
CN114650158B - HTTP detection method, system, equipment and computer storage medium - Google Patents


Info

Publication number
CN114650158B
Authority
CN
China
Legal status
Active
Application number
CN202011519748.4A
Other languages
Chinese (zh)
Other versions
CN114650158A (en)
Inventor
陈扬
雷昕
李晓燕
闫凡
Current Assignee
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Application filed by Sangfor Technologies Co Ltd
Priority to CN202011519748.4A
Publication of CN114650158A
Application granted
Publication of CN114650158B
Legal status: Active (current)

Classifications

    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]


Abstract

The application discloses an HTTP detection method, an HTTP detection system, an HTTP detection device and a computer storage medium. The URLs to be detected are obtained from the device to be detected; a target rule is extracted from at least one URL to be detected, the target rule being the preset rule(s) that the URL satisfies; a target score of the target rule is calculated based on the preset score of each rule among the preset rules; and a security detection result for the URL to be detected is determined based on the target score. The types of the preset rules comprise: the download time is outside a preset time period; an IP address is requested directly for the download; the destination IP matches a malicious IP library; the destination IP matches an overseas IP; the download uses a non-preset HTTP port; the downloaded data length is not within a preset length range; the domain name is random; the file name is random; the access period changes by a multiple; the access period changes by fixed minutes; the download comes from an HFS server; the downloaded file content does not match its suffix name; and the access period changes by an arithmetic difference. The detection accuracy of HTTP is improved.

Description

HTTP detection method, system, equipment and computer storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to an HTTP detection method, an HTTP detection system, an HTTP detection device, and a computer storage medium.
Background
HTTP (Hypertext Transfer Protocol) is a simple request-response protocol that typically runs on top of TCP (Transmission Control Protocol); it specifies what messages a client may send to a server and what responses it receives. HTTP is widely used in communications because it makes development and deployment straightforward.
However, when HTTP is in use, an attacker may attack other devices by means of HTTP, for example attacking a client or a server, which threatens the secure use of HTTP. To protect HTTP, the URL (Uniform Resource Locator) corresponding to the HTTP traffic can be detected to determine whether the URL is safe, and thereby whether the HTTP traffic is safe.
However, in the process of detecting the URL, the detected security result may not match the real security of the URL, which affects the accuracy of HTTP detection.
In summary, how to improve the accuracy of HTTP detection is a problem to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an HTTP detection method which can solve the technical problem of how to improve the accuracy of HTTP detection to a certain extent. The application also provides an HTTP detection system, equipment and a computer readable storage medium.
In order to achieve the above object, the present application provides the following technical solutions:
an HTTP detection method, comprising:
Acquiring at least one URL to be detected;
Extracting a target rule from the at least one URL to be detected, wherein the target rule meets a preset rule;
calculating a target score of the target rule based on the preset score of each rule in the preset rules;
determining a security detection result of the URL to be detected based on the target score;
The types of the preset rules comprise: the time at which the resource corresponding to the URL is downloaded is outside a preset time period; an IP address is directly requested to download the resource corresponding to the URL; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; the resource corresponding to the URL is downloaded through a non-preset HTTP port of the resource server corresponding to the URL; the data length of the downloaded resource corresponding to the URL is not in a preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes by a multiple; the period of accessing the resource corresponding to the URL changes by fixed minutes; the resource corresponding to the URL is downloaded through an HFS server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; and the period of accessing the resource corresponding to the URL changes by an arithmetic difference.
Preferably, the preset rules include a first type of rule, a second type of rule and a third type of rule. The first type of rule includes: the time at which the resource corresponding to the URL is downloaded is outside a preset time period; an IP address is directly requested to download the resource corresponding to the URL; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; and the download goes through a non-preset HTTP port of the resource server corresponding to the URL. The second type of rule includes: the data length of the downloaded resource corresponding to the URL is not in a preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes by a multiple; and the period of accessing the resource corresponding to the URL changes by fixed minutes. The third type of rule includes: the resource corresponding to the URL is downloaded through an HFS server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; and the period of accessing the resource corresponding to the URL changes by an arithmetic difference;
the preset score of each rule in the preset rules comprises: the preset score of each rule in the first type of rule is a first score value; the preset score of each rule in the second type of rule is a second score value; the preset score of each rule in the third type of rule is a third score value; and the third score value is greater than the second score value, which is greater than the first score value.
Preferably, the calculating the target score of the target rule based on the preset score of each rule in the preset rules includes:
Determining a first quantity value of the target rule belonging to the first type of rule;
determining a second quantity value of the target rule belonging to the second class of rules;
determining a third quantity value of the target rule belonging to the third class of rules;
and taking, as the target score, the sum of the product of the first quantity value and the first score value, the product of the second quantity value and the second score value, and the product of the third quantity value and the third score value.
Preferably, the determining the security detection result of the URL to be detected based on the target score includes:
if the target score is in the first score range, determining the security detection result representing that the danger level of the URL to be detected is the first danger level;
if the target score is in the second score range, determining the security detection result representing that the risk level of the URL to be detected is a second risk level;
if the target score is in the third score range, determining the security detection result representing that the danger level of the URL to be detected is a third danger level;
Wherein a minimum score value of the third score range is greater than a maximum score value of the second score range, which is greater than a maximum score value of the first score range; and the third hazard level is higher in hazard than the second hazard level, which is higher in hazard than the first hazard level.
Preferably, the third score value is 1, the second score value is 0.5, and the first score value is 0.25;
the first score range is (1, 1.5), the second score range is (1.5, 2), and the third score range is (2, +∞).
Preferably, after the security detection result of the URL to be detected is determined based on the target score, the method further includes:
And if the security detection result is the third dangerous level, generating a security event.
Preferably, the URL to be detected is located in the device to be detected, and the method further includes:
counting the number of URLs to be detected in the device to be detected whose security detection result is the third danger level;
judging whether that number is larger than a preset number;
and if the number is larger than the preset number, marking the device to be detected as a compromised device.
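Putting the scoring claims above into working form, as an added example that is not code from the patent or from Sangfor: the rule identifiers are shortened names of my choosing, each score range is taken as closed at its lower bound (the claims state open intervals, so a boundary score such as 1.5 would otherwise fall into no range), and a score below the first range yields no danger level.

```python
"""Rule-weighted URL scoring per the claims (added example; assumptions:
shortened rule names, lower-bound-inclusive score ranges, no level below 1)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Preset rules grouped into the three classes named in the claims.
FIRST_TYPE = {
    "download_outside_time_period",
    "direct_ip_request",
    "dst_ip_in_malicious_library",
    "dst_ip_overseas",
    "non_preset_http_port",
}
SECOND_TYPE = {
    "length_outside_preset_range",
    "random_domain_name",
    "random_file_name",
    "period_changes_by_multiple",
    "period_changes_by_fixed_minutes",
}
THIRD_TYPE = {
    "downloaded_via_hfs_server",
    "content_mismatches_suffix",
    "period_changes_by_arithmetic_difference",
}
# Preset score per class: third (1) > second (0.5) > first (0.25).
SCORE_BY_CLASS = {1: 0.25, 2: 0.5, 3: 1.0}


def rule_class(rule: str) -> int:
    """Map a rule identifier to its class number (1, 2 or 3)."""
    if rule in FIRST_TYPE:
        return 1
    if rule in SECOND_TYPE:
        return 2
    if rule in THIRD_TYPE:
        return 3
    raise ValueError(f"unknown preset rule: {rule}")


def target_score(target_rules: Iterable[str]) -> float:
    """Sum over classes of (matched rules in class) x (class score).
    A rule is counted once even if the extractor reported it twice."""
    counts = {1: 0, 2: 0, 3: 0}
    for rule in set(target_rules):
        counts[rule_class(rule)] += 1
    return sum(counts[c] * SCORE_BY_CLASS[c] for c in counts)


def danger_level(score: float) -> Optional[int]:
    """Ranges (1, 1.5), (1.5, 2), (2, +inf) from the claims, lower bound
    taken as inclusive (assumption); None means no danger level assigned."""
    if score >= 2.0:
        return 3
    if score >= 1.5:
        return 2
    if score >= 1.0:
        return 1
    return None


@dataclass
class DetectionResult:
    url: str
    target_rules: List[str]
    score: float
    level: Optional[int]
    security_event: bool  # claim: a security event is generated at level 3


def detect_url(url: str, target_rules: Iterable[str]) -> DetectionResult:
    rules = sorted(set(target_rules))
    score = target_score(rules)
    level = danger_level(score)
    return DetectionResult(url, rules, score, level, level == 3)


def is_compromised_device(results: Iterable[DetectionResult], preset_number: int) -> bool:
    """Claim: mark the device when its count of level-3 URLs exceeds the preset number."""
    return sum(1 for r in results if r.level == 3) > preset_number


# Constructed sample: rule hits per URL for one device, as a rule extractor
# would report them (documentation IP ranges and example domains only).
SAMPLE_DEVICE_URLS: Dict[str, List[str]] = {
    "http://198.51.100.7:8081/update.exe": [
        "direct_ip_request", "non_preset_http_port", "content_mismatches_suffix"],
    "https://cdn.example.com/logo.png": [],
    "http://qzxkvjt.example/x7f3q9.bin": [
        "random_domain_name", "random_file_name",
        "downloaded_via_hfs_server", "period_changes_by_arithmetic_difference"],
    "http://203.0.113.5/a": [
        "direct_ip_request", "dst_ip_in_malicious_library",
        "dst_ip_overseas", "period_changes_by_fixed_minutes"],
}


def run_sample(preset_number: int = 1) -> Tuple[List[DetectionResult], bool]:
    results = [detect_url(u, r) for u, r in SAMPLE_DEVICE_URLS.items()]
    return results, is_compromised_device(results, preset_number)
```

Running `run_sample()` scores the four constructed URLs at 1.5, 0, 3.0 and 1.25 (levels 2, none, 3 and 1); only one URL reaches level 3, so with a preset number of 1 the device is not marked as compromised.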
An HTTP detection system, comprising:
the acquisition module is used for acquiring the URL to be detected;
the extraction module is used for extracting the preset rule met by the URL to be detected in the preset rule to obtain a target rule;
The calculation module is used for calculating the target score of the target rule based on the preset score of each rule in the preset rules;
The determining module is used for determining a security detection result of the URL to be detected based on the target score;
The types of the preset rules comprise: the time at which the resource corresponding to the URL is downloaded is outside a preset time period; an IP address is directly requested to download the resource corresponding to the URL; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; the resource corresponding to the URL is downloaded through a non-preset HTTP port of the resource server corresponding to the URL; the data length of the downloaded resource corresponding to the URL is not in a preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes by a multiple; the period of accessing the resource corresponding to the URL changes by fixed minutes; the resource corresponding to the URL is downloaded through an HFS server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; and the period of accessing the resource corresponding to the URL changes by an arithmetic difference.
An HTTP detection apparatus comprising:
a memory for storing a computer program;
A processor for implementing the steps of any one of the HTTP detection methods described above when executing the computer program.
A computer readable storage medium having stored therein a computer program which when executed by a processor implements the steps of any one of the HTTP detection methods described above.
According to the HTTP detection method provided by the application, in the preset rules, the preset rules which are met by the URL to be detected are extracted to obtain the target rules, so that the purposes of analyzing and screening the URL to be detected according to the preset rules are realized, and as the types of the preset rules are more and each rule can reflect a part of the safety of the URL, the target rules can comprehensively reflect the safety of the URL to be detected; because the security of the URL reflected by each rule is different in strength, the target score of the target rule is calculated based on the preset score of each rule in the preset rules, and the security detection result of the URL to be detected is determined based on the target score, so that the security of the URL to be detected can be accurately evaluated by means of the preset rules, the security of the HTTP is accurately evaluated, and the detection accuracy of the HTTP is improved. The HTTP detection system, the HTTP detection device and the computer readable storage medium provided by the application also solve the corresponding technical problems.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a first flowchart of an HTTP detection method according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an HTTP detection system according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an HTTP detection apparatus according to an embodiment of the present application;
Fig. 4 is another schematic structural diagram of an HTTP detection apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to fig. 1, fig. 1 is a first flowchart of an HTTP detection method according to an embodiment of the present application.
The HTTP detection method provided by the embodiment of the application can comprise the following steps:
Step S101: and obtaining the URL to be detected in the equipment to be detected.
In practical application, the URL to be detected in the device to be detected may be obtained first, where the device to be detected refers to a device with unknown security and needing to be detected, such as a server to be detected, a client to be detected, etc., and the URL to be detected refers to a URL with unknown security and needing to be detected on the device to be detected.
In a specific application scene, the execution main body of the HTTP detection method can be used for directly acquiring the URL to be detected and the like in the equipment to be detected in real time, or the HTTP log in the equipment to be detected can be acquired first, and then the URL to be detected and the like are analyzed in the HTTP log; and the obtained URLs to be detected may be multiple.
Step S102: extracting target rules from at least one URL to be detected, wherein the target rules meet preset rules.
In practical application, after obtaining the URL to be detected in the device to be detected, extracting a preset rule satisfied by at least one URL to be detected in the preset rule to obtain a target rule; the preset rules refer to rules reflecting the security of the URL, and each of the preset rules reflects a part of the security of the URL, and the target rule is a rule that the URL to be detected satisfies in the preset rules, so the target rule may reflect the security of the URL to be detected.
It should be noted that extracting, from the preset rules, the preset rules met by the URL to be detected to obtain the target rules amounts to collecting together all rules that the URL to be detected satisfies and that reflect the security of the URL; the subsequent security detection of the URL to be detected according to the target rules therefore amounts to a security analysis that combines all such rules, which ensures the accuracy of the security analysis of the URL to be detected.
Step S103: and calculating the target score of the target rule based on the preset score of each rule in the preset rules.
Step S104: determining a security detection result of the URL to be detected based on the target score. The types of the preset rules comprise: the time at which the resource corresponding to the URL is downloaded is outside a preset time period; an IP (Internet Protocol) address is directly requested to download the resource corresponding to the URL; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; the resource corresponding to the URL is downloaded through a non-preset HTTP port of the resource server corresponding to the URL; the data length of the downloaded resource corresponding to the URL is not in a preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes by a multiple; the period of accessing the resource corresponding to the URL changes by fixed minutes; the resource corresponding to the URL is downloaded through an HFS (Hierarchical File System) server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; and the period of accessing the resource corresponding to the URL changes by an arithmetic difference.
In practical application, each rule in the preset rules reflects the security of the URL to a different degree: some rules indicate lower URL security and others higher. The security of the URL to be detected, as reflected by the target rule, can therefore be evaluated flexibly according to the strength of each rule; for example, the target score of the target rule can be calculated based on the preset score of each rule in the preset rules, and the security detection result of the URL to be detected is then determined based on the target score.
In a specific application scenario, in the process of calculating the target score of the target rule based on the preset score of each rule in the preset rules, the sum of the preset scores of all rules in the target rule may be used as the target score, or the average of the preset scores of all rules in the target rule may be used as the target score, or of course, other methods for calculating the target score of the target rule may be used.
It should be noted that, the preset score of each rule in the preset rules may be determined by the strength of the URL security reflected by the rule, for example, the preset score of the rule reflecting the higher URL security is lower, and the preset score of the rule reflecting the lower URL security is higher, then, when determining the security detection result of the URL to be detected based on the target score, if the higher the target score is, the lower the security of the URL to be detected may be determined, and if the lower the target score is, the higher the security of the URL to be detected may be determined; accordingly, if the preset score reflecting the rule with higher URL security is higher, and the preset score reflecting the rule with lower URL security is lower, when determining the security detection result of the URL to be detected based on the target score, if the target score is higher, the higher the security of the URL to be detected may be determined, and if the target score is lower, the lower the security of the URL to be detected may be determined.
In addition, it should be noted that the types of the preset rules are set to the following because a URL satisfying any of them may be a dangerous URL: the time at which the resource corresponding to the URL is downloaded is outside the preset time period; an IP address is directly requested to download the resource corresponding to the URL; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; the resource is downloaded through a non-preset HTTP port of the resource server corresponding to the URL; the data length of the downloaded resource corresponding to the URL is not within the preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes by a multiple; the period of accessing the resource corresponding to the URL changes by fixed minutes; the resource corresponding to the URL is downloaded through an HFS server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; the period of accessing the resource corresponding to the URL changes by an arithmetic difference; and the like.
Furthermore, it should be noted that each rule is judged as follows.
When judging whether the URL to be detected meets the rule that the resource corresponding to the URL is downloaded outside the preset time period, the device to be detected acquires the time at which the resource corresponding to the URL to be detected was downloaded and judges whether that time is outside the preset time period; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that an IP address is directly requested to download the resource corresponding to the URL, it is judged whether the download address of the URL to be detected is directly an IP address; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the destination IP of the URL matches a malicious IP library, it is determined whether the destination IP of the URL to be detected, namely the IP of the resource server corresponding to the URL to be detected, is in the malicious IP library; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the destination IP of the URL matches an overseas IP, it is determined whether the destination IP of the URL to be detected belongs to an overseas IP; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the download goes through a non-preset HTTP port of the resource server corresponding to the URL, the HTTP download port provided by the resource server corresponding to the URL to be detected is acquired and it is judged whether that port is a non-preset HTTP download port; if so, the URL to be detected meets the rule, and if not, it does not. The non-preset HTTP download port can be an uncommonly used HTTP download port, and the like.
When judging whether the URL to be detected meets the rule that the data length of the downloaded resource corresponding to the URL is not in the preset length range, the data length of the resource downloaded from the resource server corresponding to the URL to be detected is acquired and it is judged whether that length is outside the preset length range; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the domain name of the URL is random, it is judged whether the domain name of the URL to be detected meets the preset random domain name requirement; if so, the URL to be detected meets the rule, otherwise it does not. The preset random domain name requirement can be determined according to actual needs; for example, it may be that the domain name is formed of meaningless, randomly chosen letters.
When judging whether the URL to be detected meets the rule that the file name of the resource corresponding to the URL is random, the resource corresponding to the URL to be detected is determined and it is judged whether that resource meets the random file name requirement; if so, the URL to be detected meets the rule, and if not, it does not. The random file name requirement can be determined according to actual needs; for example, it may be that the file name is formed of meaningless, randomly chosen letters.
When judging whether the URL to be detected meets the rule that the period of accessing the resource corresponding to the URL changes by a multiple, the access times at which the device to be detected accessed the corresponding resource on the corresponding resource server through the URL to be detected within a preset time length are acquired, and it is judged whether the access period changes by a multiple; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the period of accessing the resource corresponding to the URL changes by fixed minutes, the access times at which the device to be detected accessed the corresponding resource on the corresponding resource server through the URL to be detected within a preset time length are acquired, and it is judged whether the access period changes by fixed minutes; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the resource corresponding to the URL is downloaded through an HFS server, it is judged whether the URL to be detected carries an HFS download mark; if so, the URL to be detected meets the rule, and if not, it does not.
When judging whether the URL to be detected meets the rule that the file content of the downloaded resource corresponding to the URL does not match its suffix name, the resource file downloaded by the device to be detected from the corresponding resource server through the URL to be detected is acquired and it is judged whether the content of the resource file matches its suffix name; if not, the URL to be detected meets the rule, and if so, it does not.
When judging whether the URL to be detected meets the rule that the period of accessing the resource corresponding to the URL changes by an arithmetic difference, the access times at which the device to be detected accessed the corresponding resource on the corresponding resource server through the URL to be detected within a preset time length are acquired, and it is judged whether the access period changes by an arithmetic difference; if so, the URL to be detected meets the rule, and if not, it does not.
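Worked checks for several of the rules just described (direct IP request, non-preset HTTP port, download outside the time period, and the three access-period rules), as an added example that is not code from the patent or from Sangfor. PRESET_HTTP_PORTS, PRESET_TIME_PERIOD and the 5% jitter tolerance are my assumptions, and the access-time series are constructed.

```python
"""Checks for some of the preset rules (added example; the preset ports, the
preset time period and the 5% jitter tolerance are assumptions, since the
text does not fix them and real beacon intervals drift slightly)."""
from datetime import datetime, time, timedelta
from ipaddress import ip_address
from typing import Dict, List, Sequence
from urllib.parse import urlsplit

PRESET_HTTP_PORTS = {80, 443, 8080}             # assumption
PRESET_TIME_PERIOD = (time(8, 0), time(20, 0))  # assumption: working hours
TOLERANCE = 0.05                                # assumption: 5% relative jitter


def is_direct_ip_request(url: str) -> bool:
    """Rule: the download address is directly an IP address (v4 or v6)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def uses_non_preset_http_port(url: str) -> bool:
    """Rule: the resource server's download port is not a preset HTTP port."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return port not in PRESET_HTTP_PORTS


def download_outside_time_period(when: datetime) -> bool:
    """Rule: the download time lies outside the preset time period."""
    start, end = PRESET_TIME_PERIOD
    return not (start <= when.time() <= end)


def _intervals(times: Sequence[datetime]) -> List[float]:
    """Seconds between consecutive accesses, in time order."""
    ts = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def _close(a: float, b: float) -> bool:
    return abs(a - b) <= TOLERANCE * max(abs(a), abs(b), 1.0)


def period_changes_by_fixed_minutes(times: Sequence[datetime]) -> bool:
    """Rule: every access interval is the same whole number of minutes."""
    iv = _intervals(times)
    if len(iv) < 2:
        return False
    minutes = round(iv[0] / 60)
    return minutes >= 1 and all(_close(x, minutes * 60) for x in iv)


def period_changes_by_multiple(times: Sequence[datetime]) -> bool:
    """Rule: each interval is the previous one times a constant factor != 1."""
    iv = _intervals(times)
    if len(iv) < 3 or min(iv) <= 0:
        return False
    ratios = [b / a for a, b in zip(iv, iv[1:])]
    return not _close(ratios[0], 1.0) and all(_close(r, ratios[0]) for r in ratios)


def period_changes_by_arithmetic_difference(times: Sequence[datetime]) -> bool:
    """Rule: consecutive intervals differ by a constant non-zero amount."""
    iv = _intervals(times)
    if len(iv) < 3:
        return False
    diffs = [b - a for a, b in zip(iv, iv[1:])]
    return not _close(diffs[0], 0.0) and all(_close(d, diffs[0]) for d in diffs)


def matched_timing_rules(times: Sequence[datetime]) -> List[str]:
    """Names of the access-period rules the series satisfies."""
    checks = {
        "period_changes_by_fixed_minutes": period_changes_by_fixed_minutes,
        "period_changes_by_multiple": period_changes_by_multiple,
        "period_changes_by_arithmetic_difference": period_changes_by_arithmetic_difference,
    }
    return [name for name, fn in checks.items() if fn(times)]


# Constructed access-time series (minute offsets from one base time) for one
# device within a preset observation window; the base time is 02:30.
BASE_TIME = datetime(2021, 1, 5, 2, 30)
SAMPLE_ACCESS_TIMES: Dict[str, List[datetime]] = {
    "fixed":      [BASE_TIME + timedelta(minutes=m) for m in (0, 10, 20, 30, 40)],
    "multiple":   [BASE_TIME + timedelta(minutes=m) for m in (0, 1, 3, 7, 15)],
    "arithmetic": [BASE_TIME + timedelta(minutes=m) for m in (0, 1, 3, 6, 10)],
    "irregular":  [BASE_TIME + timedelta(minutes=m) for m in (0, 2, 3, 9, 11)],
}


def run_sample() -> Dict[str, List[str]]:
    return {name: matched_timing_rules(ts) for name, ts in SAMPLE_ACCESS_TIMES.items()}
```

The three period rules are mutually exclusive by construction: a constant interval is excluded from the multiple and arithmetic checks, so a plain 10-minute beacon matches only the fixed-minutes rule.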
According to the HTTP detection method provided by the application, in the preset rules, the preset rules which are met by the URL to be detected are extracted to obtain the target rules, so that the purposes of analyzing and screening the URL to be detected according to the preset rules are realized, and as the types of the preset rules are more and each rule can reflect a part of the safety of the URL, the target rules can comprehensively reflect the safety of the URL to be detected; because the security of the URL reflected by each rule is different in strength, the target score of the target rule is calculated based on the preset score of each rule in the preset rules, and the security detection result of the URL to be detected is determined based on the target score, so that the security of the URL to be detected can be accurately evaluated by means of the preset rules, the security of the HTTP is accurately evaluated, and the detection accuracy of the HTTP is improved.
In the HTTP detection method provided by the embodiment of the present application, since several rules in the preset rules may reflect URL security with the same strength, the rules may be classified according to that strength, the preset score of each rule determined by class, and the URL to be detected processed by class. For example, the preset rules may include a first type of rule, a second type of rule and a third type of rule, where the first type of rule includes: the time of downloading the resource corresponding to the URL is outside a preset time period, the resource corresponding to the URL is requested directly from an IP domain, the destination IP of the URL matches a malicious IP library, the destination IP of the URL matches an overseas IP, and the resource corresponding to the URL is downloaded through a non-preset HTTP port of its resource server; the second type of rule includes: the data length of the downloaded resource corresponding to the URL is not in a preset length range, the domain name of the URL is random, the file name of the resource corresponding to the URL is random, the period of accessing the resource corresponding to the URL changes according to a multiple, and the period of accessing the resource corresponding to the URL changes according to fixed minutes; the third type of rule includes: the resource corresponding to the URL is downloaded through an HFS server, the file content of the downloaded resource corresponding to the URL does not match its suffix name, and the period of accessing the resource corresponding to the URL changes according to an arithmetic difference;
Correspondingly, the preset score of each rule in the preset rules comprises: the preset score of each rule in the first class of rules is a first score value; the preset score of each rule in the second class of rules is a second score value; the preset score of each rule in the third class of rules is a third score value; and the third fraction value is greater than the second fraction value, which is greater than the first fraction value.
It should be noted that, because the technical scheme of the application divides the preset rules into the first, second and third types, the preset rules are classified, which makes their organized management and subsequent use convenient and can improve the efficiency of detecting the URL to be detected based on the preset rules.
In the HTTP detection method provided by the embodiment of the present application, the process of calculating the target score of the target rule based on the preset score of each rule in the preset rules may specifically be: determining a first quantity value of a target rule belonging to a first type of rule; determining a second quantity value of the target rule belonging to the second class of rules; determining a third quantity value of the target rule belonging to the third class of rules; and taking the sum of the product value of the first quantity value and the first fraction value, the product value of the second quantity value and the second fraction value and the product value of the third quantity value and the third fraction value as a target fraction.
In the technical scheme of the application, the numbers of target rules belonging to the first, second and third types are determined, and the product of the number of target rules of each type and the preset score of that type is taken directly as the score contributed by the target rules of that type: the product of the first quantity value and the first score value is the score of the target rules hit in the first type, the product of the second quantity value and the second score value is the score of the target rules hit in the second type, and the product of the third quantity value and the third score value is the score of the target rules hit in the third type. Finally the three products are added to obtain the target score of the target rules. The process of obtaining the target score is simple, which speeds up its calculation.
In order to facilitate understanding of dangerous situations of URLs to be detected, in the HTTP detection method provided by the embodiment of the present application, the dangerous levels of URLs to be detected may be classified based on the target score, so that the dangerous levels of URLs to be detected may be obtained according to the security detection result, that is, a process of determining the security detection result of URLs to be detected based on the target score may specifically be: if the target score is in the first score range, determining a security detection result representing that the risk level of the URL to be detected is the first risk level; if the target score is in the second score range, determining a security detection result representing that the risk level of the URL to be detected is the second risk level; if the target score is in the third score range, determining a security detection result representing that the risk level of the URL to be detected is a third risk level; wherein the minimum score value of the third score range is greater than the maximum score value of the second score range, and the minimum score value of the second score range is greater than the maximum score value of the first score range; and the third hazard level is higher in hazard than the second hazard level, which is higher in hazard than the first hazard level.
In the technical scheme of the application, a score range is assigned to each hazard level of the URL to be detected, so that the hazard level can be determined from the relation between the target score and the score ranges of the respective levels, and the corresponding security detection result obtained. This realizes the division of the URL to be detected into hazard levels, improves the detection accuracy, and lets the hazard level be read directly from the security detection result, which improves the efficiency of obtaining the detection result for the URL to be detected.
In the HTTP detection method provided by the embodiment of the present application, in order to improve the accuracy of HTTP detection, the third score value may be 1, the second score value may be 0.5, and the first score value may be 0.25;
the first score range may be (1, 1.5), the second score range may be (1.5, 2), and the third score range may be (2, +∞).
To illustrate the effect of the parameter values provided by the present application, servers and similar devices were detected with these parameter values, and the detection results are shown in Table 1.
TABLE 1 HTTP detection results
In Table 1, the number of clients with false alarms refers to the number of clients for which the HTTP detection method provided by the present application raised a false alarm. As Table 1 shows, the parameter values provided by the present application yield a low false alarm rate and high detection accuracy.
In the HTTP detection method provided by the embodiment of the present application, after determining the security detection result of the URL to be detected based on the target score, the URL to be detected corresponding to the security detection result representing the third risk level may be further marked as a risk URL; a security event is generated based on the hazard URL.
In the technical scheme provided by the application, the URL to be detected whose security detection result represents the third hazard level can be marked as a hazard URL, so that the hazard URL can be identified from the mark, and a security event is generated based on the hazard URL so that the hazard URL can be traced through the security event; that is, a security event is generated if the security detection result is the third hazard level.
It should be noted that the type of information included in the security event may be determined according to actual needs, for example, the security event may include information of the dangerous URL itself, information of a target rule corresponding to the dangerous URL, and so on.
In the HTTP detection method provided by the embodiment of the present application, after the URL to be detected whose security detection result represents the third hazard level is marked as a hazard URL, the number of URLs to be detected in the device to be detected whose security detection result is the third hazard level may also be counted; whether this number is larger than a preset number is judged; and if it is, the device to be detected is marked as a compromised device.
In the technical scheme provided by the application, whether the device to be detected is a compromised device is judged by comparing the real-time number of hazard URLs in the device to be detected with the preset number, so that a security judgment of the device to be detected is realized and its security can be analysed conveniently.
It should be noted that the preset number can be adjusted flexibly according to actual needs.
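The following Python code is an added example, not the patent's own implementation, that carries the scoring of the preceding paragraphs through end to end: it counts the target rules per class, computes the target score from the class score values given above (first class 0.25, second class 0.5, third class 1), maps the score to a hazard level with the score ranges given above, generates a security event for each third-level URL, and marks a device as compromised when its count of third-level URLs exceeds a preset number. The rule identifiers, the half-open reading of the score ranges, the "level 0" result for scores below the first range, the preset number used, and the sample URLs are assumptions of this example.

```python
"""Added example: three-class target-score calculation, hazard-level mapping,
security-event generation and compromised-device marking. Rule identifiers and
sample data are constructed for this example; score values and ranges are the
ones given in the description."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed identifiers for the thirteen preset rules, grouped into the three
# classes described in the text (1 = first type, 2 = second type, 3 = third type).
RULE_CLASS = {
    "download_outside_time_window": 1,
    "direct_ip_request": 1,
    "dst_ip_in_malicious_library": 1,
    "dst_ip_overseas": 1,
    "non_preset_http_port": 1,
    "data_length_out_of_range": 2,
    "random_domain_name": 2,
    "random_file_name": 2,
    "period_changes_by_multiple": 2,
    "period_fixed_minutes": 2,
    "downloaded_via_hfs": 3,
    "content_suffix_mismatch": 3,
    "period_arithmetic_difference": 3,
}

# Preset score per class: third > second > first, values from the description.
CLASS_SCORE = {1: 0.25, 2: 0.5, 3: 1.0}

# Score ranges (1, 1.5), (1.5, 2), (2, +inf), read as half-open [lo, hi) (assumption).
LEVEL_RANGES = [(1, 1.0, 1.5), (2, 1.5, 2.0), (3, 2.0, float("inf"))]


def target_score(target_rules: Iterable[str]) -> float:
    """Sum over classes of (number of target rules in the class) x (class score).
    A rule counted twice for one URL is deduplicated (assumption)."""
    counts = Counter(RULE_CLASS[r] for r in set(target_rules))  # KeyError on an unknown rule
    return sum(counts[c] * CLASS_SCORE[c] for c in CLASS_SCORE)


def hazard_level(score: float) -> int:
    """Map a target score to hazard level 1..3; 0 means below the first range (assumption)."""
    for level, lo, hi in LEVEL_RANGES:
        if lo <= score < hi:
            return level
    return 0


def security_event(device: str, url: str, target_rules: List[str]) -> Dict:
    """Event record for a third-level URL: the URL itself plus the rules it hit."""
    return {"device": device, "url": url, "level": 3,
            "target_rules": sorted(set(target_rules)), "score": target_score(target_rules)}


def detect(observations: List[Dict], preset_number: int) -> Dict:
    """observations: [{"device": ..., "url": ..., "target_rules": [...]}, ...].
    Returns per-URL levels, the security events and the compromised devices."""
    events = []
    third_level_per_device = defaultdict(int)
    levels = {}
    for obs in observations:
        lvl = hazard_level(target_score(obs["target_rules"]))
        levels[obs["url"]] = lvl
        if lvl == 3:
            events.append(security_event(obs["device"], obs["url"], obs["target_rules"]))
            third_level_per_device[obs["device"]] += 1
    compromised = sorted(d for d, n in third_level_per_device.items() if n > preset_number)
    return {"levels": levels, "events": events, "compromised_devices": compromised}


# Constructed sample: target rules already extracted per URL (rule extraction is
# the separate step the description covers above). Addresses are documentation ranges.
SAMPLE = [
    {"device": "host-A", "url": "http://198.51.100.7:8081/a7f3k2/update.jpg",
     "target_rules": ["direct_ip_request", "non_preset_http_port",
                      "random_file_name", "content_suffix_mismatch"]},
    {"device": "host-A", "url": "http://198.51.100.7:8081/b9c1/x.png",
     "target_rules": ["direct_ip_request", "downloaded_via_hfs",
                      "period_arithmetic_difference"]},
    {"device": "host-A", "url": "http://example.net/report.pdf",
     "target_rules": ["dst_ip_overseas"]},
    {"device": "host-B", "url": "http://203.0.113.9/cfg.zip",
     "target_rules": ["direct_ip_request", "random_domain_name", "period_fixed_minutes"]},
]

if __name__ == "__main__":
    print(detect(SAMPLE, preset_number=1))
```

With the sample, the first URL scores 0.25 + 0.25 + 0.5 + 1 = 2.0 and the second 0.25 + 1 + 1 = 2.25, both in the third range, so host-A accumulates two third-level URLs and, with a preset number of 1, is marked compromised; the third URL scores 0.25 and falls below every range, and host-B's single URL scores 1.25 (first level). Because the scores are multiples of 0.25, values exactly on a range boundary (1.5, 2.0) do occur, which is why the example fixes a half-open convention rather than leaving the boundaries to chance.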
Referring to fig. 2, fig. 2 is a schematic structural diagram of an HTTP detection system according to an embodiment of the present application.
The HTTP detection system provided by the embodiment of the present application may include:
an obtaining module 101, configured to obtain at least one URL to be detected;
The extracting module 102 is configured to extract a target rule from at least one URL to be detected, where the target rule meets a preset rule;
A calculating module 103, configured to calculate a target score of a target rule based on a preset score of each rule in the preset rules;
a determining module 104, configured to determine a security detection result of the URL to be detected based on the target score;
The types of preset rules include: the time of downloading the resource corresponding to the URL is outside a preset time period; the resource corresponding to the URL is requested directly from an IP domain; the destination IP of the URL matches a malicious IP library; the destination IP of the URL matches an overseas IP; the resource corresponding to the URL is downloaded through a non-preset HTTP port of its resource server; the data length of the downloaded resource corresponding to the URL is not in a preset length range; the domain name of the URL is random; the file name of the resource corresponding to the URL is random; the period of accessing the resource corresponding to the URL changes according to a multiple; the period of accessing the resource corresponding to the URL changes according to fixed minutes; the resource corresponding to the URL is downloaded through an HFS server; the file content of the downloaded resource corresponding to the URL does not match its suffix name; and the period of accessing the resource corresponding to the URL changes according to an arithmetic difference.
In the HTTP detection system provided by the embodiment of the present application, the preset rules may include a first type of rule, a second type of rule and a third type of rule, where the first type of rule includes: the time of downloading the resource corresponding to the URL is outside a preset time period, the resource corresponding to the URL is requested directly from an IP domain, the destination IP of the URL matches a malicious IP library, the destination IP of the URL matches an overseas IP, and the resource corresponding to the URL is downloaded through a non-preset HTTP port of its resource server; the second type of rule includes: the data length of the downloaded resource corresponding to the URL is not in a preset length range, the domain name of the URL is random, the file name of the resource corresponding to the URL is random, the period of accessing the resource corresponding to the URL changes according to a multiple, and the period of accessing the resource corresponding to the URL changes according to fixed minutes; the third type of rule includes: the resource corresponding to the URL is downloaded through an HFS server, the file content of the downloaded resource corresponding to the URL does not match its suffix name, and the period of accessing the resource corresponding to the URL changes according to an arithmetic difference;
the preset score of each of the preset rules may include: the preset score of each rule in the first class of rules is a first score value; the preset score of each rule in the second class of rules is a second score value; the preset score of each rule in the third class of rules is a third score value; and the third fraction value is greater than the second fraction value, which is greater than the first fraction value.
In the HTTP detection system provided by the embodiment of the present application, the calculating module may be specifically configured to: determine a first quantity value of target rules belonging to the first type of rule; determine a second quantity value of target rules belonging to the second type of rule; determine a third quantity value of target rules belonging to the third type of rule; and take the sum of the product of the first quantity value and the first score value, the product of the second quantity value and the second score value, and the product of the third quantity value and the third score value as the target score.
In the HTTP detection system provided by the embodiment of the present application, the determining module may be specifically configured to: if the target score is in the first score range, determine a security detection result representing that the hazard level of the URL to be detected is the first hazard level; if the target score is in the second score range, determine a security detection result representing that the hazard level of the URL to be detected is the second hazard level; if the target score is in the third score range, determine a security detection result representing that the hazard level of the URL to be detected is the third hazard level; wherein the minimum score value of the third score range is greater than the maximum score value of the second score range, and the minimum score value of the second score range is greater than the maximum score value of the first score range; and the third hazard level is higher in hazard than the second hazard level, which is higher in hazard than the first hazard level.
In the HTTP detection system provided by the embodiment of the present application, the third score value may be 1, the second score value may be 0.5, and the first score value may be 0.25;
the first score range may be (1, 1.5), the second score range may be (1.5, 2), and the third score range may be (2, +∞).
The HTTP detection system provided by the embodiment of the present application may further include:
a generating unit, configured to generate a security event if the security detection result is the third hazard level.
The HTTP detection system provided by the embodiment of the present application, where the URL to be detected is located in the device to be detected, may further include:
a statistics unit, configured to count the number of URLs to be detected in the device to be detected whose security detection result is the third hazard level;
a judging unit, configured to judge whether the number is larger than a preset number, and, if the number is larger than the preset number, mark the device to be detected as a compromised device.
The application also provides HTTP detection equipment and a computer readable storage medium, which have the corresponding effects of the HTTP detection method provided by the embodiment of the application. Referring to fig. 3, fig. 3 is a schematic structural diagram of an HTTP detection apparatus according to an embodiment of the present application.
An HTTP detection apparatus provided by an embodiment of the present application includes a memory 201 and a processor 202, where the memory 201 stores a computer program, and the processor 202 implements the steps of the HTTP detection method described in any of the above embodiments when executing the computer program.
Referring to fig. 4, another HTTP detection apparatus provided in an embodiment of the present application may further include: an input port 203 connected to the processor 202, for transmitting externally input commands to the processor 202; a display unit 204 connected to the processor 202, for displaying the processing result of the processor 202 to the outside; and a communication module 205 connected to the processor 202, for realizing communication between the HTTP detection apparatus and the outside. The display unit 204 may be a display panel, a laser scanning display, or the like; the communication means employed by the communication module 205 include, but are not limited to, Mobile High-Definition Link (MHL), Universal Serial Bus (USB), High Definition Multimedia Interface (HDMI), and wireless connections: wireless fidelity (WiFi), Bluetooth communication, Bluetooth Low Energy communication, and IEEE 802.11s based communication.
The embodiment of the application provides a computer readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the steps of the HTTP detection method described in any of the above embodiments are implemented.
The computer readable storage medium to which the present application relates includes Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, a non-volatile readable storage medium, or any other form of storage medium known in the art.
The description of the relevant parts in the HTTP detection system, the device and the computer readable storage medium provided in the embodiments of the present application refers to the detailed description of the corresponding parts in the HTTP detection method provided in the embodiments of the present application, and will not be repeated here. In addition, the parts of the above technical solutions provided in the embodiments of the present application, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An HTTP detection method, comprising:
Acquiring at least one URL to be detected;
Extracting a target rule from the at least one URL to be detected, wherein the target rule meets a preset rule;
calculating a target score of the target rule based on the preset score of each rule in the preset rules;
determining a security detection result of the URL to be detected based on the target score;
The preset rules comprise a first type rule, a second type rule and a third type rule, and the first type rule comprises: the time for downloading the resource corresponding to the URL is outside a preset time period, the resource corresponding to the URL is directly requested to be downloaded by the IP domain, the destination IP of the URL is matched with a malicious IP library, the destination IP of the URL is matched with overseas IP, and the resource is downloaded through a non-preset HTTP port of a resource server corresponding to the URL; the second type rule comprises that the data length of the downloaded URL corresponding resource is not in a preset length range, the domain name of the URL is random, the file name of the URL corresponding resource is random, the period of accessing the URL corresponding resource is changed according to multiple, and the period of accessing the URL corresponding resource is changed according to fixed minutes; the third type rule comprises that the URL corresponding resource is downloaded through the HFS server, the file content of the downloaded URL corresponding resource is not matched with the suffix name, and the period of accessing the URL corresponding resource is changed according to the equal difference;
the preset score of each rule in the preset rules comprises: the preset score of each rule in the first type of rule is a first score value; the preset score of each rule in the second class of rules is a second score value; the preset score of each rule in the third class of rules is a third score value; and the third fraction value is greater than the second fraction value, the second fraction value being greater than the first fraction value;
Wherein the determining the security detection result of the URL to be detected based on the target score includes:
if the target score is in the first score range, determining the security detection result representing that the danger level of the URL to be detected is the first danger level;
if the target score is in the second score range, determining the security detection result representing that the risk level of the URL to be detected is a second risk level;
if the target score is in the third score range, determining the security detection result representing that the danger level of the URL to be detected is a third danger level;
Wherein a minimum score value of the third score range is greater than a maximum score value of the second score range, which is greater than a maximum score value of the first score range; and the third hazard level is higher in risk than the second hazard level, which is higher in risk than the first hazard level;
wherein the URL to be detected is located in a device to be detected, the method further includes:
counting the number of the URLs to be detected, of which the security detection results are the third dangerous level, in the equipment to be detected;
Judging whether the number value is larger than a preset number or not;
and if the number value is larger than the preset number, marking the device to be detected as a compromised device.
2. The method of claim 1, wherein calculating the target score for the target rule based on the preset score for each of the preset rules comprises:
Determining a first quantity value of the target rule belonging to the first type of rule;
determining a second quantity value of the target rule belonging to the second class of rules;
determining a third quantity value of the target rule belonging to the third class of rules;
and taking the sum of the product value of the first quantity value and the first fraction value, the product value of the second quantity value and the second fraction value and the product value of the third quantity value and the third fraction value as the target fraction.
3. The method of claim 2, wherein the third score value is 1, the second score value is 0.5, and the first score value is 0.25;
the first score range is (1, 1.5), the second score range is (1.5, 2), and the third score range is (2, +∞).
4. A method according to claim 3, wherein after determining the security detection result of the URL to be detected based on the target score, further comprising:
And if the security detection result is the third dangerous level, generating a security event.
5. An HTTP detection system, comprising:
The acquisition module is used for acquiring at least one URL to be detected;
The extraction module is used for extracting a target rule from the at least one URL to be detected, wherein the target rule meets a preset rule;
The calculation module is used for calculating the target score of the target rule based on the preset score of each rule in the preset rules;
The determining module is used for determining a security detection result of the URL to be detected based on the target score;
The preset rules comprise a first type rule, a second type rule and a third type rule, and the first type rule comprises: the time for downloading the resource corresponding to the URL is outside a preset time period, the resource corresponding to the URL is directly requested to be downloaded by the IP domain, the destination IP of the URL is matched with a malicious IP library, the destination IP of the URL is matched with overseas IP, and the resource is downloaded through a non-preset HTTP port of a resource server corresponding to the URL; the second type rule comprises that the data length of the downloaded URL corresponding resource is not in a preset length range, the domain name of the URL is random, the file name of the URL corresponding resource is random, the period of accessing the URL corresponding resource is changed according to multiple, and the period of accessing the URL corresponding resource is changed according to fixed minutes; the third type rule comprises that the URL corresponding resource is downloaded through the HFS server, the file content of the downloaded URL corresponding resource is not matched with the suffix name, and the period of accessing the URL corresponding resource is changed according to the equal difference;
the preset score of each rule in the preset rules comprises: the preset score of each rule in the first type of rule is a first score value; the preset score of each rule in the second class of rules is a second score value; the preset score of each rule in the third class of rules is a third score value; and the third fraction value is greater than the second fraction value, the second fraction value being greater than the first fraction value;
Wherein, the determining module is used for: if the target score is in the first score range, determining the security detection result representing that the danger level of the URL to be detected is the first danger level; if the target score is in the second score range, determining the security detection result representing that the risk level of the URL to be detected is a second risk level; if the target score is in the third score range, determining the security detection result representing that the danger level of the URL to be detected is a third danger level; wherein a minimum score value of the third score range is greater than a maximum score value of the second score range, which is greater than a maximum score value of the first score range; and the third hazard level is higher in risk than the second hazard level, which is higher in risk than the first hazard level;
wherein the URL to be detected is located in a device to be detected, and the system further comprises:
the statistics unit is used for counting the number value of the URLs to be detected, of which the security detection results are the third dangerous level, in the equipment to be detected;
The judging unit is used for judging whether the number value is larger than a preset number or not; and if the number value is larger than the preset number, marking the device to be detected as a compromised device.
6. An HTTP detection apparatus, characterized by comprising:
a memory for storing a computer program;
a processor for implementing the steps of the HTTP detection method as claimed in any one of claims 1 to 4 when executing the computer program.
7. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, implements the steps of the HTTP detection method according to any of claims 1 to 4.
CN202011519748.4A 2020-12-21 2020-12-21 HTTP detection method, system, equipment and computer storage medium Active CN114650158B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011519748.4A CN114650158B (en) 2020-12-21 2020-12-21 HTTP detection method, system, equipment and computer storage medium


Publications (2)

Publication Number Publication Date
CN114650158A CN114650158A (en) 2022-06-21
CN114650158B true CN114650158B (en) 2024-10-22

Family

ID=81990067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011519748.4A Active CN114650158B (en) 2020-12-21 2020-12-21 HTTP detection method, system, equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN114650158B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103327029A (en) * 2013-07-09 2013-09-25 腾讯科技(深圳)有限公司 Malicious URL (Uniform Resource Locator) detection method and malicious URL detection device
CN110336835A (en) * 2019-08-05 2019-10-15 深信服科技股份有限公司 Detection method, user equipment, storage medium and the device of malicious act

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8020206B2 (en) * 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
US8826426B1 (en) * 2011-05-05 2014-09-02 Symantec Corporation Systems and methods for generating reputation-based ratings for uniform resource locators
CN104766014B (en) * 2015-04-30 2017-12-01 安一恒通(北京)科技有限公司 Method and system for detecting malicious website
CN105141598B (en) * 2015-08-14 2018-11-20 中国传媒大学 APT attack detection method and device based on the detection of malice domain name



Similar Documents

Publication Publication Date Title
US12348561B1 (en) Detection of phishing attacks using similarity analysis
CN111401416B (en) Abnormal website identification method and device and abnormal countermeasure identification method
CN107888571B (en) Multi-dimensional webshell intrusion detection method and system based on HTTP log
CN109862003B (en) Method, device, system and storage medium for generating local threat intelligence library
CN111756724A (en) Detection method, device and equipment for phishing website and computer readable storage medium
CN105635064B (en) CSRF attack detection method and device
CN107995179B (en) Unknown threat sensing method, device, equipment and system
CN113518077A (en) Malicious web crawler detection method, device, equipment and storage medium
CN112532624B (en) Black chain detection method and device, electronic equipment and readable storage medium
CN113190838A (en) Web attack behavior detection method and system based on expression
CN107766224B (en) Test method and test device
CN112668005A (en) Webshell file detection method and device
CN107786529B (en) Website detection method, device and system
CN111131166B (en) User behavior prejudging method and related equipment
CN112765502A (en) Malicious access detection method and device, electronic equipment and storage medium
CN117040779A (en) Network abnormal access information acquisition method and device
CN114650158B (en) HTTP detection method, system, equipment and computer storage medium
CN111683089B (en) Method, server, medium and computer equipment for identifying phishing website
CN110457900B (en) Website monitoring method, device, equipment and readable storage medium
CN114079576A (en) Security defense method, device, electronic device and medium
CN107995167B (en) Equipment identification method and server
CN114640492B (en) URL detection method, system, equipment and computer readable storage medium
KR20210076455A (en) Method and apparatus for automated verifying of xss attack
CN111104618A (en) Webpage skipping method and device
CN118101251A (en) Access control method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant