurality of non-plaintext traffic features in the cloud knowledge base; and determines the non-plaintext traffic features whose similarity exceeds a preset similarity threshold to be the target non-plaintext traffic features.
- 5. The method of claim 1 or 2, wherein before the step performed if the prediction confidence of the attack prediction model for the session traffic does not reach a confidence threshold, the method further comprises: when the randomness feature value of the session traffic is greater than a preset encryption threshold, determining that the prediction confidence of the attack prediction model for the session traffic does not reach the confidence threshold, wherein a randomness feature value greater than the preset encryption threshold indicates that the session traffic is in a fully obfuscated state.
- 6. The method of claim 1 or 2, wherein after acquiring the session traffic, the method further comprises: preprocessing the session traffic, wherein the preprocessing comprises at least one of protocol identification, field segmentation, de-obfuscation processing and normalization processing.
- 7. The method of claim 2, wherein the obfuscation processing comprises any one of encoding processing, encryption processing, compression processing and shell (packing) processing.
- 8. A network attack detection device, the device comprising: a traffic acquisition module, configured to acquire session traffic; a first attack behavior determining module, configured to perform feature matching on the session traffic based on a plurality of predefined plaintext traffic features, and if at least one plaintext traffic feature exists in the session traffic, determine the first attack behavior of the session traffic according to the plaintext traffic feature existing in the session traffic; a second attack behavior determining module, configured to invoke an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior if no plaintext traffic feature exists in the session traffic; a target non-plaintext traffic feature screening module, configured to send the session traffic as a query request to a cloud knowledge base if the prediction confidence of the attack prediction model for the session traffic does not reach a confidence threshold, so that the cloud knowledge base screens target non-plaintext traffic features matched with the query request from a plurality of predefined non-plaintext traffic features; and a third attack behavior determining module, configured to invoke the attack prediction model to perform semantic analysis according to the target non-plaintext traffic features and the session traffic so as to determine a third attack behavior.
- 9. A computer device, comprising a memory and a processor communicatively connected to each other, the memory having computer instructions stored therein, and the processor executing the computer instructions to perform the network attack detection method according to any one of claims 1 to 7.
- 10. A computer-readable storage medium having computer instructions stored thereon for causing a computer to perform the network attack detection method according to any one of claims 1 to 7.
Description
Technical Field
The present application relates to the field of network security technology, and in particular to a network attack detection method and apparatus, a computer device, and a storage medium.
Background
Existing network attack detection is mainly implemented by feature rule matching: a feature library is built by extracting attack features, and network traffic is matched against the feature rules in the library to detect attacks. This mechanism has two technical defects. First, a high miss rate for unknown network attacks, because no feature rule exists in the library for an unknown attack (for example one exploiting a 0-day vulnerability). Second, limited visibility: when an attacker hides the attack features with obfuscation techniques such as encryption and encoding, the traditional detection mode cannot undo the obfuscation, and detection fails.
Disclosure of Invention
In view of the above, the present application provides a network attack detection method, apparatus, computer device and storage medium, so as to solve the problem in the related art of the dual limitation of feature-based detection in coverage and visibility.
An embodiment of a first aspect of the present application provides a method for detecting a network attack, the method comprising: acquiring session traffic; performing feature matching on the session traffic based on a plurality of predefined plaintext traffic features, and if at least one plaintext traffic feature exists in the session traffic, determining a first attack behavior of the session traffic according to the plaintext traffic feature existing in the session traffic; if no plaintext traffic feature exists in the session traffic, invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior; if the prediction confidence of the attack prediction model for the session traffic does not reach a confidence threshold, sending the session traffic to a cloud knowledge base as a query request, so that the cloud knowledge base screens target non-plaintext traffic features matched with the query request from a plurality of predefined non-plaintext traffic features; and invoking the attack prediction model to perform semantic analysis according to the target non-plaintext traffic features and the session traffic so as to determine a third attack behavior.
According to the embodiment of the application, the session traffic is first matched against the predefined plurality of plaintext traffic features, and if at least one plaintext traffic feature exists in the session traffic, the first attack behavior of the session traffic is determined from that feature. Plaintext feature matching is therefore used preferentially: known attack patterns are filtered out at high speed, and the attack prediction model is invoked only for traffic that cannot be matched, which avoids wasting resources.
Preferably, in the embodiment of the application, when no plaintext traffic feature exists in the session traffic, the attack prediction model is invoked to perform semantic analysis on the session traffic to determine the second attack behavior, so that when the plaintext features are bypassed (for example by code obfuscation or encryption), the hidden attack features can still be identified through the semantic analysis of the attack prediction model, improving resistance to obfuscated and encrypted attacks.
Preferably, in the embodiment of the application, when the prediction confidence of the attack prediction model for the session traffic does not reach the confidence threshold, the session traffic is sent to the cloud knowledge base as a query request, so that the cloud knowledge base screens out target non-plaintext traffic features matched with the query request from a plurality of predefined non-plaintext traffic features, and the attack prediction model is invoked to perform semantic analysis according to the target non-plaintext traffic features and the session traffic to determine a third attack behavior. In this way, cloud knowledge base enhanced judgment is introduced for the hard cases about which the model is uncertain, forming "edge-cloud" cooperation and greatly improving the detection capability for unknown network attacks.
In the embodiment of the application, invoking an attack prediction model to perform semantic analysis on the session traffic to determine a second attack behavior comprises the following steps: judging whether confusion field data exist in the session flow, wherein the confusion fi
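Claim 3's request/response correlation, which follows the semantic analysis step described above, as an added example rather than code from the patent: once the request stage has produced an attack label, the paired response is searched for content causally tied to that label and the final judgment is one of the claim's three outcomes (attack present; present and succeeded; present and failed). The attack labels, the success-evidence patterns, the block-page phrase and the sample sessions are all constructed for this example; the patent does not specify which response signals to use.

```python
"""Claim 3 in code: after the request side has yielded a second attack
behaviour, correlate the paired response and settle on the claim's verdicts.
Labels, evidence patterns and sample sessions are constructed for this example."""
import re

# Response content causally tied to a successful attack of each class
# (constructed detector patterns; a label with no entry can only be "present").
SUCCESS_EVIDENCE = {
    "path_traversal": re.compile(r"^root:x:0:0:", re.M),         # passwd file echoed back
    "cmd_injection": re.compile(r"\buid=\d+\([^)]*\) gid=\d+"),  # output of `id` echoed back
}
# Responses that show the request was rejected before it could take effect.
BLOCK_PAGE = re.compile(r"request blocked|access denied", re.I)

def final_verdict(attack_label: str, status: int, response_body: str) -> str:
    """Combine the request-side label with the causally related response content
    into claim 3's outcomes: present, present and succeeded, present and failed."""
    if attack_label == "benign":
        return "no_attack"
    evidence = SUCCESS_EVIDENCE.get(attack_label)
    if evidence is not None and evidence.search(response_body):
        return "attack_succeeded"
    if 400 <= status < 500 or BLOCK_PAGE.search(response_body):
        return "attack_failed"
    return "attack_present"  # attempt seen, response carries no evidence either way

# Constructed sessions: (label from the request stage, HTTP status, response body).
SAMPLE_SESSIONS = [
    ("path_traversal", 200, "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"),
    ("path_traversal", 403, "<html><body>Access denied</body></html>"),
    ("cmd_injection", 200, "<html><body>Search results for: 'ping'</body></html>"),
    ("cmd_injection", 200, "uid=33(www-data) gid=33(www-data) groups=33(www-data)"),
    ("benign", 200, "<html><body>Welcome</body></html>"),
]

def judge_all(sessions=SAMPLE_SESSIONS) -> list:
    """Apply the verdict to every session; returns the list of outcomes in order."""
    return [final_verdict(*session) for session in sessions]

if __name__ == "__main__":
    for session, result in zip(SAMPLE_SESSIONS, judge_all()):
        print(session[0], session[1], "->", result)
```

Success evidence is checked before the rejection signals so that a leaked file body served with an odd status code still counts as a successful attack, and 5xx responses are deliberately not treated as failure, since several injection classes produce server errors precisely when the injected input reached the back end. An attack label with no evidence pattern and a clean 2xx response stays "attack_present", which is the honest answer when the response side has nothing to say.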