CN109255243B - Method, system, device and storage medium for repairing potential threats in terminal - Google Patents


Info

Publication number: CN109255243B
Authority: CN (China)
Prior art keywords: target; repair; potential threat; terminal; service terminal
Legal status: Active
Application number: CN201811141055.9A
Other languages: Chinese (zh)
Other versions: CN109255243A (en)
Inventor: 高群凯
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Events
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811141055.9A
Publication of CN109255243A
Application granted
Publication of CN109255243B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements, eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a method for repairing potential threats in a terminal. Unlike a service terminal, which cannot be allowed to be freely damaged or intruded by malicious traffic, a honeypot terminal set up specifically to receive malicious intrusion traffic lets that traffic run its course, so that malicious data can be collected as completely as possible. From this data the true intention of the intruder can be judged more accurately and the potential threats present in the terminal exposed more completely. A target repair policy is then issued, according to a preset issuing mode, to the service terminals on which the target potential threat exists, and those terminals complete the repair across the whole network according to the received policy. Because of the nature of the honeypot terminal, the likelihood of damage to the service terminals is further reduced, network security is higher, and potential threats are discovered and repaired more comprehensively. The application also discloses a system and an apparatus for repairing potential threats in a terminal, and a computer-readable storage medium, which have the same beneficial effects.

Description

Method, system, device and storage medium for repairing potential threats in terminal
Technical Field
The present application relates to the field of terminal security technologies, and in particular, to a method, a system, an apparatus, and a computer-readable storage medium for repairing a potential threat in a terminal.
Background
With the arrival of the information age, people complete all kinds of work and tasks over networks, efficiently and conveniently, and information stored in binary form is easier to keep. The same property also makes that information easier for ill-intentioned people to steal, so network security equipment emerged to protect the network security of enterprises.
Conventional network security devices are mainly firewalls and IPS (Intrusion Prevention Systems). They identify potential network threats from fixed detection rules or behaviour patterns, so once an attacker has worked out the detection means, the detection is easily bypassed in a targeted way, for example with a variant of a malicious file. Moreover, a conventional device usually cuts the connection hard before or as the threat occurs (to stop the damage spreading), so the real intention of the intruder, who may be probing to see how the defence reacts, is not captured well. When the vulnerability or potential threat is then patched, sufficient effective information may be lacking, the repair may be incomplete, and an improper repair leaves an opening for a later intrusion by the same attacker.
How to overcome the technical defects of existing potential-threat discovery mechanisms and provide a repair mechanism that makes the true intention of a malicious intruder clearer and repairs potential threats more comprehensively is therefore a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the present application is to provide a method for repairing potential threats in a terminal. Unlike a service terminal, which cannot be allowed to be freely damaged or intruded, a honeypot terminal set up specifically for malicious intrusion traffic lets that traffic act freely, so malicious data can be collected as completely as possible, the real intention of the intruder judged more accurately from it, and the potential threats in the terminal exposed more completely. A target repair policy is then issued, according to a preset issuing mode, to the service terminals on which the target potential threat exists, and these complete the repair network-wide according to the received policy. Since the honeypot terminal further reduces the chance of damage to the service terminals, network security is higher and potential threats are discovered and repaired more comprehensively.
Another object of the present application is to provide a system, an apparatus and a computer-readable storage medium for repairing a potential threat in a terminal.
In order to achieve the above object, the present application provides a method for repairing a potential threat in a terminal, including:
acquiring malicious traffic that has intruded into a honeypot terminal in a network; the network comprises an upper management terminal, a first preset number of honeypot terminals and a second preset number of service terminals, the honeypot terminals being terminals of the same type as the service terminals;
determining, from the malicious traffic, a target potential threat existing on the corresponding honeypot terminal, and obtaining a target repair policy corresponding to the target potential threat;
and issuing the target repair policy to the service terminals on which the target potential threat exists, so that they repair the target potential threat according to the target repair policy.
Optionally, obtaining a target repair policy corresponding to the target potential threat includes:
querying a preset repair policy library to obtain the target repair policy corresponding to the target potential threat; the repair policy library records the correspondence between potential threats and repair policies.
Optionally, the repair method further includes:
when no target repair policy corresponding to the target potential threat can be found in the repair policy library, reporting a new-repair-policy request packet carrying the target potential threat through a preset path, and adding the new repair policy fed back to the repair policy library.
Optionally, issuing the target repair policy to the service terminals on which the target potential threat exists includes:
issuing the target repair policy to every service terminal in the network.
Optionally, issuing the target repair policy to the service terminals on which the target potential threat exists includes:
determining the target service terminals in the network on which the target potential threat exists;
and issuing the target repair policy to the target service terminals.
Optionally, determining the target service terminals in the network on which the target potential threat exists includes:
issuing a target potential threat test packet to each service terminal in the network; the target potential threat test packet is used to test harmlessly whether the target potential threat exists on the terminal;
and receiving the threat test result returned by a probe preset on each service terminal, and determining from the threat test results the target service terminals on which the target potential threat exists.
Optionally, the repair method further includes:
receiving a repair policy execution result sent by an executed service terminal, an executed service terminal being a service terminal that has carried out potential threat repair according to the received target repair policy;
when the repair policy execution result shows that the target potential threat on the executed service terminal has been repaired, setting the repair state of the target potential threat for that service terminal to "repaired";
and when the repair policy execution result shows that the target potential threat on the executed service terminal has not been repaired, issuing the target repair policy to that service terminal again.
To achieve the above object, the present application further provides a system for repairing a potential threat in a terminal, including:
a malicious intrusion traffic receiving unit, used to acquire malicious traffic that has intruded into a honeypot terminal in a network; the network comprises an upper management terminal, a first preset number of honeypot terminals and a second preset number of service terminals, the honeypot terminals being terminals of the same type as the service terminals;
a potential threat and repair policy determining unit, used to determine, from the malicious traffic, the target potential threat existing on the corresponding honeypot terminal and to obtain the target repair policy corresponding to it;
and a repair policy issuing unit, used to issue the target repair policy to the service terminals on which the target potential threat exists, so that they repair the target potential threat according to the target repair policy.
Optionally, the potential threat and repair policy determining unit includes:
a target repair policy query subunit, used to query a preset repair policy library for the target repair policy corresponding to the target potential threat; the repair policy library records the correspondence between each potential threat and its repair policy.
Optionally, the repair system further includes:
a new repair policy request and supplement unit, used to report a new-repair-policy request packet carrying the target potential threat through a preset path when no target repair policy corresponding to the target potential threat can be found in the repair policy library, and to add the new repair policy fed back to the repair policy library.
Optionally, the repair policy issuing unit includes:
an issue-to-all subunit, used to issue the target repair policy to every service terminal in the network.
Optionally, the repair policy issuing unit includes:
a target service terminal determining subunit, configured to determine the target service terminals in the network on which the target potential threat exists;
and a precise issuing subunit, used to issue the target repair policy to the target service terminals.
Optionally, the target service terminal determining subunit includes:
a threat test packet issuing module, used to issue a target potential threat test packet to each service terminal in the network; the target potential threat test packet is used to test harmlessly whether the target potential threat exists on a terminal;
and a result receiving and target service terminal determining module, used to receive the threat test result returned by a probe preset on each service terminal and to determine from the threat test results the target service terminals on which the target potential threat exists.
Optionally, the repair system further includes:
an execution result receiving unit, configured to receive a repair policy execution result sent by an executed service terminal, an executed service terminal being a service terminal that has carried out potential threat repair according to the received target repair policy;
a repair success processing unit, used to set the repair state of the target potential threat for the executed service terminal to "repaired" when the repair policy execution result confirms that the target potential threat on that service terminal has been repaired;
and a repair failure processing unit, used to issue the target repair policy to the executed service terminal again when the repair policy execution result shows that the target potential threat on that service terminal has not been repaired.
To achieve the above object, the present application further provides a device for repairing a potential threat in a terminal, the device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for remedying a potential threat in a terminal as described in the above when executing the computer program.
To achieve the above object, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method for repairing a potential threat in a terminal as described in the above.
It can be seen that in the method for repairing a potential threat in a terminal provided by the application, unlike on a service terminal, which cannot be allowed to be freely damaged or intruded, malicious traffic in a honeypot terminal set up specifically for it can act freely, so malicious data can be collected as completely as possible, the real intention of the intruder judged more accurately from it, and the potential threats in the terminal exposed more completely. The target repair policy is then issued, according to the preset issuing mode, to the service terminals on which the target potential threat exists, and these complete the repair network-wide according to the received policy. Because the honeypot terminal further reduces the chance of damage to the service terminals, network security is higher, and potential threats are discovered and repaired more comprehensively. The application also provides a system and an apparatus for repairing a potential threat in a terminal and a computer-readable storage medium, which have the same beneficial effects and are not described again here.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for repairing a potential threat in a terminal according to an embodiment of the present application;
Fig. 2 is a flowchart of another method for repairing a potential threat in a terminal according to an embodiment of the present application;
Fig. 3 is a flowchart of a further method for repairing a potential threat in a terminal according to an embodiment of the present application;
Fig. 4 is a flowchart of the follow-up processing performed according to the repair policy execution result in the method for repairing a potential threat in a terminal according to an embodiment of the present application;
Fig. 5 is a logic diagram of the execution entities in a system for repairing a potential threat in a terminal according to an embodiment of the present application;
Fig. 6 is a schematic diagram of collecting and reporting malicious intrusion traffic with a honeypot terminal according to an embodiment of the present application;
Fig. 7 is a schematic diagram of analysing malicious intrusion traffic, formulating the corresponding repair policy and issuing it from the upper management terminal according to an embodiment of the present application;
Fig. 8 is a schematic view of the operation flow of a terminal probe according to an embodiment of the present application;
Fig. 9 is a block diagram of a system for repairing a potential threat in a terminal according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a method, a system, an apparatus and a computer-readable storage medium for repairing potential threats in a terminal. Unlike on a service terminal, which cannot be allowed to be freely damaged or intruded, malicious traffic in a honeypot terminal set up specifically for it can act freely, so malicious data can be collected as completely as possible, the true intention of the intruder judged more accurately from it, and the potential threats in the terminal exposed more completely. A target repair policy is then issued, according to a preset issuing mode, to the service terminals on which the target potential threat exists, and these complete the repair network-wide according to the received policy. Because the honeypot terminal further reduces the probability of damage to the service terminals, network security is higher and potential threats are discovered and repaired more comprehensively.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example one
Referring to Fig. 1, which is a flowchart of a method for repairing a potential threat in a terminal according to an embodiment of the present application, the method specifically includes the following steps:
S101: acquiring malicious traffic that has intruded into a honeypot terminal in the network;
The scheme provided by the application is built on a network consisting of an upper management terminal, a first preset number of honeypot terminals and a second preset number of service terminals. The honeypot terminals are of the same type as the service terminals, meaning that they share the same or very similar configuration parameters, such as operating system, IP range and vulnerability-library version. Unlike the service terminals, however, they are additionally configured to look easier to compromise, so that more valuable malicious intrusion data can be gathered. A honeypot terminal is a black box carefully arranged by the network administrator: it appears riddled with holes but is in fact fully under control, and the intrusion data it collects is very valuable. It is, in effect, a gift to the intruder; even when it is compromised, the intruder will not necessarily notice anything amiss, which matches the classic definition of a honeypot: "a security resource whose value lies in being probed, attacked or compromised".
The original goal in designing honeypots was to let attackers intrude so that evidence could be collected while the real server addresses stay hidden. A well-built honeypot therefore normally offers attack discovery, alert generation, strong recording capability, deception and investigation support. A further function is that the administrator can, where necessary, pursue the intruder on the basis of the evidence the honeypot collected.
Accordingly, a certain number of honeypot terminals are placed in a network that originally contained only ordinary service terminals, specifically to lure malicious attackers. Because of the careful design, malicious traffic can act freely inside the honeypot terminals, the complete malicious intrusion traffic can be obtained, and from its analysis the potential threats present in service terminals of the same type as the honeypot terminals can be derived. To make the honeypot terminals still more attractive to malicious traffic, several of them can be networked into a honeynet, which presents the characteristics of a real terminal environment over a larger range.
S102: determining a target potential threat existing on a corresponding honeypot terminal according to the malicious flow, and obtaining a target repairing strategy corresponding to the target potential threat;
on the basis of S101, this step is intended to analyze the collected complete malicious traffic, and determine, according to the analysis result, the potential threats existing on the honeypot terminal, in other words, it is determined that the malicious traffic that should be intercepted is not connected because of which potential threats exist on the honeypot terminal, the potential threats are represented in various forms, may be bugs, bugs that may occur when a program runs, may be new problems caused by a certain patch, and the like, and any place that may cause a security risk to the terminal is included in the potential threats, and is therefore potential because the threats have not been found before.
The purpose of this step is to analyze and obtain the corresponding existing potential threat through the malicious traffic collected by the honeypot terminal as complete as possible, and obtain a repair strategy which can repair, make up, disable and fail the potential threat and cannot cause the security risk, so that the potential threat can be eliminated after being repaired according to the repair strategy. The repair strategy has various expression forms, can be a step of adjusting some software parameters for solving a potential threat, can be a bug repairer, and can be any means capable of solving the potential threat, and how to express the repair strategy is not important, and the repair strategy aims to obtain a repair mode capable of solving the determined potential threat.
Specifically, how to obtain the repair strategy corresponding to the determined potential threat is various, the repair strategy can be specially written by a special and experienced security repair engineer according to the characteristics and the working mechanism of the potential threat, a bug repair tool capable of repairing the bug can be found in a bug repair library, and the repair strategy of the previous original version can be adjusted when a certain found security risk variation comes; even the repair strategy library can be obtained by summarizing potential threat repair strategy means issued by other public credibility and authorities, and the method of selecting which repair strategy should be selected is determined according to the corresponding relation between each determined potential threat and the corresponding repair strategy, and the method is not specifically limited, and the repair strategy corresponding to the determined potential threat can be obtained by flexibly selecting a proper mode according to the actual situation.
Certainly, because of a potential threat, there is a possibility that a corresponding repair policy cannot be generated in advance and summarized into the repair policy library with a high probability, and when the situation occurs, a manager specially handling the problem at the upper layer can be reported through a preset path, and a new repair policy fed back by the manager can be timely added into the repair policy library.
S103: and sending the target repairing strategy to the service terminal with the target potential threat so as to repair the target potential threat according to the target repairing strategy.
On the basis of S102, this step is intended to issue the target repair policy to the service terminals with the same potential threat, so that the service terminals can complete their repair according to the received target repair policy, thereby improving the security of each service terminal in the whole network.
When a network is just constructed, the parameter configuration type (such as an operating system version, a patch library version, and the like) of each service terminal should be the same as that of a honeypot terminal, that is, if a potential threat discovered by the honeypot terminal certainly exists in each service terminal, but each service terminal may be used by different users in different ways in the use process as time goes by, some service terminals have repaired the same potential threat, so that the service terminal should not be used as an issuing object of a target repair policy, and if it can be determined to which service terminals to issue and which not to issue, the load and the effective bandwidth occupancy rate of the network can be effectively reduced.
Specifically, how to determine whether a potential threat exists in a service terminal is various, and generally, a harmless potential threat test packet is generated according to the characteristics of the potential threat to test whether the potential threat can be acted on the tested terminal, if the potential threat exists, and if the potential threat does not exist, the potential threat is repaired or a corresponding protection means exists; the threat repair log of each service terminal can also be read to determine whether some potential threats have been repaired in the service terminal but not in the honeypot terminal (because of the special purpose of the honeypot terminal, the threat repair frequency is not high, and in order to prevent the interference to malicious traffic and the like as much as possible), and the like.
Of course, the target repair policy may also be simply issued to all service terminals in the network, so as to ensure that no omission phenomenon occurs in this way, and for a service terminal which does not need to be repaired, at most, the repair is repeated, or the repair is finished when no potential threat exists during the repair process.
Further, unexpected factors may cause unsuccessful repair, possibly for the following reasons: data errors in the strategy issuing process, terminal system abnormity in the executing process and the like, so in order to further guarantee the security of the terminals, the method can also receive the execution results of the repair strategies generated and returned by each terminal after the repair strategies are executed, and judge whether to perform repair again or not based on the execution results, so that the target potential threats on the terminals are repaired as much as possible.
Based on the above technical scheme, in the method for repairing a potential threat in a terminal provided by this embodiment, unlike on a service terminal, which cannot be allowed to be freely damaged or intruded, malicious traffic in a honeypot terminal set up specifically for it can act freely, so malicious data can be collected as completely as possible, the real intention of the intruder judged more accurately from it, and the potential threats in the terminal exposed more completely. The target repair policy is then issued, according to the preset issuing mode, to the service terminals on which the target potential threat exists, and these complete the repair network-wide according to the received policy. Because the honeypot terminal further reduces the chance of damage to the service terminals, network security is higher, and potential threats are discovered and repaired more comprehensively.
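The following Python script is an added example, not code from the patent or from Sangfor's product, that simulates the upper management terminal's S101 to S103 workflow end to end: matching the honeypot capture against threat signatures, querying the repair policy library with the fall-back request for a new policy through the preset path, choosing between the issue-to-all mode of the second embodiment and the probe-based targeted mode of the third, and handling the repair policy execution results with re-issue as in Fig. 4. Every threat identifier, request line, component name, version number, test packet and terminal name is constructed for the example; the harmless test is modelled as a version comparison performed by the terminal-side probe, and the retry limit is an addition the patent does not specify.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# S101 input (constructed): request lines the honeypot terminal let through and reported upstream.
HONEYPOT_CAPTURE = [
    b"GET /index.html HTTP/1.1",
    b"GET /cgi-bin/status?cmd=;cat%20/etc/passwd HTTP/1.1",
    b"POST /login HTTP/1.1\r\n\r\nuser=admin&pass=' OR '1'='1",
]
# Hypothetical threat signatures: a byte pattern that identifies each potential threat.
THREAT_SIGNATURES = {
    "THREAT-CMDI-STATUS": b"/cgi-bin/status?cmd=",
    "THREAT-SQLI-LOGIN": b"' OR '1'='1",
    "THREAT-SSH-WEAK-CIPHER": b"SSH-2.0-OldDaemon",
}
# Repair policy library (threat -> policy); SQLI is left out to exercise the new-policy request path.
REPAIR_POLICY_LIBRARY = {"THREAT-CMDI-STATUS": "disable /cgi-bin/status and install status-cgi 2.4"}
# Harmless test packet per threat: the affected component and the first version that closes the hole.
THREAT_TEST_PACKETS = {"THREAT-CMDI-STATUS": ("status-cgi", "2.4"), "THREAT-SQLI-LOGIN": ("login-app", "1.9")}
# Service terminals of the same type as the honeypot, with their installed component versions.
SERVICE_TERMINALS = {
    "svc-01": {"status-cgi": "2.1", "login-app": "1.9"},
    "svc-02": {"status-cgi": "2.4", "login-app": "1.7"},  # its user already fixed status-cgi
    "svc-03": {"status-cgi": "2.3", "login-app": "1.8"},
}

def identify_threats(capture: List[bytes], signatures: Dict[str, bytes]) -> List[str]:
    """S102, part 1: map the complete honeypot capture onto known potential threats."""
    return sorted({tid for line in capture for tid, pat in signatures.items() if pat in line})

def lookup_policy(threat_id: str, library: Dict[str, str], request_new: Callable[[str], str]) -> str:
    """S102, part 2: query the library; on a miss, request a new policy via the preset path and add it."""
    if threat_id not in library:
        library[threat_id] = request_new(threat_id)
    return library[threat_id]

def probe(components: Dict[str, str], test_packet: Tuple[str, str]) -> bool:
    """Terminal-side probe: a harmless version comparison instead of firing the exploit.
    Returns True when the target potential threat is still present on the terminal."""
    component, fixed_version = test_packet
    installed = components.get(component)
    if installed is None:
        return False  # component absent, so the threat cannot apply

    def as_tuple(v: str) -> Tuple[int, ...]:
        return tuple(int(p) for p in v.split("."))
    return as_tuple(installed) < as_tuple(fixed_version)

def select_targets(threat_id: str, terminals: Dict[str, Dict[str, str]], mode: str) -> List[str]:
    """S103 issuing modes: 'broadcast' (second embodiment) or 'targeted' (third embodiment)."""
    if mode == "broadcast":
        return list(terminals)
    if mode == "targeted":
        packet = THREAT_TEST_PACKETS.get(threat_id)
        if packet is None:  # no harmless test known: fail toward repairing every terminal
            return list(terminals)
        return [t for t, comps in terminals.items() if probe(comps, packet)]
    raise ValueError(f"unknown issuing mode: {mode}")

@dataclass
class RepairTracker:
    """Per (terminal, threat) repair state and the re-issue decision of Fig. 4.
    max_attempts is an addition: the patent re-issues without bounding the retries."""
    max_attempts: int = 3
    state: Dict[Tuple[str, str], str] = field(default_factory=dict)
    attempts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def issued(self, terminal: str, threat_id: str) -> None:
        key = (terminal, threat_id)
        self.attempts[key] = self.attempts.get(key, 0) + 1
        self.state[key] = "issued"

    def on_execution_result(self, terminal: str, threat_id: str, success: bool) -> bool:
        """Record the terminal's execution result; True means the policy must be issued again."""
        key = (terminal, threat_id)
        if success:
            self.state[key] = "repaired"
            return False
        if self.attempts.get(key, 0) >= self.max_attempts:
            self.state[key] = "failed"  # hand over to an operator instead of looping forever
            return False
        self.state[key] = "retry"
        return True

def run_cycle(mode: str = "targeted", execution_outcome: Optional[Dict[Tuple[str, str], bool]] = None):
    """One full S101-S103 cycle. execution_outcome simulates the terminals' replies (default: all
    succeed). Returns (tracker, issued policies, threats sent upstream, keys to re-issue)."""
    library = dict(REPAIR_POLICY_LIBRARY)
    requested: List[str] = []

    def request_new(threat_id: str) -> str:  # stands in for the upper-layer manager's reply
        requested.append(threat_id)
        return f"manually written policy for {threat_id}"

    tracker, issued = RepairTracker(), {}
    for threat_id in identify_threats(HONEYPOT_CAPTURE, THREAT_SIGNATURES):
        policy = lookup_policy(threat_id, library, request_new)
        for terminal in select_targets(threat_id, SERVICE_TERMINALS, mode):
            tracker.issued(terminal, threat_id)
            issued[(terminal, threat_id)] = policy
    outcome = execution_outcome or {}
    reissue = [k for k in issued if tracker.on_execution_result(k[0], k[1], outcome.get(k, True))]
    return tracker, issued, requested, reissue
```

Running `run_cycle("targeted")` issues four policies (svc-02 is skipped for the command-injection threat because its probe reports the component already at the fixed version, and svc-01 is skipped for the SQL-injection threat for the same reason), while `run_cycle("broadcast")` issues all six. The missing SQL-injection policy triggers exactly one upstream request, and a failed execution result puts the affected (terminal, threat) pair into the re-issue list until the retry limit is reached.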
Example two
Referring to Fig. 2, which is a flowchart of another method for repairing a potential threat in a terminal according to an embodiment of the present application: on the basis of the first embodiment, this embodiment issues the target repair policy to every service terminal in the network, without first excluding the service terminals that no longer need to repair the target potential threat. This mode is simple to implement, cannot omit a terminal and needs no secondary verification. The specific implementation steps are as follows:
S201: acquiring malicious traffic that has intruded into a honeypot terminal in the network;
S202: determining, from the malicious traffic, the target potential threat existing on the corresponding honeypot terminal, and querying a preset repair policy library to obtain the target repair policy corresponding to it;
S203: issuing the target repair policy to every service terminal in the network, so that each service terminal repairs its potential threat according to the received target repair policy.
Example three
With reference to fig. 3, fig. 3 is a flowchart of another method for repairing a potential threat in a terminal according to an embodiment of the present application. On the basis of the first embodiment, this embodiment provides a way of issuing the target repair policy that excludes service terminals in the network which do not need to repair the target potential threat: the target repair policy is issued only to the target service terminals on which the target potential threat still exists. This is strongly targeted, reduces the load and bandwidth occupancy in the network as far as possible, and reduces wasted work. The specific implementation steps are as follows:
S301: acquiring malicious traffic invading a honeypot terminal in the network;
S302: determining, according to the malicious traffic, a target potential threat existing on the corresponding honeypot terminal, and querying a preset repair policy library to obtain a target repair policy corresponding to the target potential threat;
S303: issuing a target potential threat test packet to each service terminal in the network;
S304: receiving the threat test result returned by the probe preset on each service terminal, and determining, according to the threat test results, the target service terminals on which the target potential threat exists;
In order to feed the test result of the threat test packet back to the upper management terminal, a probe is arranged in advance on each service terminal. The probe receives the data issued by the upper management terminal over the data connection established with it, executes that data, and feeds the execution result back to the upper management terminal, so that the upper management terminal can decide the subsequent operation according to the returned information.
Specifically, as long as it can carry out the operations required of it, the probe may take any form: an information acquisition plug-in, a data forwarding rule under a fixed path, a functional script, an applet, and the like. That is, the probe described in this application is not limited to a probe in the conventional sense but includes any means that can implement the above operations; no specific limitation is made here, and a suitable form may be chosen flexibly according to the actual situation.
S305: issuing the target repair policy to the target service terminals, so that each target service terminal repairs its own potential threat according to the target repair policy.
It should further be noted that S303 and S304 in this embodiment are only one feasible way of excluding ordinary terminals that do not need to receive the target repair policy issued by the upper management terminal. Other feasible ways exist depending on the actual situation, and a person skilled in the art can devise a variety of methods from the foregoing; these are not the inventive points of the present application and are not described further here.
Example four
With reference to fig. 4, fig. 4 is a flowchart of the subsequent processing performed according to the repair policy execution result in the method for repairing a potential threat in a terminal provided by an embodiment of the present application. On the basis of the foregoing embodiments, this embodiment adds a scheme for marking the repair state and performing subsequent processing according to the repair policy execution result sent by an executed service terminal. The specific implementation steps are as follows:
S401: receiving a repair policy execution result sent by an executed service terminal;
The executed service terminal is a service terminal that has carried out potential threat repair according to the received target repair policy.
S402: when it is determined from the repair policy execution result that the target potential threat on the corresponding executed service terminal has been repaired, setting the repair state of the target potential threat corresponding to that executed service terminal to repaired;
S403: when it is determined from the repair policy execution result that the target potential threat on the corresponding executed service terminal has not been repaired, issuing the target repair policy to that executed service terminal again.
The purpose of issuing the target repair policy to the executed service terminal again is to check whether the execution of the target repair policy was disturbed by some unexpected factor, or whether the repair of the target potential threat failed because of factors such as a damaged data file when the executed service terminal received the target repair policy, so that such problems are solved by issuing and executing the policy repeatedly.
Of course, other problems may also cause a repair to fail, and the corresponding solution needs to be analysed according to the specific situation.
Example five
Referring to fig. 5 to 8, on the basis of the foregoing embodiments, this embodiment combines a specific usage scenario. In this scenario, because the presence of the honeypot terminal means that the service terminals are essentially not invaded by malicious traffic, malicious traffic only needs to be collected from the honeypot terminal. To describe clearly how the several execution subjects involved in this scheme cooperate to complete the potential threat repair, this embodiment describes the flow from the standpoint of each execution subject: the honeypot terminal, the upper management terminal, and the probe on each terminal. A schematic structural diagram is shown in fig. 5.
The flow of the honeypot is (see fig. 6):
1. For a honeypot, no normal traffic arrives, so once network traffic accesses a service in the honeypot (such as an SSH service, an FTP service, etc.), it can basically be confirmed that the service is being attacked;
2. When a hacker attacks the honeypot, various operations are performed in it, such as uploading files, installing programs, adding accounts, modifying passwords, changing database records, and the like. None of these operations is rejected; the honeypot merely records and collects them;
3. The honeypot reports the information collected in step 2 to the Manager (upper management terminal);
4. Steps 2 and 3 are repeated until the hacker leaves the honeypot.
The flow of the Manager (upper management terminal) is (see fig. 7):
1. Perform potential threat analysis on the malicious intrusion traffic reported by the honeypot terminal;
2. Find potential threats according to the analysis result and formulate a corresponding repair policy;
For example, if a hacker is found to exploit a certain vulnerability of Windows 7, all terminals in the current network on which Windows 7 is installed are potentially risky terminals; as another example, if a hacker has already entered the network and is attacking the honeypot laterally through a certain terminal, that terminal is a risky terminal; and as a further example, if a hacker uploads trojan software, a security policy for scanning for and removing the trojan is formulated, and so on.
3. Issue the repair policy, through the probes, to the terminals having the same potential threat;
4. Wait to receive the repair policy execution result returned by each terminal probe;
5. Modify the state information of each terminal in the archive according to the execution result.
The flow of the probe (Agent) is (see fig. 8):
1. Receive the data issued by the upper management terminal (including threat test packets and repair policies);
2. Execute it (including the threat test packet and the repair policy);
3. Report the execution result (including the test result of the threat test packet and the execution result of the repair policy) to the upper management terminal.
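The cooperation of the Manager and the probes described in Examples three to five (threat test packet, issue only to target terminals, collect the execution result, mark the state as repaired or issue again, and request a new policy when the library has none, as in claim 2), simulated in Python as an added example. This is not code from the patent or from Sangfor; the threat names, the contents of the repair policy library, the honeypot report format, the `Probe` and `Manager` classes and the retry cap `max_retries` are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class RepairState(Enum):
    REPAIRED = "repaired"
    FAILED = "failed"


# Constructed repair policy library (assumption): potential threat -> repair policy.
REPAIR_POLICY_LIBRARY = {
    "weak_ssh_password": "enforce_ssh_password_policy",
    "trojan_upload": "run_trojan_scan_and_quarantine",
}


@dataclass
class Probe:
    """Hypothetical Agent on one service terminal."""
    terminal_id: str
    threats: set           # potential threats really present on the host
    fail_repairs: int = 0  # attempts that fail first (damaged policy file etc.)

    def run_threat_test(self, threat):
        """S303/S304: harmless test packet, reports whether the threat exists."""
        return threat in self.threats

    def execute_repair(self, policy, threat):
        """Execute the repair policy and return the execution result."""
        if self.fail_repairs > 0:
            self.fail_repairs -= 1
            return False
        self.threats.discard(threat)
        return True


class Manager:
    """Hypothetical upper management terminal (flow of fig. 7)."""

    def __init__(self, probes, library, max_retries=3):
        self.probes = {p.terminal_id: p for p in probes}
        self.library = library
        self.max_retries = max_retries  # assumed cap on re-issues (S403)
        self.repair_state = {}          # (terminal, threat) -> RepairState
        self.pending_requests = []      # threats with no policy (claim 2)

    @staticmethod
    def analyze_honeypot_report(report):
        """Map the honeypot's recorded operations to potential threats (constructed rules)."""
        threats = set()
        for action in report:
            if action["op"] == "login" and action.get("method") == "password_guess":
                threats.add("weak_ssh_password")
            elif action["op"] == "upload" and action.get("tag") == "trojan":
                threats.add("trojan_upload")
            elif action["op"] == "add_account":
                threats.add("unauthorized_account")  # not in the library
        return threats

    def find_target_terminals(self, threat):
        """Example three: test packet to every probe, keep the terminals that hit."""
        return [tid for tid, p in self.probes.items() if p.run_threat_test(threat)]

    def remediate(self, threat):
        """Issue the policy only to target terminals; issue again on failure."""
        policy = self.library.get(threat)
        if policy is None:
            self.pending_requests.append(threat)  # new repair policy request packet
            return {}
        results = {}
        for tid in self.find_target_terminals(threat):
            state = RepairState.FAILED
            for attempt in range(1, self.max_retries + 1):
                ok = self.probes[tid].execute_repair(policy, threat)
                if ok:  # S402: mark repaired; otherwise S403: issue again
                    state = RepairState.REPAIRED
                    break
            self.repair_state[(tid, threat)] = state
            results[tid] = state
        return results

    def handle_honeypot_report(self, report):
        """Full Manager flow for one honeypot report: analyse, then remediate."""
        return {t: self.remediate(t) for t in sorted(self.analyze_honeypot_report(report))}


def demo():
    """Constructed network of four service terminals plus one honeypot report."""
    probes = [
        Probe("svc-1", {"weak_ssh_password"}),
        Probe("svc-2", {"weak_ssh_password", "trojan_upload"}, fail_repairs=1),
        Probe("svc-3", set()),
        Probe("svc-4", {"trojan_upload"}, fail_repairs=5),
    ]
    manager = Manager(probes, REPAIR_POLICY_LIBRARY)
    report = [  # constructed honeypot record of the intruder's operations
        {"op": "login", "service": "ssh", "method": "password_guess"},
        {"op": "upload", "path": "/tmp/payload", "tag": "trojan"},
        {"op": "add_account", "user": "support2"},
    ]
    return manager, manager.handle_honeypot_report(report)
```

In the constructed run, svc-3 never receives a repair policy because its test result is negative, svc-2 is repaired on the second issue, svc-4 stays failed after the retry cap, and the unmapped account creation ends up as a new repair policy request.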
It should be noted that the upper management terminal (Manager) generally runs exclusively on one host, which may be a physical host or a virtual host; the same applies to the hosts mentioned below.
The probe (Agent) is deployed in advance on each service host (terminal) and communicates with the Manager over the network; the Manager manages all service hosts (terminals) through the Agents.
The honeypot may be deployed on its own host and hidden among the customer's service hosts, so that hackers discover it easily. If several honeypots are deployed, they form a honeynet, which traps hackers more readily and makes potential threats easier to discover.
This embodiment provides a honeypot-based method for discovering potential threats in a terminal. It uses the advantages of the honeypot to accurately uncover a hacker's attack methods, the tools and means used, and the attack intention, and then performs targeted, automatic security repair through lightweight probe software on the terminal host, so that security threat discovery is more accurate, the formulated repair policy is more targeted, and vulnerability repair is more comprehensive.
Because the situations are complicated and cannot be enumerated one by one, a person skilled in the art will appreciate that many further examples exist according to the basic method principle provided by this application and the actual situation; those obtained without sufficient inventive work fall within the protection scope of this application.
Referring to fig. 9, fig. 9 is a block diagram of a system for repairing a potential threat in a terminal according to an embodiment of the present application. The system may include:
a malicious intrusion traffic receiving unit 100, configured to obtain malicious traffic intruding into a honeypot terminal in a network; the network comprises upper management terminals, a first preset number of honeypot terminals and a second preset number of service terminals, wherein the honeypot terminals are of the same type as the service terminals;
a potential threat and repair policy determining unit 200, configured to determine, according to the malicious traffic, a target potential threat existing on the corresponding honeypot terminal, and to obtain a target repair policy corresponding to the target potential threat;
a repair policy issuing unit 300, configured to issue the target repair policy to the service terminals having the target potential threat, so that the target potential threat is repaired according to the target repair policy.
The potential threat and repair policy determining unit 200 includes:
a target repair policy query subunit, configured to query a preset repair policy library to obtain the target repair policy corresponding to the target potential threat; the repair policy library comprises the correspondence between each potential threat and each repair policy.
Further, the repair system may further include:
a new repair policy request and supplement unit, configured to report, through a preset path, a new repair policy request packet carrying the target potential threat when no target repair policy corresponding to the target potential threat can be found in the repair policy library, and to supplement the repair policy library with the new repair policy fed back.
The repair policy issuing unit 300 may include:
an all-terminals issuing subunit, configured to issue the target repair policy to every service terminal in the network; or
a target service terminal determining subunit, configured to determine the target service terminals in the network on which the target potential threat exists; and
a precise issuing subunit, configured to issue the target repair policy to the target service terminals.
Further, the target service terminal determining subunit may include:
a threat test packet issuing module, configured to issue a target potential threat test packet to each service terminal in the network; the target potential threat test packet is used to test harmlessly whether the target potential threat exists on a terminal;
a result receiving and target service terminal determining module, configured to receive the threat test result returned by the probe preset on each service terminal, and to determine, according to the threat test results, the target service terminals on which the target potential threat exists.
Further, the repair system may further include:
an execution result receiving unit, configured to receive a repair policy execution result sent by an executed service terminal; the executed service terminal is a service terminal that has carried out potential threat repair according to the received target repair policy;
a repair success processing unit, configured to set the repair state of the target potential threat corresponding to the executed service terminal to repaired when it is confirmed from the repair policy execution result that the target potential threat on the executed service terminal has been repaired;
a repair failure processing unit, configured to issue the target repair policy to the corresponding executed service terminal again when it is determined from the repair policy execution result that the target potential threat on the executed service terminal has not been repaired.
Based on the foregoing embodiments, the present application further provides a device for repairing a potential threat in a terminal. The device may include a memory and a processor, where the memory stores a computer program and the processor implements the steps provided in the foregoing embodiments when it calls the computer program in the memory. Of course, the repair device may also include the necessary network interfaces, power supply, and other components.
The present application also provides a computer-readable storage medium on which a computer program is stored; when executed by an execution terminal or processor, the program implements the steps provided by the above embodiments. The storage medium may include any medium capable of storing program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The principles and embodiments of the present application are described herein using specific examples. Since the examples build on one another, each example is described with emphasis on its differences from the others, and similar parts may be understood by reference to each other. For the apparatus disclosed in the embodiments, reference is made to the corresponding method section. The above description of the embodiments is only intended to help understand the method of the present application and its core ideas. It will be apparent to those skilled in the art that various changes and modifications can be made to the present invention without departing from its principles, and these changes and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method for repairing a potential threat in a terminal, comprising:
acquiring malicious traffic invading a honeypot terminal in a network; the network comprises upper management terminals, a first preset number of honeypot terminals and a second preset number of service terminals, wherein the honeypot terminals are of the same type as the service terminals;
determining, according to the malicious traffic, a target potential threat existing on the corresponding honeypot terminal, and obtaining a target repair policy corresponding to the target potential threat;
issuing the target repair policy, through a probe on the service terminal, to the service terminal having the target potential threat, so that the target potential threat is repaired according to the target repair policy;
receiving a repair policy execution result sent by the probe on an executed service terminal; the executed service terminal is a service terminal that has carried out potential threat repair according to the received target repair policy;
when it is determined from the repair policy execution result that the target potential threat on the corresponding executed service terminal has been repaired, setting the repair state of the target potential threat corresponding to that executed service terminal to repaired;
when it is determined from the repair policy execution result that the target potential threat on the corresponding executed service terminal has not been repaired, issuing the target repair policy to that executed service terminal again;
wherein determining, according to the malicious traffic, the target potential threat existing on the corresponding honeypot terminal and obtaining the target repair policy corresponding to the target potential threat comprises:
analysing the malicious traffic, and determining the target potential threat existing on the corresponding honeypot terminal according to the analysis result;
querying a preset repair policy library to obtain the target repair policy corresponding to the target potential threat; the repair policy library comprises the correspondence between each potential threat and each repair policy.
2. The repair method according to claim 1, further comprising:
when no target repair policy corresponding to the target potential threat can be found in the repair policy library, reporting, through a preset path, a new repair policy request packet carrying the target potential threat, and supplementing the repair policy library with the new repair policy fed back.
3. The repair method according to claim 1, wherein issuing the target repair policy to the service terminal having the target potential threat comprises:
issuing the target repair policy to every service terminal in the network.
4. The repair method according to claim 1, wherein issuing the target repair policy to the service terminal having the target potential threat comprises:
determining the target service terminals in the network on which the target potential threat exists;
issuing the target repair policy to the target service terminals.
5. The repair method according to claim 4, wherein determining the target service terminals in the network on which the target potential threat exists comprises:
issuing a target potential threat test packet to each service terminal in the network; wherein the target potential threat test packet is used to test harmlessly whether the target potential threat exists on a terminal;
receiving the threat test result returned by the probe preset on each service terminal, and determining, according to the threat test results, the target service terminals on which the target potential threat exists.
6. A system for repairing a potential threat in a terminal, comprising:
a malicious intrusion traffic receiving unit, configured to acquire malicious traffic intruding into a honeypot terminal in a network; the network comprises upper management terminals, a first preset number of honeypot terminals and a second preset number of service terminals, wherein the honeypot terminals are of the same type as the service terminals;
a potential threat and repair policy determining unit, configured to determine, according to the malicious traffic, a target potential threat existing on the corresponding honeypot terminal, and to obtain a target repair policy corresponding to the target potential threat;
a repair policy issuing unit, configured to issue the target repair policy, through a probe on the service terminal, to the service terminal having the target potential threat, so that the target potential threat is repaired according to the target repair policy;
an execution result receiving unit, configured to receive a repair policy execution result sent by the probe on an executed service terminal; the executed service terminal is a service terminal that has carried out potential threat repair according to the received target repair policy;
a repair success processing unit, configured to set the repair state of the target potential threat corresponding to the executed service terminal to repaired when it is confirmed from the repair policy execution result that the target potential threat on the executed service terminal has been repaired;
a repair failure processing unit, configured to issue the target repair policy to the corresponding executed service terminal again when it is determined from the repair policy execution result that the target potential threat on the executed service terminal has not been repaired;
wherein the potential threat and repair policy determining unit comprises:
a potential threat determining subunit, configured to analyse the malicious traffic and to determine the target potential threat existing on the corresponding honeypot terminal according to the analysis result;
a target repair policy query subunit, configured to query a preset repair policy library to obtain the target repair policy corresponding to the target potential threat; wherein the repair policy library comprises the correspondence between each potential threat and each repair policy.
7. The repair system according to claim 6, further comprising:
a new repair policy request and supplement unit, configured to report, through a preset path, a new repair policy request packet carrying the target potential threat when no target repair policy corresponding to the target potential threat can be found in the repair policy library, and to supplement the repair policy library with the new repair policy fed back.
8. The repair system according to claim 6, wherein the repair policy issuing unit comprises:
an all-terminals issuing subunit, configured to issue the target repair policy to every service terminal in the network.
9. The repair system according to claim 6, wherein the repair policy issuing unit comprises:
a target service terminal determining subunit, configured to determine the target service terminals in the network on which the target potential threat exists;
a precise issuing subunit, configured to issue the target repair policy to the target service terminals.
10. The repair system according to claim 9, wherein the target service terminal determining subunit comprises:
a threat test packet issuing module, configured to issue a target potential threat test packet to each service terminal in the network; wherein the target potential threat test packet is used to test harmlessly whether the target potential threat exists on a terminal;
a result receiving and target service terminal determining module, configured to receive the threat test result returned by the probe preset on each service terminal, and to determine, according to the threat test results, the target service terminals on which the target potential threat exists.
11. A device for repairing a potential threat in a terminal, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for repairing a potential threat in a terminal according to any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterised in that a computer program is stored on the computer-readable storage medium, which computer program, when executed by a processor, carries out the steps of the method for repairing a potential threat in a terminal according to any one of claims 1 to 5.
CN201811141055.9A 2018-09-28 2018-09-28 Method, system, device and storage medium for repairing potential threats in terminal Active CN109255243B (en)
Publications (2)

Publication Number Publication Date
CN109255243A CN109255243A (en) 2019-01-22
CN109255243B true CN109255243B (en) 2022-06-21