CN117544429B - Attack protection method, apparatus, electronic device and computer readable storage medium - Google Patents

Info

Publication number: CN117544429B
Authority: CN (China)
Prior art keywords: interaction, attack, target, network, target object
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410033115.4A
Other languages: Chinese (zh)
Other versions: CN117544429A (en)
Inventors: 林福生, 郭伟
Current assignee: Tencent Technology Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN202410033115.4A; publication of CN117544429A; application granted; publication of CN117544429B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The embodiments of this application disclose an attack protection method, an attack protection apparatus, an electronic device and a computer-readable storage medium. After the ingress traffic data of a target object on a network interaction platform is obtained, risk identification is performed on the ingress traffic data to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, an attack object identifier is determined from the ingress traffic data, and according to the attack object identifier and the interaction relationship, the interaction path between the target object and the interaction object is blocked on the network interaction platform. The scheme can comprehensively protect against the attack risks that exist under different interaction relationships. The embodiments of the invention can be applied to scenarios such as cloud technology, artificial intelligence, intelligent transportation and assisted driving.

Description

Attack protection method, apparatus, electronic device and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular to an attack protection method, an attack protection apparatus, an electronic device and a computer-readable storage medium.
Background
An Internet eXchange Point (IXP) is an Internet exchange platform that provides interconnection services for a number of different networks. It is typically maintained by a neutral third party and offers peer-to-peer interconnection (peering) services to the outside. A network that connects to the IXP is referred to as a member of the IXP network. Within the IXP network, members can interconnect with each other through a peering agreement. A distributed denial of service (DDoS) attack is one of the most common attack modes on today's Internet: it uses a distributed network to send a large number of requests that occupy the resources of a target server or network. Such an attack can paralyze the target system so that it can no longer process requests normally.
Currently, Remote Triggered Black Hole (RTBH) services are the main way of dealing with DDoS attacks. However, the RTBH service is mainly aimed at DDoS attacks in the scenario where IXP members interconnect through a multilateral peering agreement; for scenarios where other types of peering agreement are used, the RTBH service cannot block the attack traffic generated by a DDoS attack.
Disclosure of Invention
The embodiments of the invention provide an attack protection method, an attack protection apparatus, an electronic device and a computer-readable storage medium, which can comprehensively protect against attack risks existing under different interaction relationships, reduce the impact of a network attack on a target object through various interaction paths, and improve the protection effect.
The embodiments of the invention provide an attack protection method comprising the following steps:
acquiring ingress traffic data of a target object on a network interaction platform, where the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, and at least one interaction relationship exists between the target object and the interaction object;
performing risk identification on the ingress traffic data to obtain an identification result;
when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier from the ingress traffic data, where the attack object identifier indicates which of the interaction objects is attacking the target object;
and blocking the interaction path between the target object and the interaction object on the network interaction platform according to the attack object identifier and the interaction relationship.
Correspondingly, an embodiment of the invention provides an attack protection apparatus comprising:
an acquisition unit, configured to acquire ingress traffic data of a target object on a network interaction platform, where the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, and at least one interaction relationship exists between the target object and the interaction object;
an identification unit, configured to perform risk identification on the ingress traffic data to obtain an identification result;
a determining unit, configured to determine an attack object identifier from the ingress traffic data when the identification result indicates that the ingress traffic data is at risk, where the attack object identifier indicates which of the interaction objects is attacking the target object;
and a blocking unit, configured to block the interaction path between the target object and the interaction object on the network interaction platform according to the attack object identifier and the interaction relationship.
In some embodiments, the blocking unit may be specifically configured to determine, from the interaction relationships and according to the attack object identifier, the target interaction relationship between the target object and the attack object, and to block the interaction path between the target object and the interaction object on the network interaction platform based on that target interaction relationship.
In some embodiments, the blocking unit may be specifically configured to obtain the interaction relationship list corresponding to the target object, look up the interaction relationship corresponding to the attack object identifier in that list, and take the interaction relationship found as the target interaction relationship between the target object and the attack object.
In some embodiments, the interaction relationship includes at least one of a multilateral interaction relationship, a bilateral interaction relationship and a unilateral interaction relationship. The blocking unit may then be specifically configured to perform network blocking of at least the attack object on the network interaction platform when the target interaction relationship includes a bilateral interaction relationship; and, when the target interaction relationship does not include a bilateral interaction relationship, to determine the blocking object according to the type of the target interaction relationship and perform network blocking of that blocking object on the network interaction platform.
In some embodiments, the blocking unit may be specifically configured to adjust the bilateral interaction relationship to a unilateral interaction relationship whose interaction direction is designated as pointing from the target object to the attack object, and to restrict the interaction permissions between the attack object and the target object on the network interaction platform based on the adjusted unilateral interaction relationship.
In some embodiments, the blocking unit may be specifically configured to release the bilateral interaction relationship on the network interaction platform, so as to cut off the interaction path between the attack object and the target object.
In some embodiments, the blocking unit may be specifically configured, when the target interaction relationship further includes a multilateral interaction relationship, to obtain the target object identifier of the target object, perform attack-risk marking on the target object identifier to obtain an attacked-object identifier, and send the attacked-object identifier to the interaction objects, so that an interaction object, after receiving the attacked-object identifier, adjusts its data sending path to the target object.
In some embodiments, the blocking unit may be specifically configured to obtain the address of the route server associated with the target object on the network interaction platform, and to send the attacked-object identifier to the route server based on that address, so that the route server announces the attacked-object identifier to all interaction objects on the network interaction platform.
In some embodiments, the blocking unit may be specifically configured to determine the interaction direction of the unilateral interaction relationship when the target interaction relationship includes a unilateral interaction relationship; when the interaction direction points from the attack object to the target object, to determine that the blocking object includes the attack object; and to reverse the interaction direction or release the unilateral interaction relationship.
In some embodiments, the blocking unit may be specifically configured to determine that the blocking object includes the target object when the target interaction relationship further includes a multilateral interaction relationship; to obtain the target object identifier of the target object; to perform attack-risk marking on the target object identifier to obtain an attacked-object identifier; and to send the attacked-object identifier to the interaction objects, so that an interaction object, after receiving it, adjusts its data sending path to the target object.
In some embodiments, the attack protection apparatus may further include a risk marking unit, which may be specifically configured to perform attack-anomaly marking on the attack object identifier to obtain an anomalous object identifier, and to send the anomalous object identifier to the interaction objects other than the attack object, so that those interaction objects can apply risk pre-control to the attack object.
In some embodiments, the identification unit may be specifically configured to divert (mirror) the ingress traffic data to obtain a copy of the ingress traffic data, and to perform risk identification on that copy.
In some embodiments, the identification unit may be specifically configured to perform feature extraction on the copy of the ingress traffic data to obtain ingress traffic features, and to determine whether the ingress traffic data is anomalous based on those features.
In addition, an embodiment of the invention provides an electronic device comprising a processor and a memory, where the memory stores an application program and the processor is configured to run the application program in the memory so as to execute the attack protection method provided by the embodiments of the invention.
In addition, an embodiment of the invention provides a computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the attack protection method provided by the embodiments of this application.
In addition, an embodiment of the invention provides a computer-readable storage medium storing a plurality of instructions suitable for being loaded by a processor to execute the steps of any of the attack protection methods provided by the embodiments of the invention.
According to the embodiments of the invention, after the ingress traffic data of the target object on the network interaction platform is obtained, risk identification is performed on it to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, an attack object identifier is determined from the ingress traffic data; then, according to the attack object identifier and the interaction relationship, the interaction path between the target object and the interaction object on the network interaction platform is blocked. In the scenario where several kinds of interaction relationship exist between the target object and other objects on the network interaction platform, the scheme performs anomaly identification on the target object's ingress traffic data, extracts the attack object identifier from the anomalous ingress traffic data and, once the attack object identifier has been determined, can perform network blocking of the attacks on the target object under the different interaction relationships. This achieves comprehensive protection against the attack risks existing under different interaction relationships, reduces the impact of a network attack on the target object through various interaction paths, and improves the protection effect.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application scenario of an attack protection method provided by an embodiment of the present invention;
FIG. 2 is a schematic flow chart of an attack protection method according to an embodiment of the present invention;
FIG. 3a is a schematic diagram of another scenario of an attack protection method according to an embodiment of the present invention;
FIG. 3b is a schematic diagram of the scenario of FIG. 3a after blocking, according to an embodiment of the present invention;
FIG. 3c is another schematic diagram of the scenario of FIG. 3a after blocking, according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of another scenario of an attack protection method according to an embodiment of the present invention;
FIG. 5 is another flow chart of an attack protection method according to an embodiment of the present invention;
FIG. 6 is another schematic diagram of a scenario of an attack protection method provided by an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an attack protection apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The embodiments of the invention provide an attack protection method, an attack protection apparatus, an electronic device and a computer-readable storage medium. The attack protection apparatus can be integrated in an electronic device, which may be a server or a network device such as a terminal.
The server may be an independent physical server, a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery network (CDN), big data and artificial intelligence platforms. The terminal may be, but is not limited to, a smartphone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch and the like. The terminal and the server may be connected directly or indirectly through wired or wireless communication, which is not limited here.
Fig. 1 shows a schematic diagram of an application scenario of an attack protection method provided by an embodiment of the invention. As shown in Fig. 1, a route server is provided on the network interaction platform, and a plurality of objects (including object 1, object 2, object 3, object 4 and object n) can each establish a connection with the route server; in addition, the objects can also establish connections with each other independently.
The network interaction platform may be an Internet exchange point (IXP), the route server may be a global route reflector provided by the IXP, and an object may be a network device placed at the IXP by an Internet provider. The IXP provides a space in which Internet operators interconnect their networks and exchange traffic and resources: by using a rack or a location at the IXP and placing and managing their own network equipment there, operators can conveniently interconnect with each other. The number of route servers in an IXP may be set according to the actual situation; for example, there may be 1, 2, 3 or another number of route servers.
Taking the case where the attack protection apparatus is integrated in the electronic device, the electronic device may be the network device corresponding to any object on the network interaction platform. For example, the attack protection apparatus may be integrated in the network device corresponding to object 1, in the network device corresponding to object 2, or in the network devices corresponding to object 3, object 4 and object n. For ease of distinction, an object on the network interaction platform in which the attack protection apparatus is integrated will be referred to below as the target object, and the other objects (whether or not an attack protection apparatus is integrated in them) will be referred to as interaction objects. For example, if the attack protection apparatus is integrated in the network device corresponding to object 1, object 1 may be called the target object, and the remaining objects (including object 2, object 3, object 4 and object n) may be called interaction objects. It should be noted that the attack protection apparatus may also be integrated in the network device corresponding to an interaction object, for example the network device corresponding to object 2, object 3 or another interaction object.
Take the case where the attack protection apparatus is integrated in the electronic device, the electronic device is the network device corresponding to object 1, and object 1 is the target object. After acquiring the ingress traffic data of the target object on the network interaction platform, the electronic device can perform risk identification on the ingress traffic data to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, it determines an attack object identifier from the ingress traffic data; and then, according to the attack object identifier and the interaction relationship, it blocks the interaction path between the target object and the interaction object on the network interaction platform, so that the attack risks existing under different interaction relationships are comprehensively protected against, the impact of the network attack on the target object through various interaction paths is reduced, and the protection effect is improved.
With the rapid development of cloud computing, more and more enterprises and individuals are migrating data and applications to the cloud. The attack protection method provided by the embodiments of the invention can be used to address the security of data in the cloud, for example to cope with distributed denial of service (DDoS) attacks, and relates to the cloud network, cloud security and cloud computing directions of the cloud technology field.
Cloud technology refers to a hosting technology that unifies resources such as hardware, software and networks in a wide area network or local area network to realize the computation, storage, processing and sharing of data. It is a general term for network technology, information technology, integration technology, management platform technology, application technology and so on based on the cloud computing business model; it can form a resource pool that is used flexibly and on demand. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and other portals, require a large amount of computing and storage resources. With the development of the Internet industry, every item may in future have its own identification mark, which needs to be transmitted to a background system for logical processing; data of different levels will be processed separately, and all kinds of industry data need strong back-end system support, which can only be realized through cloud computing.
Cloud network is a general term for the Internet technology, integration and applications of the cloud era. A cloud network uses the cloud to connect network resources: separate servers are integrated through network technology into a virtual network service system that represents a resource pool which users access on demand and pay for accordingly.
Cloud security is a general term for security software, hardware, users, institutions and secure cloud platforms based on the cloud computing business model. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgement: through anomaly monitoring of software behavior on a large number of network clients, it obtains the latest information about Trojans and malicious programs on the Internet, sends it to a server for automatic analysis and processing, and distributes the solutions for viruses and Trojans to each client. The main research directions of cloud security include:
(1) Cloud computing security, i.e. how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and so on;
(2) Clouding of the security infrastructure, which mainly studies how to build and integrate security infrastructure resources with cloud computing and optimize the security protection mechanism; cloud computing technology is used to build a very large-scale platform for collecting and processing security events and information, realizing the collection and correlation analysis of massive amounts of information and improving the handling and risk control capability for network-wide security events;
(3) Cloud security services, which mainly study the various security services provided to users on the basis of cloud computing platforms, such as anti-virus services.
Cloud computing refers to the delivery and usage pattern of IT infrastructure, meaning that the required resources are obtained over a network, on demand and in an easily scalable way; cloud computing in the broad sense refers to the delivery and usage pattern of services, meaning that the required services are obtained over a network on demand and in an easily scalable way. Such services may be IT, software or Internet related, or other services. Cloud computing is the product of the fusion of traditional computer and network technologies such as grid computing, distributed computing, parallel computing, utility computing, network storage technologies, virtualization and load balancing. With the development of the Internet, real-time data streams and the diversification of connected devices, pushed by the demands of search services, social networks, mobile commerce, open collaboration and so on, cloud computing has developed rapidly. Unlike earlier parallel and distributed computing, the emergence of cloud computing will in concept promote a revolutionary transformation of the whole Internet model and of enterprise management models.
It will be appreciated that the specific embodiments of this application involve related data such as object identifiers and object images; when the following embodiments are applied to specific products or technologies, permission or consent is required, and the collection, use and processing of such data must comply with the relevant laws, regulations and standards of the countries and regions concerned.
The following is a detailed description. The following description of the embodiments is not intended to limit the preferred embodiments.
This embodiment will be described from the perspective of the attack protection apparatus, which may be integrated in an electronic device; the electronic device may be a server or a network device such as a terminal, and the terminal may include a tablet computer, a notebook computer, a personal computer (PC), a wearable device, a virtual reality device, or another smart device capable of generating image files.
The attack protection method comprises: acquiring ingress traffic data of a target object on a network interaction platform, where the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, and at least one interaction relationship exists between the target object and the interaction object; performing risk identification on the ingress traffic data to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier from the ingress traffic data, where the attack object identifier indicates which of the interaction objects is attacking the target object; and blocking the interaction path between the target object and the interaction object on the network interaction platform according to the attack object identifier and the interaction relationship.
As shown in fig. 2, the specific flow of the attack protection method is as follows:
101. Acquire the ingress traffic data of the target object on the network interaction platform.
The network interaction platform includes the target object and at least one interaction object corresponding to it, and at least one interaction relationship exists between the target object and the interaction object. As shown in Fig. 1, object 1 is taken as the target object, and the other objects (object 2, object 3, object 4 and object n) are the interaction objects corresponding to it.
The network interaction platform can offer the objects connected to it two peering arrangements, a Multi-Lateral Peering Agreement (MLPA) and a Bi-Lateral Peering Agreement (BLPA), through which the objects interconnect and establish an interaction relationship. In the terminology of Internet exchange points, the network interaction platform corresponds to an IXP and the objects to its member networks; the description below keeps the terms used in the embodiment.
Under the multilateral peering agreement, the network interaction platform generally provides two route servers as platform-wide route distributors. The route servers are iBGP neighbours of each other, and each object establishes a connection with one of them. When an object wants to announce a route, it announces the route to its route server, and the route server reflects it to all other objects on the platform, so that the route is announced platform-wide. For example, under the multilateral peering agreement objects 1, 2, 3, 4 and n each establish a connection with a route server; when object 1 announces a route, it announces it to its route server, which reflects it to all the other objects (objects 2, 3, 4 and n), achieving a platform-wide announcement. Because the multilateral peering agreement passes a route announced by one object on to every other object, every other object receives the same routing policy. In the embodiment of the present application, a BGP peer established through the multilateral peering agreement may be called a Public Peer.
Under the bilateral peering agreement, any two objects on the platform can establish a connection directly, without going through a route server. For example, object 1 and object 2 may establish a direct connection, object 1 and object 3 may establish a direct connection, and so on. Under the bilateral peering agreement a route announced by an object is received only by the objects that have a direct connection with it and is not announced to other objects. In the embodiment of the present application, a BGP peer established through the bilateral peering agreement may be called a Private Peer.
On the network interaction platform each object generally establishes a connection under the multilateral peering agreement, and each object may additionally establish connections with individual objects under the bilateral peering agreement. Hence at least one interaction relationship exists between the target object and an interaction object. For example, as shown in Fig. 1, the target object (object 1) has a multilateral peering agreement with the interaction objects (objects 2, 3, 4 and n), drawn as solid lines in Fig. 1, and additionally a bilateral peering agreement with object 2, drawn as a dotted line.
In addition, the network interaction platform can offer the objects connected to it a unilateral interaction agreement, under which a one-way connection can be established between any two objects without a route server. For example, a one-way connection from object 1 to object 2 can be established directly: routes announced by object 1 are received only by object 2 and are not announced to other objects, while routes announced by object 2 cannot be received directly by object 1 and must first be announced to the corresponding route server, which reflects them to the other objects on the platform (objects 1, 3, 4 and n). As shown in Fig. 1, a unilateral agreement exists between object 3 and object 4 in the direction from object 3 to object 4; it is drawn as a dotted line with an arrow, the arrow giving the direction of interaction.
It should be understood that the interaction relationships between the target object and the interaction objects shown in Fig. 1 are merely examples of the relationships that may exist on the network interaction platform and do not limit the relationships that actually exist between them.
On the network interaction platform, different agreements correspond to different interaction relationships. The interaction relationship between the target object and an interaction object includes at least one of a multilateral, a bilateral and a unilateral interaction relationship, meaning a relationship established under the multilateral, the bilateral or the unilateral agreement respectively.
Once the target object and an interaction object have established an interaction relationship on the platform, the target object can send data to the interaction object and the interaction object can send data to the target object. The ingress traffic data of the target object is the data sent by interaction objects and received by the target object at a given moment or over a given period. Different interaction relationships between the target object and an interaction object imply different transmission paths or transmission modes for that data.
102. Perform risk identification on the ingress traffic data to obtain an identification result.
The target object receives the data sent by interaction objects in real time and processes the received ingress traffic. When a network attack occurs, that is, when an attack object is present on the platform, the data it sends threatens the other objects. The target object therefore uses the integrated attack protection apparatus to perform risk identification on the received ingress traffic and determine whether it presents a security risk.
Risk identification of the ingress traffic may include: diverting the ingress traffic to obtain a copy of it, and performing risk identification on the copy. The traffic can be diverted in various ways; for example, an optical splitter can split the traffic at the network ingress of the target object, that is, copy the ingress traffic to obtain a copy, so that the copy is diverted to the attack protection apparatus for the subsequent risk identification. Because the apparatus works on a copy, it neither delays forwarding nor can it drop packets itself; the actual blocking takes place in step 104 through the interaction relationship.
Risk identification of the copy can be performed in various ways. For example, features can be extracted from the ingress traffic and an anomaly determined from those features. Feature extraction may cover the traffic peak, the traffic distribution, the packet inter-arrival times and the packet sizes of the ingress traffic, giving peak, distribution, inter-arrival-time and packet-size features. The ingress traffic features are then compared with the features of known network attack data, for example with the features of a DDoS attack, and whether an anomaly exists is determined from the comparison.
When one or more of the ingress traffic features match the features of network attack data, for example a sudden surge in the traffic peak or an uneven traffic distribution, the ingress traffic is judged to carry a risk; otherwise, when the features do not match those of network attack data, the ingress traffic is judged normal. A rate surge on its own is also produced by legitimate bursts, so the comparison is more reliable when the peak feature is combined with packet-level ones, such as uniformly small packets or a single source accounting for most of the traffic.
103. When the identification result indicates that the ingress traffic carries a risk, determine the attack object identifier in the ingress traffic, the attack object identifier indicating which of the interaction objects is attacking the target object.
For ingress traffic that carries a risk, the traffic is analysed further and data reflecting the source or identity of the attack object is extracted or filtered out; for example, the attack object identifier corresponding to the attack object is extracted from the ingress traffic. The attack object identifier may be the physical address of the attack object, for example the interface MAC address of the attack object. On the platform's peering network the source MAC address of a frame is the interface address of the previous-hop object that placed the frame on the platform, so it identifies the delivering peer even when the IP source addresses of the attack traffic are spoofed; it identifies the peer that delivered the traffic, not necessarily the traffic's ultimate origin. Because each object has a distinct identifier on the platform, the attack object can be located from the attack object identifier among the interaction objects that have an interaction relationship with the target object.
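As an added illustration of steps 102 and 103 (example code written for this page, not code from the patent or from the applicant), the following Python script extracts the features named above from a constructed copy of the ingress traffic, flags the busiest window when a rate surge coincides with flood-shaped packets, and returns the previous-hop MAC address dominating that window as the attack object identifier. The packet records, the thresholds (ten times the baseline rate, a 90% single-source share, a 128-byte median size) and the MAC addresses are assumptions chosen for the demonstration:

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float       # arrival time, seconds
    size: int       # frame size, bytes
    src_mac: str    # source MAC = interface MAC of the previous-hop peer on the platform


def constructed_capture(attack=True):
    """Constructed sample copy of the ingress traffic (not real data): 60 s of
    mixed-size traffic at 10 pps from three peers, optionally plus a 3 s flood
    of 64-byte frames at 1000 pps from one peer starting at t = 30 s."""
    sizes = (1500, 200, 600, 74)
    macs = ("02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:04")
    pkts = [Packet(i / 10 + 0.02 * (i % 5), sizes[i % 4], macs[i % 3]) for i in range(600)]
    if attack:
        pkts += [Packet(30 + i / 1000, 64, "02:00:00:00:00:03") for i in range(3000)]
    return pkts


def windows(pkts, window=1.0):
    """Group packets into fixed-length time windows."""
    buckets = defaultdict(list)
    for p in pkts:
        buckets[int(p.ts // window)].append(p)
    return buckets


def window_features(ws):
    """Feature extraction for one window: rate, packet size, inter-arrival
    regularity and the share of the window owed to a single previous-hop peer."""
    sizes = [p.size for p in ws]
    ts = sorted(p.ts for p in ws)
    iats = [b - a for a, b in zip(ts, ts[1:])]
    med = median(sizes)
    top_mac, top_n = Counter(p.src_mac for p in ws).most_common(1)[0]
    return {
        "pps": len(ws),
        "median_size": med,
        "uniform_share": sum(1 for s in sizes if s == med) / len(sizes),
        "iat_cv": (pstdev(iats) / mean(iats)) if len(iats) > 1 and mean(iats) > 0 else 0.0,
        "top_mac": top_mac,
        "top_share": top_n / len(ws),
    }


def baseline_pps(pkts, window=1.0):
    """Mean per-window packet rate of a known-good capture."""
    return mean(len(ws) for ws in windows(pkts, window).values()) / window


def identify_risk(pkts, base_pps, surge_factor=10.0, window=1.0):
    """Step 102. Examines the busiest window. A rate surge alone is also produced
    by legitimate bursts, so the traffic is flagged only when the surge comes
    with flood-shaped packets: tiny and uniform, regularly spaced, or dominated
    by one peer."""
    peak = max((window_features(ws) for ws in windows(pkts, window).values()),
               key=lambda f: f["pps"])
    surge = peak["pps"] >= surge_factor * base_pps
    shape = []
    if peak["median_size"] < 128 and peak["uniform_share"] >= 0.9:
        shape.append("uniform small packets")
    if peak["iat_cv"] < 0.2:
        shape.append("regular inter-arrival")
    if peak["top_share"] >= 0.9:
        shape.append("single dominant source")
    reasons = (["packet-rate surge"] if surge else []) + shape
    return {"risky": surge and bool(shape), "reasons": reasons, "peak": peak}


def attack_object_id(result):
    """Step 103: the attack object identifier is the previous-hop interface MAC
    that dominates the flagged window (None when nothing was flagged)."""
    return result["peak"]["top_mac"] if result["risky"] else None


if __name__ == "__main__":
    base = baseline_pps(constructed_capture(attack=False))
    verdict = identify_risk(constructed_capture(), base)
    print(verdict["risky"], verdict["reasons"], attack_object_id(verdict))
```

The baseline is learned from a capture taken while the target object is not under attack; in a deployment it would be refreshed continuously so that a slow legitimate growth in traffic does not eventually trip the surge rule.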
104. Block the interaction path between the target object and the interaction object on the network interaction platform according to the attack object identifier and the interaction relationship.
The interaction path between the target object and the interaction object can be blocked according to the attack object identifier and the interaction relationship in various ways. For example: determining, from among the interaction relationships and according to the attack object identifier, the target interaction relationship between the target object and the attack object; and blocking the interaction path between the target object and the interaction object on the platform on the basis of that target interaction relationship. As noted above, the platform includes the target object and at least one corresponding interaction object, with at least one interaction relationship between them. Since the attack object is one of the interaction objects, the interaction relationships between the target object and the interaction objects include the target interaction relationship between the target object and the attack object. Once the attack object identifier has been determined, the attack object is identified among the interaction objects, and the interaction path between the target object and the interaction object can be blocked on the platform according to the type of the target interaction relationship.
The target interaction relationship between the target object and the attack object can be determined from the attack object identifier in various ways. For example: obtaining the interaction relationship list of the target object; searching that list for the interaction relationship corresponding to the attack object identifier; and taking the relationship found as the target interaction relationship. When the target object establishes an interaction relationship with another object on the platform, a corresponding interaction relationship list can be created and stored on the network device of the target object. The list records the objects that have established an interaction relationship with the target object and the type of interaction relationship established with each of them.
For example, when the target object is object 1, the corresponding interaction objects are objects 2, 3, 4 and n. The target object has a multilateral interaction relationship with each of objects 2, 3, 4 and n, and additionally a bilateral interaction relationship with object 2. The interaction relationship list of the target object (object 1) accordingly records the interaction relationships involving the target object and the interaction objects corresponding to each type of relationship.
For example, when the target object is object 4, the corresponding interaction objects are objects 1, 2, 3 and n. The target object has a multilateral interaction relationship with each of objects 1, 2, 3 and n, and additionally a unilateral interaction relationship with object 3, whose direction is from object 3 to the target object. The interaction relationship list of the target object (object 4) accordingly records the interaction relationships involving the target object and the interaction objects corresponding to each type of relationship.
As noted above, different objects have different identifiers on the platform. The identifiers of the objects can therefore be recorded in the interaction relationship list; the object is determined from the recorded identifier, and the interaction relationship between that object and the target object is then determined.
When the target object has established different types of interaction relationship with other objects on the platform, a separate interaction relationship list can be kept per relationship type. For example, the information on the interaction objects that have a multilateral interaction relationship with the target object can be listed separately as a multilateral interaction relationship list; likewise, the interaction objects with a bilateral relationship form a bilateral interaction relationship list, and the interaction objects with a unilateral relationship form a unilateral interaction relationship list.
The bilateral interaction relationship list records, for each interaction object having a bilateral relationship with the target object, its physical address (interface MAC address) and its network address (interface IP address), in one-to-one correspondence; the bilateral list can thus be understood as an Address Resolution Protocol (ARP) table. Since the attack object identifier may be the physical address of the attack object, the network address of the attack object can be looked up in the bilateral list from the previous-hop attack object identifier: the network address of the attack object having a Private Peer with the target object is found in the ARP table from its MAC address, and data sent by the attack object is then blocked at the network layer by that network address. The previous-hop attack object identifier is the interface MAC address with which the previous-hop interaction object connects to the IXP network, that is, the interface MAC address through which the attack object is connected to the target object.
The unilateral interaction relationship list likewise records, for each interaction object having a unilateral relationship with the target object, its physical address (interface MAC address) and its network address (interface IP address) in one-to-one correspondence, so it too can be understood as an ARP table. The network address of the attack object can therefore be looked up in the unilateral list from the attack object identifier, and data sent by the attack object blocked at the network layer by that address.
After the attack object identifier corresponding to the target object has been determined, it is looked up in the interaction relationship lists of the target object, and the interaction relationships recorded against it are taken as the target interaction relationship. The target interaction relationship between the target object and the attack object may be one of: multilateral only; bilateral only; unilateral only; both multilateral and bilateral; or both multilateral and unilateral.
Blocking is a basic protection measure in the field of network security. Its basic idea is to restrict or shield the attack source so that the network attack cannot interrupt or intrude on communication services. Blocking can be applied to a network, an IP address, a port or a protocol, or can be driven by the malicious behaviour of the attacker.
The blocking mode for the target object differs according to the target interaction relationship. Specifically, blocking the interaction path between the target object and the interaction object on the platform on the basis of the target interaction relationship may fall into the following two cases:
(1) When the target interaction relationship includes a bilateral interaction relationship, at least the attack object is network-blocked on the platform. The target interaction relationship may then be bilateral only, or both bilateral and multilateral; in either case the risk that the attack object poses to the target object over the bilateral relationship must be cut off.
When the target interaction relationship includes a bilateral interaction relationship, network-blocking at least the attack object on the platform may include: adjusting the bilateral interaction relationship to a unilateral one whose direction is from the target object to the attack object; and limiting, on the basis of the adjusted unilateral relationship, the interaction permission between the attack object and the target object.
Fig. 3a shows another schematic view of a scenario of the attack protection method of the embodiment, and Fig. 3b shows the scenario of Fig. 3a after blocking. In Fig. 3a the target interaction relationship between the target object and the attack object is bilateral. As shown in Fig. 3b, the original bilateral relationship is adjusted to a unilateral one whose direction is from the target object to the attack object. The interaction permission between the attack object and the target object is thereby limited: under the adjusted unilateral relationship the attack object can no longer send data to the target object normally, and because the permission is limited, data that the attack object has already sent to the target object over the bilateral relationship can be discarded by the target object, achieving the blocking effect and the purpose of blocking the attack.
In addition, when the target interaction relationship includes a bilateral interaction relationship, network-blocking at least the attack object may further include: releasing the bilateral interaction relationship on the platform so as to cut off the interaction path between the attack object and the target object. Fig. 3c shows another view of the scenario of Fig. 3a after blocking. As shown in Fig. 3c, the bilateral relationship between the target object and the attack object is released outright, cutting off the interaction path between them; the attack object can then no longer send data to the target object, and the target object no longer sends data to the attack object. Because the original bilateral relationship has been released, data that the attack object sent to the target object over it can be discarded by the target object, achieving the purpose of blocking the attack.
In the embodiment of the present application, when the target interaction relationship includes a bilateral interaction relationship, the attack object is a BGP neighbour of the target object. A peer trigger (Peer trigger) can then use the attack object identifier to look up in the ARP table the network address of the attack object that has a Private Peer with the target object, and shut down that BGP neighbour. Closing the session with the remote BGP neighbour directly also clears the routes the target object learned through the Private Peer, and the attack traffic is discarded at the remote end because no valid route can be found. The Peer trigger is thus mainly used to close the Private Peer and cause the remote interaction object to withdraw its routes, blocking attack traffic arriving from the Private Peer. The session teardown is symmetric: the target object's own routes are withdrawn from the attack object as well, and if the attack object also has a multilateral relationship it still learns them through the route server, which is why that path is handled separately as described next.
When the target interaction relationship includes a bilateral interaction relationship, network-blocking at least the attack object on the platform may further include: when the target interaction relationship also includes a multilateral interaction relationship, obtaining the target object identifier of the target object; marking the target object identifier with an attack-risk mark to obtain an attacked object identifier; and sending the attacked object identifier to the interaction objects, so that each interaction object adjusts its data transmission path to the target object after receiving it.
When the target interaction relationship includes both a bilateral and a multilateral interaction relationship, the attack object has two paths over which to send data to the target object, and to protect the target object the risk from both paths must be cut off. Fig. 4 is a schematic diagram of another scenario of the attack protection method of the embodiment. As shown in Fig. 4, the risk arising from the bilateral relationship is handled by the blocking methods described above, namely (1) releasing the bilateral relationship, or (2) adjusting it to a unilateral relationship whose direction is from the target object to the attack object.
For the risk arising from the multilateral relationship, the identity of the target object is obtained directly. The target object identifier may be understood as the identity of the target object and may be its network address. After the target object identifier has been obtained, it is marked to obtain the attacked object identifier. Marking may be done in various ways. For example, the platform operator may agree in advance with every object connected to the platform on a recognised risk marking code; when an object identifies an attack, it sends the risk marking code to the other objects by means of a route, so that after receiving a route carrying the code the other objects adjust their data transmission path to the target object. In BGP terms the risk marking code is typically carried as a community value on the announced route (the well-known BLACKHOLE community of RFC 7999 is the usual choice), and the route carrying it is a host route for the attacked address.
On this basis, the target object identifier is marked with the risk marking code, and the resulting attacked object identifier comprises the target object identifier and the risk marking code. The attacked object identifier is then sent to the interaction objects so that each of them adjusts its data transmission path to the target object after receiving it. After receiving the attacked object identifier, an interaction object may handle the data originally destined for the attacked object at its own end in various ways. For example, it may temporarily close its multilateral relationship with the target object and discard locally the data originally destined for the attacked object; or it may change the transmission path and send the data originally destined for the attacked object to a blocking server deployed on the platform, which scrubs it. Both treatments affect all traffic addressed to the attacked address, legitimate traffic included: the blocking-server path preserves service for that address at the cost of scrubbing capacity, whereas discarding locally sacrifices the address to protect the rest of the target object's network.
The attacked object identifier can also be sent to the interaction objects in various ways. For example: obtaining the address of the route server associated with the target object on the platform; and sending the attacked object identifier to the route server at that address, so that the route server announces it to all interaction objects on the platform. As described above, the data transmission path of the multilateral relationship is that an object announces a route to its route server, which reflects it to all other objects on the platform, achieving a platform-wide announcement. Sending the attacked object identifier can therefore follow the same path: the address of the route server associated with the target object is determined first, the attacked object identifier is sent to the route server at that address, and after receiving it the route server reflects it to all interaction objects of the target object on the platform. Each interaction object, after receiving the attacked object identifier, then handles the data originally destined for the target object at its own end and does not send it to the target object, which realises the blocking.
In this embodiment, when the target interaction relationship also includes a multilateral interaction relationship, a remotely triggered black hole (RTBH) service can be triggered by an RTBH trigger so as to block attack traffic arriving from the Public Peer. Specifically, the RTBH trigger determines the address of the route server associated with the target object and sends the attacked object identifier to that address; after receiving it, the route server reflects it to all interaction objects of the target object on the platform, and each interaction object, after receiving the attacked object identifier, handles the data originally destined for the target object at its own end instead of sending it to the target object.
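The RTBH exchange just described, as an added simulation in Python (example code written for this page, not the patent's or the applicant's implementation). The route server, member and announcement classes, the AS numbers, the RFC 5737 documentation addresses, the blocking-server address and the use of the RFC 7999 BLACKHOLE community as the agreed risk marking code are all assumptions. The route-server check it includes is the one a practitioner would insist on: a marked announcement is reflected only when it is a host route inside the address space the announcing member is authorised to originate, since otherwise one member could blackhole another member's addresses:

```python
import ipaddress
from dataclasses import dataclass

# Assumed risk marking code: the well-known BLACKHOLE community of RFC 7999.
# The patent only requires a code agreed in advance between operator and members.
BLACKHOLE = (65535, 666)


@dataclass(frozen=True)
class Announcement:
    prefix: str            # e.g. "203.0.113.10/32"
    origin_asn: int        # announcing member
    communities: frozenset


def mark_attacked(target_ip, origin_asn):
    """The target object builds the attacked-object identifier: a host route for
    its own address carrying the risk marking code."""
    return Announcement(f"{ipaddress.ip_address(target_ip)}/32", origin_asn,
                        frozenset({BLACKHOLE}))


class RouteServer:
    """Multilateral route server: reflects an announcement to every other member
    after checking that the announcing member may originate the prefix."""

    def __init__(self, authorized):
        # asn -> address space the member may announce (assumed to come from prefix filters)
        self.authorized = {asn: [ipaddress.ip_network(p) for p in ps]
                           for asn, ps in authorized.items()}
        self.members = {}

    def join(self, peer):
        self.members[peer.asn] = peer

    def accepts(self, ann):
        net = ipaddress.ip_network(ann.prefix)
        covered = any(net.subnet_of(a) for a in self.authorized.get(ann.origin_asn, []))
        if BLACKHOLE in ann.communities:
            # A blackhole must be a host route inside the announcer's own space.
            return covered and net.prefixlen == net.max_prefixlen
        return covered

    def reflect(self, ann):
        """Returns the ASNs the announcement was delivered to ([] if rejected)."""
        if not self.accepts(ann):
            return []
        delivered = []
        for asn, peer in self.members.items():
            if asn != ann.origin_asn:
                peer.receive(ann)
                delivered.append(asn)
        return delivered


class Peer:
    """A member router. Without a scrubber it discards blackholed traffic; with
    one it redirects that traffic to the blocking server instead."""

    def __init__(self, asn, scrubber=None):
        self.asn, self.scrubber, self.rib = asn, scrubber, {}

    def receive(self, ann):
        if BLACKHOLE in ann.communities:
            self.rib[ann.prefix] = ("redirect", self.scrubber) if self.scrubber else ("discard", None)
        else:
            self.rib[ann.prefix] = ("forward", ann.origin_asn)

    def lookup(self, dst_ip):
        """Longest-prefix match, so the /32 blackhole wins over the covering /24."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, action in self.rib.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action)
        return best[1] if best else ("no-route", None)


def build_scenario():
    """Constructed platform: target AS64500 plus two members; the target has
    already announced its /24 over the route server."""
    rs = RouteServer({64500: ["203.0.113.0/24"], 64501: ["198.51.100.0/24"],
                      64502: ["192.0.2.0/24"]})
    peers = {asn: Peer(asn) for asn in (64500, 64501)}
    peers[64502] = Peer(64502, scrubber="192.0.2.100")  # assumed blocking-server address
    for p in peers.values():
        rs.join(p)
    rs.reflect(Announcement("203.0.113.0/24", 64500, frozenset()))
    return rs, peers


if __name__ == "__main__":
    rs, peers = build_scenario()
    for asn in rs.reflect(mark_attacked("203.0.113.10", 64500)):   # RTBH trigger
        print(asn, peers[asn].lookup("203.0.113.10"), peers[asn].lookup("203.0.113.11"))
```

Only the attacked /32 changes its treatment at the other members; the neighbouring address 203.0.113.11 keeps following the /24 to the target object, which is the property that makes the host-route marking preferable to withdrawing the whole prefix.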
(2) And when the target interaction relationship does not comprise the bilateral interaction relationship, determining a blocking object according to the type of the target interaction relationship, and performing network blocking on the blocking object on a network interaction platform. The target interaction relationship between the target object and the attack object does not comprise a double-sided interaction relationship, and the target interaction relationship can be only a polygonal interaction relationship, can be only a single-sided interaction relationship, and can also comprise a single-sided interaction relationship and a polygonal interaction relationship. When the target interaction relationship is only a polygonal interaction relationship, the blocking object is a target object; when the target interaction relationship is only a unilateral interaction relationship, the blocking object is an attack object; when the target interaction relationship simultaneously comprises a unilateral interaction relationship and a multilateral interaction relationship, the blocking object comprises a target object and an attack object.
When the target interaction relationship is only a polygonal interaction relationship, the target object is blocked on the network interaction platform by the polygonal interaction relationship processing method described above: the RTBH service is triggered by the RTBH trigger so as to block the attack traffic from the Public Peer. The RTBH trigger determines the address of the route server associated with the target object and sends the attacked object identifier to it; the route server reflects the attacked object identifier to all interaction objects of the target object in the network interaction platform, and each interaction object, on receipt, processes at its own end the data originally prepared for the target object instead of sending it to the target object.
It can be seen from the above that the embodiment of the present application has a certain universality: it applies not only to a scenario in which both a polygonal interaction protocol and a bilateral interaction protocol exist between the target object and the interaction object, but also to a scenario in which only the bilateral interaction protocol or only the polygonal interaction protocol exists between them.
When the target interaction relationship does not include the bilateral interaction relationship, determining the blocking object according to the type of the target interaction relationship and performing network blocking on the blocking object on the network interaction platform may include: when the target interaction relationship comprises a unilateral interaction relationship, determining the interaction direction of the unilateral interaction relationship; when the interaction direction is from the attack object to the target object, determining that the blocking object comprises the attack object; and reversing the interaction direction or removing the unilateral interaction relationship.
As shown in fig. 4, the target interaction relationship between the target object and the attack object is a unilateral interaction relationship whose interaction direction is from the attack object to the target object. The interaction direction can then be reversed so that it points from the target object to the attack object. In the unilateral interaction relationship after this adjustment the attack object can no longer send data to the target object normally, and because its interaction authority is now restricted, data that the attack object has already sent to the target object through the unilateral interaction relationship can be discarded by the target object, which achieves the blocking effect and the purpose of blocking the attack.
When the target interaction relationship between the target object and the attack object is a unilateral interaction relationship whose interaction direction is from the attack object to the target object, the attack can also be blocked by directly removing the unilateral interaction relationship. Once the unilateral interaction relationship between the target object and the attack object is removed, the path by which the attack object sends data directly to the target object is cut off, and because the original unilateral interaction relationship no longer exists, data that the attack object has sent to the target object through it can likewise be discarded by the target object, so that the attack is blocked.
When the target interaction relationship does not include the bilateral interaction relationship, determining the blocking object according to the type of the target interaction relationship and performing network blocking on the blocking object on the network interaction platform may further comprise: when the target interaction relationship also comprises a polygonal interaction relationship, determining that the blocking object comprises the target object; obtaining the target object identifier of the target object and marking it with an attack risk to obtain the attacked object identifier; and sending the attacked object identifier to the interaction objects so that each interaction object adjusts its data sending path to the target object after receiving it. When the target interaction relationship comprises both a unilateral interaction relationship and a polygonal interaction relationship, and the interaction direction of the unilateral interaction relationship is from the attack object to the target object, there are two paths by which the attack object can send data to the target object, and both must be cut off to keep the target object from being attacked. For the risk arising from the unilateral interaction relationship, the blocking method described above (reversing the direction or removing the relationship) is used directly. For the risk arising from the polygonal interaction relationship, the target object identifier of the target object is obtained and marked with the attack risk to obtain the attacked object identifier, which is then sent to the interaction objects so that each interaction object adjusts its data sending path to the target object after receiving it.
After network blocking related to the target object has been started on the network interaction platform according to the attack object identifier and the interaction relationship, the method may further comprise: marking the attack object identifier as an attack anomaly to obtain an anomaly object identifier; and sending the anomaly object identifier to the interaction objects other than the attack object so that those interaction objects can perform risk pre-control on the attack object. As described above, network blocking can be performed for each kind of target interaction relationship between the attack object and the target object. To further improve protection against the attack object, after that blocking has been performed the attack object identifier itself is marked as an attack anomaly to obtain the anomaly object identifier, which is sent to the interaction objects other than the attack object, so that each such object pre-controls the risk posed by the attack object once it receives the anomaly object identifier. The anomaly object identifier can be sent to those interaction objects in several ways: directly, over the bilateral and unilateral interaction relationships established between the target object and the interaction objects; or as a route announcement based on the polygonal interaction relationship established between the target object and the interaction objects; or both ways at once.
After an interaction object other than the attack object receives the anomaly object identifier, it can perform risk prevention and control based on the type of its own interaction relationship with the attack object. For example, if the interaction object has a bilateral interaction relationship with the attack object, it may downgrade that relationship to a unilateral interaction relationship whose direction points from the interaction object to the attack object, or it may release the bilateral interaction relationship with the attack object altogether. If the interaction object has a unilateral interaction relationship with the attack object and determines that its direction is from the attack object to the interaction object, it may reverse the direction, or it may release the unilateral interaction relationship with the attack object altogether.
As can be seen from the above, in the embodiment of the present application, after the ingress traffic data of the target object on the network interaction platform is obtained, risk identification is performed on it to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, the attack object identifier in the ingress traffic data is determined; and the interaction path between the target object and the interaction object in the network interaction platform is then blocked according to the attack object identifier and the interaction relationship. In a scenario where several kinds of interaction relationships exist between the target object and other objects on the network interaction platform, the scheme performs anomaly identification on the ingress traffic data of the target object, extracts the attack object identifier from the anomalous ingress traffic data, and, once that identifier is determined, performs network blocking of the attacks on the target object under each of the different interaction relationships. Comprehensive protection against the attack risks present under the different interaction relationships is thereby realized, the influence of a network attack reaching the target object through multiple interaction paths is reduced, and the protection effect is improved.
According to the method described in the above embodiments, an example is described in further detail below.
In this embodiment, the attack protection device is integrated in an electronic device corresponding to the target object, the electronic device being the server corresponding to the target object on the network interaction platform, and the network interaction platform is taken to be an Internet Exchange Point (IXP) by way of example. Fig. 5 shows another flow diagram of the attack protection method provided by the embodiment of the present invention, and fig. 6 shows another scene diagram of the attack protection method provided by the embodiment of the present invention.
As shown in fig. 5, an attack protection method specifically includes the following steps:
201. The server obtains the ingress traffic data of the target object on the network interaction platform.
As shown in fig. 6, the network interaction platform includes a target object and at least one interaction object corresponding to the target object, with at least one interaction relationship between them. For example, the interaction relationship between the target object and an interaction object may include at least one of a polygonal interaction relationship, a bilateral interaction relationship, and a unilateral interaction relationship. A polygonal interaction relationship is one established based on a polygonal interaction protocol (multilateral peering through the route server, the Public Peer case referred to above); a bilateral interaction relationship is one established based on a bilateral interaction protocol (the Private Peer case, a direct BGP session between the two objects); and a unilateral interaction relationship is one established based on a unilateral interaction protocol.
Once the target object and an interaction object have established an interaction relationship on the network interaction platform, the target object can send data to the interaction object and the interaction object can send data to the target object. The ingress traffic data of the target object is the data sent to the target object by the interaction objects and received by the server at a certain moment or over a certain period of time. Different interaction relationships between the target object and the interaction objects correspond to different transmission paths or transmission modes for that data.
202. The server performs risk identification on the ingress traffic data to obtain an identification result.
For example, the server may divert the ingress traffic data to obtain a copy of it, and perform the risk identification on that copy. The server can divert the ingress traffic data in various ways, for example by splitting the ingress traffic entering the traffic ingress of the target network, that is, copying the ingress traffic data to obtain an ingress traffic data copy, so that the copy is delivered to the attack protection device for the subsequent risk identification.
The server can perform risk identification on the ingress traffic data copy in many ways. For example, it may extract features from the ingress traffic data to obtain ingress traffic features, and then judge whether the ingress traffic data is anomalous based on those features. Features may be extracted for the traffic peak, the traffic distribution, the packet interval time and the packet size of the ingress traffic data, giving a traffic peak feature, a traffic distribution feature, a packet interval feature and a packet size feature respectively. The server then compares the ingress traffic features with the features of known network attack data; for example, it may compare them with the features of a DDoS attack and determine from the comparison whether an anomaly exists.
When one or more of the ingress traffic features match the features of network attack data, for example a sudden surge in the traffic peak or an uneven traffic distribution, the server can judge that the ingress traffic data is at risk; otherwise, if the ingress traffic features do not match the features of network attack data, the server can judge that the ingress traffic data is normal.
203. When the identification result indicates that the ingress traffic data is at risk, the server determines the attack object identifier in the ingress traffic data.
The attack object identifier indicates which of the interaction objects is the attack object attacking the target object. For ingress traffic data judged to be at risk, the server can extract the attack object identifier corresponding to the attack object from the ingress traffic data. The attack object identifier may be the physical address of the attack object, for example its interface MAC address. Because different objects have different identifiers on the network interaction platform, the server can use the attack object identifier to pinpoint the attack object among the several interaction objects that have established interaction relationships with the target object. Unlike the source IP addresses inside the packets, which a flooding source can forge, the source MAC address on the exchange fabric identifies the interface of the peer router that actually handed the traffic to the target object, which is why it is a usable identifier here. For example, the interface MAC address of the attack object (object 2) shown in fig. 6 is 00-0C-85-72-AB-72.
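The following is an added example of steps 202 and 203, not code from the patent: it extracts the four ingress traffic features the text names (traffic peak, traffic distribution, packet interval, packet size) from a mirrored traffic copy, compares them with a DDoS profile, and, when the traffic is judged at risk, returns the source MAC address of the dominant sender as the attack object identifier. The `Packet` layout, the profile thresholds, the sample traffic and the second peer's MAC and IP are constructed assumptions; only object 2's MAC 00-0C-85-72-AB-72 and IP 12.12.13.13 come from fig. 6.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    """One frame of the mirrored ingress traffic copy (field layout is an assumption)."""
    ts: float       # arrival time in seconds
    src_mac: str    # source interface MAC address on the exchange fabric
    src_ip: str     # source interface IP address
    size: int       # frame size in bytes


def extract_features(packets, window=1.0):
    """Ingress traffic features of step 202: traffic peak, traffic distribution,
    packet interval and packet size, plus the busiest source MAC."""
    pkts = sorted(packets, key=lambda p: p.ts)
    if not pkts:
        return {"peak_pps": 0.0, "top_source_share": 0.0, "mean_gap": 0.0,
                "mean_size": 0.0, "top_source": None}
    start = pkts[0].ts
    # traffic peak: packets per second in the busiest window
    buckets = Counter(int((p.ts - start) // window) for p in pkts)
    peak_pps = max(buckets.values()) / window
    # traffic distribution: share of frames from the single busiest source MAC
    by_src = Counter(p.src_mac for p in pkts)
    top_source, top_count = by_src.most_common(1)[0]
    # packet interval and packet size
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return {
        "peak_pps": peak_pps,
        "top_source_share": top_count / len(pkts),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "mean_size": mean(p.size for p in pkts),
        "top_source": top_source,
    }


# Assumed DDoS profile: thresholds a real deployment would calibrate against
# the target object's normal traffic baseline.
DDOS_PROFILE = {
    "peak_pps": 50.0,         # sudden surge of the traffic peak
    "top_source_share": 0.7,  # uneven distribution: one source dominates
    "mean_gap": 0.01,         # flood: very short packet interval (seconds)
    "mean_size": 128,         # many small packets (bytes)
}


def identify_risk(packets, profile=DDOS_PROFILE, min_matches=2):
    """Steps 202 and 203: compare the features with the DDoS profile and, when the
    traffic is at risk, return the busiest source MAC as the attack object
    identifier. Returns (at_risk, attack_object_identifier, features)."""
    f = extract_features(packets)
    matches = [
        f["peak_pps"] >= profile["peak_pps"],
        f["top_source_share"] >= profile["top_source_share"],
        0.0 < f["mean_gap"] <= profile["mean_gap"],
        0.0 < f["mean_size"] <= profile["mean_size"],
    ]
    at_risk = sum(matches) >= min_matches
    return at_risk, (f["top_source"] if at_risk else None), f


def sample_ingress():
    """Constructed traffic copy for the fig. 6 scenario: object 2
    (00-0C-85-72-AB-72, 12.12.13.13) floods 200 small frames in one second
    while another peer (assumed MAC and IP) sends 10 normal frames."""
    flood = [Packet(i * 0.005, "00-0C-85-72-AB-72", "12.12.13.13", 64) for i in range(200)]
    normal = [Packet(i * 0.1, "00-0C-85-11-22-33", "12.12.14.14", 900) for i in range(10)]
    return flood + normal


def sample_normal():
    """Constructed traffic copy with no attack: slow, evenly spread, large frames."""
    return [Packet(i * 0.2, f"00-0C-85-00-00-{i % 3:02X}", "12.12.14.14", 1200)
            for i in range(15)]


if __name__ == "__main__":
    at_risk, attacker, feats = identify_risk(sample_ingress())
    print(at_risk, attacker, feats)
```

Requiring two matching features rather than one keeps a single legitimate burst (a high peak with an even source distribution) from being classified as an attack; the threshold values themselves are the part a deployment has to tune against its own baseline.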
204. The server determines, according to the attack object identifier, the target interaction relationship between the target object and the attack object among the interaction relationships.
For example, the server may obtain the interaction relationship list corresponding to the target object, search that list for the interaction relationship corresponding to the attack object identifier, and take the interaction relationship found as the target interaction relationship between the target object and the attack object.
When different types of interaction relationships are established between the target object and other objects on the network interaction platform, the server can keep a separate interaction relationship list for each type. For example, the server may record the information of the interaction objects that have a bilateral interaction relationship with the target object in a single list, the bilateral interaction relationship list. This list records the physical address (interface MAC address) and the network address (interface IP address) of each interaction object that has established a bilateral interaction relationship with the target object, in one-to-one correspondence, so the bilateral interaction relationship list can be understood as an Address Resolution Protocol (ARP) table. Since the attack object identifier may be the physical address of the attack object, the network address of the attack object can be looked up in the bilateral interaction relationship list by the attack object identifier, and the data sent by the attack object can then be blocked at the network layer according to that network address. For example, the interface IP address of the attack object shown in fig. 6 is 12.12.13.13, and the bilateral interaction relationship list (ARP table) kept by the target object records the interface MAC address and the interface IP address of object 2, which has established a bilateral interaction relationship with the target object, as 00-0C-85-72-AB-72 and 12.12.13.13 respectively. After determining the attack object identifier (the interface MAC address of the attack object), the server queries the bilateral interaction relationship list: if the interface MAC address of the attack object is found there, the server determines that a bilateral interaction relationship exists between the attack object and the target object and obtains the interface IP address of the attack object from the list; otherwise, it determines that no bilateral interaction relationship exists between the attack object and the target object.
205. When the target interaction relationship comprises a bilateral interaction relationship, the server releases the bilateral interaction relationship on the network interaction platform.
When the server determines that the attack object has a bilateral interaction relationship with the target object, as shown in fig. 6, the server can directly execute policy A, whose content is: the server releases the bilateral interaction relationship between the target object and the attack object, cutting off the interaction path between them, so that the attack object can no longer send data to the target object normally and the target object can no longer send data to the attack object. Because the original bilateral interaction relationship no longer exists, data that the attack object has sent to the target object through it can be discarded by the server, and the attack is blocked.
Specifically, a Peer trigger can use the attack object identifier to look up, in the ARP table, the network address of the attack object that has established a Private Peer with the target object, and shut down that BGP neighbor. This directly closes the session with the remote BGP neighbor and also flushes the routes the target object learned through the Private Peer, so the attack traffic is discarded at the far end because no valid route can be found for it. The Peer trigger is thus mainly used to close the Private Peer and to make the remote interaction object perform the route withdrawal, thereby blocking the attack traffic from the Private Peer.
206. When the target interaction relationship further comprises a polygonal interaction relationship, the server additionally obtains the target object identifier of the target object, marks it with an attack risk to obtain the attacked object identifier, and sends the attacked object identifier to the interaction objects so that each interaction object adjusts its data sending path to the target object after receiving the attacked object identifier.
When the target interaction relationship comprises a bilateral interaction relationship and also a polygonal interaction relationship, the server directly releases the bilateral interaction relationship between the target object and the attack object as described for policy A. For the polygonal interaction relationship, the server executes policy B: it marks the target object identifier with a risk marking code, so that the resulting attacked object identifier comprises the target object identifier together with the risk marking code, and sends the attacked object identifier to the interaction objects so that each interaction object adjusts its data sending path to the target object on receipt. The target object identifier may be the network address of the target object, that is, its interface IP address. For example, the interface IP address of the target object shown in fig. 6 is 12.12.12.12, so the attacked object identifier obtained by marking it with the risk marking code comprises the interface IP address 12.12.12.12 of the target object and the risk marking code.
After receiving the attacked object identifier, an interaction object may handle the data originally prepared for the attacked object at its own end in several ways. For example, it may temporarily close the polygonal interaction relationship with the target object and discard that data locally; or it may change the data transmission path so that the data originally destined for the attacked object is delivered to a blocking server (a traffic cleaning server) deployed on the network interaction platform, which cleans the data.
The server can send the attacked object identifier to the interaction objects in several ways. For example, it may obtain the address of the route server associated with the target object on the network interaction platform and send the attacked object identifier to the route server at that address, so that the route server announces the attacked object identifier to all interaction objects in the network interaction platform.
Specifically, the RTBH service may be triggered by the remotely triggered black hole trigger (abbreviated as RTBH trigger) so as to block the attack traffic coming from the Public Peer. The RTBH trigger determines the address of the route server associated with the target object and sends the attacked object identifier to it; after receiving the attacked object identifier, the route server reflects it to all interaction objects of the target object in the network interaction platform, and each interaction object, on receipt, processes at its own end the data originally prepared for the target object instead of sending it to the target object. Note that this announcement reaches every Public Peer, not only the attack object, so all of them stop sending to the attacked address; the RTBH trigger is therefore an emergency measure for that address, and diverting the data to the blocking server described above is the option that keeps legitimate traffic to the target object flowing.
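The following is an added example, not code from the patent, of the blocking decision of steps 204 to 206 together with the unilateral and polygonal cases described under (2) above and the risk pre-control performed by the other interaction objects: it looks the attack object identifier up in the per-type interaction relationship lists, decides the blocking object, and returns the Peer trigger (policy A), unilateral adjustment and RTBH trigger (policy B) actions as data, followed by the anomaly announcement. The list layout, the direction strings, the route server address 12.12.12.1 and the two extra peer MACs are assumptions, and the risk marking code is represented by the well-known BLACKHOLE BGP community 65535:666 of RFC 7999, which the patent does not name; object 2's addresses and the target's address 12.12.12.12 are from fig. 6.

```python
from dataclasses import dataclass, field

# Assumed risk marking code: the well-known BLACKHOLE BGP community of RFC 7999.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass
class InteractionLists:
    """The per-type interaction relationship lists the server keeps for the target
    object (layout is an assumption; the bilateral list is the ARP table)."""
    arp_table: dict = field(default_factory=dict)         # bilateral: MAC -> interface IP
    route_server_peers: set = field(default_factory=set)  # polygonal: MACs behind the route server
    unilateral: dict = field(default_factory=dict)        # unilateral: MAC -> direction
    route_server: str = ""                                # address of the route server


def target_relationships(lists, attacker_mac):
    """Step 204: look the attack object identifier up in every list and return the
    types found (with the interface IP for bilateral, the direction for unilateral)."""
    rels = {}
    if attacker_mac in lists.arp_table:
        rels["bilateral"] = lists.arp_table[attacker_mac]
    if attacker_mac in lists.route_server_peers:
        rels["polygonal"] = True
    if attacker_mac in lists.unilateral:
        rels["unilateral"] = lists.unilateral[attacker_mac]
    return rels


def attacked_object_identifier(target_ip):
    """Step 206: the target object identifier marked with the risk marking code."""
    return {"prefix": f"{target_ip}/32", "community": BLACKHOLE_COMMUNITY}


def plan_blocking(lists, attacker_mac, target_ip):
    """Return (blocking objects, actions) for the target interaction relationship.
    Actions model the Peer trigger (policy A), the unilateral adjustment and the
    RTBH trigger (policy B); an anomaly announcement follows any blocking."""
    rels = target_relationships(lists, attacker_mac)
    blocking, actions = set(), []
    if "bilateral" in rels:
        blocking.add("attack_object")
        actions.append(("peer_trigger", {
            "close_bgp_session_with": rels["bilateral"],
            "flush_routes_learned_from": rels["bilateral"],
        }))
    if rels.get("unilateral") == "attack_object->target_object":
        blocking.add("attack_object")
        actions.append(("unilateral", {
            "peer": attacker_mac, "set_direction": "target_object->attack_object",
        }))
    if "polygonal" in rels:
        blocking.add("target_object")
        actions.append(("rtbh_trigger", {
            "route_server": lists.route_server, **attacked_object_identifier(target_ip),
        }))
    if actions:
        actions.append(("announce_anomaly", {"anomaly_object": attacker_mac}))
    return blocking, actions


def peer_precontrol(relationship_with_attacker, direction=None):
    """Risk pre-control at another interaction object that received the anomaly
    object identifier, based on its own relationship with the attack object."""
    if relationship_with_attacker == "bilateral":
        return "downgrade to unilateral, direction interaction_object->attack_object"
    if relationship_with_attacker == "unilateral" and direction == "attack_object->interaction_object":
        return "reverse direction"
    return "no change"


def sample_lists():
    """Constructed fig. 6 scenario: object 2 has both a Private Peer (ARP entry)
    and a Public Peer with the target; a second peer has only a unilateral
    relationship pointing at the target. The route server address is assumed."""
    return InteractionLists(
        arp_table={"00-0C-85-72-AB-72": "12.12.13.13"},
        route_server_peers={"00-0C-85-72-AB-72", "00-0C-85-CC-CC-CC"},
        unilateral={"00-0C-85-AA-AA-AA": "attack_object->target_object"},
        route_server="12.12.12.1",
    )


if __name__ == "__main__":
    for step in plan_blocking(sample_lists(), "00-0C-85-72-AB-72", "12.12.12.12")[1]:
        print(step)
```

The three relationship checks are independent so that a peer holding both a Private Peer and a Public Peer with the target (object 2 here) gets both the Peer trigger and the RTBH trigger, while a peer found in no list produces no action at all rather than a spurious blackhole of the target address.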
As can be seen from the above, in this embodiment the server, after obtaining the ingress traffic data of the target object on the network interaction platform, performs risk identification on it to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, it determines the attack object identifier in the ingress traffic data; and it then blocks the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identifier and the interaction relationship. In a scenario where several kinds of interaction relationships exist between the target object and other objects on the network interaction platform, the scheme performs anomaly identification on the ingress traffic data of the target object, extracts the attack object identifier from the anomalous ingress traffic data, and, once that identifier is determined, performs network blocking of the attacks on the target object under each of the different interaction relationships. Comprehensive protection against the attack risks present under the different interaction relationships is thereby realized, the influence of a network attack reaching the target object through multiple interaction paths is reduced, and the protection effect is improved.
In order to better implement the above method, the embodiment of the present invention further provides an attack protection device, where the attack protection device may be integrated in a network device, such as a server or a terminal, where the terminal may include a tablet computer, a notebook computer, and/or a personal computer.
For example, as shown in fig. 7, the attack protection device may include an acquisition unit 301, an identification unit 302, a determination unit 303, and a blocking unit 304, as follows:
(1) An acquisition unit 301;
the acquiring unit 301 is configured to acquire ingress traffic data of a target object on the network interaction platform.
The network interaction platform comprises a target object and at least one interaction object corresponding to the target object, with at least one interaction relationship between the target object and the interaction object. For example, the interaction relationship between the target object and the interaction object may include at least one of a polygonal interaction relationship, a bilateral interaction relationship, and a unilateral interaction relationship.
(2) An identification unit 302;
The identification unit 302 is configured to perform risk identification on the ingress traffic data and obtain an identification result.
For example, the identification unit 302 may be specifically configured to divert the ingress traffic data to obtain an ingress traffic data copy, and to perform the risk identification on that copy.
(3) A determination unit 303;
The determining unit 303 is configured to determine the attack object identifier in the ingress traffic data when the identification result indicates that the ingress traffic data is at risk, the attack object identifier indicating which of the interaction objects is the attack object attacking the target object.
(4) A blocking unit 304;
The blocking unit 304 is configured to block the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identifier and the interaction relationship.
For example, the blocking unit 304 may be specifically configured to determine, according to the attack object identifier, the target interaction relationship between the target object and the attack object among the interaction relationships, and to block the interaction path between the target object and the interaction object in the network interaction platform based on the target interaction relationship. When the target interaction relationship comprises a bilateral interaction relationship, the bilateral interaction relationship is released in the network interaction platform so as to cut off the interaction path between the attack object and the target object; alternatively, the bilateral interaction relationship is downgraded to a unilateral interaction relationship whose interaction direction is designated as pointing from the target object to the attack object.
In the implementation, each unit may be implemented as an independent entity, or may be implemented as the same entity or several entities in any combination, and the implementation of each unit may be referred to the foregoing method embodiment, which is not described herein again.
As can be seen from the above, in the embodiment of the present application, after the obtaining unit 301 obtains the ingress traffic data of the target object on the network interaction platform, the identification unit 302 performs risk identification on it to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, the determining unit 303 determines the attack object identifier in the ingress traffic data; and the blocking unit 304 then blocks the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identifier and the interaction relationship. In a scenario where several kinds of interaction relationships exist between the target object and other objects on the network interaction platform, the scheme performs anomaly identification on the ingress traffic data of the target object, extracts the attack object identifier from the anomalous ingress traffic data, and, once that identifier is determined, performs network blocking of the attacks on the target object under each of the different interaction relationships. Comprehensive protection against the attack risks present under the different interaction relationships is thereby realized, the influence of a network attack reaching the target object through multiple interaction paths is reduced, and the protection effect is improved.
The embodiment of the invention also provides an electronic device, as shown in fig. 8, which shows a schematic structural diagram of the electronic device according to the embodiment of the invention, specifically:
The electronic device may include a processor 401 with one or more processing cores, a memory 402 with one or more computer-readable storage media, a power supply 403, an input unit 404, and other components. It will be appreciated by those skilled in the art that the electronic device structure shown in fig. 8 does not limit the electronic device, which may include more or fewer components than shown, combine certain components, or arrange the components differently. Wherein:
the processor 401 is a control center of the electronic device, connects various parts of the entire electronic device using various interfaces and lines, and performs various functions of the electronic device and processes data by running or executing software programs and/or modules stored in the memory 402, and calling data stored in the memory 402. Optionally, processor 401 may include one or more processing cores; preferably, the processor 401 may integrate an application processor and a modem processor, wherein the application processor mainly processes an operating system, a user interface, an application program, etc., and the modem processor mainly processes wireless communication. It will be appreciated that the modem processor described above may not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 executes various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the electronic device, etc. In addition, memory 402 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The electronic device further comprises a power supply 403 for supplying power to the various components, preferably the power supply 403 may be logically connected to the processor 401 by a power management system, so that functions of managing charging, discharging, and power consumption are performed by the power management system. The power supply 403 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The electronic device may further comprise an input unit 404, which input unit 404 may be used for receiving input digital or character information and generating keyboard, mouse, joystick, optical or trackball signal inputs in connection with user settings and function control.
Although not shown, the electronic device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 401 in the electronic device loads executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and the processor 401 executes the application programs stored in the memory 402, so as to implement various functions as follows:
acquiring ingress traffic data of a target object in a network interaction platform, wherein the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, and at least one interaction relationship exists between the target object and the interaction object; performing risk identification on the ingress traffic data to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier in the ingress traffic data, wherein the attack object identifier indicates which of the interaction objects is an attack object attacking the target object; and blocking the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identifier and the interaction relationship.
For example, the electronic device may obtain the ingress traffic data of the target object at the network interaction platform; perform data drainage on the ingress traffic data to obtain a copy of it; perform risk identification on the copy; when the identification result indicates that the ingress traffic data is at risk, determine an attack object identifier in the ingress traffic data; according to the attack object identifier, determine the target interaction relationship between the target object and the attack object among the interaction relationships; and block the interaction path between the target object and the interaction object in the network interaction platform based on the target interaction relationship. When the target interaction relationship comprises a bilateral interaction relationship, the bilateral interaction relationship is released in the network interaction platform so as to cut off the interaction path between the attack object and the target object; or the bilateral interaction relationship is adjusted to a unilateral interaction relationship whose interaction direction is designated as from the target object to the attack object; and so on.
The specific implementation of each operation may be referred to the previous embodiments, and will not be described herein.
As can be seen from the above, in the embodiment of the present invention, after the ingress traffic data of the target object on the network interaction platform is obtained, risk identification is performed on it to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, an attack object identifier is determined in the ingress traffic data; and then, according to the attack object identifier and the interaction relationship, the interaction path between the target object and the interaction object in the network interaction platform is blocked. In this scheme, where various interaction relationships exist between the target object and other objects on the network interaction platform, anomaly identification is carried out on the ingress traffic data of the target object and the attack object identifier is extracted from the anomalous ingress traffic data; once the attack object identifier is determined, network blocking can be carried out against attacks on the target object under each of the different interaction relationships. This achieves comprehensive protection against the attack risks present under the different interaction relationships, reduces the impact of network attacks reaching the target object through the various interaction paths, and improves the protection effect.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present invention provide a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to perform the steps of any of the attack protection methods provided by the embodiments of the present invention. For example, the instructions may perform the following steps:
acquiring ingress traffic data of a target object in a network interaction platform, wherein the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, and the target object and the interaction object have at least one interaction relationship between them; performing risk identification on the ingress traffic data to obtain an identification result; when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier in the ingress traffic data, wherein the attack object identifier indicates which of the interaction objects is an attack object attacking the target object; and blocking the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identifier and the interaction relationship.
For example: acquiring the ingress traffic data of the target object on the network interaction platform; performing data drainage on the ingress traffic data to obtain a copy of it; performing risk identification on the copy; when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier in the ingress traffic data; according to the attack object identifier, determining the target interaction relationship between the target object and the attack object among the interaction relationships; and blocking the interaction path between the target object and the interaction object in the network interaction platform based on the target interaction relationship. When the target interaction relationship comprises a bilateral interaction relationship, the bilateral interaction relationship is released in the network interaction platform so as to cut off the interaction path between the attack object and the target object; or the bilateral interaction relationship is adjusted to a unilateral interaction relationship whose interaction direction is designated as from the target object to the attack object; and so on.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
The computer-readable storage medium may comprise read-only memory (ROM), random access memory (RAM), a magnetic or optical disk, and the like.
Because the instructions stored in the computer-readable storage medium can execute the steps of any of the attack protection methods provided by the embodiments of the present invention, they can achieve the beneficial effects of any of those methods, which are detailed in the previous embodiments and are not described again here.
According to one aspect of the present application, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. A processor of an electronic device reads the computer instructions from the computer-readable storage medium and executes them, causing the electronic device to perform the methods provided in the various alternative implementations of the attack protection aspects described above.
The foregoing has described in detail the methods, apparatuses and computer readable storage medium for attack protection provided by the embodiments of the present invention, and specific examples have been applied to illustrate the principles and implementations of the present invention, and the description of the foregoing embodiments is only for aiding in the understanding of the methods and core ideas of the present invention; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in light of the ideas of the present invention, the present description should not be construed as limiting the present invention.

Claims (15)

1. An attack protection method, comprising:
acquiring ingress traffic data of a target object in a network interaction platform, wherein the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, at least one interaction relationship exists between the target object and the interaction object, and the interaction relationship comprises at least one of a multilateral interaction relationship, a bilateral interaction relationship and a unilateral interaction relationship;
performing risk identification on the ingress traffic data to obtain an identification result;
when the identification result indicates that the ingress traffic data is at risk, determining an attack object identifier in the ingress traffic data, wherein the attack object identifier indicates which of the interaction objects is an attack object attacking the target object;
according to the attack object identifier and the interaction relationship, blocking the interaction path between the target object and the interaction object in the network interaction platform, which comprises: determining, according to the attack object identifier, a target interaction relationship between the target object and the attack object among the interaction relationships,
and when the target interaction relationship does not comprise the bilateral interaction relationship, determining a blocking object according to the type of the target interaction relationship, and performing network blocking on the blocking object on the network interaction platform.
2. The attack protection method according to claim 1, wherein the determining, according to the attack object identification, a target interaction relationship between the target object and the attack object in the interaction relationship includes:
acquiring an interaction relation list corresponding to the target object;
searching the interactive relation corresponding to the attack object identifier from the interactive relation list, and taking the searched interactive relation as the target interactive relation between the target object and the attack object.
3. The attack protection method according to claim 1, wherein performing network blocking on at least the attack object on the network interaction platform comprises:
adjusting the bilateral interaction relationship to a unilateral interaction relationship, and designating the interaction direction of the unilateral interaction relationship as from the target object to the attack object;
and limiting the interaction authority between the attack object and the target object on the network interaction platform based on the adjusted unilateral interaction relationship.
4. The attack protection method according to claim 1, wherein performing network blocking on at least the attack object on the network interaction platform further comprises:
releasing the bilateral interaction relationship in the network interaction platform so as to cut off the interaction path between the attack object and the target object on the network interaction platform.
5. The attack protection method according to claim 3 or 4, wherein, when the target interaction relationship comprises the bilateral interaction relationship, performing network blocking on at least the attack object on the network interaction platform further comprises:
when the target interaction relationship further comprises a multilateral interaction relationship, obtaining a target object identifier of the target object;
marking the target object identifier with an attack risk to obtain an attacked object identifier;
and sending the attacked object identifier to an interaction object, so that the interaction object adjusts its data sending path to the target object after receiving the attacked object identifier.
6. The attack protection method according to claim 5, wherein the sending the attacked object identification to an interactive object comprises:
acquiring an address of a routing server associated with the target object on the network interaction platform;
and sending the attacked object identifier to the routing server based on the address of the routing server, so that the routing server announces the attacked object identifier to all interaction objects in the network interaction platform.
7. The attack protection method according to claim 1, wherein when the target interaction relationship does not include the bilateral interaction relationship, determining a blocking object according to a type of the target interaction relationship, and performing network blocking on the blocking object at the network interaction platform includes:
when the target interaction relationship comprises a unilateral interaction relationship, determining an interaction direction of the unilateral interaction relationship;
when the interaction direction is that the attack object points to the target object, determining that the blocking object comprises the attack object;
and reversely adjusting the interaction direction or releasing the unilateral interaction relationship.
8. The attack protection method according to claim 1, wherein when the target interaction relationship does not include the bilateral interaction relationship, determining a blocking object according to a type of the target interaction relationship, and performing network blocking on the blocking object at the network interaction platform, further comprising:
when the target interaction relationship further comprises a multilateral interaction relationship, determining that the blocking object comprises the target object;
acquiring a target object identifier of the target object;
marking the target object identifier with an attack risk to obtain an attacked object identifier;
and sending the attacked object identifier to an interaction object, so that the interaction object adjusts its data sending path to the target object after receiving the attacked object identifier.
9. The attack protection method according to claim 1, further comprising, after the blocking of the interaction path between the target object and the interaction object in the network interaction platform according to the attack object identification and the interaction relationship:
carrying out attack anomaly marking on the attack object identifier to obtain an anomaly object identifier;
and sending the abnormal object identification to an interactive object except the attack object so that the interactive object carries out risk pre-control on the attack object.
10. The attack protection method according to claim 1, wherein the risk identification of the ingress traffic data includes:
performing data drainage on the ingress traffic data to obtain a copy of the ingress traffic data;
and performing risk identification on the copy of the ingress traffic data.
11. The attack protection method according to claim 10, wherein the risk identification of the copy of the ingress traffic data comprises:
extracting features from the copy of the ingress traffic data to obtain ingress traffic features;
and determining an anomaly of the ingress traffic data based on the ingress traffic features.
12. An attack protection device, comprising:
an obtaining unit, configured to obtain ingress traffic data of a target object in a network interaction platform, wherein the network interaction platform comprises the target object and at least one interaction object corresponding to the target object, the target object and the interaction object have at least one interaction relationship between them, and the interaction relationship comprises at least one of a multilateral interaction relationship, a bilateral interaction relationship and a unilateral interaction relationship;
an identification unit, configured to perform risk identification on the ingress traffic data to obtain an identification result;
a determining unit, configured to determine an attack object identifier in the ingress traffic data when the identification result indicates that the ingress traffic data is at risk, wherein the attack object identifier indicates which of the interaction objects is an attack object attacking the target object;
the blocking unit is configured to block, in the network interaction platform, an interaction path between the target object and the interaction object according to the attack object identifier and the interaction relationship, and includes: and according to the attack object identification, determining a target interaction relation between the target object and the attack object in the interaction relation, when the target interaction relation comprises the bilateral interaction relation, performing network blocking on at least the attack object on the network interaction platform, and when the target interaction relation does not comprise the bilateral interaction relation, determining a blocking object according to the type of the target interaction relation, and performing network blocking on the blocking object on the network interaction platform.
13. An electronic device comprising a processor and a memory, the memory storing an application, the processor configured to run the application in the memory to perform the steps in the attack protection method according to any of claims 1-11.
14. A computer program product comprising computer programs/instructions which when executed by a processor implement the steps of the attack protection method according to any of claims 1 to 11.
15. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps of the attack protection method according to any of claims 1-11.
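The blocking decision described in the embodiment above and detailed in claims 1 to 11, as an added Python example that is not the patent's own code: it works on a diverted copy of the ingress traffic (claims 10 and 11), looks the attacker up in the target's interaction relationship list (claim 2), and applies the per-relationship-type blocking of claims 3 to 9. The object names, the traffic sample, the packets-per-source feature and its threshold are constructed; the patent does not specify which traffic features are used for risk identification.

```python
# Added example (not the patent's code): a runnable model of the claimed
# blocking decision. Object names, the diverted traffic sample and the
# packet-count threshold are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Relation(Enum):
    MULTILATERAL = "multilateral"  # the page's "polygonal" relationship
    BILATERAL = "bilateral"
    UNILATERAL = "unilateral"


@dataclass
class Edge:
    kind: Relation
    peer: str
    src: Optional[str] = None  # UNILATERAL only: the object allowed to send


@dataclass
class Platform:
    objects: List[str]                # all interaction objects on the platform
    relations: Dict[str, List[Edge]]  # interaction relationship list per object (claim 2)
    announcements: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, marker)


def risk_identify(traffic_copy: List[dict], threshold: int) -> Optional[str]:
    """Claims 10-11: extract a feature (packets per source) from a diverted copy of the
    ingress traffic; return the attack object identifier, or None if nothing exceeds it."""
    counts: Dict[str, int] = {}
    for pkt in traffic_copy:
        counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    worst = max(counts, key=counts.get, default=None)
    return worst if worst is not None and counts[worst] > threshold else None


def block(platform: Platform, target: str, attacker: str) -> List[str]:
    """Last step of claim 1: look up the target's relationships with the attacker
    and block per relationship type. Returns the actions taken, in order."""
    actions: List[str] = []
    edges = platform.relations[target]
    for e in [e for e in edges if e.peer == attacker]:  # claim 2 lookup
        if e.kind is Relation.BILATERAL:
            # Claim 3: downgrade to unilateral, direction target -> attacker only.
            e.kind, e.src = Relation.UNILATERAL, target
            actions.append("downgrade_bilateral")
        elif e.kind is Relation.UNILATERAL and e.src == attacker:
            # Claim 7: an attacker -> target direction is reversed.
            e.src = target
            actions.append("reverse_unilateral")
        elif e.kind is Relation.MULTILATERAL:
            # Claims 5, 6 and 8: mark the target as attacked; the routing server
            # announces the marker so every other object re-routes around it.
            for obj in platform.objects:
                if obj != target:
                    platform.announcements.append((obj, f"attacked:{target}"))
            actions.append("announce_attacked")
        # A unilateral edge already pointing target -> attacker needs no change.
    for e in edges:  # claim 9: flag the attacker to the other interaction objects
        if e.peer != attacker:
            platform.announcements.append((e.peer, f"anomaly:{attacker}"))
    return actions


def demo() -> dict:
    """Constructed scenario: peer-c floods target svc-a over a unilateral edge."""
    target = "svc-a"
    platform = Platform(
        objects=[target, "peer-b", "peer-c", "peer-d", "peer-e"],
        relations={target: [
            Edge(Relation.BILATERAL, "peer-b"),
            Edge(Relation.UNILATERAL, "peer-c", src="peer-c"),
            Edge(Relation.MULTILATERAL, "peer-d"),
            Edge(Relation.MULTILATERAL, "peer-e"),
        ]},
    )
    copy = [{"src": "peer-b"}] * 3 + [{"src": "peer-c"}] * 20 + [{"src": "peer-d"}] * 2
    attacker = risk_identify(copy, threshold=10)
    actions = block(platform, target, attacker) if attacker else []
    return {"attacker": attacker, "actions": actions, "announcements": platform.announcements}
```

Running `demo()` reverses the single unilateral edge from peer-c and notifies the three remaining peers of the anomalous object; a bilateral or multilateral relationship with the same attacker would instead be downgraded or broadcast as an attacked marker.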

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410033115.4A CN117544429B (en) 2024-01-10 2024-01-10 Attack protection method, apparatus, electronic device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN117544429A CN117544429A (en) 2024-02-09
CN117544429B true CN117544429B (en) 2024-03-26

Family

ID=89786598

Country Status (1)

Country Link
CN (1) CN117544429B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234404A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 A kind of defence method of ddos attack, system and relevant device
CN112671807A (en) * 2021-03-15 2021-04-16 中国电子信息产业集团有限公司第六研究所 Threat processing method, threat processing device, electronic equipment and computer readable storage medium
CN113726790A (en) * 2021-09-01 2021-11-30 中国移动通信集团广西有限公司 Network attack source identification and blocking method, system, device and medium
CN116260618A (en) * 2022-12-23 2023-06-13 中国联合网络通信集团有限公司 Method and device for blocking IP address, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9621577B2 (en) * 2015-05-28 2017-04-11 Microsoft Technology Licensing, Llc Mitigation of computer network attacks

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant