CN112788034B - Processing method and device for resisting network attack, electronic equipment and storage medium - Google Patents


Info

Publication number
CN112788034B
Authority
CN
China
Prior art keywords
suspicious
attack
type
attack traffic
suspicious attack
Legal status
Active
Application number
CN202110041910.4A
Other languages
Chinese (zh)
Other versions
CN112788034A (en)
Inventor
武志勇
Current Assignee
Taikang Insurance Group Co Ltd
Original Assignee
Taikang Insurance Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure provides a processing method and device for resisting network attacks, electronic equipment and a storage medium, and relates to the technical field of computers. The processing method for resisting the network attack comprises the following steps: identifying an attack object of a network flow inlet, and sending data of the attack object to a web application firewall for screening; determining suspicious attack flow according to the screening result of the web application firewall on the attack object; performing feature identification on suspicious attack traffic; determining whether first-class suspicious attack traffic or second-class suspicious attack traffic exists according to the feature identification result; if the first type of suspicious attack traffic exists, leading the first type of suspicious attack traffic into a simulation running environment; and if the second type of suspicious attack traffic exists, importing the second type of suspicious attack traffic into the real operation environment. By the technical scheme, the efficiency and the reliability of resisting network attacks are improved, and the interference on a service system in a real operating environment is reduced.

Description

Processing method and device for resisting network attack, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for processing network attacks, an electronic device, and a storage medium.
Background
Hacking approaches can be divided into non-destructive attacks and destructive attacks, wherein the non-destructive attacks are generally used to disturb the operation of the system and not to steal the system data, and generally a denial of service attack or an information bomb is used, and the destructive attacks are intended to intrude into another computer system, steal the system secret information, and destroy the data of the target system.
Backdoor programs, information bombs, denial of service, network snooping, DDoS (Distributed Denial of Service) and the like are common hacker attack means.
In the related art, hackers attack with a variety of tools, most of them obtained from the internet. On the one hand, screening real attack events out of massive attack-alarm data is labour-intensive and inefficient; on the other hand, the process of identifying and screening attack traffic interferes with the normal operation of the real operating environment.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure aims to provide a processing method, an apparatus, an electronic device and a storage medium for countering network attacks, which at least to some extent solve the technical problem of low efficiency of screening out real attack events.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to one aspect of the present disclosure, a processing method for resisting network attacks is provided, which includes: identifying an attack object of a network flow inlet, and sending data of the attack object to a web application firewall for screening; determining suspicious attack flow according to the screening result of the web application firewall on the attack object; performing feature identification on suspicious attack traffic; determining whether a first type of suspicious attack traffic or a second type of suspicious attack traffic exists according to the feature identification result; if the first type of suspicious attack traffic exists, the first type of suspicious attack traffic is led into the simulation operation environment; and if the second type of suspicious attack traffic exists, importing the second type of suspicious attack traffic into the real operation environment.
In one embodiment of the present disclosure, the performing feature identification on suspicious attack traffic includes: analyzing a network protocol address and a characteristic statement in a data packet of suspicious attack traffic; and determining the matched abnormal log record according to the network protocol address and the characteristic statement.
In one embodiment of the present disclosure, the exception log record includes at least one of an antivirus log record, an intelligence log record, and a historical log record.
In an embodiment of the present disclosure, if there is a first type of suspicious attack traffic, importing the first type of suspicious attack traffic into the simulation running environment includes: if the first type of suspicious attack traffic exists, recording quintuple information of a data packet of the first type of suspicious attack traffic; caching the network interaction request of the first class of suspicious attack traffic; identifying a service system which requests access in the cached network interaction request; and in the simulation operation environment, leading the first class of suspicious attack flow into a service system according to the quintuple information.
In an embodiment of the present disclosure, the honeypot system is preset in the simulation operating environment, and if there is a first type of suspicious attack traffic, the importing the first type of suspicious attack traffic into the simulation operating environment further includes: identifying suspicious attack traffic of the environmental detection class through a honeypot system; in the simulation operation environment, suspicious attack traffic of the environment detection class is led into a service system which requests to access through the identification record of the honeypot system.
In one embodiment of the present disclosure, the processing method for countering network attacks further includes: judging whether a first class of suspicious attack traffic in a service system has an attack behavior; detecting a trigger item generated by a service system according to the attack behavior; and switching the first type of suspicious attack traffic to a real operating environment or blocking access interaction of the first type of suspicious attack traffic according to the trigger item.
In an embodiment of the present disclosure, switching the first class of suspicious attack traffic to a real operating environment or blocking access interaction of the first class of suspicious attack traffic according to the trigger includes: determining the times of various attack behaviors according to the trigger items; comparing the magnitude relation between the times and the preset times; if the times are less than or equal to the preset times, switching the first type of suspicious attack traffic to a real operation environment; and if the times are more than the preset times, blocking the access interaction of the first type of suspicious attack traffic.
In an embodiment of the present disclosure, switching the first type of suspicious attack traffic to a real operating environment or blocking access interaction of the first type of suspicious attack traffic according to the trigger further includes: and accessing subsequent traffic which is the same as the network protocol address of the first class of suspicious attack traffic switched to the real operating environment.
In an embodiment of the present disclosure, the trigger item includes at least one of an external interaction request, a newly added log, and a newly added process of the service system.
According to another aspect of the present disclosure, there is provided a processing apparatus for countering a network attack, including: the screening module is used for identifying an attack object of a network flow inlet and sending data of the attack object to a web application firewall for screening; the determining module is used for determining suspicious attack flow according to the screening result of the web application firewall on the attack object; the identification module is used for carrying out characteristic identification on the suspicious attack flow; the determining module is further used for determining whether the first type of suspicious attack traffic or the second type of suspicious attack traffic exists according to the feature identification result; the processing module is used for leading the first type of suspicious attack traffic into the simulation running environment if the first type of suspicious attack traffic exists; the processing module is further configured to, if a second type of suspicious attack traffic exists, import the second type of suspicious attack traffic into the real operating environment.
According to still another aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions for the processor; wherein the processor is configured to execute any one of the above processing methods for resisting network attacks by executing the executable instructions.
According to yet another aspect of the present disclosure, there is provided a computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the processing method for resisting network attacks of any one of the above.
According to the processing scheme for resisting the network attack, after the attack object at the network flow inlet is screened and identified, the first type of suspicious attack flow is led into the simulation operation environment, the efficiency and the reliability for resisting the network attack are improved, the second type of suspicious attack flow without attack force is led into the real operation environment, the interaction and the access of the real operation environment are realized, and the interference on the service system of the real operation environment is reduced.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 is a flow chart illustrating a method for handling network attacks in an embodiment of the present disclosure;
FIG. 2 is a flow chart of another processing method for countering network attacks in the embodiment of the disclosure;
FIG. 3 is a flow chart of another processing method for countering network attacks in the embodiment of the present disclosure;
FIG. 4 is a flow chart of another processing method for countering network attacks in the embodiment of the disclosure;
FIG. 5 is a flow chart of another processing method for countering network attacks in the embodiment of the disclosure;
FIG. 6 is a flow chart of another processing method for countering network attacks in the embodiment of the present disclosure;
FIG. 7 is a flow chart of another processing method for countering network attacks in the embodiment of the present disclosure;
FIG. 8 is a schematic diagram of a processing platform for countering network attacks in an embodiment of the disclosure;
fig. 9 is a schematic diagram of a processing apparatus for countering network attacks in an embodiment of the disclosure;
fig. 10 shows a schematic diagram of an electronic device in an embodiment of the disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
According to the scheme provided by the application, after the attack object at the network flow inlet is screened and identified, the first type of suspicious attack flow is guided into the simulation operation environment, the efficiency and the reliability for resisting network attack are improved, and the second type of suspicious attack flow without attack power is guided into the real operation environment, so that the interaction and the access of the real operation environment are realized, and the interference to the service system of the real operation environment is reduced.
The scheme provided by the embodiment of the application relates to technologies such as network attack resisting processing and machine automation deployment, and is specifically explained by the following embodiment.
WAF: the Web Application Firewall performs anomaly detection on HTTP (HyperText Transfer Protocol) requests and rejects requests that do not conform to the HTTP standard. It can allow only a subset of HTTP protocol options to pass, which narrows the attack surface; some Web application firewalls go further and strictly restrict HTTP options that are too loose or not fully specified. In addition, by strengthening input validation it can effectively prevent malicious intrusion behaviours such as webpage tampering, information leakage and trojan horse implantation, reducing the likelihood of an attack on the Web server succeeding.
Port scan attacks: the attacking computer determines which TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) ports of the target computer are open by sending suitable messages, as follows:
(1) TCP SYN (synchronization) packets or UDP packets are sent with a port number incremented from 0 (the port number is a 16-bit field, so at most 65535, a limited range).
(2) If an RST (reset) message is received for the TCP message, or an ICMP (Internet Control Message Protocol) unreachable message is received for the UDP message, the port is not open.
(3) If an ACK message is received for the TCP SYN message, the TCP port is open; if no ICMP message is received for the UDP message, the UDP port may be open (some implementations do not send ICMP unreachable messages even when the UDP port is closed).
In this way the attacker can easily determine which TCP or UDP ports the target computer has open, and then carry out the next attack against specific port numbers.
Fragment IP message attack: to transmit a large IP packet, the IP protocol stack fragments it according to the Maximum Transmission Unit (MTU) of the link interface, which is the maximum packet size (in bytes) that can pass through a layer of a communication protocol; the receiving computer reassembles the IP fragments by following the fragment indication fields in their IP headers.
When processing these fragment messages, the target computer caches the first fragment and then waits for the subsequent fragments, which consumes part of its memory and some data structures of the IP protocol stack.
If the attacker sends only one fragment of a message to the target computer rather than all of them, the target computer waits until an internal timer expires; if the attacker sends a large number of such fragments, the target computer's resources are exhausted and it can no longer process normal IP messages, which is a form of DoS (Denial of Service) attack.
TCP message attack with no flags set: normally every TCP message sets at least one of the five flags SYN, FIN (no more new data will be sent from this side of the connection), ACK, RST and PSH (the TCP push bit); the first TCP message (the connection request) sets the SYN flag and subsequent messages set the ACK flag.
Some protocol stacks have no handling for TCP messages with no flags set and may crash when they receive one. An attacker exploits this characteristic to attack the target computer.
TCP message attack with FIN flag but no ACK flag set: normally, the ACK flag is set in all messages except the first message (SYN message), including the TCP connection teardown message (the message with the FIN flag set). However, some attackers may send TCP packets with FIN flag set but no ACK flag set to the target computer, which may cause the target computer to crash.
Ping of death attack: the TCP/IP specification requires the length of an IP packet to lie within a certain range (e.g. 0-64K), but some attacking computers send PING packets longer than 64K to the target computer, causing the target computer's IP protocol stack to crash.
Address guessing attacks: similar to a port scan attack, the attacker determines whether target computers exist by sending a large number of ICMP ECHO messages with varying destination addresses. If a corresponding ICMP ECHO REPLY message is received, the target computer exists and the next attack can be carried out against it.
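The attack patterns defined above (port scan, incomplete IP fragments, TCP messages with no flags or with FIN but no ACK, oversized PING, address guessing) can all be recognised on the defender's side from packet headers plus a little per-source state. The following Python is an added example, not code from the patent; the `Packet` record, the thresholds and the sample capture are constructed for illustration.

```python
"""Detection checks for the packet-level attack patterns defined above.

Added example; the Packet record, the thresholds and the sample traffic
are constructed assumptions, not data from the patent.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "TCP", "UDP" or "ICMP"
    dport: int = 0                      # destination port for TCP/UDP
    flags: frozenset = frozenset()      # TCP flags present, e.g. {"SYN"}
    length: int = 84                    # total IP datagram length in bytes
    frag_id: int = 0                    # IP identification when fragmented, else 0
    more_frags: bool = False            # IP "more fragments" bit
    icmp_type: Optional[int] = None     # 8 = ICMP ECHO request


# Assumed thresholds; tune to the monitored network.
PORT_SCAN_THRESHOLD = 20     # distinct (host, proto, port) probes by one source
SWEEP_THRESHOLD = 10         # distinct hosts pinged by one source
FRAG_THRESHOLD = 32          # fragment sets left incomplete by one source
MAX_IP_LEN = 65535           # largest legal IP datagram (the "64K" above)


def check_packet(p: Packet) -> List[str]:
    """Stateless checks: TCP with no flags, FIN without ACK, oversized PING."""
    findings = []
    if p.proto == "TCP":
        if not p.flags:
            findings.append("tcp-null-flags")
        elif "FIN" in p.flags and "ACK" not in p.flags:
            findings.append("tcp-fin-without-ack")
    if p.proto == "ICMP" and p.icmp_type == 8 and p.length > MAX_IP_LEN:
        findings.append("ping-of-death")
    return findings


def analyse(packets: List[Packet]) -> Dict[str, List[str]]:
    """Stateful checks over a capture window: port scan, address sweep and
    fragment sets that never receive their final fragment."""
    findings: Dict[str, List[str]] = defaultdict(list)
    probes = defaultdict(set)            # src -> {(dst, proto, dport)}
    pinged = defaultdict(set)            # src -> {dst}
    frag_done: Dict[tuple, bool] = {}    # (src, dst, id) -> final fragment seen
    for p in packets:
        for f in check_packet(p):
            findings[p.src].append(f)
        # A bare SYN or any UDP datagram counts as one port probe.
        if p.proto == "UDP" or (p.proto == "TCP" and p.flags == {"SYN"}):
            probes[p.src].add((p.dst, p.proto, p.dport))
        if p.proto == "ICMP" and p.icmp_type == 8:
            pinged[p.src].add(p.dst)
        if p.frag_id:
            key = (p.src, p.dst, p.frag_id)
            frag_done[key] = frag_done.get(key, False) or not p.more_frags
    for src, s in probes.items():
        if len(s) >= PORT_SCAN_THRESHOLD:
            findings[src].append("port-scan")
    for src, hosts in pinged.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            findings[src].append("address-sweep")
    incomplete: Dict[str, int] = defaultdict(int)
    for (src, _, _), done in frag_done.items():
        if not done:
            incomplete[src] += 1
    for src, n in incomplete.items():
        if n >= FRAG_THRESHOLD:
            findings[src].append("incomplete-fragments")
    return dict(findings)


# Constructed sample capture (private addresses, not real traffic).
SYN = frozenset({"SYN"})
SAMPLE = (
    [Packet("10.0.0.9", "10.0.0.1", "TCP", dport=n, flags=SYN) for n in range(1, 26)]
    + [Packet("10.0.0.9", "10.0.0.1", "TCP", dport=80, flags=frozenset()),
       Packet("10.0.0.9", "10.0.0.1", "TCP", dport=80, flags=frozenset({"FIN"})),
       Packet("10.0.0.9", "10.0.0.1", "ICMP", icmp_type=8, length=70000)]
    + [Packet("10.0.0.7", f"10.0.1.{n}", "ICMP", icmp_type=8) for n in range(1, 13)]
    + [Packet("10.0.0.5", "10.0.0.1", "UDP", dport=53, frag_id=1000 + n,
              more_frags=True, length=1500) for n in range(40)]
    + [Packet("10.0.0.3", "10.0.0.1", "TCP", dport=443, flags=SYN)]
)

if __name__ == "__main__":
    for src, hits in analyse(SAMPLE).items():
        print(src, hits)
```

The stateless checks fire per packet; the scan, sweep and fragment checks need a window of traffic per source, which is why `analyse` keeps sets keyed by source address. A source that only opens one ordinary connection (10.0.0.3 in the sample) produces no finding at all.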
A quintuple: usually the source IP address, source port, destination IP address, destination port and transport-layer protocol. A quintuple distinguishes sessions from one another, and the session it identifies is unique. For example, "192.168.1.1;10000;TCP;121.14.88.76;80" forms a five-tuple, meaning that a terminal with IP address 192.168.1.1 connects from port 10000, using the TCP protocol, to port 80 of a terminal with IP address 121.14.88.76.
A honeypot system: similar to an intelligence-collection system. Honeypots were originally designed to let hackers intrude so that evidence could be collected while the real server addresses stay hidden. A honeypot system provides attack discovery, alert generation, strong recording capability, deception and assistance in investigation. A further function rests with the administrator, who can act against intruders if necessary on the basis of the evidence the honeypots have collected.
Hereinafter, each step of the processing method for resisting network attacks in the present exemplary embodiment will be described in more detail with reference to the drawings and the embodiments.
Fig. 1 shows a flowchart of a processing method for resisting network attacks in the embodiment of the present disclosure. The method provided by the embodiment of the present disclosure may be executed by any electronic device with computing processing capability, such as a terminal and/or a server cluster. In the following description, a terminal is taken as an execution subject for illustration.
As shown in fig. 1, the terminal executes a processing method for resisting network attacks, and includes the following steps:
step S102, identifying an attack object of a network flow entrance, and sending data of the attack object to a web application firewall for screening.
And step S104, determining suspicious attack flow according to the screening result of the web application firewall on the attack object.
And step S106, performing characteristic identification on the suspicious attack traffic.
And step S108, determining whether the first type of suspicious attack traffic or the second type of suspicious attack traffic exists according to the characteristic identification result.
Step S110, if the first type of suspicious attack traffic exists, the first type of suspicious attack traffic is guided into the simulation operating environment.
Step S112, if there is a second type of suspicious attack traffic, importing the second type of suspicious attack traffic into the real operating environment.
In one embodiment of the disclosure, an attack object is identified at the network flow inlet and its data is sent to the web application firewall for screening; suspicious attack flows are determined from the firewall's screening result; the suspicious attack flows are identified in the simulation environment, which improves the efficiency and reliability of resisting network attacks; and the second class of suspicious attack flows, which carry no attack force, are led into the real operating environment, so that interaction and access in the real operating environment proceed and interference with its service system is reduced.
In addition, the devices in the simulation operating environment can be combined freely, so new security devices can be brought online without affecting the production environment; the actual impact on normal system services is reduced while attack traffic is being identified, and the performance of the normal service environment improves.
As shown in fig. 2, the performing feature identification on suspicious attack traffic includes:
step S202, analyzing the network protocol address and the characteristic statement in the data packet of the suspicious attack flow.
And step S204, determining matched abnormal log records according to the network protocol address and the characteristic statement.
In one embodiment of the present disclosure, the feature statement may be, for example, but not limited to, the following:
htmlspecialchars() function: for escaping text displayed on a page.
htmlentities() function: for escaping text displayed on a page.
strip_tags() function: strips HTML tags from the input before it is output.
header() function: used as header("Content-type: application/json").
urlencode() function: for processing character-type parameters that are output into page links.
intval() function: for processing numeric parameters that are output to the page.
SQL injection: SQL commands are inserted into a Web form submission, or into the input of a domain name or page-request query string, so that the server is eventually tricked into executing malicious SQL commands.
In one embodiment of the present disclosure, a matching abnormal log record is determined through a network protocol address and a feature statement, and the pre-stored abnormal log record is used for recording the attack behavior of an attacker, wherein the attack behavior includes the network protocol address of the attacker.
In one embodiment of the present disclosure, the exception log record includes at least one of an antivirus log record, an intelligence log record, and a historical log record.
In one embodiment of the present disclosure, the antivirus log records include records of local attackers, and the intelligence log records include information collected by the honeypot system: hackers intrude into the honeypot system first, which collects evidence while hiding the real server addresses. A honeypot system provides attack discovery, alert generation, strong recording capability, deception, assistance in investigation and the like, but is not limited to these.
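Steps S202 and S204 amount to two lookups over a suspicious request: extract the client's network protocol address and any feature statements from the packet data, then find the abnormal log records (antivirus, intelligence, historical) that match. The Python below is an added example, not the patent's code; the regular expressions that stand in for the feature statements, the log-record sets, the URL-decoding step and the rule that any match makes the traffic first-class are all this example's assumptions.

```python
"""Feature identification for suspicious attack traffic (steps S202-S204).

Added example; the feature-statement patterns, the abnormal log records and
the sample requests are constructed assumptions, not data from the patent.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass
class Request:
    src_ip: str            # network protocol address of the client
    path: str              # request target, query string included
    body: str = ""


# Feature statements from the list above, as detection patterns (assumed regexes).
FEATURE_STATEMENTS = {
    "php-escape-function": re.compile(
        r"\b(?:htmlspecialchars|htmlentities|strip_tags|urlencode|intval)\s*\(", re.I),
    "php-header-function": re.compile(r"\bheader\s*\(\s*['\"]Content-type", re.I),
    "sql-injection": re.compile(
        r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"     # tautology after a closing quote
        r"|\bunion\s+(?:all\s+)?select\b"           # union-based query
        r"|;\s*drop\s+table\b", re.I),
}

# Constructed abnormal log records: antivirus, intelligence (honeypot) and historical.
ABNORMAL_LOGS: Dict[str, set] = {
    "antivirus": {"203.0.113.10"},
    "intelligence": {"198.51.100.7", "203.0.113.10"},
    "historical": {"192.0.2.44"},
}


def extract_features(req: Request) -> List[str]:
    """Step S202: names of the feature statements found in the request.
    Both path and body are URL-decoded first so encoded payloads are not missed."""
    text = unquote_plus(req.path) + "\n" + unquote_plus(req.body)
    return sorted(name for name, rx in FEATURE_STATEMENTS.items() if rx.search(text))


def match_logs(ip: str) -> List[str]:
    """Step S204: which abnormal log records contain this network protocol address."""
    return sorted(name for name, ips in ABNORMAL_LOGS.items() if ip in ips)


def identify(req: Request) -> dict:
    """Classify the traffic. Assumed rule: a matching feature statement or a matching
    log record makes it first-class (sent to the simulation environment); otherwise
    it is second-class (sent to the real environment)."""
    features = extract_features(req)
    logs = match_logs(req.src_ip)
    klass = "first" if (features or logs) else "second"
    return {"ip": req.src_ip, "features": features, "logs": logs, "class": klass}


# Constructed sample requests (documentation addresses, not real clients).
SAMPLE_REQUESTS = [
    Request("203.0.113.10", "/login", "user=admin%27+OR+%271%27%3D%271&pass=x"),
    Request("198.51.100.200", "/search?q=1+UNION+SELECT+password+FROM+users"),
    Request("192.0.2.44", "/products?id=5"),
    Request("198.51.100.200", "/products?id=5"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(identify(r))
```

The third sample shows why the address lookup matters on its own: the request body is harmless, but the source address already appears in the historical log, so the traffic still goes to the simulation environment rather than the real one.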
As shown in fig. 3, if there is a first type of suspicious attack traffic, importing the first type of suspicious attack traffic into the simulation operating environment includes:
step S302, if the first type of suspicious attack traffic exists, recording quintuple information of a data packet of the first type of suspicious attack traffic.
Step S304, caching the network interaction request of the first type of suspicious attack traffic.
Step S306, identifying the service system which is requested to be accessed in the cached network interaction request.
Step S308, in the simulation running environment, the first class of suspicious attack traffic is led into the service system according to the quintuple information.
In an embodiment of the disclosure, a network interaction request of a first class of suspicious attack traffic is cached, the first class of suspicious attack traffic is led into a service system according to quintuple information in a simulation operation environment, an attack behavior of the first class of suspicious attack traffic is recorded in the service system of the simulation operation environment, and reliability and accuracy of network attack identification are improved through recording and analyzing the attack behavior.
As shown in fig. 4, the presetting of the honeypot system in the simulation operating environment, if there is a first type of suspicious attack traffic, the importing the first type of suspicious attack traffic into the simulation operating environment further includes:
Step S402, identifying the suspicious attack traffic of the environment detection class through the honeypot system.
And step S404, in the simulation running environment, importing suspicious attack traffic of the environment detection class into the service system which requests to access through the identification record of the honeypot system.
In an embodiment of the present disclosure, attacks of the environment detection class belong to APT (Advanced Persistent Threat) attacks. An APT attack is a comprehensive attack that combines several common attack modes and multiple attack approaches in an attempt to break through network defences; it is generally delivered by Web or e-mail and exploits vulnerabilities of an application program or operating system, so traditional network protection mechanisms cannot defend against it uniformly. It first penetrates the network in several stages and then extracts valuable information, which makes it less likely to be discovered. Suspicious attack traffic of the environment detection class is therefore identified by the honeypot system and guided to the service system it requests, improving the accuracy and reliability with which attack traffic of this class is identified.
As shown in fig. 5, the processing method for resisting network attack further includes:
Step S502: judging whether the first type of suspicious attack traffic in the service system exhibits attack behavior.
Step S504: detecting the trigger items generated by the service system as a result of the attack behavior.
Step S506: according to the trigger items, switching the first type of suspicious attack traffic to the real operating environment or blocking its access interaction.
In an embodiment of the present disclosure, the trigger items generated by the service system are detected according to the attack behavior, and the decision is taken on those trigger items. First-type suspicious attack traffic that shows no attack capability is switched to the real operating environment, where its service interaction proceeds normally; first-type suspicious attack traffic that does show attack properties has its access interaction blocked, so that it is isolated from the service systems of the real operating environment, improving the security of the real operating environment.
As shown in fig. 6, switching the first type of suspicious attack traffic to the real operating environment or blocking its access interaction according to the trigger items includes:
Step S602: determining, from the trigger items, the number of times each kind of attack behavior occurred.
Step S604: comparing that number of times with a preset number of times.
Step S606: if the number of times is less than or equal to the preset number of times, switching the first type of suspicious attack traffic to the real operating environment.
Step S608: if the number of times is greater than the preset number of times, blocking the access interaction of the first type of suspicious attack traffic.
In an embodiment of the present disclosure, whether the first type of suspicious attack traffic has attack capability is determined by comparing the number of times with the preset number of times; for example, the preset number of times may be set to 1. The smaller the preset number of times, the stricter the condition applied to the first type of suspicious attack traffic and the higher the accuracy of its identification. In addition, the more kinds of trigger items are observed, the more reliable the identification of the first type of suspicious attack traffic becomes.
As shown in fig. 7, switching the first type of suspicious attack traffic to the real operating environment or blocking its access interaction according to the trigger items further includes:
Step S702: admitting to the real operating environment any subsequent traffic that has the same network protocol (IP) address as first-type suspicious attack traffic already switched to the real operating environment.
In an embodiment of the present disclosure, subsequent traffic with the same network protocol address as first-type suspicious attack traffic already switched to the real operating environment is admitted to the real operating environment directly. That is, once the first type of suspicious attack traffic has been found to have no attack capability, subsequent traffic from the same source is released without further attack identification in the simulation operating environment. This reduces both the interaction load and the computation load of the simulation operating environment and keeps the service systems in the real operating environment running smoothly.
In an embodiment of the present disclosure, the trigger items include at least one of: an external interaction request, a newly added log, and a newly added process of the service system.
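The following is an added example of the trigger-item judgement of figs. 5 to 7 and the three trigger-item kinds named above; it is not code from the patent. It assumes (not stated in the patent) that the behavior analysis agent inside the simulated service system emits events as dicts with `src_ip` and `kind`, that the simulated system makes no outbound requests, writes no logs and starts no processes on its own (so every such event is one trigger item), and that the count compared with the preset number is the largest per-kind count. The sample events are constructed.

```python
"""Trigger-item judgement from figs. 5 to 7 (added example, not the patent's code)."""
from collections import Counter
from dataclasses import dataclass, field

# The three trigger-item kinds named in the text.
TRIGGER_KINDS = {"external_request", "new_log", "new_process"}

# Constructed sample events from two sessions in the simulated environment.
SAMPLE_BENIGN = [  # one session that only wrote a single log line while serving a page
    {"src_ip": "10.0.0.5", "kind": "new_log", "detail": "GET /index"},
]
SAMPLE_ATTACK = [  # webshell dropped: outbound callback plus spawned processes
    {"src_ip": "203.0.113.7", "kind": "external_request", "detail": "connect 198.51.100.9:4444"},
    {"src_ip": "203.0.113.7", "kind": "new_process", "detail": "/bin/sh -c whoami"},
    {"src_ip": "203.0.113.7", "kind": "new_process", "detail": "/bin/sh -c id"},
    {"src_ip": "203.0.113.7", "kind": "new_process", "detail": "/usr/bin/curl ..."},
    {"src_ip": "203.0.113.7", "kind": "heartbeat", "detail": "agent alive"},  # not a trigger item
]


@dataclass
class Verdict:
    src_ip: str
    counts: dict     # trigger kind -> number of occurrences (step S602)
    kinds_seen: int  # more distinct kinds observed, more reliable identification
    action: str      # "switch_to_real" (S606) or "block" (S608)


@dataclass
class TriggerJudge:
    # Preset number of times; the text suggests 1, and a smaller value is stricter.
    preset_times: int = 1
    # Source addresses already switched to the real environment (fig. 7).
    passthrough_ips: set = field(default_factory=set)

    def count_triggers(self, events):
        """S602: count each kind of attack behaviour from the trigger items."""
        return Counter(ev["kind"] for ev in events if ev["kind"] in TRIGGER_KINDS)

    def judge(self, src_ip, events):
        """S604 to S608: compare the largest per-kind count with the preset number.

        Assumption of this example: the patent does not say whether the count
        is per kind or in total, so the per-kind maximum is used here.
        """
        counts = self.count_triggers(events)
        worst = max(counts.values(), default=0)
        if worst <= self.preset_times:
            self.passthrough_ips.add(src_ip)
            action = "switch_to_real"
        else:
            self.passthrough_ips.discard(src_ip)
            action = "block"
        return Verdict(src_ip, dict(counts), len(counts), action)

    def route(self, src_ip):
        """S702: later traffic from a cleared address skips the simulation."""
        return "real" if src_ip in self.passthrough_ips else "simulation"


if __name__ == "__main__":
    judge = TriggerJudge(preset_times=1)
    for name, events in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK)):
        print(name, judge.judge(events[0]["src_ip"], events))
```

With the preset number at 1, a session that produces a single log line is still switched to the real environment, while the constructed attack session (three new processes) is blocked. Note that `route` keys only on the source address, as step S702 describes, so a source cleared once is not re-examined; a deployment would normally bound that clearance to the session or let it expire.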
A processing platform 800 for countering network attacks according to this embodiment of the invention is described below with reference to fig. 8. The processing platform 800 for network attack defense shown in fig. 8 is only an example, and should not bring any limitation to the function and the scope of the application of the embodiments of the present invention.
As shown in fig. 8, a processing platform 800 for combating network attacks includes: attack capture module 802, simulation system 804, mousetrap module 806, and traffic steering module 808.
(1) Attack capture module 802: defines the security event rules, adds attack identification alarms at the traffic entrance, guides the identified (suspicious) traffic to the simulation system, and guides unidentified, normal traffic to the real operating environment.
(2) Simulation system 804: constructs the simulation operating environment, for example as a virtual machine system in which virtual resources exist in a minimized form. Different service systems and hardware devices are deployed in an isolated virtual machine environment that replicates the real machine room (a copy of the real operating environment). Because the virtual machine environment is not the real operating environment and only the traffic is analyzed, its resource consumption and cost are low.
(3) Trapping module 806: traps attacks within the simulation operating environment. The trapping system can set up some vulnerable attack points to lure attackers, and an attack identification system is inserted into the traffic path to strip out and identify the attack traffic.
(4) Traffic steering module 808: counts and scores the attack events generated by the attack traffic in the trapping module; the more alarm events are triggered, the lower the score. If the total score reaches 80% or more, the traffic is judged normal, guided to the real service scenario and treated as normal access.
In one embodiment of the present disclosure, the processing platform 800 for resisting network attacks performs the processing steps of resisting network attacks, including:
Step (1): an attacker accesses a service system and triggers the capture module, which sends the data to the cloud WAF. The WAF runs with its full policy and maximum alarm volume. After this first layer of attack screening, the result is passed to the internal log collection platform, where the IP and the feature statements in the attack traffic packets are correlated with the enterprise's abnormal logs (antivirus logs, intelligence logs, IPs with frequent historical problems, and so on). When the suspiciousness reaches the internal control threshold, the second stage is triggered; when it is not, the traffic accesses the real operating environment directly.
Step (2): the capture module records the five-tuple of the attacker's packets and related information, caches the TCP interaction request, and guides the traffic into the simulation operating environment. The simulation operating environment automatically identifies the intranet service system the attacker is accessing and switches the traffic to it; the trapping system has inserted a host-based behavior analysis system into that service system in advance.
Step (3): after the attack is identified, an attack behavior judgment mechanism is introduced. It judges attack behavior based on, but not limited to, user operation commands, system logs, ports and processes. Each triggered item is incorporated into the attack count, for example: a program or script on the system suddenly makes an outbound request to a port (the system makes no outbound requests by default), a large volume of logs is generated (the virtual system generates no logs by default), or a new process appears (the virtual system starts no new processes by default).
Step (4): the attacker is allowed to continue and complete the attack; the more service systems are attacked, the higher the degree of attack identification.
Step (5): for attacks of the environment detection class, a honeypot system, ports and so on are also preset in the simulation system to identify probing from the network traffic.
Step (6): after non-attack behavior is confirmed, the traffic steering module automatically replays the traffic cached in step (2) against the specified service system in the production environment, switches the subsequent traffic from that IP to the real operating environment, and lets the user access normally. If the behavior is an attack, the IP is fed back to the firewall, blocked automatically, and placed in the capture module of step (1) as a malicious IP, so that subsequent access from it is treated as malicious.
Step (7): because the header information of the data (browser used, source IP and destination IP) was recorded in step (2), a subsequent user whose data does not change during the access process is treated as a normal user by default in step (1) and is not subjected to simulation analysis and judgment until the complete service interaction has finished.
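The following is an added example of the capture-module flow of steps (1), (2), (6) and (7); it is not code from the patent or the platform it describes. It assumes (not stated in the patent) that a request is a dict carrying the five-tuple fields, a `headers` dict and a `payload` string; that the cloud WAF rules, the abnormal-log platform and the firewall block list are modelled as in-memory sets; and that the simulation verdict (attack or not) is passed in by the caller. The WAF signatures and sample requests are constructed.

```python
"""Capture-module flow of steps (1), (2), (6) and (7) (added example, not the patent's code)."""
from dataclasses import dataclass, field

FIVE_TUPLE = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")


def five_tuple(req):
    """Step (2): the key under which the interaction request is cached."""
    return tuple(req[k] for k in FIVE_TUPLE)


@dataclass
class CaptureModule:
    # Constructed stand-ins for the cloud WAF rules and the abnormal-log platform.
    waf_signatures: tuple = ("' OR 1=1", "<script>", "../")
    abnormal_log_ips: set = field(default_factory=set)    # antivirus/intel/history logs
    abnormal_log_terms: set = field(default_factory=set)  # feature statements in those logs
    control_threshold: int = 2    # internal control threshold of step (1) (assumed value)
    malicious_ips: set = field(default_factory=set)       # fed back from step (6)
    cache: dict = field(default_factory=dict)             # five-tuple -> cached request
    cleared: dict = field(default_factory=dict)           # src_ip -> (User-Agent, dst_ip)
    replayed: list = field(default_factory=list)          # requests replayed in the real env

    def suspiciousness(self, req):
        """Step (1): WAF alarm plus correlation with the enterprise's abnormal logs."""
        score = 0
        if any(sig in req["payload"] for sig in self.waf_signatures):
            score += 1          # WAF alarm at full policy
        if req["src_ip"] in self.abnormal_log_ips:
            score += 1          # IP seen in antivirus/intelligence/history logs
        if any(term in req["payload"] for term in self.abnormal_log_terms):
            score += 1          # feature statement matches an abnormal log
        return score

    def ingest(self, req):
        """Route one incoming request: 'blocked', 'real' or 'simulation'."""
        src = req["src_ip"]
        if src in self.malicious_ips:
            return "blocked"                      # step (6): known malicious IP
        fingerprint = (req["headers"].get("User-Agent"), req["dst_ip"])
        if self.cleared.get(src) == fingerprint:
            return "real"                         # step (7): recorded headers unchanged
        if self.suspiciousness(req) < self.control_threshold:
            return "real"                         # step (1): below the control threshold
        self.cache[five_tuple(req)] = req         # step (2): record five-tuple, cache request
        return "simulation"

    def settle(self, req, attacked):
        """Step (6): act on the simulation verdict for a cached request."""
        src = req["src_ip"]
        cached = self.cache.pop(five_tuple(req), None)
        if attacked:
            self.malicious_ips.add(src)           # feed the IP back to the firewall
            self.cleared.pop(src, None)
            return "blocked"
        if cached is not None:
            self.replayed.append(cached)          # replay the cached request in the real env
        self.cleared[src] = (req["headers"].get("User-Agent"), req["dst_ip"])
        return "real"


# Constructed sample requests.
NORMAL = {"src_ip": "198.51.100.3", "src_port": 50001, "dst_ip": "10.1.1.10",
          "dst_port": 443, "proto": "tcp", "headers": {"User-Agent": "Mozilla/5.0"},
          "payload": "GET /policy?id=1"}
PROBE = {"src_ip": "203.0.113.7", "src_port": 40022, "dst_ip": "10.1.1.10",
         "dst_port": 443, "proto": "tcp", "headers": {"User-Agent": "sqlmap/1.5"},
         "payload": "GET /policy?id=1' OR 1=1--"}


def demo():
    cm = CaptureModule(abnormal_log_ips={"203.0.113.7"}, abnormal_log_terms={"OR 1=1"})
    first = (cm.ingest(NORMAL), cm.ingest(PROBE))
    after_attack = cm.settle(PROBE, attacked=True)
    return first, after_attack, cm.ingest(PROBE)


if __name__ == "__main__":
    print(demo())
```

Two points worth checking in a deployment follow directly from the text: a WAF alarm alone does not reach the control threshold unless the IP or a feature statement also matches an abnormal log, so such traffic goes straight to the real environment; and the step (7) pass-through keys on the source IP and the recorded browser header, both of which the client controls, so a source cleared after one benign-looking interaction is not re-examined until that interaction completes.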
A processing apparatus 900 for countering a network attack according to this embodiment of the present invention is described below with reference to fig. 9. The processing apparatus 900 for resisting network attacks shown in fig. 9 is only an example, and should not bring any limitation to the functions and the application scope of the embodiment of the present invention.
The processing apparatus 900 for combating network attacks is represented in the form of a hardware module. The components of the processing apparatus 900 for countering network attacks may include, but are not limited to: a screening module 902, a determination module 904, an identification module 906, and a processing module 908.
The screening module 902 is configured to identify an attack object at a network traffic entry, and send data of the attack object to a web application firewall for screening.
The determining module 904 is configured to determine suspicious attack traffic according to a screening result of the web application firewall on the attack object.
The identification module 906 is configured to perform feature identification on suspicious attack traffic.
The determining module 904 is further configured to determine whether the first type of suspicious attack traffic or the second type of suspicious attack traffic exists according to the feature recognition result.
The processing module 908 is configured to, if there is a first type of suspicious attack traffic, import the first type of suspicious attack traffic into the simulation running environment.
The processing module 908 is further configured to, if there is suspicious attack traffic of the second type, import the suspicious attack traffic of the second type into the real operating environment.
An electronic device 1000 according to this embodiment of the invention is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general purpose computing device. The components of the electronic device 1000 may include, but are not limited to: the at least one processing unit 1010, the at least one memory unit 1020, and a bus 1030 that couples various system components including the memory unit 1020 and the processing unit 1010.
Where the storage unit stores program code that may be executed by the processing unit 1010 to cause the processing unit 1010 to perform the steps according to various exemplary embodiments of the present invention described in the "exemplary methods" section above in this specification. For example, the processing unit 1010 may perform the steps as shown in fig. 1 to 7, and other steps defined in the processing method of the present disclosure for combating network attacks.
The storage unit 1020 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 10201 and/or a cache memory unit 10202, and may further include a read-only memory unit (ROM) 10203.
The memory unit 1020 may also include a program/utility 10204 having a set (at least one) of program modules 10205, such program modules 10205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 1030 may be any one or more of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, and a local bus using any of a variety of bus architectures.
The electronic device 1000 may also communicate with one or more external devices 1040 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 1000 to communicate with one or more other computing devices. Such communication may occur through input/output (I/O) interfaces 1050. Also, the electronic device 1000 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 1060. A network adapter 1060 communicates with the other modules of the electronic device 1000 over the bus 1030. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above-mentioned "exemplary methods" section of the present description, when the program product is run on the terminal device.
The program product for implementing the above method according to the embodiment of the present invention may employ a portable compact disc read only memory (CD-ROM) and include program codes, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages, for example, for use in connection with the processing of network attacks. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Moreover, although the steps of the methods of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions, etc.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (11)

1. A method for processing against network attacks, comprising:
identifying an attack object of a network flow inlet, and sending data of the attack object to a web application firewall for screening;
determining suspicious attack flow according to the screening result of the web application firewall on the attack object;
performing feature identification on the suspicious attack traffic;
determining whether a first type of suspicious attack traffic or a second type of suspicious attack traffic exists according to the feature identification result;
if the first type of suspicious attack traffic exists, importing the first type of suspicious attack traffic into a simulation operation environment comprises:
if the first type of suspicious attack traffic exists, recording quintuple information of a data packet of the first type of suspicious attack traffic;
caching the network interaction request of the first class of suspicious attack traffic;
identifying a service system which requests access in the cached network interaction request;
in the simulation operation environment, the first class of suspicious attack flow is led into the service system according to the quintuple information;
and if the second type of suspicious attack traffic exists, importing the second type of suspicious attack traffic into a real operating environment.
2. The method of claim 1, wherein performing feature identification on the suspicious attack traffic comprises:
analyzing the network protocol address and the characteristic statement in the data packet of the suspicious attack flow;
and determining matched abnormal log records according to the network protocol address and the characteristic statements.
3. The method of claim 2, wherein
the abnormal log record includes at least one of an antivirus log record, an intelligence log record, and a history log record.
4. The processing method for resisting network attacks according to any one of claims 1 to 3, wherein a honeypot system is preset in the simulation operating environment, and if the first type of suspicious attack traffic exists, the importing the first type of suspicious attack traffic into the simulation operating environment further comprises:
identifying suspicious attack traffic of an environment detection class through the honeypot system;
and in the simulation operation environment, the suspicious attack flow of the environment detection class is led into a service system which requests to access through the identification record of the honeypot system.
5. The method of claim 1, further comprising:
judging whether a first class of suspicious attack traffic in the service system has an attack behavior;
detecting a trigger item generated by the service system according to the attack behavior;
and switching the first type of suspicious attack traffic to the real operating environment or blocking the access interaction of the first type of suspicious attack traffic according to the trigger item.
6. The processing method for resisting network attack according to claim 5, wherein switching the first type of suspicious attack traffic to the real operating environment or blocking access interaction of the first type of suspicious attack traffic according to the trigger comprises:
determining the times of various attack behaviors according to the trigger items;
comparing the magnitude relation between the times and preset times;
if the times are less than or equal to the preset times, switching the first type of suspicious attack traffic to the real operating environment;
and if the times are more than the preset times, blocking the access interaction of the first type of suspicious attack traffic.
7. The processing method for resisting network attack according to claim 6, wherein switching the first type of suspicious attack traffic to the real operating environment or blocking access interaction of the first type of suspicious attack traffic according to the trigger further comprises:
and admitting to the real operating environment subsequent traffic that has the same network protocol address as the first type of suspicious attack traffic switched to the real operating environment.
8. The method for processing network attack resistance according to any one of claims 5 to 7,
the triggering item comprises at least one of an external interaction request, a newly added log and a newly added process of the service system.
9. A processing apparatus for countering network attacks, comprising:
the screening module is used for identifying an attack object at a network flow inlet and sending data of the attack object to a web application firewall for screening;
the determining module is used for determining suspicious attack flow according to the screening result of the web application firewall on the attack object;
the identification module is used for carrying out characteristic identification on the suspicious attack traffic;
the determining module is further used for determining whether the first type of suspicious attack traffic or the second type of suspicious attack traffic exists according to the feature identification result;
the processing module is configured to, if the first type of suspicious attack traffic exists, import the first type of suspicious attack traffic into a simulation running environment, where the importing includes:
if the first type of suspicious attack traffic exists, recording quintuple information of a data packet of the first type of suspicious attack traffic;
caching the network interaction request of the first class of suspicious attack traffic;
identifying a service system which requests access in the cached network interaction request;
in the simulation operation environment, the first class of suspicious attack flow is led into the service system according to the quintuple information;
the processing module is further configured to, if the second type of suspicious attack traffic exists, import the second type of suspicious attack traffic into a real operating environment.
10. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to execute the processing method for resisting network attacks according to any one of claims 1 to 8 through executing the executable instructions.
11. A computer-readable storage medium having stored thereon a computer program, characterized in that,
the computer program, when executed by a processor, implements the method of handling network attacks according to any one of claims 1 to 8.
CN202110041910.4A 2021-01-13 2021-01-13 Processing method and device for resisting network attack, electronic equipment and storage medium Active CN112788034B (en)

Publications (2)

Publication Number Publication Date
CN112788034A CN112788034A (en) 2021-05-11
CN112788034B true CN112788034B (en) 2023-04-07
