CN116668063B - Network attack countering method and software system based on middleware process implantation
- Publication number: CN116668063B (application CN202310383195.1A)
- Authority: CN (China)
- Prior art keywords: countering, request, module, response, http
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/563—Data redirection of data network streams
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Abstract
The application discloses a network attack countering method and a software system based on middleware process implantation. The method comprises the following steps: receiving a client access request; judging whether the access request uses the HTTP protocol and, if so, parsing the HTTP request; judging, according to the parsing result, whether the client needs to be countered; if so, redirecting the system API; generating response information according to the parsing result of the HTTP request; and returning the response information to the client. The software system is provided with the network attack countering method based on middleware process implantation. The device is an electronic device, a server or a cloud service platform with networking functions that is loaded with the software system. The beneficial effects of the application are: the bottleneck of attack trapping and countering systems in a modern attack-and-defense environment can be resolved, the sensing system is hidden inside the real application, and complex and dangerous operations such as long-term honeypot cultivation ('pot raising') are avoided. By applying association rules, sensitive behavior is responded to in time and is blocked and countered.
Description
Technical Field
The application relates to the technical field of computer network security, in particular to a network attack countering method and a software system based on middleware process implantation.
Background
Attack trapping and countering technology is a core component of a network security defense system: by deploying various baits, advanced attacks that have penetrated the security defenses can be captured, and intrusion countering can be applied to them. Existing attack trapping and countering technology mainly takes one of two approaches: listening on common ports in the operating system through an Agent, or forging the Web pages of an application system through dedicated equipment. In either case, when attack traffic is triggered it is drawn to the trap and a preset countering tool is returned to carry out the counterattack.
Existing attack trapping and countering technology has a number of defects, chiefly insufficient practicability and high risk. The main defects are as follows:
(1) Insufficient dynamic effect
Dynamic real-time updating is the core capability of attack trapping and countering: the various services simulated externally must integrate seamlessly with the existing services. However, for reasons such as the chosen technical route, fidelity of simulation and the cost of secure operation are difficult to balance, and the overall real-world effect of the technology is poor.
An Agent can be deployed to listen on common ports in the operating system and simulate a corresponding disguised service in a user-defined way, and this has the advantage of rapid deployment. However, the service logic behind the listening port is too simple: it cannot engage in complex interaction with an attacker, is in an almost purely static mode, is easy to discover and bypass, and cannot respond automatically when an attack is encountered.
Forging the Web pages of an application system through dedicated equipment can in theory produce a service trap with a higher degree of fidelity that is updated in real time as the service changes. The problem is that each Web application must be studied carefully, baits must be specially designed according to its business logic and project code, and service data interaction flows must be created. The technical route also requires long-term honeypot cultivation ('pot raising'), and the high cost of secure operation makes it extremely difficult to promote and use.
(2) High risk
A disguised service must be exposed externally to produce a trapping effect, but directly exposing a service means introducing more risk, and the prior art suffers from an unequal return on that exposure. Both approaches therefore need to be examined.
When an Agent listens on common ports in the operating system, the Agent has only a listening program and no other service analysis logic, yet the server's service must be mapped outward, so the overall risk is increased.
Forging the Web pages of an application system through dedicated equipment greatly increases the risk: to achieve high interaction, more code carrying business logic (and its defects) is built in, and once the dedicated equipment is compromised by an attacker, the risk of the whole device being taken over is directly exposed, posing a larger threat.
Disclosure of Invention
The application aims to solve the above technical problems by designing a network attack countering method based on middleware process implantation, together with a software system and a device using the method. A new kind of network attack trapping and countering technology is developed to discover latent attacks and counter them in a targeted way, overcoming the problems of insufficient practicability and high risk in the existing environment and providing efficient support for the construction of network security systems in modern hybrid data centers.
The technical scheme adopted for solving the technical problems is as follows:
A method for countering network attacks based on middleware process implantation, executed by a network server, wherein the method comprises the following steps:
S100: receiving a client access request;
S200: judging whether the access request uses the HTTP protocol and, if so, parsing the HTTP request;
S300: judging, according to the parsing result of the HTTP request, whether the client needs to be countered;
S400: if so, redirecting the system API;
S500: generating response information according to the parsing result of the HTTP request;
S600: returning the response information to the client.
In the above method, parsing the HTTP request in step S200 comprises:
parsing the request type, the request URL, the request headers and the request body of the HTTP request.
In the above method, judging whether the client needs countering in step S300 comprises:
judging, according to the parsing result of the HTTP request, whether the accessed server process is a target process; types of target process include, but are not limited to, Tomcat and Nginx processes;
finding the target function in the target process; target functions include, but are not limited to, the send and recv functions.
In the above method, redirecting the system API in step S400 comprises:
locating the target function;
rewriting the target function's instructions by replacing its first N bytes with a Jmp jump instruction, where N is at least 5 and at most 9;
jumping to the step of identifying the behavior pattern of the client associated with the access request.
In the above method, generating response information according to the parsing result of the HTTP request in step S500 comprises:
identifying the behavior pattern of the client associated with the access request, namely comparing the parsing result of the HTTP request from step S200 against a countering behavior recognition library to determine which class of behavior pattern needs countering;
generating a countering strategy for the client associated with the access request, namely comparing the identified behavior pattern against a countering rule base and judging whether it matches any rule in the countering rule base;
if so, generating countering strategy response information for the client associated with the access request from the countering rule base.
In the above method, the countering behavior recognition library is a dynamically extensible database of countering behavior recognition entries, including but not limited to: high-risk URL identification, identification of malicious downloads of sensitive information, middleware exploit identification and remote-control Trojan exploit identification.
In the above method, the countering rule base is a dynamically extensible database of treatment rules, including but not limited to:
a high-risk URL rule, which rewrites the HTTP response to generate a script with countering content;
a sensitive file download rule, which rewrites the HTTP response to generate an executable program with a countering function.
In the above method, the script with countering content includes but is not limited to confusing information, that is, false inducement information that leads the attacker into further penetration work;
the executable program with a countering function includes but is not limited to a remote-control Trojan, which is returned so that the attacker downloads and executes the Trojan program.
In the above method, returning response information to the client means returning the countering strategy response information in the form of an HTTP response by rewriting the response traffic.
In the above method, deploying the server comprises the following steps:
deploying a unified management module on the server and configuring the processes to be monitored;
configuring a behavior recognition module and the countering behavior recognition library on the server;
configuring a disposal decision module and the countering rule base on the server;
configuring a response traffic rewriting module on the server;
wherein the unified management module comprises:
lifecycle management: turning the countering function on or off;
configuration file updating: synchronizing the latest configuration into the countering behavior recognition library and the countering rule base.
A software system of the network attack countering method based on middleware process implantation, wherein the system is a software system provided with any of the above network attack countering methods based on middleware process implantation. The system comprises a unified management module, a redirection system API module, a behavior recognition module, a disposal decision module and a response traffic rewriting module. The unified management module manages the whole life cycle of the other modules; the redirection system API module hijacks traffic inside the operating system; the behavior recognition module recognizes sensitive operations in the traffic; the disposal decision module makes treatment and response decisions according to the different sensitive operations; and the response traffic rewriting module rewrites the response body, writing the required deception pages or countering programs into it.
The device of the network attack countering method based on middleware process implantation is an electronic device, a server or a cloud service platform with networking function;
the electronic equipment is loaded with a software system with the network attack countering method based on middleware process implantation;
the server is loaded with a software system with the network attack countering method based on the middleware process implantation;
the cloud service platform is loaded with a software system with the network attack countering method based on middleware process implantation.
The key point of the method is to make HTTP attacks counterable and to turn a real application system from passive to active. Conventional handling of HTTP attacks consists mainly of attack filtering and collection by honeypots; even where attack countering is performed in an independent honeypot system, the honeypot has obvious honeypot characteristics and an attacker is rarely drawn into the 'snare' beforehand. The implanted network attack countering method implants a countering module into the real service system, so the attacker is confused to the greatest extent, is attracted into using the countering content returned to them, and the countering effect is maximized.
Implementing the application can directly promote innovation in the national network security system and truly enter the era of active and dynamic defense.
The at least one technical scheme adopted by the embodiments of the application can achieve the following beneficial effects: the bottleneck of attack trapping and countering systems in a modern attack-and-defense environment can be thoroughly resolved, the sensing system is hidden inside the real application, and complex and dangerous operations such as long-term honeypot cultivation ('pot raising') are avoided. By applying association rules, sensitive behavior is responded to in time and is blocked and countered.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a functional block diagram of a network attack countering method based on middleware process implantation according to an embodiment of the present application;
FIG. 2 is a diagram illustrating a network attack countering method based on middleware process implantation according to an embodiment of the present application;
fig. 3 is a flowchart of an overall network attack countering method based on middleware process implantation according to an embodiment of the present application.
Detailed Description
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only.
While the present application makes various references to certain modules in a system according to embodiments of the present application, any number of different modules may be used and run on a user terminal and/or server, the modules are merely illustrative, and different aspects of the system and method may use different modules.
A flowchart is used in this application to describe the operations performed by a system according to embodiments of the present application. It should be understood that the preceding or following operations are not necessarily performed in order precisely. Rather, the various steps may be processed in reverse order or simultaneously, as desired. Also, other operations may be added to or removed from these processes. The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
To facilitate understanding of the embodiments of the application, as shown in fig. 3, a method for countering a network attack based on middleware process implantation is executed by a network server, and the method includes:
S100: receiving a client access request;
Specifically, as a platform providing internet services, the server receives the access requests of all users.
S200: judging whether the access request uses the HTTP protocol and, if so, parsing the HTTP request;
Specifically, clients access the servers of the service side over different protocols depending on the service. After receiving a service request, the server judges whether the access request is based on the HTTP protocol; if so, the HTTP request is parsed by an HTTP parsing component; otherwise, normal network service is provided as requested by the client.
S300: judging, according to the parsing result of the HTTP request, whether the client needs to be countered;
Specifically, the parsing result of the HTTP request is analyzed; if the source address of the request is suspicious, or if the content of the request may be harmful to the server, it is decided whether to apply countering to this HTTP access. In this way the method takes the initiative: it strikes actively and faces the attack rather than waiting for it.
S400: if so, redirecting the system API;
Specifically, if it is determined that the access is potentially malicious, the access is redirected to an application module that is pre-deployed on the server and has the function of identifying and judging malicious access. Otherwise, normal network service is provided as requested by the client. Before the server provides service, the redirection system API implants redirection code in advance into the network-related system API functions used by the target process: it judges the type of the target process (including but not limited to Tomcat and Nginx processes), looks up the addresses of functions including but not limited to send and recv, redirects those addresses to the countering device, and thereby takes over the network communication of the process.
S500: generating response information according to the parsing result of the HTTP request;
S600: returning the response information to the client.
Specifically, once the type and content of the access request have been identified and judged, response information carrying the countering strategy is generated according to a preset countering strategy and sent back over the HTTP protocol to the client that initiated the HTTP access.
In internet applications, the application-layer protocols used for communication between clients and servers mainly include HTTP, Telnet, SMTP and so on. The network attack countering method based on middleware process implantation is aimed at clients that access the server over the HTTP protocol. A network attacker launches an attack from the client toward the server, and to protect the server, passive defense alone is clearly insufficient. Active defense techniques such as attack trapping and countering have emerged, but their dynamic effect is poor and they sometimes introduce more risk because the service is exposed directly. Therefore, by placing the countering device covertly inside the server, the HTTP requests of visitors are parsed and analyzed, the specific visitors who may be attacking (the target visitors) are identified, and those visitors are countered, so that the attack is rendered ineffective, is countered in turn, and the risk of exposing the service to attack is reduced.
In the above method, parsing the HTTP request in step S200 comprises:
parsing the request type, the request URL, the request headers and the request body of the HTTP request.
Specifically, the HTTP request message sent from the client to the server has the following format:
request line, general headers, request headers, entity headers, message body
The request type is obtained from the message, and the URL field, the request headers and the content of the request body are extracted and stored for use by subsequent programs.
In the above method, judging whether the client needs countering in step S300 comprises:
judging, according to the parsing result of the HTTP request, whether the accessed server process is a target process; types of target process include, but are not limited to, Tomcat and Nginx processes;
finding the target function in the target process; target functions include, but are not limited to, the send and recv functions.
Specifically, the server side takes processes such as Tomcat and Nginx as target processes, hardens the API on which the target processes depend, and, according to the type of target process, locates the HTTP-related functions in that API, such as send and recv. When a client's HTTP request is directed at a target process and its handling passes through target functions such as send and recv, the HTTP request is a candidate for countering; otherwise, normal network service is provided as requested by the client.
In the above method, redirecting the system API in step S400 comprises:
locating the target function;
rewriting the target function's instructions by replacing its first N bytes with a Jmp jump instruction, where N is at least 5 and at most 9;
jumping to the step of identifying the behavior pattern of the client associated with the access request.
Specifically, when the client's HTTP request is directed at a target process and its handling passes through target functions such as send and recv, a Jmp jump instruction is implanted at the entry of the target function's code on the server being accessed, and the HTTP request is thereby guided to a behavior recognition module implanted on the server in advance.
The redirection system API module comprises: searching for the target function, rewriting the target function, and calling back the target function. Calling back the target function means that, after the behavior recognition and disposal decision of the countering process, if no countering is needed, a Jmp (assembly jump instruction) must return control to the process's original processing instructions.
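The following Python is an added illustration, not code from the patent, of what the redirection system API module has to compute when it rewrites the first N bytes of a target function: the 5-byte x86/x86-64 `jmp rel32` that lands on the hook, padding up to the next instruction boundary (which is why N ends up between 5 and 9 for typical prologues), and the trampoline that replays the stolen bytes and jumps back to target + N so the original processing can resume when no countering is needed. The addresses, the prologue bytes and the per-instruction metadata are constructed for the example. Two checks a practitioner would insist on are included: the displacement must fit in 32 bits, and stolen instructions that are position-dependent (RIP-relative operands, branches) are refused rather than replayed at a different address.

```python
import struct

JMP_REL32 = 0xE9      # x86/x86-64 near jump: E9 + signed 32-bit displacement, 5 bytes
JMP_REL32_LEN = 5
NOP = 0x90


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode a `jmp rel32` located at src that lands on dst.

    The displacement is measured from the end of the 5-byte instruction, so the
    hook must lie within +/-2 GiB of the patched function; otherwise a longer
    absolute jump (and a larger N) would be needed.
    """
    rel = dst - (src + JMP_REL32_LEN)
    if not -(1 << 31) <= rel < (1 << 31):
        raise ValueError("hook target not reachable with a rel32 jmp")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_rel32(src: int, code: bytes) -> int:
    """Inverse of encode_jmp_rel32: absolute destination of the jump at src."""
    if len(code) != JMP_REL32_LEN or code[0] != JMP_REL32:
        raise ValueError("not a jmp rel32")
    return src + JMP_REL32_LEN + struct.unpack("<i", code[1:])[0]


def bytes_to_steal(insns, minimum: int = JMP_REL32_LEN) -> int:
    """Choose N: the smallest instruction-boundary-aligned byte count >= minimum.

    insns is a sequence of (length, position_dependent) pairs describing the
    target function's prologue. Cutting an instruction in half would leave the
    trampoline executing garbage, and a RIP-relative or branch instruction cannot
    be replayed elsewhere without fix-ups, so both cases are rejected.
    """
    n = 0
    for length, position_dependent in insns:
        if position_dependent:
            raise ValueError("stolen prologue contains a position-dependent instruction")
        n += length
        if n >= minimum:
            return n
    raise ValueError("prologue too short to hold the jump")


def build_hook(target: int, hook: int, trampoline: int, prologue: bytes, insns):
    """Return (N, bytes written over the target entry, trampoline bytes)."""
    n = bytes_to_steal(insns)
    patch = encode_jmp_rel32(target, hook) + bytes([NOP]) * (n - JMP_REL32_LEN)
    # Trampoline: replay the stolen instructions, then jump back to target + N.
    # This is the "call back the target function" path used when no countering
    # is needed.
    tramp = prologue[:n] + encode_jmp_rel32(trampoline + n, target + n)
    return n, patch, tramp


# Constructed example: a common x86-64 prologue of the hooked send() function.
#   push rbp         55           1 byte
#   mov  rbp, rsp    48 89 e5     3 bytes
#   sub  rsp, 0x20   48 83 ec 20  4 bytes
EXAMPLE_PROLOGUE = bytes.fromhex("554889e54883ec20")
EXAMPLE_INSNS = [(1, False), (3, False), (4, False)]
EXAMPLE_TARGET = 0x7F0000001000      # send() in the target process (constructed)
EXAMPLE_HOOK = 0x7F0000200000        # entry of the implanted recognition module (constructed)
EXAMPLE_TRAMPOLINE = 0x7F0000300000  # executable scratch page for the trampoline (constructed)


def demo():
    n, patch, tramp = build_hook(EXAMPLE_TARGET, EXAMPLE_HOOK, EXAMPLE_TRAMPOLINE,
                                 EXAMPLE_PROLOGUE, EXAMPLE_INSNS)
    return {"n": n, "patch": patch, "trampoline": tramp}


if __name__ == "__main__":
    r = demo()
    print(f"N = {r['n']}  patch = {r['patch'].hex()}  trampoline = {r['trampoline'].hex()}")
```

For the constructed prologue N comes out as 8 (1 + 3 + 4 bytes), inside the 5 to 9 range the claims give. A real implementation additionally needs the page containing the target made writable for the duration of the patch, the write done atomically or with other threads paused, and a length decoder in place of the hand-written instruction table.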
In the above method, generating response information according to the parsing result of the HTTP request in step S500 comprises:
identifying the behavior pattern of the client associated with the access request, namely comparing the parsing result of the HTTP request from step S200 against a countering behavior recognition library to determine which class of behavior pattern needs countering;
generating a countering strategy for the client associated with the access request, namely comparing the identified behavior pattern against a countering rule base and judging whether it matches any rule in the countering rule base;
if so, generating countering strategy response information for the client associated with the access request from the countering rule base.
As shown in fig. 2, the target visitor is jumped via the redirection system API module to the behavior recognition module, which recognizes the visitor's behavior; if the behavior is aggressive or harmful to the server, the disposal decision module makes a corresponding disposal decision; then the response traffic rewriting module is started and, according to the disposal decision, sends the countering content back to the visitor in the form of an HTTP response.
The middleware process implantation-based network attack countering method, wherein the countering behavior recognition library is a database of countering behavior recognitions that can be dynamically expanded, including but not limited to: high-risk URL identification, sensitive information malicious downloading identification, middleware exploit identification and remote control Trojan exploit identification.
The middleware process implantation-based network attack countering method, wherein the countering rule base is a database of handling rules that can be dynamically expanded, including but not limited to:
high-risk URL rule: rewriting the HTTP response to generate a script with countering content; for example: an HTTP request using the GET method to a certain high-risk address (the address is fixed) hits the high-risk URI detection rule, and the countering content configured in the HTTP response library is returned;
sensitive file downloading rule: rewriting the HTTP response to generate an executable program with a countering function; for example: a GET request whose file name is detected to contain sensitive information (such as the emergency plan of a certain large data center) is judged to be a download of sensitive information, and the HTTP response is replaced with the preset countering content in the rule base.
The middleware process implantation-based network attack countering method, wherein the script with countering content includes but is not limited to: confusing information, which provides false inducing information to lead the hacker into subsequent penetration work;
the executable program with the countering function includes but is not limited to: a remote control Trojan; by returning the remote control Trojan, the hacker is made to download and execute the Trojan program.
According to the network attack countering method based on middleware process implantation, returning the response information to the client means returning the countering strategy response information in the form of an HTTP response through the rewriting response flow.
Specifically, the rewriting response flow module sends the countering strategy response information to the client in the form of an HTTP response. After the client processes the HTTP response, it obtains the confusing information, or is implanted with the remote control Trojan.
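The following is an added illustration, not code from the patent: a Python model of steps S200 to S600 as described above, with the countering behavior recognition library as an ordered, extensible list of predicates and the countering rule base as a map from behavior class to response builder. The fixed high-risk addresses, the sensitive-file keywords, the decoy script contents and the sample requests are all constructed for this example; the "executable program" of the sensitive file downloading rule is represented by a placeholder byte string, not by a real program. One check the patent does not mention is added: the request path is percent-decoded and dot-segment normalised before it is compared with the fixed addresses, otherwise a visitor can miss the rule with `/admin/%2E%2E/admin/backup.php`.

```python
# Added example (not the patent's code): a model of steps S200 to S600, the countering
# behavior recognition library and the countering rule base. High-risk paths, keywords,
# decoy contents and sample requests are constructed; DECOY_PROGRAM is a placeholder.
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def path(self) -> str:
        """Decoded, dot-segment-normalised path: /admin/%2E%2E/admin/x compares equal to /admin/x."""
        return posixpath.normpath(unquote(self.url.split("?", 1)[0]))


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Step S200: parse request type, URL, headers and body; None means 'not HTTP', pass through."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return HttpRequest(parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body)


# Countering behavior recognition library: ordered, dynamically extensible (class, predicate) pairs.
HIGH_RISK_PATHS = {"/manager/html", "/admin/backup.php"}      # constructed fixed addresses
SENSITIVE_KEYWORDS = ("emergency-plan", "shadow")              # constructed file-name markers
BEHAVIOR_LIBRARY: List[Tuple[str, Callable[[HttpRequest], bool]]] = []


def register_behavior(name: str, predicate: Callable[[HttpRequest], bool]) -> None:
    BEHAVIOR_LIBRARY.append((name, predicate))


register_behavior("high_risk_url",
                  lambda r: r.method == "GET" and r.path() in HIGH_RISK_PATHS)
register_behavior("sensitive_download",
                  lambda r: r.method == "GET" and any(k in r.path().lower() for k in SENSITIVE_KEYWORDS))


def recognize_behavior(req: HttpRequest) -> Optional[str]:
    """Behavior recognition module: first matching class wins; None means no countering is needed."""
    for name, predicate in BEHAVIOR_LIBRARY:
        if predicate(req):
            return name
    return None


# Countering rule base: behavior class -> builder of the rewritten HTTP response.
def build_http_response(status: int, reason: str, content_type: str, body: bytes) -> bytes:
    head = (f"HTTP/1.1 {status} {reason}\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body


DECOY_SCRIPT = (b"<html><script>/* false inducing information (decoy) */"
                b"var backupDb={host:'192.0.2.10',user:'ops',pass:'Winter2023!'};</script></html>")
DECOY_PROGRAM = b"MZ-PLACEHOLDER"   # stands in for the 'executable with countering function'

RULE_BASE: Dict[str, Callable[[HttpRequest], bytes]] = {
    "high_risk_url": lambda r: build_http_response(200, "OK", "text/html", DECOY_SCRIPT),
    "sensitive_download": lambda r: build_http_response(200, "OK", "application/octet-stream", DECOY_PROGRAM),
}


def counter(raw: bytes) -> Optional[bytes]:
    """Steps S200-S600 end to end: the rewritten response, or None to hand the bytes back to the original code."""
    req = parse_http_request(raw)
    if req is None:                       # S200: not HTTP, countering response ends
        return None
    behavior = recognize_behavior(req)    # S300/S500: compare with the recognition library
    rule = RULE_BASE.get(behavior) if behavior else None
    if rule is None:                      # disposal decision: no rule hit, pass through
        return None
    return rule(req)                      # S600: rewritten response flow


if __name__ == "__main__":
    sample = b"GET /admin/%2E%2E/admin/backup.php HTTP/1.1\r\nHost: target\r\n\r\n"   # constructed
    print((counter(sample) or b"pass-through").split(b"\r\n")[0])
```

The `None` return of `counter()` is the path the patent describes as jumping back to the original processing instruction of the process: the hooked function continues as if nothing had been intercepted.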
The network attack countering method based on middleware process implantation comprises the following steps of deploying a server:
deploying a unified management module and configuring a monitored process on the server;
configuring a behavior recognition module and a countering behavior recognition library in the server;
configuring a disposal decision module and a countercheck rule base in the server;
configuring an overwrite response flow module at the server;
the unified management module comprises:
lifecycle management: turning on or off the counter function;
configuration file updating: the latest configuration is synchronized into the countering behavior recognition library and the countering rule library.
Specifically, the unified management module is deployed on the server and the monitored process is configured; the monitored process is arranged on key nodes that are difficult for the visitor to bypass.
The behavior recognition and countering behavior recognition library, the disposal decision conditions, the countering rule base and the rewriting response flow content are deployed at the back end of the server, preferably in a safe and hidden manner, and can be opened or closed through lifecycle control; the latest configuration is synchronized to the countering process through the configuration file, dynamically updating the countering behavior recognition library and the countering rule base.
Example two
Specifically, as shown in fig. 1, a software system of the network attack countering method based on middleware process implantation is provided, the system being a software system having any of the above network attack countering methods based on middleware process implantation; the system comprises a unified management module, a redirection system API module, a behavior recognition module, a disposal decision module and a rewriting response flow module; the unified management module manages the whole lifecycle of the other modules, the redirection system API module carries out traffic hijacking in the operating system, the behavior recognition module recognizes sensitive operations in the traffic, the disposal decision module makes handling and response decisions according to the different sensitive operations, and the rewriting response flow module rewrites the response body and writes the required deception pages or countering programs into it.
(1) Software system overall design
The method is carried out by the unified management module, the redirection system API module, the behavior recognition module, the disposal decision module and the rewriting response flow module, with the division of functions described above; the rewriting response flow module in particular rewrites the HTTP response body and writes the required deception pages or countering programs into the HTTP response body.
The network attack countering method based on process implantation comprises the following steps:
Step 1, configuration: the unified management module and the redirection system API module are deployed at a key node of the server; the behavior recognition and countering behavior recognition library, the disposal decision conditions, the countering rule base and the rewriting response flow content are deployed at the back end of the server; finally these components are deployed in a safe and hidden manner and can be opened or closed through lifecycle management and control; the latest configuration is synchronized to the countering process through the configuration file, dynamically updating the countering behavior recognition library and the countering rule base.
Step 2, judging whether the client access uses the HTTP protocol; if so, entering the HTTP analysis operation; otherwise, the countering response ends;
Step 3, after the HTTP analysis is finished, analyzing according to the URL or the request content and judging whether countering is needed; if so, entering the rewriting of the HTTP response and implementing the countering handling; otherwise, the countering response ends.
(2) Sub-item design: unified management module
In the network attack countering method based on process implantation, the unified management module is responsible for the overall scheduling of the countering device, and comprises the following:
(1) lifecycle management:
according to the user's instruction to open or close the countering device, the countering function is opened or closed, so that the user can freely enable and disable countering;
(2) configuration file updating:
according to the latest configuration issued by the user, synchronizing it to the processes of the existing countering devices, so that the processes of all countering devices use the latest configuration;
(3) countering device injection:
after the countering device is started, the Web middleware running in the current system is automatically identified, and the countering device is injected into its process, so that the process has countering capability; the Web middleware includes, but is not limited to, Tomcat, Nginx, Kingdee (金蝶), SpringBoot and WebLogic middleware.
(3) Sub-item design: redirection system API module
The redirection system API module is the step following "unified management module: countering device injection"; it takes charge of redirecting the API in the injected process and realizes the function of redirecting the system API in the method. The main operations of the module include:
(1) searching for the target function:
after injection into the target process, searching for the HTTP-related target function according to the type of the current process, and entering step (2) if the target function is found; the current process types include, but are not limited to, Tomcat and Nginx processes; the HTTP-related target functions include, but are not limited to, the Send and Recv functions;
(2) overwriting the target function instructions:
after the HTTP-related target function is found, modifying the first N bytes of instructions of the function into a Jmp jump instruction (5 ≤ N ≤ 9) that jumps to the countering device; the countering device thereby takes over HTTP, and all HTTP operations during the HTTP session enter the countering device;
(3) calling back the target function:
after the countering device has taken over HTTP and performed behavior recognition, if no countering is needed, control returns through the Jmp jump instruction to the original processing instructions of the process, and the countering response ends.
(4) Sub-item design: behavior recognition module
The behavior recognition module realizes the function of identifying the behavior pattern of the client related to the access request in the method: it carries out behavior recognition on HTTP, in which the request type, request URL, request header and request body of the HTTP request are parsed by an HTTP protocol analyzer and compared with the countering behavior recognition library to determine the countering behavior; the result is then handed to the disposal decision module for decision.
(5) Sub-item design: disposal decision module
The disposal decision module realizes the function of generating the countering strategy for the client related to the access request in the method: it is responsible for deciding whether to counter; the main basis of the decision is the identified HTTP behavior, which is looked up in the dynamically expandable countering rule base, and once a countering rule is hit the countering is carried out by the rewriting response flow module. The countering rule base includes, but is not limited to: high-risk URL rules, sensitive file downloading rules and sensitive information acquisition rules.
(6) Sub-item design: rewriting response flow module
The rewriting response flow module rewrites the HTTP response body and writes the required deception page or countering program into it, returning the countering strategy response information to the client in the form of an HTTP response.
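The following is an added illustration, not code from the patent: the byte-level arithmetic behind steps (2) and (3) of the redirection system API module, namely the Jmp instruction written over the first N bytes of the target function and the trampoline that replays the displaced bytes and jumps back when no countering is needed. The addresses and instruction lengths are constructed and nothing is written into a live process. Two assumptions the patent does not state are made: the target functions are x86-64 code within rel32 range of the countering device, and the displaced prologue bytes contain no RIP-relative operands (otherwise they could not be copied into the trampoline unchanged). The explanation offered for the patent's range 5 ≤ N ≤ 9 (the patch must end on an instruction boundary, so whole instructions totalling at least 5 bytes are displaced) is likewise an assumption. One caveat for practitioners: when the process terminates TLS itself, Send and Recv carry TLS records rather than HTTP text, so the interception point would have to sit after decryption; the patent does not address this.

```python
# Added example (not the patent's code): byte arithmetic for the step (2) entry patch and the
# step (3) return trampoline. Addresses and instruction lengths below are constructed.
# Assumptions: x86-64, target within rel32 range, displaced prologue has no RIP-relative operands.
import struct

JMP_REL32_OPCODE = 0xE9   # near jump with a signed 32-bit displacement, 5 bytes in total
NOP = 0x90


def encode_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """E9 rel32: the displacement is measured from the end of the 5-byte instruction."""
    disp = to_addr - (from_addr + 5)
    if not -2**31 <= disp < 2**31:
        raise ValueError("target outside rel32 range; an absolute 64-bit jump would be needed")
    return bytes([JMP_REL32_OPCODE]) + struct.pack("<i", disp)


def patch_length(instr_lengths, minimum: int = 5) -> int:
    """Whole instructions must be displaced: the patch covers at least `minimum` bytes but ends on
    an instruction boundary (assumed reason for the patent's 5 <= N <= 9)."""
    covered = 0
    for length in instr_lengths:
        covered += length
        if covered >= minimum:
            return covered
    raise ValueError("function body too short to hook safely")


def build_entry_patch(func_addr: int, hook_addr: int, instr_lengths) -> bytes:
    """Step (2): the N bytes written over the function entry: jmp hook, then NOPs up to the boundary."""
    n = patch_length(instr_lengths)
    return encode_jmp_rel32(func_addr, hook_addr) + bytes([NOP]) * (n - 5)


def build_trampoline(displaced: bytes, func_addr: int, tramp_addr: int) -> bytes:
    """Step (3): the way back when no countering is needed: replay the displaced prologue bytes,
    then jump to the first untouched instruction of the original function."""
    n = len(displaced)
    return displaced + encode_jmp_rel32(tramp_addr + n, func_addr + n)


if __name__ == "__main__":
    # Constructed prologue: push rbp / mov rbp,rsp / sub rsp,0x20 (1 + 3 + 4 bytes)
    prologue = bytes.fromhex("55 4889e5 4883ec20")
    lengths = [1, 3, 4]
    send_addr, hook_addr, tramp_addr = 0x401000, 0x7F0000, 0x500000
    patch = build_entry_patch(send_addr, hook_addr, lengths)
    print("entry patch:", patch.hex(), "N =", len(patch))
    print("trampoline :", build_trampoline(prologue[:len(patch)], send_addr, tramp_addr).hex())
```

The instruction lengths are given by hand here; a real implementation needs a length disassembler to find the boundary, and must restore the original bytes on lifecycle shutdown so the process keeps working after the countering function is closed.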
Example three
The device is an electronic device, a server or a cloud service platform with networking function;
the electronic equipment is loaded with a software system with the network attack countering method based on middleware process implantation;
the server is loaded with a software system with the network attack countering method based on the middleware process implantation;
the cloud service platform is loaded with a software system with the network attack countering method based on middleware process implantation.
Specifically, any electronic device with a networking function that realizes protection of the device and/or countering of the client through the network attack countering method based on middleware process implantation falls within the protection scope of the present application. Any electronic device with a networking function that is loaded with the software system based on the middleware process implantation network attack countering method also falls within the protection scope of the present application.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, system, or apparatus. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.
Claims (5)
1. A network attack countering method based on middleware process implantation is executed by a network server and is characterized in that: the method comprises the following steps:
s100: receiving a client access request;
s200: judging whether the access request is an HTTP protocol or not, if so, analyzing the HTTP request;
s300: judging whether the client needs to be countered according to the analysis result of the HTTP request;
s400: if yes, redirecting the system API;
s500: generating response information according to the analysis result of the HTTP request;
s600: returning response information to the client;
the method for judging whether the client needs to be countered in step S300 includes:
judging whether the accessed server process is a target process according to the analysis result of the HTTP request; the type of the target process comprises a Tomcat process and an Nginx process;
finding out an objective function from an objective process; the objective function comprises a Send function and a Recv function;
the redirecting system API in S400 includes:
locating to the objective function;
rewriting the target function instructions, and modifying the first N bytes of instructions of the target function into a Jmp jump instruction, wherein 5 ≤ N ≤ 9;
jumping to behavior recognition;
in S500, according to the analysis result of the HTTP request, generating the response information includes the following steps:
identifying a behavior pattern of a client related to the access request; namely: comparing the analysis result of the HTTP request in the step S200 with a countering behavior recognition library to determine which class of behavior mode needs countering;
generating a countering strategy for the client related to the access request; namely: comparing the identified behavior pattern with the countering rule base, and judging whether it matches any rule in the countering rule base;
if yes, generating countercheck strategy response information of the client related to the access request by a countercheck rule base;
the countering behavior recognition library is a database of countering behavior recognitions that can be dynamically expanded, and comprises: high-risk URL identification, sensitive information malicious downloading identification, middleware exploit identification and remote control Trojan exploit identification;
the countering rule base is a database of handling rules that can be dynamically expanded, and comprises high-risk URL rules and sensitive file downloading rules;
rewriting the HTTP response according to the high-risk URL rule to generate a script with countering content;
generating false inducing information by the script with countering content, leading the hacker into subsequent penetration work;
rewriting the HTTP response according to the sensitive file downloading rule to generate an executable program with a countering function;
the executable program with the countering function realizes, by returning a remote control Trojan, the function of making the hacker download and execute the Trojan program;
the behavior recognition and countering behavior recognition library, the disposal decision conditions, the countering rule base and the rewriting response flow content are deployed at the back end of the server in a safe and hidden manner, and can be opened or closed through lifecycle control; the latest configuration is synchronized to the countering process through the configuration file, dynamically updating the countering behavior recognition library and the countering rule base.
2. The method for countering network attacks based on middleware process implantation according to claim 1, wherein: the parsing the HTTP request in step S200 includes:
and analyzing the request type, the request URL, the request header and the request body in the HTTP request.
3. The method for countering network attacks based on middleware process implantation according to claim 1, wherein: and returning response information to the client, namely, returning the countering strategy response information in an HTTP response mode through rewriting response flow.
4. The method for countering network attacks based on middleware process implantation according to claim 1, wherein: the method comprises the following steps of deploying a network server:
deploying a unified management module and configuring a monitored process on the server;
configuring a behavior recognition module and a countering behavior recognition library in the server;
configuring a disposal decision module and a countercheck rule base in the server;
configuring an overwrite response flow module at the server;
the unified management module comprises:
lifecycle management: turning on or off the counter function;
configuration file updating: the latest configuration is synchronized into the countering behavior recognition library and the countering rule library.
5. The software system of the network attack countering method based on middleware process implantation is characterized in that: the system is used for realizing the network attack countering method based on the implantation of the middleware process according to any one of claims 1-4; the system comprises a unified management module, a redirection system API module, a behavior recognition module, a disposition decision module and a rewriting response flow module; the unified management module is used for managing the whole life cycle of other modules, the redirection system API module is used for carrying out flow hijacking in the operating system, the behavior recognition module is used for recognizing sensitive operations in the flow, the treatment decision module is used for making treatment and response decisions according to different sensitive operations, the rewriting response flow module is used for rewriting the response body, and the required deception pages or the countercheck programs are written into the response body.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310383195.1A CN116668063B (en) | 2023-04-11 | 2023-04-11 | Network attack countering method and software system based on middleware process implantation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116668063A CN116668063A (en) | 2023-08-29 |
CN116668063B true CN116668063B (en) | 2024-01-30 |
Family
ID=87714201
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116668063B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109474569A (en) * | 2017-12-29 | 2019-03-15 | 北京安天网络安全技术有限公司 | Method and system for detecting web cache deception |
CN110839039A (en) * | 2019-11-20 | 2020-02-25 | 成都知道创宇信息技术有限公司 | Intruder countercheck method and device |
CN111343176A (en) * | 2020-01-16 | 2020-06-26 | 郑州昂视信息科技有限公司 | Network attack countering device, method, storage medium and computer equipment |
CN112270011A (en) * | 2020-11-19 | 2021-01-26 | 北京炼石网络技术有限公司 | Method, device and system for protecting service and data security of existing application system |
CN112751864A (en) * | 2020-12-30 | 2021-05-04 | 招联消费金融有限公司 | Network attack countercheck system, method, device and computer equipment |
CN114006715A (en) * | 2020-12-31 | 2022-02-01 | 广州非凡信息安全技术有限公司 | Method for setting attack counterscript based on transparent proxy |
CN114006772A (en) * | 2021-12-30 | 2022-02-01 | 北京微步在线科技有限公司 | Method and device for resisting hacker attack, electronic equipment and storage medium |
CN114079576A (en) * | 2020-08-18 | 2022-02-22 | 奇安信科技集团股份有限公司 | Security defense method, security defense device, electronic apparatus, and medium |
CN114157454A (en) * | 2021-11-16 | 2022-03-08 | 中国工商银行股份有限公司 | Attack countercheck method, device, computer equipment and storage medium |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10498763B2 (en) * | 2017-08-31 | 2019-12-03 | International Business Machines Corporation | On-demand injection of software booby traps in live processes |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |