
CN-122027175-A - Attack detection method and device based on template matching


Abstract

The embodiment of the invention discloses an attack detection method and device based on template matching, relating to the technical field of internet data analysis. The method comprises: constructing a data set from the network traffic of failed attacks; extracting the response bodies in the data set, screening out those in HTML format, and generating at least one detection template; extracting the response body in the test traffic and matching it against the at least one detection template; and judging that the attack in the test traffic failed when the match succeeds, or that the attack succeeded when the match fails. The invention can improve the accuracy of attack detection and judgment on real network traffic and is suitable for attack detection in a real Internet backbone network environment.

Inventors

  • WEI JIADONG
  • WEI JINXIA
  • LONG CHUN
  • HUANG PAN
  • SUN DEGANG

Assignees

  • 中国科学院计算机网络信息中心

Dates

Publication Date
2026-05-12
Application Date
2024-11-11

Claims (10)

  1. An attack detection method based on template matching, characterized by comprising the following steps: constructing a data set from the network traffic of a plurality of failed attacks; extracting the response bodies in the data set, screening out the response bodies in HTML format, and generating at least one detection template, wherein a response body is an HTTP response body sent by a server to a user; extracting the response body in the test traffic and matching it against the at least one detection template; and judging that the attack in the test traffic failed when the response body in the test traffic matches any one of the at least one detection template, or judging that the attack in the test traffic succeeded when the response body in the test traffic fails to match the at least one detection template.
  2. The template matching-based attack detection method according to claim 1, wherein constructing a data set from the network traffic of a plurality of failed attacks includes: acquiring a plurality of network flows and their corresponding labels in a real network environment, wherein each label is either a network attack success label or a network attack failure label; and removing the network traffic of each successful attack, and constructing the data set from the network traffic of each failed attack.
  3. The template matching-based attack detection method according to claim 1, wherein extracting the response bodies in the data set, screening out the response bodies in HTML format, and generating the detection template includes: constructing each page of each website as a Document Object Model (DOM) tree using the BeautifulSoup library, wherein the BeautifulSoup library is used to extract the HTTP response bodies; and merging the DOM trees of a plurality of different pages of each website to obtain the detection template corresponding to that website.
  4. The template matching-based attack detection method according to claim 1, wherein extracting the response body in the test traffic and matching it against the at least one detection template includes: extracting the HTTP response body in the test traffic and screening out the response body in HTML format, wherein the test traffic comprises either Webshell network attack success test traffic or Webshell network attack failure test traffic, the response body of Webshell network attack success test traffic comprises a server directory page or a website console page, and the response body of Webshell network attack failure test traffic comprises a normal website page or an error prompt page; and matching the response body in the test traffic against the at least one detection template.
  5. The template matching-based attack detection method according to claim 1, wherein the method further comprises: manually reviewing the result of matching the response body in the test traffic against the at least one detection template; and when the matching result is that the attack in the test traffic succeeded but the manual review concludes that the attack failed, adding the test traffic to the data set and iteratively updating the data set.
  6. An attack detection device based on template matching, comprising: a construction module for constructing a data set from the network traffic of a plurality of failed attacks; an extraction module for extracting the response bodies in the data set, screening out the response bodies in HTML format and generating at least one detection template, wherein a response body is an HTTP response body sent by a server to a user; a matching module for extracting the response body in the test traffic and matching it against the at least one detection template; and a judging module for judging that the attack in the test traffic failed when the response body in the test traffic matches any one of the at least one detection template, or judging that the attack in the test traffic succeeded when the response body in the test traffic fails to match the at least one detection template.
  7. The template matching-based attack detection device according to claim 6, wherein the construction module comprises: an acquisition submodule for acquiring a plurality of network flows and their corresponding labels in a real network environment, wherein each label is either a network attack success label or a network attack failure label; and a construction submodule for removing the network traffic of each successful attack and constructing the data set from the network traffic of each failed attack.
  8. The template matching-based attack detection device according to claim 6, wherein the extraction module comprises: a construction submodule for constructing each page of each website as a Document Object Model (DOM) tree using the BeautifulSoup library, wherein the BeautifulSoup library is used to extract the HTTP response bodies; and a generation submodule for merging the DOM trees of a plurality of different pages of each website to obtain the detection template corresponding to that website.
  9. The template matching-based attack detection device according to claim 6, wherein the matching module comprises: an extraction submodule for extracting the HTTP response body in the test traffic and screening out the response body in HTML format, wherein the test traffic comprises either network attack success test traffic or network attack failure test traffic, the response body of network attack success test traffic comprises a server directory page or a website console page, and the response body of network attack failure test traffic comprises a normal website page or an error prompt page; and a matching submodule for matching the response body in the test traffic against the at least one detection template.
  10. The template matching-based attack detection device according to claim 6, wherein the construction module is further used to manually review the result of matching the response body in the test traffic against the at least one detection template, and, when the matching result is that the attack in the test traffic succeeded but the manual review concludes that the attack failed, to add the test traffic to the data set and iteratively update the data set.

Description

Attack detection method and device based on template matching

Technical Field

The invention relates to the technical field of internet data analysis, and in particular to an attack detection method and device based on template matching.

Background

With the continuous development of internet technology, network attacks occur frequently and the security of the network environment receives increasing attention. Among the various network attacks, a Webshell attack uploads a code file into a code execution environment on the server that the attacker can then access; once a Webshell attack succeeds, the attacker can control the website server and gain complete control of the website, so a successful Webshell attack is extremely harmful. Existing Webshell detection methods are file-based: a detection program must be run on the server to search the website server for suspicious Webshell files.

Disclosure of Invention

The invention aims to solve the problems in the prior art and provides an attack detection method and device based on template matching.

The template matching-based attack detection method is realized by the following technical scheme: a data set is constructed from the network traffic of a plurality of failed attacks; the response bodies in the data set are extracted, the response bodies in HTML format are screened out, and at least one detection template is generated, wherein a response body is an HTTP response body sent by a server to a user; the response body in the test traffic is extracted and matched against the at least one detection template; when the response body in the test traffic matches any one of the at least one detection template, the attack in the test traffic is judged to have failed, or when the response body in the test traffic fails to match the at least one detection template, the attack in the test traffic is judged to have succeeded.

Further, constructing the data set from the network traffic of failed attacks includes obtaining the network traffic in the real network environment together with its corresponding labels, wherein the labels are network attack success labels or network attack failure labels, removing the network traffic of successful attacks, and constructing the data set from the network traffic of failed attacks.

Further, extracting the response bodies in the data set, screening out the response bodies in HTML format and generating the detection template includes constructing each page of each website as a Document Object Model (DOM) tree using the BeautifulSoup library, wherein the BeautifulSoup library is used to extract the HTTP response bodies, and merging the DOM trees of a plurality of different pages of each website to obtain the detection template corresponding to that website.

Further, extracting the response body in the test traffic and matching it against the at least one detection template comprises extracting the HTTP response body in the test traffic and screening out the response body in HTML format, wherein the test traffic comprises Webshell network attack success test traffic or Webshell network attack failure test traffic, the response body of Webshell network attack success test traffic comprises a server directory page or a website console page, and the response body of Webshell network attack failure test traffic comprises a normal website page or an error prompt page, and matching the response body in the test traffic against the at least one detection template.

Further, the method further comprises manually reviewing the result of matching the response body in the test traffic against the at least one detection template, and adding the test traffic to the data set to iteratively update the data set when the matching result is that the attack in the test traffic succeeded but the manual review concludes that the attack failed.

The template matching-based attack detection device is realized by a construction module, an extraction module, a matching module and a judgment module, wherein the construction module is used for constructing a data set from the network traffic of a plurality of failed attacks, the extraction module is used for extracting the response bodies in the data set and screening out the response bodies in HTML format to generate at least one detection template, wherein a response body is an HTTP response body sent by a server to a user, the matching module is used for extracting the response body in the test traffic and matching it against the at least one detection template, and the judgment module is used for judging that the attack in the test traffic failed when the response body in the test traffic matches any one of t
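The following Python script is an added example, not code from the patent or its assignee, of the pipeline the claims and description lay out: build a per-site template from the HTML response bodies of failed attacks, match a test response body against it, and classify a non-match as a successful attack. Two things are assumptions of this example rather than details given by the patent: the DOM is built with the standard-library html.parser instead of BeautifulSoup so the script runs with no third-party packages, and "merging DOM trees" is implemented as the union of root-to-node tag paths with a 0.9 path-coverage threshold for a match. All HTML inputs, the site name and the analyst decision in the review loop (claim 5) are constructed samples.

```python
from collections import Counter
from html.parser import HTMLParser


class SkeletonParser(HTMLParser):
    """Reduce an HTML response body to its tag skeleton: a multiset of
    root-to-node tag paths such as "html/body/div/a". Text and attribute
    values are ignored on purpose, so pages that differ only in content
    but share a layout produce the same paths (stdlib stand-in for the
    BeautifulSoup DOM the patent uses)."""

    VOID = {"br", "img", "input", "meta", "link", "hr"}  # never have a closing tag

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        self.paths["/".join(self.stack)] += 1
        if tag in self.VOID:
            self.stack.pop()

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy nesting.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def skeleton(html):
    parser = SkeletonParser()
    parser.feed(html)
    parser.close()
    return parser.paths


def build_template(pages):
    """Merge the skeletons of several pages of one site into one template.
    Assumed merge rule: the union of their tag paths."""
    template = set()
    for html in pages:
        template |= set(skeleton(html))
    return template


def match_score(html, template):
    """Fraction of the test body's tag occurrences whose path is in the template."""
    paths = skeleton(html)
    total = sum(paths.values())
    if total == 0:
        return 0.0
    return sum(n for p, n in paths.items() if p in template) / total


def classify(html, templates, threshold=0.9):
    """Patent rule: a body matching any site template is a failed attack;
    a body matching none is flagged as a successful attack. The threshold
    is an assumption of this example."""
    for site, template in templates.items():
        if match_score(html, template) >= threshold:
            return "attack_failed", site
    return "attack_succeeded", None


# Constructed sample traffic for one fictional site.
NORMAL_PAGE = """<html><head><title>Shop</title><link rel="stylesheet" href="s.css"></head>
<body><div id="nav"><a href="/">Home</a><a href="/cart">Cart</a></div>
<div id="main"><h1>Welcome</h1><p>Offer of the day</p><img src="x.png"></div>
<div id="footer"><p>Copyright</p></div></body></html>"""
ERROR_PAGE = """<html><head><title>404</title></head>
<body><div id="nav"><a href="/">Home</a></div>
<div id="main"><h1>Not found</h1><p>Sorry</p></div></body></html>"""
CART_PAGE = """<html><head><title>Cart</title><link rel="stylesheet" href="s.css"></head>
<body><div id="nav"><a href="/">Home</a></div>
<div id="main"><h1>Your cart</h1><p>Empty</p></div></body></html>"""
DIRECTORY_LISTING = """<html><head><title>Index of /uploads</title></head>
<body><h1>Index of /uploads</h1><pre><a href="../">Parent</a>
<a href="a.txt">a.txt</a><a href="b.jpg">b.jpg</a></pre>
<hr><address>Server at shop.example</address></body></html>"""
ORDERS_PAGE = """<html><head><title>Orders</title></head>
<body><div id="nav"><a href="/">Home</a></div>
<table><tr><th>Id</th><th>Total</th></tr>
<tr><td>1</td><td>9.00</td></tr><tr><td>2</td><td>5.50</td></tr></table></body></html>"""

# Data set: HTML bodies from traffic labelled "attack failed", grouped by site.
FAILED_ATTACK_RESPONSES = {"shop.example": [NORMAL_PAGE, ERROR_PAGE]}


def build_templates(dataset):
    return {site: build_template(pages) for site, pages in dataset.items()}


def run_demo():
    dataset = {site: list(pages) for site, pages in FAILED_ATTACK_RESPONSES.items()}
    templates = build_templates(dataset)
    cart = classify(CART_PAGE, templates)               # layout known -> failed
    listing = classify(DIRECTORY_LISTING, templates)    # server directory page -> flagged
    before = classify(ORDERS_PAGE, templates)           # new layout -> flagged (false positive)
    # Claim 5 loop: analyst reviews the flagged orders page and marks it a
    # failed attack (constructed decision), so it joins the data set and the
    # template is rebuilt.
    if before[0] == "attack_succeeded":
        dataset["shop.example"].append(ORDERS_PAGE)
        templates = build_templates(dataset)
    after = classify(ORDERS_PAGE, templates)
    return cart, listing, before, after


if __name__ == "__main__":
    for label, result in zip(("cart", "listing", "orders before", "orders after"), run_demo()):
        print(f"{label}: {result}")
```

The directory listing scores 4/11 because only its html, head, title and body paths occur in the template, so it is flagged; the orders page is flagged for the same structural reason until the review loop adds it to the data set, which is exactly the false-positive case claim 5 is written for.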