CN116192527A - Attack traffic detection rule generation method, device, equipment and storage medium - Google Patents


Info

Publication number: CN116192527A
Authority: CN (China)
Prior art keywords: malicious, attack, byte sequence, preset, features
Legal status: Granted
Application number: CN202310210967.1A
Other languages: Chinese (zh)
Other versions: CN116192527B (en)
Inventors: 顾钊铨, 杜磊, 方滨兴, 贾焰, 罗翠, 周可, 袁华平, 余涛, 陈元
Current assignee: Peng Cheng Laboratory
Original assignee: Peng Cheng Laboratory

Events:
Application filed by Peng Cheng Laboratory
Priority to CN202310210967.1A
Publication of CN116192527A
Application granted
Publication of CN116192527B
Legal status: Active

Abstract

The application discloses a method, a device, equipment and a readable storage medium for generating attack flow detection rules, wherein the method comprises the following steps: acquiring a data packet carried by abnormal traffic, and determining a first byte sequence belonging to attack traffic from the data packet based on a preset classification model; extracting malicious features in the first byte sequence based on a preset labeling model; determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used for extracting the related malicious features; mapping the set formed by the malicious features and the related malicious features to corresponding rule keywords to generate detection rules. The method and the device can accurately identify the attack traffic and generate the detection rule for the attack traffic.

Description

Translated from Chinese
Attack traffic detection rule generation method, device, equipment and storage medium

Technical field

The present application relates to the field of Internet technology, and in particular to a method, device, equipment and storage medium for generating attack traffic detection rules.

Background

With the growth of cloud services, the proportion of web application services has risen sharply. Security protection for web application services is therefore particularly important. These services are protected mainly by intrusion detection systems, which discover malicious events and raise alerts by monitoring network traffic or host behaviour; the alerts an intrusion detection system raises depend mainly on the attack traffic detection rule set inside the system.

In the related art, the schemes for generating detection rules for attack traffic are mainly terminal-side program analysis and network-side common substring/subset extraction. When identifying network attack traffic, both schemes rely mainly on honeypots, honeynets and anomaly detection; they cannot identify attack traffic accurately and therefore cannot generate rules for it. That is, in network security protection it is not possible to accurately identify attack traffic and generate detection rules for it.

Summary of the invention

The main purpose of the present application is to provide a method, device, equipment and storage medium for generating attack traffic detection rules, aiming to solve the technical problem in the related art that attack traffic cannot be accurately identified and detection rules cannot be generated for it.

To achieve the above purpose, an embodiment of the present application provides a method for generating attack traffic detection rules, the method comprising:

acquiring the data packets carried by abnormal traffic, and determining, based on a preset classification model, the string sequence belonging to attack traffic from the data packets;

extracting malicious features from the string sequence based on a preset labeling model;

determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features;

mapping the set composed of the malicious features and the related malicious features to rule keywords in an intrusion detection system to generate detection rules.

In a possible implementation of the present application, the step of extracting malicious features from the string sequence based on a preset labeling model includes:

converting the string sequence into a byte sequence, labeling the byte sequence based on the preset labeling model, and outputting a labeled byte sequence;

determining the position information of malicious bytes according to the multiple label types of the labeled byte sequence;

extracting the malicious features from the string sequence according to the position information.

In a possible implementation of the present application, the step of determining the position information of malicious bytes according to the multiple label types of the labeled byte sequence includes:

determining the middle labeled bytes according to the multiple label types of the labeled byte sequence;

determining the position information of malicious bytes based on the positions of the middle labeled bytes in the labeled byte sequence, wherein the middle labeled bytes correspond to malicious bytes.

In a possible implementation of the present application, the step of determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features, includes:

determining the position information of the malicious features according to the malicious features and the preset attack template, and extracting the sibling nodes and parent node adjacent to the malicious features;

determining the related malicious features according to the sibling nodes and the parent node.

In a possible implementation of the present application, before the step of determining, based on the preset classification model, the string sequence belonging to attack traffic from the data packets, the method includes:

reassembling the data packets to obtain stream data;

according to the application-layer data obtained by processing the stream data, dividing the application-layer data into multiple string list items, and converting the string list items into corresponding byte sequences;

and the step of determining, based on the preset classification model, the string sequence belonging to attack traffic from the data packets includes:

recognizing each input byte sequence based on the preset classification model to obtain a predicted recognition result;

according to the predicted recognition result, determining the first byte sequence belonging to attack traffic among the byte sequences, and converting the first byte sequence into the string sequence belonging to attack traffic.

In a possible implementation of the present application, after the step of determining, according to the predicted recognition result, the first byte sequence belonging to attack traffic among the byte sequences and converting the first byte sequence into the string sequence belonging to attack traffic, the method includes:

determining the attack type of the output string sequence according to the string sequence;

visually displaying the attack type of the string sequence.

In a possible implementation of the present application, the step of mapping the set composed of the malicious features and the related malicious features to rule keywords in the intrusion detection system to generate detection rules includes:

taking the malicious features and the related malicious features as the malicious feature set of a single attack flow or of multiple attack flows, and mapping it to the corresponding rule keywords;

generating detection rules according to the rule keywords.

The present application also provides an attack traffic detection rule generation device, which includes:

an acquisition module, configured to acquire the data packets carried by abnormal traffic and determine, based on a preset classification model, the string sequence belonging to attack traffic from the data packets;

an extraction module, configured to extract malicious features from the string sequence based on a preset labeling model;

a determination module, configured to determine related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features;

a generation module, configured to map the set composed of the malicious features and the related malicious features to rule keywords in an intrusion detection system to generate detection rules.

The present application also provides attack traffic detection rule generation equipment. The equipment is a physical node device and includes a memory, a processor, and a program for the attack traffic detection rule generation method that is stored in the memory and executable on the processor; when executed by the processor, the program implements the steps of the attack traffic detection rule generation method described above.

To achieve the above purpose, a storage medium is also provided, on which an attack traffic detection rule generation program is stored; when executed by a processor, the program implements the steps of any of the attack traffic detection rule generation methods described above.

The present application provides a method, device, equipment and storage medium for generating attack traffic detection rules. Unlike the related art, which relies on honeypots, honeynets and anomaly detection, cannot accurately identify attack traffic, and therefore cannot generate corresponding detection rules, the present application acquires the data packets carried by abnormal traffic and determines, based on a preset classification model, the first byte sequence belonging to attack traffic from the data packets; extracts the malicious features from the first byte sequence based on a preset labeling model; determines related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features; and maps the set composed of the malicious features and the related malicious features to corresponding rule keywords to generate detection rules.
It can be understood that in the present application the preset classification model determines, from the acquired data packets carried by the abnormal traffic, the first byte sequence that belongs to attack traffic; the preset labeling model then extracts the malicious features from the first byte sequence, that is, determines which bytes of the first byte sequence belong to malicious features; the preset attack template then determines the related malicious features adjacent to the malicious features, and the related malicious features and the malicious features are combined into one malicious feature set. Because the malicious features of the attack traffic alone cannot fully express the conditions under which a vulnerability is triggered, the corresponding related malicious features are determined as well, and the malicious feature set is mapped to the rule keywords of the intrusion detection system, which ensures that attack traffic is identified accurately and detection rules are generated for it.

Description of the drawings

Fig. 1 is a schematic flow chart of the first embodiment of the attack traffic detection rule generation method of the present application;

Fig. 2 is a schematic diagram of the overall execution flow of the attack traffic detection rule generation method of the present application;

Fig. 3 is a schematic diagram of the device structure of the hardware operating environment involved in the embodiments of the present application;

Fig. 4 is a schematic diagram of the workflow of the preset classification model and the preset labeling model in the attack traffic detection rule generation method of the present application;

Fig. 5 is a schematic diagram of the preset attack template in the attack traffic detection rule generation method of the present application.

Detailed description

It should be understood that the specific embodiments described here are only intended to explain the present application and not to limit it.

An embodiment of the present application provides a method for generating attack traffic detection rules. In the first embodiment of the method, referring to Fig. 1, the method is applied to a verification component and includes:

Step S10: acquiring the data packets carried by abnormal traffic, and determining, based on a preset classification model, the first byte sequence belonging to attack traffic from the data packets;

Step S20: extracting malicious features from the first byte sequence based on a preset labeling model;

Step S30: determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features;

Step S40: mapping the set composed of the malicious features and the related malicious features to corresponding rule keywords to generate detection rules.

The purpose of this embodiment is to accurately identify attack traffic and generate detection rules for it.

The specific steps are as follows:

Step S10: acquiring the data packets carried by abnormal traffic, and determining, based on a preset classification model, the first byte sequence belonging to attack traffic from the data packets;

As an example, the attack traffic detection rule generation method may be applied to an attack traffic detection rule generation device; the device belongs to an attack traffic detection rule generation system, and the system belongs to the attack traffic detection rule generation equipment.

As an example, the method may be applied in the scenario where external traffic intrudes into a system and the intrusion detection system monitors network traffic, discovers malicious events and raises alerts.

As an example, abnormal traffic may be acquired by receiving the abnormal traffic of an external intrusion; the abnormal traffic includes multiple data packets.

As an example, because of limits on how much data can be transmitted at once, data packets are split during transmission and reassembled after transmission completes. Before the data packets are input to the preset classification model they must be reassembled, and only then processed further.

As an example, the preset classification model is specifically a byte-stream classification model. The byte-stream classification model classifies the input bytes with a token-free approach, which avoids the problem that the model cannot recognize input effectively when every out-of-vocabulary word (also called a token) is marked as (UNK). Because the byte-stream classification model takes bytes as input, the acquired data packets are preprocessed into byte sequences before being input to the model, and the resulting byte sequences are then input to the byte-stream classification model.

As an example, the preset classification model is a multi-class classification model trained with the SoftMax loss function; it is already trained when used. After classifying the bytes, a result label is determined for each byte sequence; the result label may be "normal" or the name of an attack category, and the byte sequences in the data packets that belong to attack traffic are determined from the result labels.

As an example, the first byte sequence is the output byte sequence after classification, specifically the byte sequence judged to be attack traffic. When the preset classification model judges attack traffic to obtain the first byte sequence, it can only determine that the first byte sequence belongs to attack traffic; the first byte sequence still contains much content unrelated to the attack, so further processing of the first byte sequence is needed.

Step S20: extracting malicious features from the first byte sequence based on a preset labeling model;

As an example, the preset labeling model is specifically a byte-stream sequence labeling model used to extract the malicious features from the first byte sequence. The model is trained with CER (Character Error Rate) as the loss function, and it is already trained when used to extract malicious features.

As an example, the workflow of the byte-stream classification model and the byte-stream sequence labeling model is shown in Fig. 4.

As an example, when the preset labeling model labels a byte sequence, each byte of the sequence is fed in turn into the Encoder module of the sequence labeler, and the Decoder module produces a corresponding predicted label for each input byte.

As an example, the preset labeling model labels bytes to determine the position information of the malicious features in the first byte sequence; by labeling the input byte sequence it determines the malicious features in the first byte sequence and extracts them.

As an example, the preset labeling model produces a label for every byte of the input first byte sequence, and the bytes belonging to malicious features are determined from the different label outputs.

As an example, a malicious feature may be malicious bytes, that is, one or more labeled bytes related to the attack.

As an example, once the malicious features are determined, the parts of the input byte sequence unrelated to the attack can be excluded, and only the byte sequences related to the attack are extracted.

Step S30: determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features;

As an example, the message data sent by a client is called an HTTP request message, and consists of a request line, request headers, a blank line and a request body.

As an example, the message content the server returns to the client is called an HTTP response message, and consists of a status line, response headers, a blank line and a response body.

As an example, the preset attack template is specifically an attack feature template applicable to multiple attack categories. The preset attack template processes the data packets into application-layer data, analyzes the HTTP requests and responses in the application-layer data, and builds the application-layer data into a tree structure, splitting it according to the HTTP protocol format into request/response line, request/response headers and request/response body, so as to determine the related malicious features adjacent to the malicious features.

As an example, because the data structure of the request/response body is complex and contains multiple data structures such as JSON and XML, it needs particular analysis and is built into a tree structure, as shown in Fig. 5.

As an example, the related malicious features include the sibling nodes and parent node adjacent to the root node to which the malicious feature belongs, as well as http_uri and http_method.

As an example, http_uri and http_method are attribute-value pairs (key-value) obtained by splitting the traffic with deep packet inspection (DPI). When an attacker launches an attack, the attack traffic must contain one of these parameters or a combination of both; http_uri and http_method are therefore equivalent to necessary conditions for carrying out the attack.

The step of determining related malicious features adjacent to the malicious features according to the malicious features and a preset attack template, wherein the preset attack template is used to extract the related malicious features, includes:

Step S31: determining the position information of the malicious feature according to the malicious feature and the preset attack template, and extracting the sibling nodes and parent node adjacent to the root node to which the malicious feature belongs;

As an example, after the position information of the malicious feature is determined, the root node where the malicious feature is located can be determined accordingly from the tree structure that the preset attack template builds according to the HTTP protocol format.

As an example, using only the malicious features related to the attack cannot fully express the conditions for triggering and exploiting a vulnerability and leads to false negatives and false positives; therefore the related malicious features close to the malicious features need to be determined.

As an example, a sibling node is a node adjacent to the root node to which the malicious feature belongs; the sibling node and that root node share the same parent node.

As an example, the parent node is the node immediately above the root node to which the malicious feature belongs; that root node is a child node of the parent node.

Step S32: determining the related malicious features according to the sibling nodes and the parent node.

As an example, once the sibling nodes and parent node are determined, the sibling nodes and parent node, together with the http_uri and http_method in the tree structure corresponding to each node, are taken as the related malicious features.

步骤S40,将所述恶意特征和所述相关恶意特征组成的集合映射至相应的规则关键字,生成检测规则。Step S40, mapping the set composed of the malicious features and the related malicious features to corresponding rule keywords to generate detection rules.

作为一种示例,规则关键字为系统中预设的检测规则集中的关键字,一个规则关键字对应一个或多个恶意特征。As an example, the rule keywords are keywords in a preset detection rule set in the system, and one rule keyword corresponds to one or more malicious features.

As an example, the detection rule is generated by establishing a one-to-one correspondence between the set formed by the malicious features and the related malicious features and the rule keywords.

The step of mapping the set composed of the malicious features and the related malicious features to rule keywords of the intrusion detection system to generate a detection rule includes:

Step S41: take the malicious features and the related malicious features as the malicious feature set of a single attack flow or of multiple attack flows, and map it to the corresponding rule keywords;

As an example, in the related art, identifying attack traffic and generating detection rules requires analysing multiple attack flows before the procedure can run at all, and the generated rules contain too many features that are unrelated to the attack, so that when the generated detection rules are actually used they miss too many attacks and the protection of network security falls short.

In this embodiment, the malicious feature set composed of the malicious features and the related malicious features can serve as the malicious features of a single attack flow, so a rule can be generated even from a single attack flow, and features unrelated to the attack are excluded, which avoids missed alerts.

Step S42: generate the detection rule according to the rule keywords.

As an example, the rule keyword corresponding to a malicious feature may be a single keyword or a set of several rule keywords; the detection rule changes in real time with the attack traffic, so that network traffic is monitored accurately and in real time.

As an example, the detection rule is the set of rule keywords obtained by the mapping.
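The following is an added illustration of steps S41 and S42, not code from the patent or its applicant. It assumes that the intrusion detection system's rule keywords are Snort 2-style `content` keywords with an HTTP buffer modifier (`http_uri`), and that the rule header, the `flow`/`classtype` options and the `sid`/`rev` numbering are supplied by the deployment; the `MaliciousFeatureSet` container and the sample SQL injection features are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class MaliciousFeatureSet:
    """Constructed container for step S41: the malicious features extracted by
    the labeling model plus the related (sibling/parent) features supplied by
    the attack template, for one attack flow."""
    attack_type: str
    malicious: List[bytes]
    related: List[bytes]
    buffer: str = "http_uri"  # assumed: the HTTP buffer the features were seen in


def content_escape(feature: bytes) -> str:
    """Render a feature as a Snort-style content string: printable ASCII stays
    literal; bytes that are non-printable or special to the rule language
    (; " \\ |) are emitted as |xx| hex groups."""
    out, hex_run = [], []

    def flush():
        if hex_run:
            out.append("|" + " ".join(hex_run) + "|")
            hex_run.clear()

    for b in feature:
        if 0x20 <= b < 0x7F and chr(b) not in ';"\\|':
            flush()
            out.append(chr(b))
        else:
            hex_run.append(f"{b:02x}")
    flush()
    return "".join(out)


def feature_set_to_keywords(fs: MaliciousFeatureSet) -> List[str]:
    """Step S41: one `content` keyword per distinct feature, malicious features first."""
    seen, keywords = set(), []
    for feature in fs.malicious + fs.related:
        if feature in seen:
            continue
        seen.add(feature)
        keywords.append(f'content:"{content_escape(feature)}"; {fs.buffer};')
    return keywords


def generate_rule(fs: MaliciousFeatureSet, sid: int, rev: int = 1) -> str:
    """Step S42: assemble the mapped keywords into one Snort 2-style rule line.
    Header and non-content options are assumed; sid/rev come from the deployment."""
    options = " ".join(feature_set_to_keywords(fs))
    return (
        "alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS "
        f'(msg:"{fs.attack_type} (auto-generated)"; flow:to_server,established; '
        f"{options} classtype:web-application-attack; sid:{sid}; rev:{rev};)"
    )


# Constructed sample: a SQL injection feature set from a single attack flow.
# The related list repeats the malicious feature to show de-duplication.
SAMPLE_SET = MaliciousFeatureSet(
    attack_type="SQL injection",
    malicious=[b"' OR 1=1;--"],
    related=[b"id=", b"' OR 1=1;--"],
)

if __name__ == "__main__":
    print(generate_rule(SAMPLE_SET, sid=1000001))
```

Because every feature in the set becomes its own `content` keyword, the rule only fires when the malicious bytes and their adjacent related bytes all occur in the same request, which is what keeps a rule generated from a single flow from matching unrelated traffic.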

In this embodiment, the overall execution flow is shown schematically in Figure 2. A packet is received and it is judged whether the received packet needs reassembly; if so, the packet is reassembled to obtain flow data, otherwise the received packet is processed directly as flow data. It is then judged whether traversal of all flow data has finished; if so, the process goes directly to the last step, otherwise the flow data is processed according to the HTTP protocol to obtain application-layer data. The HTTP request or response data of the application-layer data is divided into several string list items, and it is judged whether traversal of the list has finished; if so, the process returns to the flow-data judgement step, otherwise the string list item is converted into a byte sequence, and the byte-stream classification model judges whether the byte sequence is normal or some kind of attack sequence. When it is judged to be an attack-related byte sequence, the malicious features and the related malicious features are obtained according to the byte-stream sequence labeling model and the preset attack template, and the set composed of the malicious features and the related malicious features is mapped to rule keywords, thereby generating the detection rule.

The present application provides an attack traffic detection rule generation method, apparatus, device and storage medium. Compared with methods in the related art that rely on honeypots, honeynets and anomaly detection, which cannot accurately identify attack traffic and therefore cannot generate the corresponding attack traffic detection rules, the present application obtains the packets carried by abnormal traffic and, based on a preset classification model, determines from the packets a first byte sequence belonging to attack traffic; extracts malicious features from the first byte sequence based on a preset labeling model; determines, according to the malicious features and a preset attack template, related malicious features adjacent to the malicious features, where the preset attack template is used to extract the related malicious features;

and maps the set composed of the malicious features and the related malicious features to the corresponding rule keywords to generate the detection rule. It can be understood that in the present application, the preset classification model is applied to the packets carried by the obtained abnormal traffic to determine the first byte sequence, belonging to attack traffic, within the abnormal traffic; the preset labeling model then extracts the malicious features from the first byte sequence, determining which bytes of the first byte sequence belong to the malicious features; then, according to the preset attack template, the related malicious features adjacent to the malicious features are determined, and the related malicious features and the malicious features are taken together as one malicious feature set. Because the malicious features of the attack traffic alone cannot fully express the conditions that trigger the vulnerability, the corresponding related malicious features are determined as well, and the malicious feature set is mapped to the rule keywords of the intrusion detection system, which ensures that the attack traffic is identified accurately and the detection rule is generated.

Further, based on the first embodiment of the present application, another embodiment of the present application is provided. In this embodiment, the step of extracting the malicious features from the first byte sequence based on the preset labeling model includes:

Step A1: label the first byte sequence based on the preset labeling model, and output a labeled byte sequence;

As an example, every byte of the first byte sequence input to the preset labeling model corresponds to one predicted label output; once the predicted label outputs are determined, the labeled byte sequence is output.

As an example, the predicted label output corresponds to several label types, each represented by a number or an English letter.

As an example, the predicted label output may take the values 0, B, I and E: 0 means no label, B marks the beginning of a label, I marks the middle, and E marks the end. Among the four label types, the bytes carrying the middle label are the bytes related to the attack; the B and E labels delimit the position of the middle label; and 0 means unlabeled, that is, an unlabeled byte is unrelated to the attack. This is shown in Figure 4.

Step A2: determine the position information of the malicious bytes according to the several label types of the labeled byte sequence;

As an example, the four label types (predicted label outputs) make it possible to determine the positions, within the labeled byte sequence, of the malicious bytes and of the bytes unrelated to the attack.

Step A3: extract the malicious features from the first byte sequence according to the position information.

As an example, the malicious features are extracted from the first byte sequence according to the position information of the corresponding malicious bytes and taken as the output; the output byte sequence is converted into a character sequence according to the byte-to-character correspondence.

The step of determining the position information of the malicious bytes according to the several label types of the labeled byte sequence includes:

Step B1: determine the middle-labeled bytes according to the several label types of the labeled byte sequence;

As an example, the bytes carrying the middle label are selected according to the several label types in the labeled byte sequence.

Step B2: determine the position information of the malicious bytes based on the positions of the middle-labeled bytes in the labeled byte sequence, where the middle-labeled bytes correspond to the malicious bytes.

As an example, because of the positions the four label types occupy among the bytes, the positions of the middle-labeled bytes can be determined, and a middle-labeled byte is exactly a labeled malicious byte.

As an example, labeling the bytes makes it possible to account for every byte of the input byte sequence, so the corresponding malicious bytes can be identified accurately.

In this embodiment, the preset labeling model labels the input first byte sequence, thereby determining the position information of the malicious features; since every byte has its own predicted label output, the accuracy of identifying malicious features is improved.
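The following added example (not code from the patent) works through steps A2, A3, B1 and B2 on a hand-labeled byte sequence: it locates the runs of middle (I) labels, checks that each run is delimited by B and E, and cuts the corresponding bytes out of the first byte sequence as character strings. The labels stand in for the labeling model's output, and the convention that B sits on the byte immediately before a feature and E on the byte immediately after it is an assumption of the example, not a statement about the patent's Figure 4.

```python
from typing import List, Tuple

LABELS = ("0", "B", "I", "E")  # no label, begin, middle (inside), end


def malicious_spans(labels: List[str]) -> List[Tuple[int, int]]:
    """Steps B1/B2: return [start, end) index ranges of consecutive middle (I)
    labels; these positions are the malicious bytes."""
    spans, start = [], None
    for i, lab in enumerate(labels):
        if lab not in LABELS:
            raise ValueError(f"unknown label {lab!r} at position {i}")
        if lab == "I":
            if start is None:
                start = i
        elif start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, len(labels)))
    return spans


def is_well_formed(labels: List[str]) -> bool:
    """Check the B/E delimiters: every I run must be immediately preceded by B
    and followed by E, and there must be no stray B or E elsewhere. A model
    that emits I runs without delimiters should be treated as unreliable."""
    spans = malicious_spans(labels)
    for start, end in spans:
        if start == 0 or labels[start - 1] != "B":
            return False
        if end >= len(labels) or labels[end] != "E":
            return False
    return labels.count("B") == len(spans) and labels.count("E") == len(spans)


def extract_malicious_features(byte_seq: bytes, labels: List[str]) -> List[str]:
    """Steps A2/A3: slice the malicious bytes out of the first byte sequence by
    label position and convert each slice to a character sequence. latin-1 is
    used because it maps every byte value to exactly one character."""
    if len(byte_seq) != len(labels):
        raise ValueError("the labeling model must emit exactly one label per byte")
    return [byte_seq[s:e].decode("latin-1") for s, e in malicious_spans(labels)]


# Constructed sample: a labeled query string (18 bytes, 18 labels).
SAMPLE_BYTES = b"id=1' OR 1=1--&x=2"
SAMPLE_LABELS = ["0"] * 3 + ["B"] + ["I"] * 10 + ["E"] + ["0"] * 3

if __name__ == "__main__":
    print(malicious_spans(SAMPLE_LABELS))
    print(extract_malicious_features(SAMPLE_BYTES, SAMPLE_LABELS))
```

`is_well_formed` is the check a practitioner would add before trusting the model's output: a run of I labels with no B before it or no E after it means the model has not actually bounded the feature, and the resulting slice should not be turned into a rule without review.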

Further, based on the first and second embodiments of the present application, another embodiment of the present application is provided. In this embodiment, before the step of determining, based on the preset classification model, the first byte sequence belonging to attack traffic from the packets, the method includes:

Step C1: reassemble the packets to obtain flow data;

As an example, to cope with IP fragmentation and TCP segmentation being used to evade attack detection, flow reassembly (by 5-tuple, as a bidirectional flow) is performed for fragmented IP datagrams and segmented TCP streams, so that the data streams of both communicating parties can subsequently be analysed more accurately.

As an example, during packet transmission, because of the limits of the transmission channel, data has to be fragmented or segmented before it is sent; once transmission is complete, the split packets are reassembled to obtain the flow data.

As an example, flow data is assembled according to the 5-tuple, which consists of the source IP address, source port, destination IP address, destination port and transport-layer protocol.

Step C2: according to the application-layer data obtained by processing the flow data, divide the application-layer data into several string list items, and convert the string list items into corresponding byte sequences;

As an example, the flow data is processed according to the HTTP protocol: the protocol headers are stripped from the flow data to obtain the application-layer data.

As an example, dividing the application-layer data into several string list items according to the HTTP protocol makes it feasible to inspect the entire content of the application-layer protocol; the string list items are then converted into several byte sequences that serve as input, so that the preset classification model can inspect each list item, which increases the accuracy with which the preset classification model recognises bytes.
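The following added example (not the patent's code) carries steps C1 and C2 through end to end on constructed input: TCP segments are grouped by a normalised bidirectional 5-tuple and each direction's stream is rebuilt in sequence-number order, with a retransmitted segment discarded, then the HTTP message is split into string list items (request or status line, each header, body) and each item is converted to a byte sequence for the classification model. The segment dictionaries, addresses and the request content are all constructed for the example; a real deployment would obtain them from a packet capture.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint, str]


def build_segments(src, sport, dst, dport, chunks, start_seq=1):
    """Turn payload chunks into TCP-segment dicts with cumulative sequence numbers."""
    segs, seq = [], start_seq
    for chunk in chunks:
        segs.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                     "proto": "tcp", "seq": seq, "payload": chunk})
        seq += len(chunk)
    return segs


# Constructed sample input: one HTTP exchange whose request is split into three
# segments that arrive out of order, with the first segment retransmitted.
REQUEST_CHUNKS = [
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    b"user=admin&pass=x' OR 1=1--",
]
_client = build_segments("10.0.0.5", 40000, "10.0.0.9", 80, REQUEST_CHUNKS)
_server = build_segments("10.0.0.9", 80, "10.0.0.5", 40000, [b"HTTP/1.1 200 OK\r\n\r\nok"])
SAMPLE_PACKETS = [_client[1], _client[2], _client[0], _client[0], _server[0]]


def flow_key(pkt) -> FlowKey:
    """Bidirectional 5-tuple: endpoints are sorted so both directions share one key."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return (lo, hi, pkt["proto"])


def reassemble(packets) -> Dict[FlowKey, Dict[Endpoint, bytes]]:
    """Step C1: group segments by flow and rebuild each sender's byte stream in
    sequence order, dropping bytes already seen (retransmissions/overlap)."""
    flows = defaultdict(lambda: defaultdict(list))
    for p in packets:
        flows[flow_key(p)][(p["src"], p["sport"])].append(p)
    result = {}
    for key, directions in flows.items():
        result[key] = {}
        for sender, segs in directions.items():
            segs.sort(key=lambda s: s["seq"])
            data, next_seq = b"", None
            for s in segs:
                payload = s["payload"]
                if next_seq is not None and s["seq"] < next_seq:
                    overlap = next_seq - s["seq"]
                    if overlap >= len(payload):
                        continue  # pure retransmission, nothing new
                    payload = payload[overlap:]
                # a gap (s["seq"] > next_seq) is not filled here; a production
                # reassembler would buffer the segment until the hole is closed
                data += payload
                next_seq = s["seq"] + len(s["payload"])
            result[key][sender] = data
    return result


def http_list_items(app_data: bytes) -> List[str]:
    """Step C2 (first half): split one HTTP message into string list items:
    the request/status line, each header line, and the body if present."""
    head, _, body = app_data.partition(b"\r\n\r\n")
    items = [ln.decode("latin-1") for ln in head.split(b"\r\n") if ln]
    if body:
        items.append(body.decode("latin-1"))
    return items


def items_to_byte_sequences(items: List[str]) -> List[bytes]:
    """Step C2 (second half): each list item becomes its own byte sequence,
    so the classification model judges every item separately."""
    return [item.encode("latin-1") for item in items]


def process(packets) -> Dict[FlowKey, Dict[Endpoint, List[bytes]]]:
    """Run C1 and C2 end to end: {flow_key: {sender: [byte sequence, ...]}}."""
    return {key: {sender: items_to_byte_sequences(http_list_items(data))
                  for sender, data in directions.items()}
            for key, directions in reassemble(packets).items()}


if __name__ == "__main__":
    for key, directions in process(SAMPLE_PACKETS).items():
        for sender, seqs in directions.items():
            print(key, sender, seqs)
```

Note that the injection string sits in the body chunk, which is the last segment to be sent; without reassembly, a per-packet inspector would see it without its request line and header context, and the out-of-order delivery in the sample would present the chunks in the wrong order.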

The step of determining, based on the preset classification model, the first byte sequence belonging to attack traffic from the packets includes:

Step C3: based on the preset classification model, recognise each input byte sequence to obtain a predicted recognition result;

As an example, after the preset classification model recognises each input byte sequence, it outputs one predicted recognition result.

As an example, the predicted recognition result may be "normal" or some attack category.

Step C4: determine, according to the predicted recognition results, the first byte sequence belonging to attack traffic among the byte sequences.

As an example, according to the corresponding predicted recognition results, the byte sequences belonging to attack traffic and the normal byte sequences can be determined.

As an example, a byte sequence determined to belong to attack traffic is taken as the first byte sequence and passed to the next processing step.

The step of determining, according to the predicted recognition results, the first byte sequence belonging to attack traffic among the byte sequences further includes:

Step D1: determine, according to the predicted recognition result, the attack type of the output first byte sequence;

As an example, the attack type may be SQL injection, command injection and so on, without specific limitation.

Step D2: visually display the attack type of the first byte sequence.

As an example, the attack type of the first byte sequence is displayed visually for the user to view, and the user can also take manual action according to the attack type.

In this embodiment, the obtained packets are processed and divided into several string list items, each string list item is converted into a byte sequence and input to the preset classification model for processing, and the byte sequences belonging to attack traffic are thereby determined, which improves the accuracy with which the preset classification model recognises attack traffic.

Referring to Figure 3, Figure 3 is a schematic structural diagram of the device of the hardware operating environment involved in the solution of the embodiments of the present application.

As shown in Figure 3, the attack traffic detection rule generation device may include a processor 1001, a memory 1005 and a communication bus 1002. The communication bus 1002 is used to implement the connection and communication between the processor 1001 and the memory 1005.

Optionally, the attack traffic detection rule generation device may further include a user interface, a network interface, a camera, an RF (Radio Frequency) circuit, sensors, a WiFi module and so on. The user interface may include a display and an input sub-module such as a keyboard, and the optional user interface may also include a standard wired interface and a wireless interface. The network interface may include a standard wired interface and a wireless interface (such as a WI-FI interface).

Those skilled in the art will understand that the structure of the attack traffic detection rule generation device shown in Figure 3 does not limit the attack traffic detection rule generation device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.

As shown in Figure 3, the memory 1005, as a storage medium, may include an operating system, a network communication module and an attack traffic detection rule generation program. The operating system is the program that manages and controls the hardware and software resources of the attack traffic detection rule generation device and supports the running of the attack traffic detection rule generation program and of other software and/or programs. The network communication module is used to implement communication among the components inside the memory 1005 and communication with other hardware and software in the attack traffic detection rule generation system.

In the attack traffic detection rule generation device shown in Figure 3, the processor 1001 is used to execute the attack traffic detection rule generation program stored in the memory 1005, so as to implement the steps of the attack traffic detection rule generation method described in any of the embodiments above.

The specific implementation of the attack traffic detection rule generation device of the present application is essentially the same as the embodiments of the attack traffic detection rule generation method described above and is not repeated here.

The present application also provides an attack traffic detection rule generation apparatus, which includes:

an acquisition module, configured to obtain the packets carried by abnormal traffic and, based on a preset classification model, determine from the packets a first byte sequence belonging to attack traffic;

an extraction module, configured to extract malicious features from the first byte sequence based on a preset labeling model;

a determination module, configured to determine, according to the malicious features and a preset attack template, related malicious features adjacent to the malicious features, where the preset attack template is used to extract the related malicious features;

a generation module, configured to map the set composed of the malicious features and the related malicious features to the corresponding rule keywords to generate a detection rule.

In a possible implementation of the present application, the extraction module includes:

an output unit, configured to label the first byte sequence based on the preset labeling model and output a labeled byte sequence;

a first determination unit, configured to determine the position information of the malicious bytes according to the several label types of the labeled byte sequence;

a first extraction unit, configured to extract the malicious features from the first byte sequence according to the position information.

In a possible implementation of the present application, the first determination unit includes:

a first determination sub-unit, configured to determine the middle-labeled bytes according to the several label types of the labeled byte sequence;

a second determination sub-unit, configured to determine the position information of the malicious bytes based on the positions of the middle-labeled bytes in the labeled byte sequence, where the middle-labeled bytes correspond to the malicious bytes.

In a possible implementation of the present application, the determination module includes:

a second determination unit, configured to determine the position information of the malicious features according to the malicious features and the preset attack template, and to extract the sibling nodes and parent nodes adjacent to the malicious features;

a third determination unit, configured to determine the related malicious features according to the sibling nodes and the parent nodes.

In a possible implementation of the present application, the apparatus further includes:

a reassembly module, configured to reassemble the packets to obtain flow data;

a division module, configured to divide, according to the application-layer data obtained by processing the flow data, the application-layer data into several string list items and convert the string list items into corresponding byte sequences.

In a possible implementation of the present application, the acquisition module includes:

a recognition unit, configured to recognise each input byte sequence based on the preset classification model to obtain a predicted recognition result;

a fourth determination unit, configured to determine, according to the predicted recognition results, the first byte sequence belonging to attack traffic among the byte sequences.

In a possible implementation of the present application, the fourth determination unit includes:

a third determination sub-unit, configured to determine, according to the predicted recognition result, the attack type of the output first byte sequence;

a display sub-unit, configured to visually display the attack type of the first byte sequence.

In a possible implementation of the present application, the generation module includes:

a mapping unit, configured to take the malicious features and the related malicious features as the malicious feature set of a single attack flow or of multiple attack flows and map it to the corresponding rule keywords;

a generation unit, configured to generate the detection rule according to the rule keywords.

It should be noted that, in this document, the terms "comprise", "include" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or system that comprises the element.

The serial numbers of the embodiments of the present application above are for description only and do not indicate the relative merits of the embodiments.

From the description of the embodiments above, those skilled in the art can clearly understand that the methods of the embodiments above can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.

The above are only preferred embodiments of the present application and do not thereby limit the scope of its patent; any equivalent structural or equivalent process transformation made using the content of the description and drawings of the present application, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (10)

Application CN202310210967.1A (priority date 2023-03-07, filing date 2023-03-07): Attack traffic detection rule generation method, device, equipment and storage medium. Status: Active; granted as CN116192527B.

Publications
CN116192527A (publication, 2023-05-30)
CN116192527B (grant, 2025-07-11)

Family ID: 86438305
Country status: CN, CN116192527B


Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant
