A technology of attack detection and anomaly detection, which is applied in the field of network security to achieve the effect of ensuring security
Inactive Publication Date: 2016-04-20
CHINA ELECTRONICS STANDARDIZATION INST
Problems solved by technology
[0006] The technical problem to be solved by the present invention is how to overcome the shortcomings of misuse detection and anomaly detection, and how to perform post-event attack detection and evidence collection for Web attacks that cannot be found by Web application firewalls.
Embodiment 1
[0041] Embodiment 1. A method for detecting Web attacks, as shown in Figure 1, including steps S110-S130:
[0042] S110. For multiple Web logs to be processed, divide them according to the URLs (Uniform Resource Locators) in the Web logs, and obtain Web log subsets corresponding to different URLs.
[0043] This step may include: for multiple Web logs to be processed, first extract the URL in each Web log, then divide the multiple Web logs to be processed according to the URLs, placing Web logs containing the same URL into the same Web log subset, so that Web log subsets corresponding to different URLs are obtained; each of the Web log subsets may include one or more Web logs.
[0044] After this step, it may also include: pre-excluding the Web log subset whose number of Web log entries is less than the first predetermined threshold value, or only performing subsequent steps on the Web log subset whose Web log entry number reaches th...
Embodiment 2
[0092] Embodiment 2. A Web attack detection device based on Web log analysis, as shown in Figure 2, including:
[0093] The log classification module 21 is used for dividing a plurality of Web logs to be processed according to the Uniform Resource Locator (URL) in the Web logs, so as to obtain the Web log subsets corresponding to different URLs;
[0094] The normal behavior model learning module 22 is used to perform the following processing on the Web log subset corresponding to each URL: select some Web logs in the Web log subset, where the proportion of the selected Web logs in the Web log subset is less than or equal to the predetermined upper limit of the proportion; and, according to the selected Web logs, construct the normal behavior model corresponding to the URL;
[0095] The anomaly detection module 23 is configured to perform anomaly detection on unselected web logs in the web log subset corresponding to each URL based ...
Abstract
The invention discloses a method and device for detecting Web attacks. The method comprises: dividing multiple to-be-processed Web logs according to the URL (Uniform Resource Locator) in each Web log to obtain Web log subsets corresponding to different URLs; for the Web log subset corresponding to each URL, selecting some of the Web logs in the subset, wherein the proportion of the selected Web logs in the subset is less than or equal to a preset proportion upper limit, and establishing a normal behavior model corresponding to the URL based on the selected Web logs; and, for the Web log subset corresponding to each URL, carrying out anomaly detection on the unselected Web logs in that subset based on the normal behavior model corresponding to the URL. With this method and device, post-attack detection and evidence collection can be carried out for Web attacks that are not discovered by a Web application firewall.
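The three steps of the abstract, together with the minimum-entry threshold from Embodiment 1, as an added Python example that is not taken from the patent. The page does not show how logs are selected or what the normal behavior model contains, so the following are assumptions: the URL is the request path without its query string, the earliest entries of each subset are the selected ones, and the model records each parameter's maximum length and character classes. All names and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request field of a common-log-format line

def char_classes(value):
    """Coarse character classes present in a parameter value."""
    return {"digit" if c.isdigit() else "alpha" if c.isalpha() else
            "space" if c.isspace() else "punct" for c in value}

def partition_by_url(lines):
    """S110: group logs by URL (assumed here: the path, without the query string)."""
    subsets = defaultdict(list)
    for line in lines:
        if (m := REQ.search(line)):
            target = urlsplit(m.group(1))
            subsets[target.path].append((line, parse_qsl(target.query, keep_blank_values=True)))
    return subsets

def build_model(selected):
    """Assumed normal behavior model: per parameter, max length and character classes seen."""
    model = {}
    for _, params in selected:
        for name, value in params:
            entry = model.setdefault(name, {"max_len": 0, "classes": set()})
            entry["max_len"] = max(entry["max_len"], len(value))
            entry["classes"] |= char_classes(value)
    return model

def is_anomalous(params, model, slack=2):
    """Unknown parameter, value far longer than learned, or unseen character class."""
    return any(name not in model or len(value) > slack * model[name]["max_len"]
               or not char_classes(value) <= model[name]["classes"] for name, value in params)

def detect(lines, min_entries=5, max_ratio=0.5):
    """Return the unselected log lines that deviate from their own URL's model."""
    flagged = []
    for subset in partition_by_url(lines).values():
        if len(subset) < min_entries:     # below the first predetermined threshold: skip
            continue
        k = int(len(subset) * max_ratio)  # selected share stays <= the proportion upper limit
        model = build_model(subset[:k])   # assumed selection: earliest entries, presumed benign
        flagged += [line for line, params in subset[k:] if is_anomalous(params, model)]
    return flagged

# Constructed sample: nine benign requests, one injection-style request, one rarely hit URL.
SAMPLE = ['192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /item.php?id=%d HTTP/1.1" 200 512' % (100 + i) for i in range(9)]
SAMPLE += ['192.0.2.77 - - [01/Jan/2016:10:01:00 +0000] "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 9813',
           '192.0.2.10 - - [01/Jan/2016:10:02:00 +0000] "GET /rare.php?x=1 HTTP/1.1" 200 10']
```

In this sketch a malicious request that falls inside the selected portion is learned as normal, so the quality of the selection step bounds what the anomaly step can find.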
Description
Technical field
[0001] The invention relates to the field of network security, in particular to a method and device for detecting Web attacks.
Background technique
[0002] Currently, 80% of common applications are Web applications, including financial applications that require high security. The Web has become the standard application interaction interface. While Web applications bring convenience to people, they have also become the object of greatest interest to hackers. Common attacks against Web applications include SQL (Structured Query Language) injection attacks, XSS (Cross-Site Scripting) attacks, CSRF (Cross-Site Request Forgery), and various Web attack methods that may cause denial of service on the Web server.
[0003] In order to defend against various Web attacks, the processing method in related technologies is usually to deploy a Web application firewall in front of the Web application, which ca...