CN112350864B - Protection method, device, equipment and computer readable storage medium for domain control terminal

Info

Publication number: CN112350864B (granted patent); other version: CN112350864A
Application number: CN202011189940.1A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Inventors: 龚子倬, 范渊, 吴卓群
Original and current assignee: DBAPPSecurity Co Ltd

Classifications

    • H04L63/1425 Network security: detecting or protecting against malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L63/1433 Network security: vulnerability analysis
    • H04L63/1441 Network security: countermeasures against malicious traffic
    • G06F21/577 Security arrangements for computers: assessing vulnerabilities and evaluating computer system security
    • H04L41/0631 Network management: management of faults, events, alarms or notifications using root cause analysis or correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Network management: management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications


Abstract

The application relates to a protection method, device, equipment and computer readable storage medium for a domain control terminal. The protection method comprises the following steps: acquiring log information and traffic information of a domain control terminal; determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information; classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result; and acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information. The method and device address the problem in the related art that analysing the relevant information in a Windows domain takes a long time, and reduce that analysis time.

Description

Protection method, device, equipment and computer readable storage medium for domain control terminal
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a device, and a computer-readable storage medium for protecting a domain control terminal.
Background
With the widespread use of computers in social life, most enterprises have their own internal networks. Because the Windows operating system is so common, a Windows domain is used for unified management in most of these internal networks. Within a Windows domain the domain control terminal (the domain controller) occupies an increasingly important position: it has the authority to manage every machine and user in the domain and the relationships between them. The security of the domain control terminal is therefore the centre of gravity of security for the whole Windows domain. Although the Windows domain greatly simplifies internal management for network administrators, it also brings many security problems: the domain produces so much related information that analysing it manually through the domain's log system alone takes a great deal of time.
At present, the related art offers no effective solution to the problem that analysing the relevant information in a Windows domain takes a long time.
Disclosure of Invention
The embodiments of the application provide a protection method, device, equipment and computer readable storage medium for a domain control terminal, so as to at least solve the problem in the related art that the analysis of related information in a Windows domain takes a long time.
In a first aspect, an embodiment of the present application provides a method for protecting a domain control terminal, including:
acquiring log information and traffic information of a domain control terminal;
determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information;
classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, and the second classification result comprises one of the following: normal traffic information, suspicious traffic information and malicious traffic information;
and acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information.
In some embodiments, after the log information and the traffic information of the domain control terminal are acquired, the method further includes:
caching the log information and the traffic information in a Redis database respectively.
In some embodiments, after classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, the method further includes:
caching the first classification result and the second classification result.
In some of these embodiments, the first classification result comprises suspicious log information and the second classification result comprises suspicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information then includes:
raising an alarm on the suspicious log information and raising an alarm on the suspicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise alarm processing.
In some of these embodiments, the first classification result comprises malicious log information and the second classification result comprises malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information then includes:
acquiring a first operation address of the malicious log information and a second operation address of the malicious traffic information;
and blocking the first operation address and the second operation address, wherein the first preset processing rule and the second preset processing rule both comprise blocking processing.
In some embodiments, the first classification result comprises malicious log information and the second classification result comprises malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information then includes:
visualizing the malicious log information and the malicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise visualization processing.
In some of these embodiments, the first classification result comprises normal log information and the second classification result comprises normal traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information then includes:
marking the normal log information and the normal traffic information and releasing them, wherein the first preset processing rule and the second preset processing rule both comprise release processing.
In a second aspect, an embodiment of the present application further provides a protection device for a domain control terminal, including:
an acquisition module, configured to acquire log information and traffic information of the domain control terminal;
a determining module, configured to determine first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information;
a classification module, configured to classify the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and to classify the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, and the second classification result comprises one of the following: normal traffic information, suspicious traffic information and malicious traffic information;
and a processing module, configured to acquire a first preset processing rule corresponding to the first classification result to process the log information and to acquire a second preset processing rule corresponding to the second classification result to process the traffic information.
In a third aspect, an embodiment of the present application provides protection equipment for a domain control terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the protection method for the domain control terminal according to the first aspect when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the protection method for a domain control terminal according to the first aspect.
Compared with the related art, the protection method, device, equipment and computer readable storage medium for the domain control terminal provided by the embodiments of the application acquire the log information and the traffic information of the domain control terminal; determine first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information; classify the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result and classify the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of normal log information, suspicious log information and malicious log information, and the second classification result comprises one of normal traffic information, suspicious traffic information and malicious traffic information; and acquire a first preset processing rule corresponding to the first classification result to process the log information and a second preset processing rule corresponding to the second classification result to process the traffic information. This solves the problem in the related art that the analysis of related information in a Windows domain takes a long time, and reduces that analysis time.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below, which also make the features, objects and advantages of the application apparent.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a block diagram of the hardware structure of a terminal running the protection method for a domain control terminal according to an embodiment of the present application;
fig. 2 is a flowchart of a protection method for a domain control terminal according to an embodiment of the present application;
fig. 3 is a flowchart of a protection method for a domain control terminal according to a preferred embodiment of the present application;
fig. 4 is a block diagram of a protection apparatus for a domain control terminal according to a preferred embodiment of the present application;
fig. 5 is a schematic diagram of the operation flow of a data storage module according to an embodiment of the present application;
fig. 6 is a block diagram of protection equipment for a domain control terminal according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without making any creative effort belong to the protection scope of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the application, and that it is also possible for a person skilled in the art to apply the application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The use of the terms "including," "comprising," "having," and any variations thereof herein, is meant to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but rather can include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The method provided by the embodiment can be executed in a terminal, a computer or a similar operation device. Taking an operation on a terminal as an example, fig. 1 is a block diagram of a hardware structure of a terminal of the protection method for a domain control terminal according to the embodiment of the present application. As shown in fig. 1, the terminal may include one or more processors 102 (only one is shown in fig. 1) (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.) and a memory 104 for storing data, and optionally, the terminal may further include a transmission device 106 for communication functions and an input-output device 108. It will be understood by those skilled in the art that the structure shown in fig. 1 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the protection method of the domain control terminal in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the computer programs stored in the memory 104, so as to implement the above-mentioned method. The memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by the terminal's communication provider. In one example, the transmission device 106 includes a network interface card (NIC) that can be connected to other network devices through a base station to communicate with the internet. In another example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
The embodiment also provides a protection method of the domain control terminal. Fig. 2 is a flowchart of a protection method for a domain control terminal according to an embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, obtaining log information and traffic information of the domain control terminal.
In this step, a log information reporting module and a traffic information reporting module may be configured in advance at the domain control terminal; the log information is then obtained from the reports of the log information reporting module and the traffic information from the reports of the traffic information reporting module. Both the acquired log information and the acquired traffic information can carry vulnerability characteristics, attack characteristics, behaviour characteristics and the like.
It should be noted that the log information reporting module of the domain control terminal may, but is not limited to, collect and analyse logs using Microsoft's Sysmon monitoring program, so as to collect the log identifier (ID), source address (IP), request time and other detailed log information corresponding to the Microsoft Windows domain. The traffic information reporting module of the domain control terminal may, but is not limited to, collect and analyse traffic using Wireshark, so as to filter out protocol traffic information such as Kerberos, LDAP and SMB.
Step S202, first vulnerability characteristic information of log information and second vulnerability characteristic information of flow information are determined.
In this step, the first vulnerability characteristic information and the second vulnerability characteristic information may be determined according to vulnerability characteristics carried by the log information and the traffic information, for example, the first vulnerability characteristic information is detected in the log information, and the second vulnerability characteristic information is detected in the traffic information.
Step S203, classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, wherein the second classification result comprises one of the following items: normal traffic information, suspicious traffic information, and malicious traffic information.
In this step, the user may pre-configure a first preset classification rule for classifying vulnerability characteristic information corresponding to the log information, and may also pre-configure a second preset classification rule for classifying vulnerability characteristics corresponding to the traffic information.
For example, suspicious traffic information may be identified by, but not limited to, analysing the earlier operation history of the IP address associated with the traffic information and finding a high-risk operation that had not occurred before (for example, a domain administrator logon, enumeration of LDAP information, enumeration of DNS (domain name system) information, and the like). Malicious traffic information may be identified by, but not limited to, analysing the vulnerability characteristics associated with the traffic information. Likewise, suspicious log information may be identified by analysing the earlier operation history of the IP address associated with the log information and finding a high-risk operation that had not occurred before (domain administrator logon, LDAP enumeration, DNS enumeration, and the like), and malicious log information by analysing the vulnerability characteristics associated with the log information. The classification method in the embodiments of the present application is not limited to the above; the user may also set the classification method according to the actual scenario.
It should be noted that the first preset classification rule may be a rule for classifying the log information into normal log information, suspicious log information, or malicious log information according to vulnerability feature information of the log information; the second preset classification rule may be a rule for classifying the traffic information into normal traffic information, suspicious traffic information, or malicious traffic information according to the vulnerability characteristic information of the traffic information.
Step S204, acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the traffic information.
In this step, the first preset processing rule and the second preset processing rule may be configured in advance, and the log information and the traffic information are processed according to the processing rule corresponding to their classification result.
Based on the above steps S201 to S204, the embodiments of the present application extract the vulnerability characteristic information corresponding to the log information and the traffic information, classify the log information and the traffic information according to that vulnerability characteristic information, and finally process the log information and the traffic information according to their classification results. It is therefore no longer necessary to analyse all relevant information in the Windows domain; only the information selected by its vulnerability characteristics needs to be analysed. This solves the problem in the related art that the analysis of relevant information in a Windows domain takes a long time, and reduces that analysis time.
At the same time, because the log information and the traffic information are classified and processed by the preset classification rules and preset processing rules, no manual analysis is needed, the amount of manual operation is reduced, and the analysis time of the relevant information in the Windows domain is reduced further.
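As an added illustration of steps S201 to S204 (this is not code from the patent or from DBAPPSecurity), the following Python sketch runs the whole procedure over constructed input: log records in the shape the Sysmon-based reporter is described as producing (event ID, source IP, time, message), traffic records after a Kerberos/LDAP/SMB protocol filter, a per-IP baseline of previously seen operations, and placeholder vulnerability-signature strings. The classification rule follows the page: a vulnerability signature makes a record malicious, a high-risk operation (domain administrator logon, LDAP or DNS enumeration) not present in that IP's baseline makes it suspicious, and everything else is normal; the processing rules map normal to release, suspicious to alarm, and malicious to address blocking plus a visualization record. All record values, the baseline, the signature strings and the function names are assumptions made for the example.

```python
# Added example of the S201-S204 pipeline; all inputs below are constructed.

# Placeholders standing in for the page's "vulnerability characteristics".
# They are not real indicators; any real deployment would load its own set.
VULN_SIGNATURES = {"PLACEHOLDER-VULN-SIG-A", "PLACEHOLDER-VULN-SIG-B"}

# High-risk operations named on the page, as the feature tags the extractors emit.
HIGH_RISK_OPS = {"domain_admin_logon", "ldap_enum", "dns_enum"}

# Constructed per-IP baseline: operations already seen from each address before
# the current analysis window. A high-risk op absent from the baseline is the
# "high-risk operation that did not exist before" the page uses for "suspicious".
BASELINE = {
    "10.0.0.5": {"logon", "kerberos_as_req"},
    "10.0.0.7": {"logon"},
    "10.0.0.9": {"logon", "smb_write"},
}

# Constructed log records (event id, source IP, request time, message).
LOG_RECORDS = [
    {"id": 4624, "ip": "10.0.0.5", "time": "2020-10-01T08:00:00Z", "msg": "logon user=alice"},
    {"id": 4624, "ip": "10.0.0.7", "time": "2020-10-01T08:01:00Z", "msg": "logon user=Administrator"},
    {"id": 1, "ip": "10.0.0.9", "time": "2020-10-01T08:02:00Z", "msg": "process create PLACEHOLDER-VULN-SIG-A"},
]

# Constructed traffic records after a protocol filter; "sig" is a matched
# signature from the traffic analyser, or None.
TRAFFIC_RECORDS = [
    {"ip": "10.0.0.5", "proto": "Kerberos", "op": "AS-REQ", "sig": None},
    {"ip": "10.0.0.7", "proto": "LDAP", "op": "search base=DC=corp scope=subtree", "sig": None},
    {"ip": "10.0.0.9", "proto": "SMB", "op": "write", "sig": "PLACEHOLDER-VULN-SIG-B"},
]


def log_features(rec):
    """S202, first vulnerability characteristic information: tags from a log record."""
    feats = set()
    if rec["id"] == 4624:                      # constructed: treat 4624 as a logon event
        feats.add("logon")
        if "user=Administrator" in rec["msg"]:
            feats.add("domain_admin_logon")
    for sig in VULN_SIGNATURES:
        if sig in rec["msg"]:
            feats.add("vuln:" + sig)
    return feats


def traffic_features(rec):
    """S202, second vulnerability characteristic information: tags from a traffic record."""
    feats = set()
    if rec["proto"] == "Kerberos" and rec["op"] == "AS-REQ":
        feats.add("kerberos_as_req")
    elif rec["proto"] == "LDAP" and rec["op"].startswith("search") and "scope=subtree" in rec["op"]:
        feats.add("ldap_enum")                 # subtree search of the whole directory
    elif rec["proto"] == "DNS" and rec["op"] == "zone_transfer":
        feats.add("dns_enum")
    elif rec["proto"] == "SMB" and rec["op"] == "write":
        feats.add("smb_write")
    if rec.get("sig") in VULN_SIGNATURES:
        feats.add("vuln:" + rec["sig"])
    return feats


def classify(ip, feats, baseline):
    """S203 preset classification rule, identical in shape for both sources:
    signature match -> malicious; unseen high-risk op -> suspicious; else normal."""
    if any(f.startswith("vuln:") for f in feats):
        return "malicious"
    seen = baseline.get(ip, set())
    if any(f in HIGH_RISK_OPS and f not in seen for f in feats):
        return "suspicious"
    return "normal"


def process(classified):
    """S204 preset processing rules: normal -> mark and release, suspicious -> alarm,
    malicious -> block the operation address and record it for visualization."""
    out = {"released": [], "alarms": [], "blocked": set(), "visualize": []}
    for source, ip, label in classified:
        if label == "normal":
            out["released"].append((source, ip))
        elif label == "suspicious":
            out["alarms"].append((source, ip))
        else:
            out["blocked"].add(ip)
            out["visualize"].append((source, ip))
    return out


def run_pipeline(logs=LOG_RECORDS, traffic=TRAFFIC_RECORDS, baseline=BASELINE):
    """S201-S204 end to end; returns (classification results, processing actions)."""
    classified = [("log", r["ip"], classify(r["ip"], log_features(r), baseline)) for r in logs]
    classified += [("traffic", r["ip"], classify(r["ip"], traffic_features(r), baseline)) for r in traffic]
    return classified, process(classified)


if __name__ == "__main__":
    results, actions = run_pipeline()
    for row in results:
        print(row)
    print(actions)
```

The baseline is what makes "suspicious" meaningful: the same domain administrator logon that is flagged from 10.0.0.7 would be released as normal from an address whose baseline already contains it, so the quality of the per-IP history governs the false-positive rate of this rule.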
In some embodiments, after the log information and the traffic information of the domain control terminal are acquired, the following step is further performed: caching the log information and the traffic information in a Redis database respectively.
It should be noted that, in practical applications, the volume of traffic information and log information in a Windows domain may be very large; to prevent any of this information from being missed, the log information and the traffic information may be held in the Redis database as a cache.
In some embodiments, after classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, the following steps are further performed: and caching the first classification result and the second classification result.
By caching the first classification result and the second classification result through the steps, the subsequent user can check the first classification result and the second classification result conveniently, and the subsequent user can perform corresponding operation on the log information corresponding to the first classification result and the flow information corresponding to the second classification result conveniently.
In some of these embodiments, the first classification result includes suspicious log information and the second classification result includes suspicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information includes the following step: raising an alarm for the suspicious log information and raising an alarm for the suspicious traffic information, wherein the first preset processing rule and the second preset processing rule both include alarm processing.
Through this step an alarm is raised for the suspicious log information and for the suspicious traffic information, so that any suspicious traffic information or suspicious log information triggers an alarm.
Meanwhile, in some optional embodiments, the suspicious log information and/or the suspicious traffic information may also be sent to a preset user terminal.
In some of these embodiments, the first classification result includes malicious log information and the second classification result includes malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information includes the following steps: acquiring a first operation address of the malicious log information and a second operation address of the malicious traffic information; and blocking the first operation address and the second operation address, wherein the first preset processing rule and the second preset processing rule both include blocking processing.
Through these steps the first operation address of the malicious log information and the second operation address of the malicious traffic information are acquired, and the first operation address and the second operation address are blocked, so that the operation address corresponding to the malicious traffic information or the malicious log information is blocked. This prevents an operation issued from that operation address from threatening the domain control terminal and leaking security information, and improves the security of the domain control terminal.
Meanwhile, in some optional embodiments, malicious log information and/or malicious traffic information may also be sent to a preset user terminal.
In some of these embodiments, the first classification result includes malicious log information and the second classification result includes malicious traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information includes the following step: visualizing the malicious log information and the malicious traffic information, wherein the first preset processing rule and the second preset processing rule both include visualization processing.
By visualizing the malicious log information and the malicious traffic information through this step, the malicious traffic information and the malicious log information are displayed so that a user can monitor them.
In some of these embodiments, the first classification result includes normal log information and the second classification result includes normal traffic information; acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information includes the following step: marking the normal log information and the normal traffic information, and releasing the normal log information and the normal traffic information, wherein the first preset processing rule and the second preset processing rule both include release processing.
Through this step the normal log information and the normal traffic information are marked and then released, so that the release of the normal log information and the normal traffic information is realized.
It should be noted that the releasing in this embodiment may release only the operation corresponding to the normal log information and/or the normal traffic information.
It should be noted that an alarm is raised for the suspicious log information and the suspicious traffic information so as to notify the user to perform the corresponding operation; meanwhile, the operation address corresponding to the malicious log information and the malicious traffic information is blocked, so that this operation address can no longer perform the corresponding operation on the domain control terminal, which improves the security of the domain control terminal; moreover, the malicious log information and the malicious traffic information are displayed visually, so that the user can conveniently monitor them.
It should be noted that, in this embodiment, the malicious traffic information, the suspicious traffic information, the malicious log information and the suspicious log information may also be marked.
In this embodiment, the unified management and processing of the acquired log information and traffic information data meets the network administrator's needs for security management of the domain controller.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 3 is a flowchart of a protection method for a domain-controlled terminal according to a preferred embodiment of the present application. As shown in fig. 3, the method includes:
step S301, acquiring log information and flow information of a domain control terminal;
step S302, caching the log information and the flow information to a Redis database;
In this step, the log information and the traffic information are cached in the Redis database so that the data is buffered and the log information and traffic information collected from the domain control terminal do not accumulate excessively.
It should be noted that the log information and the traffic information may be stored separately, so that the corresponding information can be acquired in step S303. For example, sub-database A in the Redis database may store the log information and sub-database B may store the traffic information.
Step S303, obtaining the log information and the flow information from the Redis database.
Step S304, determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the flow information.
Step S305, classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result.
In this step, classifying the first vulnerability characteristic information according to a first preset classification rule may include the following steps:
step A, acquiring the ID corresponding to the log information of the Windows domain, and matching a rule according to that ID;
step B, acquiring the other log information recorded at time points near that of the matched entry for the account/machine corresponding to the rule matched in step A;
step C, judging whether the other log information conforms to the corresponding attack rule flow; if yes, executing step D, otherwise executing step E;
step D, classifying the first vulnerability characteristic information according to the first preset classification rule, and marking it;
step E, marking the log information as normal log information.
In this step, classifying the second vulnerability characteristic information according to a second preset classification rule may include the steps of:
step F, acquiring the ID corresponding to the traffic information of the Windows domain, and matching a rule according to that ID;
step G, acquiring the other traffic information of the same protocol recorded at time points near that of the matched entry for the account/machine corresponding to the rule matched in step F;
step H, judging whether the other traffic information of the same protocol conforms to the corresponding attack rule flow; if yes, executing step I, otherwise executing step J;
step I, classifying the second vulnerability characteristic information according to the second preset classification rule, and marking it;
step J, classifying the second vulnerability characteristic information as normal traffic information and marking it as such.
It should be noted that the first classification result may include one of the following: normal log information, suspicious log information, and malicious log information, and the second classification result may include one of: normal traffic information, suspicious traffic information, and malicious traffic information.
Step S306, obtaining a preset processing rule corresponding to the first classification result, processing the log information, obtaining a preset processing rule corresponding to the second classification result, and processing the traffic information.
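Steps A to E and S306 above, worked through in code as an added example that is not part of the patent: a rule is matched by event ID, the other entries for the same account or machine inside a time window are gathered, an attack-flow check yields normal/suspicious/malicious, and the preset processing rule for that result (mark and release, alarm, block and visualize) is applied. The two rules, their thresholds, the event IDs, the field names and the sample entries are constructed for illustration; the traffic-side steps F to J have the same shape with a protocol filter in place of the event ID.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Set

NORMAL, SUSPICIOUS, MALICIOUS = "normal", "suspicious", "malicious"

@dataclass(frozen=True)
class LogEntry:
    time: datetime
    event_id: int    # Windows security event ID; step A matches rules by it
    account: str
    machine: str     # domain controller that recorded the event
    source_ip: str   # address the operation came from (the "operation address")

@dataclass
class Rule:
    name: str
    trigger_ids: Set[int]   # step A: event IDs the rule is matched against
    window: timedelta       # step B: how far "near the time point" reaches
    check: Callable[[LogEntry, List[LogEntry]], Optional[str]]  # step C

def nearby_entries(entry, entries, window):
    """Step B: other entries for the same account or machine inside the window."""
    return [e for e in entries if e is not entry and abs(e.time - entry.time) <= window
            and (e.account == entry.account or e.machine == entry.machine)]

def failed_logon_burst(entry, nearby):
    """Step C for logon events (constructed rule): five or more failures (4625) from
    one address are suspicious; a success (4624) from it after the first failure is malicious."""
    same_src = [e for e in nearby + [entry] if e.source_ip == entry.source_ip]
    failures = [e for e in same_src if e.event_id == 4625]
    if len(failures) < 5:          # threshold is constructed for the example
        return None
    first_failure = min(e.time for e in failures)
    if any(e.event_id == 4624 and e.time > first_failure for e in same_src):
        return MALICIOUS
    return SUSPICIOUS

def preauth_failure_spread(entry, nearby):
    """Step C for Kerberos pre-authentication failures (4771, constructed rule):
    one address failing for three or more distinct accounts is suspicious."""
    accounts = {e.account for e in nearby + [entry]
                if e.event_id == 4771 and e.source_ip == entry.source_ip}
    return SUSPICIOUS if len(accounts) >= 3 else None

# Constructed stand-in for the "first preset classification rule".
RULES = [
    Rule("logon-failure-burst", {4624, 4625}, timedelta(minutes=5), failed_logon_burst),
    Rule("preauth-failure-spread", {4771}, timedelta(minutes=10), preauth_failure_spread),
]

def classify(entry, entries, rules=RULES):
    """Steps A-E: match by event ID, gather nearby entries, run the attack-flow
    check; an entry that no rule flags is marked normal (step E)."""
    for rule in rules:
        if entry.event_id in rule.trigger_ids:
            verdict = rule.check(entry, nearby_entries(entry, entries, rule.window))
            if verdict is not None:
                return verdict, rule.name
    return NORMAL, None

# Step S306: the preset processing rule selected by the classification result.
PROCESSING_RULES = {NORMAL: ("mark", "release"), SUSPICIOUS: ("alarm",),
                    MALICIOUS: ("block", "visualize")}

@dataclass
class Processor:
    blocked: Set[str] = field(default_factory=set)          # data blocking unit
    alarms: List[str] = field(default_factory=list)         # data alarm unit
    operation_log: List[str] = field(default_factory=list)  # analysis storage unit

    def process(self, entry, verdict, rule_name):
        actions = PROCESSING_RULES[verdict]
        for action in actions:
            if action == "block":
                self.blocked.add(entry.source_ip)   # block the operation address
            elif action == "alarm":
                self.alarms.append(f"{rule_name}: {entry.account} from {entry.source_ip}")
            self.operation_log.append(f"{entry.time.isoformat()} {entry.event_id} {verdict} {action}")
        return actions

def run(entries, rules=RULES):
    """Classify each entry against the whole batch, then apply its processing rule."""
    proc = Processor()
    verdicts = []
    for entry in entries:
        verdict, rule_name = classify(entry, entries, rules)
        proc.process(entry, verdict, rule_name)
        verdicts.append(verdict)
    return verdicts, proc

# Constructed sample entries, all recorded on one domain controller.
T0 = datetime(2024, 1, 1, 9, 0, 0)

def _e(sec, event_id, account, ip):
    return LogEntry(T0 + timedelta(seconds=sec), event_id, account, "DC01", ip)

SAMPLE_ENTRIES = (
    [_e(0, 4624, "alice", "10.0.0.5")]                          # ordinary logon
    + [_e(10 + i, 4625, "bob", "10.0.0.99") for i in range(6)]  # six failures
    + [_e(30, 4624, "bob", "10.0.0.99")]                        # then a success
    + [_e(100 + i, 4771, a, "10.0.0.77") for i, a in enumerate(["carol", "dave", "erin"])]
)
```

Running `run(SAMPLE_ENTRIES)` marks alice's logon normal and releases it, classifies bob's burst as malicious and blocks 10.0.0.99, and raises one alarm per 4771 entry from 10.0.0.77.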
Fig. 4 is a block diagram of a protection device of a domain-controlled terminal according to a preferred embodiment of the present application. As shown in fig. 4, the protection apparatus for a domain controlled terminal includes:
and the domain control terminal 41 comprises a log information acquisition unit and a flow information acquisition module.
The log information acquisition unit is used for acquiring log information, and the flow information acquisition unit is used for acquiring flow information. The log information collection module may write a Windows driver, load the driver by the domain control terminal 41, and hold the Windows Event program by Hook, and finally obtain the security log information related to the domain control terminal 41 in the Windows domain. The flow information acquisition module can monitor the network flow of the domain control terminal in the Windows domain through npcap drive, and then extracts and stores corresponding SMB flow, LDAP flow and kerberos flow.
It should be noted that the related security log information and the corresponding attack methods can be represented by Table 1, the log information and attack method association table. [Table 1 appears on the original page only as an image and is not reproduced here.]
And a data processing module 42, wherein the data processing module 42 includes a Redis data storage unit, a log information classification unit, a traffic information classification unit, a log information matching unit, a traffic information matching unit, a log information analysis storage unit, and a traffic information analysis storage unit.
The Redis data storage unit is used for storing the acquired log information and flow information in the domain control terminal 41; the log information classification unit is used for determining vulnerability characteristic information of the log information in the Redis data storage unit and classifying the vulnerability characteristic information; the flow information classification unit is used for determining vulnerability characteristic information corresponding to the flow information in the Redis data storage unit and classifying the vulnerability characteristic information; the log information matching unit is used for matching and processing the corresponding processing rule according to the log information classification result; the flow information matching unit is used for matching and processing the corresponding processing rule according to the flow information classification result; the log information analysis storage unit is used for storing an operation log generated in the process of analyzing the log information; the flow information analysis storage unit is used for storing operation logs generated in the process of analyzing the flow information.
The data storage module 43 includes a data indexing unit, a data alarm unit and a data blocking unit. The data indexing unit may use Elasticsearch as its back-end engine; Elasticsearch supports tokenized search, and the unit stores and indexes the log information or traffic information by attacker and uses a neo4j relationship graph database to display the relation graph corresponding to the attack path and an attack profile of the potential attacker, so that the visualization is more direct. The data alarm unit may perform the corresponding alarm operation according to the processing results of the log information classification unit and the traffic information classification unit. The data blocking unit may perform the corresponding blocking operation according to the processing results of the log information classification unit and the traffic information classification unit.
It should be noted that Elasticsearch is a distributed, highly scalable, near-real-time search and data analysis engine. It conveniently gives large amounts of data the capability of being searched, analyzed and explored, and making full use of the horizontal scalability of Elasticsearch makes the data more valuable in a production environment. The working principle of Elasticsearch is mainly divided into the following steps: first, the user submits data to the Elasticsearch database; then a tokenizer splits the corresponding sentences into terms, and the weights and the tokenization results are stored with the data; when the user searches the data, the results are ranked and scored according to the weights, and the returned results are presented to the user.
Fig. 5 is a schematic diagram of the operation flow of the data storage module according to an embodiment of the present application. As shown in fig. 5, first, the processing result of the data processing module may be obtained, and the traffic information and log information corresponding to the processing result are indexed by Elasticsearch and visualized by the neo4j relationship graph database. Meanwhile, suspicious traffic information and suspicious log information from the data processing module can be sent to a preset user terminal so as to inform the user to perform the corresponding operation. Malicious traffic information and malicious log information from the data processing module can also be sent to the domain control terminal, so that the domain control terminal blocks the terminal or terminal account corresponding to the malicious traffic information and the malicious log information, for example by sending blocking information; malicious traffic information and malicious log information from the data processing module can also be sent to a preset user terminal to inform the user to perform the corresponding operation.
It should be noted that the sending to the preset user terminal may be, but is not limited to, by SMS, email, etc.
Through the embodiment, the method for protecting the domain control terminal is realized based on the log information and the flow information, and the problems of various vulnerabilities and complex penetration attack methods existing in the Windows domain environment in the related technology are effectively solved.
The embodiment of the application also provides a method for judging the association between the log information and the traffic information. The method combines the log information/traffic information at the relevant time of the user/machine in the Windows domain to analyze and judge whether the operation corresponding to the log information and the traffic information is a malicious operation; it can analyze malicious attack behavior in time and reduce the misjudgments of pure rule matching.
The embodiment of the application also provides a method for judging and visually displaying the attack mode in the Windows domain. The attack path and the related terminals of the attacker corresponding to the log information and the traffic information can be displayed through a Neo4j relationship graph database, so that the network administrator can visually see the attacker's attack path on the internal network, the affected area, the attack source, the key time nodes of the attack, the attacking machine and other information.
Fig. 6 is a block diagram of a protection device of a domain-controlled terminal according to an embodiment of the present application, and as shown in fig. 6, the device includes:
the acquisition module 61 is configured to acquire log information and traffic information of the domain control terminal;
a determining module 62, coupled to the obtaining module 61, configured to determine first vulnerability characteristic information of the log information and second vulnerability characteristic information of the traffic information;
a classification module 63, coupled to the determination module 62, configured to classify the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classify the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, where the first classification result includes one of the following: normal log information, suspicious log information and malicious log information, wherein the second classification result comprises one of the following items: normal flow information, suspicious flow information and malicious flow information;
and the processing module 64 is coupled to the classifying module 63 and configured to obtain a first preset processing rule corresponding to the first classification result to process the log information and obtain a second preset processing rule corresponding to the second classification result to process the traffic information.
In some of these embodiments, the apparatus further includes a first cache module configured to cache the log information and the traffic information separately in a Redis database.
In some embodiments, the apparatus further includes a second cache module configured to cache the first classification result and the second classification result.
In some of these embodiments, the processing module 64 includes an alarm unit configured to raise an alarm for suspicious log information and to raise an alarm for suspicious traffic information, wherein the first preset processing rule and the second preset processing rule both include alarm processing.
In some of these embodiments, the processing module 64 includes an acquisition unit configured to acquire a first operation address of the malicious log information and a second operation address of the malicious traffic information, and a blocking unit configured to block the first operation address and the second operation address, wherein the first preset processing rule and the second preset processing rule both include blocking processing.
In some of these embodiments, the processing module 64 includes a visualization unit configured to visualize the malicious log information and the malicious traffic information, wherein the first preset processing rule and the second preset processing rule both include visualization processing.
In some of these embodiments, the processing module 64 includes a marking unit configured to mark the normal log information and the normal traffic information, and a release unit configured to release the normal log information and the normal traffic information, wherein the first preset processing rule and the second preset processing rule both include release processing.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules may be located in different processors in any combination.
In addition, with reference to the protection method of the domain control terminal in the foregoing embodiment, the embodiment of the present application may be implemented by providing a computer-readable storage medium. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement the protection method for the domain control terminal in any of the above embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, and these are all within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A protection method of a domain control terminal is characterized by comprising the following steps:
acquiring log information and flow information of a domain control terminal;
determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the flow information;
classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, wherein the second classification result comprises one of the following items: normal flow information, suspicious flow information and malicious flow information;
and acquiring a first preset processing rule corresponding to the first classification result to process the log information, and acquiring a second preset processing rule corresponding to the second classification result to process the flow information.
2. The method for protecting a domain-controlled terminal according to claim 1, wherein after acquiring the log information and the traffic information of the domain-controlled terminal, the method further comprises:
and caching the log information and the flow information to a Redis database respectively.
3. The method for protecting the domain control terminal according to claim 1, wherein after classifying the first vulnerability characteristic information according to the first preset classification rule to obtain the first classification result and classifying the second vulnerability characteristic information according to the second preset classification rule to obtain the second classification result, the method further comprises:
and caching the first classification result and the second classification result.
4. The method for protecting a domain-controlled terminal according to claim 1, wherein the first classification result comprises suspicious log information and the second classification result comprises suspicious traffic information; and acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
raising an alarm for the suspicious log information and raising an alarm for the suspicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise alarm processing.
5. The method for protecting a domain-controlled terminal according to claim 1, wherein the first classification result comprises malicious log information and the second classification result comprises malicious traffic information; and acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
acquiring a first operation address of the malicious log information and a second operation address of the malicious traffic information;
and blocking the first operation address and the second operation address, wherein the first preset processing rule and the second preset processing rule both comprise blocking processing.
6. The method for protecting a domain-controlled terminal according to claim 1, wherein the first classification result comprises malicious log information and the second classification result comprises malicious traffic information; and acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
visualizing the malicious log information and the malicious traffic information, wherein the first preset processing rule and the second preset processing rule both comprise visualization processing.
7. The method for protecting a domain-controlled terminal according to claim 1, wherein the first classification result comprises normal log information and the second classification result comprises normal traffic information; and acquiring the first preset processing rule corresponding to the first classification result to process the log information and acquiring the second preset processing rule corresponding to the second classification result to process the traffic information comprises:
marking the normal log information and the normal traffic information, and releasing the normal log information and the normal traffic information, wherein the first preset processing rule and the second preset processing rule both comprise release processing.
8. A protection device of a domain control terminal is characterized by comprising:
the acquisition module is used for acquiring the log information and the flow information of the domain control terminal;
the determining module is used for determining first vulnerability characteristic information of the log information and second vulnerability characteristic information of the flow information;
the classification module is used for classifying the first vulnerability characteristic information according to a first preset classification rule to obtain a first classification result, and classifying the second vulnerability characteristic information according to a second preset classification rule to obtain a second classification result, wherein the first classification result comprises one of the following: normal log information, suspicious log information and malicious log information, wherein the second classification result comprises one of the following items: normal traffic information, suspicious traffic information, and malicious traffic information;
and the processing module is used for acquiring a first preset processing rule corresponding to the first classification result to process the log information and acquiring a second preset processing rule corresponding to the second classification result to process the flow information.
9. A protection apparatus of a domain-controlled terminal, comprising a memory, a processor, and a computer program stored on the memory and running on the processor, wherein the processor implements the protection method of the domain-controlled terminal according to any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, the program implementing the protection method of a domain-controlled terminal according to any one of claims 1 to 7 when executed by a processor.
CN202011189940.1A 2020-10-30 2020-10-30 Protection method, device, equipment and computer readable storage medium for domain control terminal Active CN112350864B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011189940.1A CN112350864B (en) 2020-10-30 2020-10-30 Protection method, device, equipment and computer readable storage medium for domain control terminal


Publications (2)

Publication Number Publication Date
CN112350864A CN112350864A (en) 2021-02-09
CN112350864B true CN112350864B (en) 2022-07-22

Family

ID=74356739


Country Status (1)

Country Link
CN (1) CN112350864B (en)


Also Published As

Publication number Publication date
CN112350864A (en) 2021-02-09

Similar Documents

Publication Publication Date Title
US9069954B2 (en) Security threat detection associated with security events and an actor category model
CN110809010B (en) Threat information processing method, device, electronic equipment and medium
US20160164893A1 (en) Event management systems
US20160019388A1 (en) Event correlation based on confidence factor
CN111163115A (en) Internet of things safety monitoring method and system based on double engines
CN111092852A (en) Network security monitoring method, device, equipment and storage medium based on big data
CN104038466B (en) Intruding detection system, method and apparatus for cloud computing environment
CN111600863B (en) Network intrusion detection method, device, system and storage medium
WO2011153227A2 (en) Dynamic multidimensional schemas for event monitoring priority
WO2011149773A2 (en) Security threat detection associated with security events and an actor category model
CN113542227A (en) Account security protection method and device, electronic device and storage medium
CN114139178A (en) Data link-based data security monitoring method and device and computer equipment
CN112350864B (en) Protection method, device, equipment and computer readable storage medium for domain control terminal
CN113098852B (en) Log processing method and device
CN111049853A (en) Security authentication system based on computer network
CN110958267B (en) Method and system for monitoring threat behaviors in virtual network
CN115567258A (en) Network security situation awareness method, system, electronic device and storage medium
CN113343231A (en) Data acquisition system of threat information based on centralized management and control
CN106993005A (en) The method for early warning and system of a kind of webserver
CN107124390B (en) Security defense and implementation method, device and system of computing equipment
KR100868195B1 (en) Method and apparatus for managing database by using monitoring function
CN116055083B (en) Method for improving network security and related equipment
CN115412359B (en) Web application security protection method and device, electronic equipment and storage medium
Chen et al. A wireless intrusion Alerts Clustering Method for mobile internet
CN117040916A (en) Secret-stealing detection method device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant