CN115550029A - Method and device for determining remote control abnormity, storage medium and electronic equipment - Google Patents


Info

Publication number
CN115550029A
Authority
CN
China
Prior art keywords
data message
remote control
security
intranet
record table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211189833.8A
Other languages
Chinese (zh)
Inventor
闫海姣
范鸿雷
晏尉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202211189833.8A
Publication of CN115550029A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The application provides a method and a device for determining a remote control abnormality, a storage medium and an electronic device. The abnormality determining method comprises the following steps: acquiring a data message transmitted by an intranet asset; where the data message carries a security threat, extracting, through a security engine, the security information corresponding to the data message; and determining, based on the security information and a remote control record table updated in real time, whether the intranet asset has a remote control abnormality. Because whether a remote control abnormality exists is determined from the real-time updated remote control record table together with the security information, abnormal behaviour of intranet assets controlled through vulnerabilities that the gateway device did not block can be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.

Description

Method and device for determining remote control abnormity, storage medium and electronic equipment
Technical Field
The present application relates to the field of network asset communication security technologies, and in particular, to a method and an apparatus for determining remote control abnormality, a storage medium, and an electronic device.
Background
During intranet penetration, after an intranet server has been attacked through a number of network vulnerabilities, the gateway device can block those attacks and raise an alarm, but security vulnerabilities in remote control protocols that the gateway device does not block still exist; an extranet attacker can then use such a vulnerability to bypass identity verification and connect directly to the intranet server over the remote control protocol. Once the extranet attacker has compromised the intranet server, credentials of the intranet system such as user names and passwords can be stolen, more intranet assets are brought under control, and those assets are used to transmit data outward to the attacker over the remote control protocol, so that the attacker steals intranet data.
At present, one approach is to curb brute-force password cracking of the remote control protocol so as to keep intranet assets from being attacked, but it relies on connection rate and login-failure counts, which are empirical values, so its accuracy is low. The other approach lures and deceives the attacker with a honeypot host that carries a built-in high-risk vulnerability, and studies the attacker's goals and methods in order to delay or even block destructive attack behaviour; but high-interaction honeypot technology depends on a virtual honeypot host and cannot identify unknown vulnerabilities, so both its accuracy and comprehensiveness are low.
Disclosure of Invention
In view of this, an embodiment of the present application aims to provide a method, an apparatus, a storage medium, and an electronic device for determining a remote control abnormality, which are used to solve the problem in the prior art that both accuracy and comprehensiveness of abnormality detection are low.
In a first aspect, an embodiment of the present application provides a method for determining an abnormality in remote control, including:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet asset has remote control abnormity or not based on the safety information and a remote control record table updated in real time.
In one possible implementation, the determining method further includes:
extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message;
and verifying the data message based on the attribute information.
In a possible implementation manner, the verifying the data packet based on the attribute information includes:
determining whether the source address and the destination address of the data message belong to an external network address;
if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol;
if yes, determining whether the application protocol corresponding to the data message is successfully logged in;
and if the login is successful, determining that the data message passes the verification.
In a possible embodiment, the updating method of the remote control record table in the case that the verification passes includes:
determining whether a source address and a destination address of the data message and an application protocol corresponding to the data message exist in a remote control record table;
if the remote control record table exists, updating the remote control record table by using the login time of the intranet assets;
and if not, updating a remote control record table by using the source address, the destination address, the application protocol and the login time.
In a possible implementation manner, in a case that the data packet has a security threat, extracting, by a security engine, security information corresponding to the data packet includes:
detecting the data message through the security engine to determine whether the data message has security threat;
and under the condition that the data message has security threat, extracting a threat source address, a threat destination address and a threat level corresponding to the data message.
In a possible implementation manner, the determining whether the intranet asset has a remote control abnormality based on the safety information and a remote control record table updated in real time includes:
determining whether a threat source address or a threat destination address included in the security information exists in the current remote control record table;
and if so, determining that the intranet asset has remote control abnormity.
In a second aspect, an embodiment of the present application further provides an apparatus for determining an abnormality in remote control, where the apparatus includes:
the acquisition module is configured to acquire a data message transmitted by the intranet asset;
the extraction module is configured to extract the security information corresponding to the data message through a security engine under the condition that the data message has security threat;
and the determining module is configured to determine whether the remote control abnormality exists in the intranet asset based on the safety information and a remote control record table updated in real time.
In one possible implementation, the anomaly determination device further comprises a verification module configured to:
extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message;
and verifying the data message based on the attribute information.
In a third aspect, an embodiment of the present application further provides a storage medium, where the computer readable storage medium stores a computer program, and the computer program is executed by a processor to perform the following steps:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet assets are in remote control abnormity or not based on the safety information and a real-time updated remote control record table.
In a fourth aspect, an embodiment of the present application further provides an electronic device, where the electronic device includes: a processor and a memory, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over a bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the steps of:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet assets are in remote control abnormity or not based on the safety information and a real-time updated remote control record table.
According to the embodiments of the application, whether a remote control abnormality exists in an intranet asset is determined from the remote control record table updated in real time together with the security information; abnormal behaviour of intranet assets controlled through vulnerabilities that the gateway device did not block can thus be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
FIG. 1 illustrates a flow chart of a method of remote control anomaly determination provided herein;
fig. 2 is a flowchart illustrating that a remote control record table is updated based on attribute information of a data packet in a method for determining a remote control exception according to the present application;
fig. 3 is a flowchart illustrating verification of a data packet based on attribute information in a method for determining a remote control exception according to the present application;
fig. 4 is a schematic structural diagram illustrating a device for determining remote control abnormality provided in the present application;
fig. 5 shows a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
Various aspects and features of the present application are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the present application. Accordingly, the foregoing description should not be considered as limiting, but merely as exemplifications of embodiments. Those skilled in the art will envision other modifications within the scope and spirit of the application.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the application and, together with a general description of the application given above and the detailed description of the embodiments given below, serve to explain the principles of the application.
These and other characteristics of the present application will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the attached drawings.
It should also be understood that, although the present application has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of application, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present application will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present application are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the application, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail, to avoid obscuring the application with unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present application in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the application.
In the first aspect, to facilitate understanding of the present application, the method for determining a remote control abnormality provided in the present application is described in detail first. With the method steps shown in fig. 1, the abnormality determination method provided in the embodiment of the present application solves the prior-art problem of low accuracy and comprehensiveness in abnormality detection. The method comprises the following specific steps S101 to S103.
S101, acquiring a data message transmitted by the intranet asset.
In specific implementation, the electronic device may identify assets in the local area network based on a set timing task, and further obtain intranet assets belonging to the local area network. The assets refer to information or resources with value in the local area network, for example, services turned on by a host in the local area network, basic devices associated with the host, such as a router, a printer, and the like.
In the embodiment of the application, the server or the controller acquires the data message transmitted by each intranet asset in real time, and the data message may be a message transmitted between other assets in a local area network to which the intranet asset belongs and the intranet asset, or a message transmitted between an extranet asset and the intranet asset.
S102, under the condition that the data message has security threat, the security engine extracts the security information corresponding to the data message.
In specific implementation, a security engine such as an intrusion prevention system (IPS) or a web application firewall (WAF) is usually deployed in the local area network, and during data message transmission the security engine inspects the data message to determine whether it carries a security threat. Optionally, the security engine applies preset determination rules. For example: when an extranet address transmits a virus to an extranet or intranet address, the attack chain is "attack intrusion", and in other cases it is "intranet diffusion"; for an IPS engine, an intranet source address means intranet diffusion and an extranet source address means attack intrusion; for a WAF engine, the attack chain may also be determined from other rule names; and for a security event of the command-and-control type, the attack chain is "command control".
Where the data message carries a security threat, the threat source address, threat destination address and threat level corresponding to the data message are extracted.
S103, determining whether the intranet assets are abnormal in remote control or not based on the safety information and the remote control record table updated in real time.
After the security information is obtained, it is determined whether the threat source address or the threat destination address included in the security information exists in the current remote control record table, the current remote control record table being the one obtained by real-time updating. If so, the intranet asset is determined to have a remote control abnormality, that is, the event executed by the intranet asset is an attack event; if neither the threat source address nor the threat destination address exists in the current remote control record table, the intranet asset is determined to have no remote control abnormality.
Optionally, it may further be determined whether the threat source address and the threat destination address found in the current remote control record table are each an intranet address or an extranet address. As one example, for attack events such as an advertising trojan or backdoor software, if the threat source address is an intranet address and the threat destination address is an intranet or extranet address, the risk level of the intranet asset is determined to be high risk, and in every other case low risk; for an attack event of browsing a malicious Uniform Resource Locator (URL), if the threat source address is an intranet address and the threat destination address is an intranet or extranet address, the risk level of the intranet asset is determined to be medium risk, and in every other case low risk, and so on.
Of course, the risk level of the intranet asset when each event is executed may also be determined within a preset period, and then, the highest risk level is determined as the final risk level of the intranet asset, which is not specifically limited in this embodiment of the present application.
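The correlation step S103 and the optional risk grading above, as an added example in Python; this is not the patent's own code, and it assumes a record table reduced to (source, destination, protocol) rows, RFC 1918 ranges standing in for the preset intranet addresses, and constructed event labels such as "trojan", "backdoor" and "malicious_url". The names SecurityInfo, is_remote_control_anomaly, risk_level and final_risk_level are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Assumption: the private RFC 1918 ranges stand in for the "intranet addresses"
# the description presets; a real deployment would load its own address list.
INTRANET_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]


def is_intranet(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTRANET_RANGES)


@dataclass(frozen=True)
class SecurityInfo:
    """What the security engine extracts for a threatening message (S102)."""
    threat_src: str
    threat_dst: str
    threat_level: str   # level reported by the engine; kept for the alarm record
    event_type: str     # constructed label: "trojan", "backdoor", "malicious_url", ...


# Current remote control record table, reduced to the (source, destination,
# protocol) rows written after verified remote-control logins.
RecordTable = Set[Tuple[str, str, str]]


def addresses_in_table(table: RecordTable) -> Set[str]:
    return {addr for src, dst, _proto in table for addr in (src, dst)}


def is_remote_control_anomaly(info: SecurityInfo, table: RecordTable) -> bool:
    """S103: the asset is anomalous when the threat source or threat
    destination address appears in the current record table."""
    known = addresses_in_table(table)
    return info.threat_src in known or info.threat_dst in known


RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_level(info: SecurityInfo) -> str:
    """Optional grading from the description: an intranet threat source (with
    any destination) is high risk for trojan/backdoor events and medium risk
    for malicious-URL browsing; every other case is low risk."""
    if not is_intranet(info.threat_src):
        return "low"
    if info.event_type in {"trojan", "backdoor"}:
        return "high"
    if info.event_type == "malicious_url":
        return "medium"
    return "low"


def final_risk_level(events: List[SecurityInfo]) -> str:
    """Highest level among the events graded within one period."""
    if not events:
        return "low"
    return max((risk_level(e) for e in events), key=RISK_ORDER.__getitem__)


def demo() -> List[Tuple[bool, str]]:
    # Constructed data: an extranet host earlier logged in to 10.0.0.5 over SSH.
    table: RecordTable = {("203.0.113.7", "10.0.0.5", "ssh")}
    events = [
        # the same intranet host now talks to an external address; engine reports a trojan
        SecurityInfo("10.0.0.5", "198.51.100.9", "high", "trojan"),
        # a host with no remote-control record browses a malicious URL
        SecurityInfo("10.0.0.8", "10.0.0.9", "low", "malicious_url"),
    ]
    return [(is_remote_control_anomaly(e, table), risk_level(e)) for e in events]


if __name__ == "__main__":
    print(demo())   # prints [(True, 'high'), (False, 'medium')]
```

The second event is graded medium risk but is not a remote control anomaly, because neither of its addresses has a verified remote-control login on record; the patent's anomaly decision is the table lookup, and the risk grade is a separate, optional refinement.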
According to the embodiments of the application, whether a remote control abnormality exists in an intranet asset is determined from the remote control record table updated in real time together with the security information; abnormal behaviour of intranet assets controlled through vulnerabilities that the gateway device did not block can thus be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.
In the anomaly determination method provided in the embodiment of the application, the method flowchart shown in fig. 2 may be referred to verify the data packet based on the attribute information, and the specific steps include S201 to S204.
S201, determining whether the source address and the destination address of the data message belong to the external network address.
S202, if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol.
S203, if yes, determining whether the application protocol corresponding to the data message is successfully logged in.
S204, if the login is successful, the data message is determined to pass the verification.
Optionally, when the data message is verified based on the attribute information, it is first determined whether its source address and destination address belong to an external network address. The addresses belonging to the internal network may be preset, and it is then determined whether both the source address and the destination address of the data message exist among the preset internal network addresses; if so, both belong to the internal network, meaning the data message is transmitted normally and the intranet asset is in a normal state, so no entry need be written to the remote control record table.
If the source address and destination address of the data message are not both among the preset internal network addresses, the source address or the destination address is determined to belong to the external network, and it is then further determined whether the application protocol corresponding to the data message belongs to a remote control protocol, where the remote control protocols include the command-line remote management protocols Secure Shell (SSH) and Telnet, the Remote Desktop Protocol (RDP) and the like.
Where the application protocol corresponding to the data message is not a remote control protocol, the data message is transmitted normally and the intranet asset is in a normal state, so no entry need be written to the remote control record table.
Where the application protocol corresponding to the data message is a remote control protocol, it is determined whether login over that protocol succeeded; if so, the data message passes verification and an entry is written to the remote control record table. For the SSH protocol, the number of consecutive failed logins that SSH2 permits, for example 5, may be preset; about 31 SSH messages are then generated, and login success or failure is determined from the number of SSH messages. For the Telnet protocol, the login has failed if the message string contains "Login Failed" or "% Username or password in correct!". For the RDP protocol, login failure can be determined from the number of RDP messages.
Where verification passes, the remote control record table is updated based on the attribute information of the data message, so that the current remote control record table is obtained in real time.
Here, a message transmission error such as a source address error and/or a destination address error may exist; in that case no subsequent transmission record is needed, that is, the remote control record table need not be updated, and an entry is written to the remote control record table only when data message transmission is normal. Therefore, after the data message transmitted by the intranet asset is acquired, the attribute information of the data message is extracted from it, the attribute information at least comprising the source address and destination address of the data message and the application protocol corresponding to it. The data message is then verified based on the attribute information, and the remote control record table is updated based on the attribute information where the data message passes verification.
Alternatively, when the data stream transmitted by the intranet asset flows through a gateway or other device, the extranet address check, the control protocol login-success check and the like may be performed there.
As one example, fig. 3 shows a flowchart of an update manner of the remote control record table in the case that the verification is passed, wherein specific steps include S301 to S303.
S301, determining whether the source address and the destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table.
S302, if they exist, updating the remote control record table by using the login time of the intranet asset.
S303, if not, updating the remote control record table by using the source address, the destination address, the application protocol and the login time.
In specific implementation, after a source address, a destination address and an application protocol corresponding to a data message are extracted, whether the source address and the destination address of the data message and the application protocol corresponding to the data message exist in a remote control record table or not is determined, wherein the remote control record table at least comprises historical data messages transmitted each time, historical source addresses corresponding to the historical data messages, historical destination addresses, historical application protocols, historical login time and the like.
If the source address, the destination address and the application protocol corresponding to the data message exist in the remote control record table, extracting the login time of the data message from the data message, wherein the login time is the time when the intranet asset is accessed by other intranet assets or extranet assets, or the time when the intranet asset accesses other intranet assets or extranet assets, and of course, the login time of the application protocol and the like can also be used. And then, updating the remote control record table by using the login time of the intranet assets.
If the source address, the destination address and the application protocol corresponding to the data message do not exist in the remote control record table, the remote control record table is updated by using the source address, the destination address, the application protocol and the login time, that is, the intranet asset, the source address, the destination address, the application protocol and the login time are added to the remote control record table.
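The verification flow of S201 to S204, the per-protocol login-outcome heuristics, and the record-table update of S301 to S303, together as an added Python example; this is not the patent's own code. It assumes RFC 1918 ranges as the preset intranet addresses, a session summary that already carries the protocol message count and (for Telnet) the session text, the SSH message-count figure from the description, and a placeholder RDP count because the description gives none. DataMessage, login_succeeded, verify and RemoteControlRecordTable are hypothetical names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumption: private RFC 1918 ranges stand in for the preset intranet addresses.
INTRANET_RANGES = [ip_network("10.0.0.0/8"),
                   ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]

REMOTE_CONTROL_PROTOCOLS = {"ssh", "telnet", "rdp"}

# Login-outcome heuristics from the description. The SSH figure follows its
# example (5 permitted consecutive failures produce about 31 messages); the RDP
# figure is a PLACEHOLDER, since the description gives no number for RDP.
SSH_FAILED_MESSAGE_COUNT = 31
RDP_FAILED_MESSAGE_COUNT = 40  # PLACEHOLDER, tune per deployment
# "% Username or password" is matched as a prefix so both spellings of the
# Telnet failure string in the description are caught.
TELNET_FAILURE_MARKERS = ("Login Failed", "% Username or password")


def is_intranet(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTRANET_RANGES)


@dataclass
class DataMessage:
    """Attribute information extracted from one remote-control session."""
    src: str
    dst: str
    protocol: str
    message_count: int      # protocol messages observed in the session
    login_time: float       # constructed timestamp
    payload: str = ""       # session text, used only for the Telnet check


def login_succeeded(msg: DataMessage) -> bool:
    """S203: per-protocol login-outcome check."""
    if msg.protocol == "ssh":
        return msg.message_count < SSH_FAILED_MESSAGE_COUNT
    if msg.protocol == "telnet":
        return not any(marker in msg.payload for marker in TELNET_FAILURE_MARKERS)
    if msg.protocol == "rdp":
        return msg.message_count < RDP_FAILED_MESSAGE_COUNT
    return False


def verify(msg: DataMessage) -> bool:
    """S201-S204: True only for a successful remote-control login where at
    least one endpoint is an extranet address."""
    if is_intranet(msg.src) and is_intranet(msg.dst):
        return False                                   # S201: normal intranet traffic
    if msg.protocol not in REMOTE_CONTROL_PROTOCOLS:
        return False                                   # S202: not remote control
    return login_succeeded(msg)                        # S203/S204


@dataclass
class Record:
    first_login: float
    last_login: float
    login_count: int = 1


class RemoteControlRecordTable:
    """Rows keyed by (source, destination, protocol), as in S301-S303."""

    def __init__(self) -> None:
        self.rows: Dict[Tuple[str, str, str], Record] = {}

    def update(self, msg: DataMessage) -> str:
        key = (msg.src, msg.dst, msg.protocol)
        row = self.rows.get(key)
        if row is not None:                            # S302: refresh the login time
            row.last_login = msg.login_time
            row.login_count += 1
            return "updated"
        self.rows[key] = Record(msg.login_time, msg.login_time)  # S303: new row
        return "added"

    def process(self, msg: DataMessage) -> Optional[str]:
        """Verify first; only verified messages touch the table."""
        return self.update(msg) if verify(msg) else None


def demo() -> Tuple[List[Optional[str]], RemoteControlRecordTable]:
    table = RemoteControlRecordTable()
    msgs = [  # constructed sessions
        DataMessage("10.0.0.2", "10.0.0.5", "ssh", 6, 1.0),          # intranet to intranet
        DataMessage("203.0.113.7", "10.0.0.5", "http", 3, 2.0),      # not a remote-control protocol
        DataMessage("203.0.113.7", "10.0.0.5", "ssh", 31, 3.0),      # retries exhausted: failed login
        DataMessage("203.0.113.7", "10.0.0.5", "ssh", 8, 4.0),       # successful login: new row
        DataMessage("203.0.113.7", "10.0.0.5", "ssh", 8, 5.0),       # same tuple again: row refreshed
        DataMessage("203.0.113.9", "10.0.0.6", "telnet", 4, 6.0,
                    payload="login: admin\r\nLogin Failed\r\n"),     # Telnet failure string
    ]
    return [table.process(m) for m in msgs], table
```

Only the two successful SSH logins from the extranet host reach the table, and they collapse into one row whose login time is refreshed; keeping a first-seen time and a login count alongside the latest login time is an addition to the patent's three fields that makes later correlation easier to explain in an alarm.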
Based on the same inventive concept, the second aspect of the present application further provides an abnormality determining apparatus corresponding to the abnormality determining method, and since the principle of solving the problem of the abnormality determining apparatus in the present application is similar to that of the abnormality determining method in the present application, the implementation of the abnormality determining apparatus may refer to the implementation of the method, and repeated details are omitted.
Fig. 4 shows a schematic diagram of an abnormality determining apparatus provided in an embodiment of the present application, which specifically includes:
an acquisition module 401 configured to acquire a data message transmitted by an intranet asset;
an extracting module 402, configured to extract, by a security engine, security information corresponding to the data packet when the data packet has a security threat;
a determining module 403, configured to determine whether there is a remote control abnormality in the intranet asset based on the security information and the real-time updated remote control record table.
In yet another embodiment, the anomaly determination device further includes a verification module 404 configured to:
extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message;
and verifying the data message based on the attribute information.
In yet another embodiment, the verification module 404 is specifically configured to:
determining whether the source address and the destination address of the data message belong to an external network address;
if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol;
if yes, determining whether the application protocol corresponding to the data message is successfully logged in;
and if the login is successful, determining that the data message passes the verification.
In another embodiment, the abnormality determining apparatus further includes an updating module 405 specifically configured to:
determining whether a source address and a destination address of the data message and an application protocol corresponding to the data message exist in a remote control record table;
if yes, updating a remote control record table by using the login time of the intranet assets;
and if not, updating the remote control record table by using the source address, the destination address, the application protocol and the login time.
In yet another embodiment, the extraction module 402 is specifically configured to:
detecting the data message through the security engine, and determining whether the data message has security threat;
and under the condition that the data message has security threat, extracting a threat source address, a threat destination address and a threat level corresponding to the data message.
In another embodiment, the determining module 403 is specifically configured to:
determining whether a threat source address or a threat destination address included in the security information exists in a current remote control record table;
and if so, determining that the intranet assets are abnormal in remote control.
According to this embodiment of the application, whether a remote control abnormality exists in the intranet assets is determined from the real-time updated remote control record table together with the security information, so that abnormal behavior of intranet assets controlled through a vulnerability that the gateway equipment failed to block can be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.
An embodiment of the present application provides a storage medium, which is a computer-readable medium storing a computer program, where the computer program is executed by a processor to implement the method provided in any embodiment of the present application, and the method includes the following steps S11 to S13:
S11, acquiring a data message transmitted by the intranet asset;
S12, under the condition that the data message has a security threat, extracting security information corresponding to the data message through a security engine;
and S13, determining whether remote control abnormality exists in the intranet assets or not based on the safety information and the remote control record table updated in real time.
When the computer program is executed by the processor to perform the determination method, the processor further executes the following steps: extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message; and verifying the data message based on the attribute information.
When the computer program is executed by the processor to verify the data message based on the attribute information, the processor also executes the following steps: determining whether the source address and the destination address of the data message belong to an external network address; if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol; if yes, determining whether the application protocol corresponding to the data message is successfully logged in; and if the login is successful, determining that the data message passes the verification.
When the computer program is executed by the processor to update the remote control record table in the case that the verification is passed, the processor further executes the following steps: determining whether the source address and the destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table; if yes, updating the remote control record table with the login time of the intranet assets; and if not, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
When the computer program is executed by the processor to extract, through the security engine, the security information corresponding to the data message under the condition that the data message has a security threat, the processor executes the following steps: detecting the data message through the security engine to determine whether the data message has a security threat; and under the condition that the data message has a security threat, extracting a threat source address, a threat destination address and a threat level corresponding to the data message.
When the computer program is executed by the processor to determine whether a remote control abnormality exists in the intranet assets based on the security information and the real-time updated remote control record table, the processor further executes the following steps: determining whether a threat source address or a threat destination address included in the security information exists in the current remote control record table; and if so, determining that the intranet asset has a remote control abnormality.
According to this embodiment of the application, whether a remote control abnormality exists in the intranet assets is determined from the real-time updated remote control record table together with the security information, so that abnormal behavior of intranet assets controlled through a vulnerability that the gateway equipment failed to block can be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.
An electronic device is further provided in an embodiment of the present application, and a schematic structural diagram of the electronic device may be as shown in fig. 5, where the electronic device at least includes a memory 501 and a processor 502, a computer program is stored on the memory 501, and the processor 502 implements the method provided in any embodiment of the present application when executing the computer program on the memory 501. Illustratively, the computer program of the electronic device performs the following steps S21 to S23:
S21, acquiring a data message transmitted by the intranet assets;
S22, under the condition that the data message has a security threat, extracting security information corresponding to the data message through a security engine;
and S23, determining whether remote control abnormality exists in the intranet assets or not based on the safety information and the remote control record table updated in real time.
When the processor executes the determination method stored on the memory, the processor further executes the following computer program: extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message; and verifying the data message based on the attribute information.
When the processor executes, from the memory, the verification of the data message based on the attribute information, the processor further executes the following computer program: determining whether the source address and the destination address of the data message belong to an external network address; if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol; if yes, determining whether the application protocol corresponding to the data message is successfully logged in; and if the login is successful, determining that the data message passes the verification.
When the processor executes, from the memory, the updating of the remote control record table in the case that the verification is passed, the processor further executes the following computer program: determining whether the source address and the destination address of the data message and the application protocol corresponding to the data message exist in the remote control record table; if yes, updating the remote control record table with the login time of the intranet assets; and if not, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
When the processor executes, from the memory, the extraction through the security engine of the security information corresponding to the data message under the condition that the data message has a security threat, the processor further executes the following computer program: detecting the data message through the security engine to determine whether the data message has a security threat; and under the condition that the data message has a security threat, extracting a threat source address, a threat destination address and a threat level corresponding to the data message.
When the processor executes, from the memory, the determination of whether a remote control abnormality exists in the intranet assets based on the security information and the real-time updated remote control record table, the processor further executes the following computer program: determining whether a threat source address or a threat destination address included in the security information exists in the current remote control record table; and if so, determining that the intranet asset has a remote control abnormality.
According to this embodiment of the application, whether a remote control abnormality exists in the intranet assets is determined from the real-time updated remote control record table together with the security information, so that abnormal behavior of intranet assets controlled through a vulnerability that the gateway equipment failed to block can be avoided, and the accuracy and comprehensiveness of abnormality detection are greatly improved.
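The verification, record-table update and anomaly determination steps described in the embodiments above, worked through as an added Python example; this is not the patent's own code, and the protocol names, the RFC 1918 intranet ranges, the record-table layout and the signature-matching security engine are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Assumed: application protocols that count as "remote control".
REMOTE_CONTROL_PROTOCOLS = {"rdp", "ssh", "vnc", "telnet"}
# Assumed: the intranet is the RFC 1918 space; any other address is external.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
# Constructed placeholder signatures -> threat level for the toy security engine.
SIGNATURES = {b"EXPLOIT-SIG-1": "high", b"SCAN-SIG-2": "medium"}

@dataclass(frozen=True)
class DataMessage:
    src: str               # source address
    dst: str               # destination address
    protocol: str          # application protocol, e.g. "rdp"
    login_success: bool    # whether the remote-control login succeeded
    login_time: str        # ISO 8601 text, written into the record table
    payload: bytes = b""

@dataclass(frozen=True)
class SecurityInfo:
    threat_src: str
    threat_dst: str
    threat_level: str

def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in INTRANET)

def security_engine(msg: DataMessage) -> Optional[SecurityInfo]:
    """S12: return threat source, destination and level, or None if benign."""
    for sig, level in SIGNATURES.items():
        if sig in msg.payload:
            return SecurityInfo(msg.src, msg.dst, level)
    return None

class RemoteControlMonitor:
    def __init__(self) -> None:
        # Remote control record table: (src, dst, protocol) -> latest login time.
        self.table: Dict[Tuple[str, str, str], str] = {}

    def verify(self, msg: DataMessage) -> bool:
        """Claim 3: both addresses intranet, remote-control protocol, login ok."""
        if is_external(msg.src) or is_external(msg.dst):
            return False
        if msg.protocol not in REMOTE_CONTROL_PROTOCOLS:
            return False
        return msg.login_success

    def update_table(self, msg: DataMessage) -> str:
        """Claim 4: refresh the login time if the triple exists, else insert it."""
        key = (msg.src, msg.dst, msg.protocol)
        action = "updated" if key in self.table else "inserted"
        self.table[key] = msg.login_time
        return action

    def determine(self, info: SecurityInfo) -> bool:
        """Claim 6: anomaly when the threat src or dst is in the current table."""
        known = {addr for key in self.table for addr in key[:2]}
        return info.threat_src in known or info.threat_dst in known

    def process(self, msg: DataMessage) -> Tuple[Optional[str], bool]:
        """S11-S13 for one message: (record-table action or None, anomaly?)."""
        action = self.update_table(msg) if self.verify(msg) else None
        info = security_engine(msg)
        return action, (self.determine(info) if info else False)
```

A threat later reported for a host already listed in the table as an intranet remote-control endpoint is flagged even though the gateway passed the traffic, which is the case these embodiments target.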
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes. Optionally, in this embodiment, the processor executes the method steps described in the above embodiments according to the program code stored in the storage medium. Optionally, for a specific example in this embodiment, reference may be made to the examples described in the above embodiment and optional implementation, and this embodiment is not described herein again. It will be apparent to those skilled in the art that the modules or steps of the present application described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a memory device and executed by a computing device, and in some cases, the steps shown or described may be executed out of order, or separately as integrated circuit modules, or multiple modules or steps thereof may be implemented as a single integrated circuit module. Thus, the present application is not limited to any specific combination of hardware and software.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the present application with equivalent elements, modifications, omissions, combinations (e.g., across various embodiments), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be used by those of ordinary skill in the art upon reading the above description. In addition, in the above detailed description, various features may be grouped together to streamline the application. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, subject matter of the present application can lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the application should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
The embodiments of the present application have been described in detail, but the present application is not limited to these specific embodiments, and those skilled in the art can make various modifications and modified embodiments based on the concept of the present application, and these modifications and modified embodiments should fall within the scope of the present application.

Claims (10)

1. A method for determining remote control anomalies, comprising:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet asset has a remote control abnormality based on the security information and a real-time updated remote control record table.
2. The determination method according to claim 1, further comprising:
extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message;
and verifying the data message based on the attribute information.
3. The determination method according to claim 2, wherein verifying the data message based on the attribute information comprises:
determining whether the source address and the destination address of the data message belong to an external network address;
if not, determining whether the application protocol corresponding to the data message belongs to a remote control protocol;
if yes, determining whether the application protocol corresponding to the data message is successfully logged in;
and if the login is successful, determining that the data message passes the verification.
4. The determination method according to claim 2, wherein updating the remote control record table in the case that the verification is passed comprises:
determining whether a source address and a destination address of the data message and an application protocol corresponding to the data message exist in a remote control record table;
if yes, updating a remote control record table by using the login time of the intranet assets;
and if not, updating the remote control record table with the source address, the destination address, the application protocol and the login time.
5. The determination method according to claim 1, wherein extracting, through a security engine, the security information corresponding to the data message under the condition that the data message has a security threat comprises:
detecting the data message through the security engine to determine whether the data message has security threat;
and under the condition that the data message has security threat, extracting a threat source address, a threat destination address and a threat level corresponding to the data message.
6. The determination method according to claim 1, wherein determining whether the intranet asset has a remote control abnormality based on the security information and a real-time updated remote control record table comprises:
determining whether a threat source address or a threat destination address included in the security information exists in a current remote control record table;
and if so, determining that the intranet assets are abnormal in remote control.
7. An apparatus for determining a remote control abnormality, comprising:
the acquisition module is configured to acquire a data message transmitted by the intranet asset;
the extraction module is configured to extract the security information corresponding to the data message through a security engine under the condition that the data message has security threat;
a determining module configured to determine whether a remote control abnormality exists in the intranet asset based on the security information and a real-time updated remote control record table.
8. The determination apparatus of claim 7, further comprising a verification module configured to:
extracting attribute information of the data message from the data message, wherein the attribute information at least comprises a source address and a destination address of the data message and an application protocol corresponding to the data message;
and verifying the data message based on the attribute information.
9. A storage medium, having a computer program stored thereon, the computer program when executed by a processor performing the steps of:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet asset has a remote control abnormality based on the security information and a real-time updated remote control record table.
10. An electronic device, comprising: a processor and a memory, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating over a bus when an electronic device is operating, the machine-readable instructions when executed by the processor performing the steps of:
acquiring a data message transmitted by an intranet asset;
under the condition that the data message has security threat, extracting security information corresponding to the data message through a security engine;
and determining whether the intranet asset has a remote control abnormality based on the security information and a remote control record table updated in real time.
CN202211189833.8A 2022-09-28 2022-09-28 Method and device for determining remote control abnormity, storage medium and electronic equipment Pending CN115550029A (en)


Publications (1)

Publication Number Publication Date
CN115550029A true CN115550029A (en) 2022-12-30

Family

ID=84730431



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination