CN106790291B - Intrusion detection prompting method and device - Google Patents


Info

Publication number: CN106790291B
Application number: CN201710139153.8A
Authority: CN (China)
Prior art keywords: service request, virtual network, network card, service, docker container
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN106790291A
Inventors: 刘剑, 关义春, 龙凡, 刘雷, 郑江林, 卞合振, 王少游, 李大伟
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection

Abstract

The embodiment of the invention discloses an intrusion detection method and a device, wherein the method comprises the following steps: receiving a service request for accessing a service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, wherein the service request carries a terminal identifier of a user terminal sending the service request; analyzing the service request to determine the data characteristics of the service request; and if the data characteristics meet preset intrusion conditions, sending a transmission stopping command to the first virtual network card, wherein the transmission stopping command is used for indicating the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container. By adopting the invention, the service request in the service Docker container can be timely detected and fed back, and the intrusion detection efficiency is improved.

Description

Intrusion detection prompting method and device
Technical Field
The invention relates to the technical field of computers, in particular to an intrusion detection prompting method and device.
Background
With the development of Internet technology, Internet Data Centers (IDCs) have become an indispensable part of the Internet industry. An IDC not only has to serve the data that users request, but also has to monitor network data to keep its servers running normally; for example, an Intrusion Detection System (IDS) is deployed. Specifically, a physical splitter device (or a switch mirror port) is placed at the entry point of the IDC's network traffic, so that an access request sent by a user terminal is delivered to the corresponding server while a copy of the same access request is sent to the intrusion detection device, which then inspects the access requests one by one.
However, when an IDC has many servers and receives many access requests, the intrusion detection device has to inspect every access request of every server, so the detection workload is heavy, the processing cycle is long, and the detection result cannot be fed back to the server in time. Once an aggressive access request arrives, legitimate access requests are very likely to go unanswered and the server may crash, which lowers intrusion detection efficiency.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide an intrusion detection method and apparatus, which can implement timely detection and feedback of a service request in a service Docker container, and improve intrusion detection efficiency.
In a first aspect, an embodiment of the present invention provides an intrusion detection method, where the method includes:
receiving a service request for accessing a service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, wherein the service request carries a terminal identifier of a user terminal sending the service request;
analyzing the service request to determine the data characteristics of the service request;
and if the data characteristics meet preset intrusion conditions, sending a transmission stopping command to the first virtual network card, wherein the transmission stopping command is used for indicating the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
In a second aspect, an embodiment of the present invention further provides an intrusion detection apparatus, where the apparatus includes:
the request receiving module is used for receiving a service request for accessing the service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, and the service request carries a terminal identifier of a user terminal sending the service request;
the characteristic determining module is used for analyzing the service request to determine the data characteristic of the service request;
and the command sending module is used for sending a transmission stopping command to the first virtual network card if the data characteristics meet a preset intrusion condition, wherein the transmission stopping command is used for indicating the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
In the embodiment of the invention, a service request for accessing the service Docker container, sent by a first virtual network card corresponding to the service Docker container, is received; the service request is then analyzed to determine its data characteristics, and if the data characteristics meet preset intrusion conditions, a transmission stopping command is sent to the first virtual network card, the command instructing the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request. By receiving the service request from the first virtual network card, real-time detection of the service request and feedback of the detection result are achieved, which further improves intrusion detection efficiency.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a possible physical host according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an intrusion detection method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of another intrusion detection method according to an embodiment of the present invention;
Fig. 4 is a system architecture diagram of a possible intrusion detection system provided by an embodiment of the present invention;
Fig. 5 is a flow chart of another intrusion detection method according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an intrusion detection device according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another intrusion detection device according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of another intrusion detection device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "including" and "having," and any variations thereof, in the description and claims of this invention and the above-described drawings are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Referring to fig. 1, a schematic structural diagram of a possible physical host is provided for the embodiment of the present invention. The physical host shown in fig. 1 has Docker installed and deploys a plurality of Docker containers, including a plurality of service Docker containers and an IDS Docker container; each Docker container may be configured to use fixed hardware resources, such as Central Processing Unit (CPU) resources and memory resources, and the physical host is a server providing applications or services. Further, the Network Interface Card (NIC) of the physical host is virtualized into a plurality of virtual network cards by Single Root I/O Virtualization (SR-IOV) technology, and each Docker container corresponds to one virtual network card; for example, virtual network card 1 corresponds to service Docker container 1, virtual network card 2 corresponds to service Docker container 2, virtual network card 10 corresponds to IDS Docker container 10, and so on.
Taking the example that virtual network card 1 corresponds to service Docker container 1: when virtual network card 1 receives a service request for accessing service Docker container 1, it sends the service request to service Docker container 1 and also sends it to the IDS Docker container, where the service request carries a terminal identifier of the user terminal that sent it. Correspondingly, IDS Docker container 10 receives the service request for accessing service Docker container 1 from virtual network card 1 and analyzes it to determine a data characteristic of the service request; if the data characteristic satisfies a preset intrusion condition, IDS Docker container 10 sends a transmission stop command to virtual network card 1, where the transmission stop command instructs virtual network card 1 to stop transmitting the response data that service Docker container 1 feeds back for the service request. Because the IDS Docker container is deployed independently within the physical host, the service requests of the service Docker containers on that host can be detected in time, which improves intrusion detection efficiency; in addition, by configuring the IDS Docker container to use fixed hardware resources, the intrusion detection function is realized without affecting the normal operation of the service Docker containers.
In the network architecture shown in fig. 1, the user terminal concerned may be a device having display and communication functions, for example: tablet computers, mobile phones, electronic readers, Personal Computers (PCs), notebook computers, vehicle-mounted devices, network televisions, wearable devices, and the like.
Based on the schematic structural diagram of the physical host shown in fig. 1, the intrusion detection method provided by the embodiment of the present invention will be described in detail below with reference to fig. 2 to 5.
Referring to fig. 2, a flow chart of an intrusion detection method according to an embodiment of the present invention is shown. As shown in fig. 2, the method of the embodiment of the present invention may include the following steps S101 to S103.
S101, receiving a service request for accessing the service Docker container, which is sent by a first virtual network card corresponding to the service Docker container.
Specifically, when a first virtual network card receives a service request for accessing a service Docker container, the first virtual network card sends the service request to the service Docker container and also sends it to an IDS Docker container, where the service request carries a terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives the service request and processes it to generate response data for the service request, while the intrusion detection device receives the service request to detect whether it may cause an attack, for example a Distributed Denial of Service (DDoS) attack, on the physical host where the intrusion detection device is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, an Internet Protocol (IP) address, a login user name, and the like of the user terminal.
S102, analyzing the service request to determine the data characteristics of the service request.
Specifically, the intrusion detection device analyzes the service request to determine a data characteristic of the service request. For example, the data characteristic may be carried in a header field of the service request: the service request may be a Hypertext Transfer Protocol (HTTP) request, and the data characteristic of the service request may be the Uniform Resource Locator (URL) used by the service request.
S103, if the data characteristics meet the preset intrusion condition, sending a transmission stopping command to the first virtual network card.
Specifically, if the intrusion detection device detects that the data characteristics meet the preset intrusion condition, the intrusion detection device sends a transmission stop command to the first virtual network card. The transmission stop command instructs the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request.
Because the first virtual network card forwards the service request to the service Docker container so that the container can feed back response data, by the time the service Docker container has returned the response data to the first virtual network card, the card may not yet have started sending the response data to the user terminal, or may not have finished sending it; in either case, the first virtual network card interrupts the transmission of the response data as soon as it receives the transmission stop command from the intrusion detection device.
Optionally, the transmission stop command further instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives another service request from the user terminal for accessing the service Docker container, the first virtual network card does not forward that service request to the service Docker container; or, the first virtual network card forwards the service request to the service Docker container but does not pass on to the user terminal the response data that the service Docker container feeds back for those other service requests. The intrusion detection device may mark the user terminal according to the terminal identifier for this purpose.
Optionally, the data feature meeting the preset intrusion condition may mean that the data feature matches an attack feature in a preset attack feature set.
In the embodiment of the invention, a service request for accessing the service Docker container, sent by a first virtual network card corresponding to the service Docker container, is received; the service request is then analyzed to determine its data characteristics, and if the data characteristics meet preset intrusion conditions, a transmission stopping command is sent to the first virtual network card, the command instructing the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request. By receiving the service request from the first virtual network card, real-time detection of the service request and feedback of the detection result are achieved, which further improves intrusion detection efficiency.
Referring to fig. 3, a flow chart of another intrusion detection method according to an embodiment of the present invention is shown. As shown in fig. 3, the method of the embodiment of the present invention may include the following steps S201 to S207.
S201, receiving a service request for accessing the service Docker container, which is sent by a first virtual network card corresponding to the service Docker container.
Specifically, when a first virtual network card receives a service request for accessing a service Docker container, the first virtual network card sends the service request to the service Docker container and also sends it to an IDS Docker container, where the service request carries a terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives the service request and processes it to generate response data for the service request, while the intrusion detection device receives the service request to detect whether it may cause an attack, such as a DDoS attack, on the physical host where the intrusion detection device is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, an IP address, a login user name, and the like of the user terminal.
S202, analyzing the service request to determine the data characteristics of the service request.
Specifically, the intrusion detection device analyzes the service request to determine a data characteristic of the service request. For example, the data characteristic may be carried in a header field of the service request: the service request may be an HTTP request, and the data characteristic of the service request may be the URL used by the service request.
S203, detecting whether the pre-stored attack feature set contains an attack feature that matches the data feature.
Specifically, the intrusion detection device detects whether the pre-stored attack feature set contains an attack feature that matches the data feature. If such a matching attack feature exists, step S204 is executed; if no attack feature matches the data feature, step S205 is executed.
Optionally, the pre-stored attack feature set includes a plurality of attack features used for detecting access requests. Optionally, the intrusion detection apparatus may modify, delete, or add attack features in the attack feature set, so as to refine the stored attack features and improve the effectiveness of intrusion detection.
For example, where the data feature is the URL of the service request: if the URL carried by a service request for the service Docker container is http://www.qq.com/ followed by ".*", whereas the URL through which the service Docker container is normally accessed is http://www.qq.com/, the intrusion detection apparatus further examines the ".*", and determines that the data feature satisfies the preset intrusion condition because ".*" exists in the pre-stored attack feature set.
S204, if so, sending a transmission stopping command to the first virtual network card.
Specifically, if there is an attack feature that matches the data feature, the intrusion detection device determines that the data feature satisfies the preset intrusion condition. If the data characteristics meet the preset intrusion condition, the intrusion detection device sends a transmission stop command to the first virtual network card, where the transmission stop command instructs the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request.
Because the first virtual network card forwards the service request to the service Docker container so that the container can feed back response data, by the time the service Docker container has returned the response data to the first virtual network card, the card may not yet have started sending the response data to the user terminal, or may not have finished sending it; in either case, the first virtual network card interrupts the transmission of the response data as soon as it receives the transmission stop command from the intrusion detection device.
Optionally, the transmission stop command further instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives another service request from the user terminal for accessing the service Docker container, the first virtual network card does not forward that service request to the service Docker container; or, the first virtual network card forwards the service request to the service Docker container but does not pass on to the user terminal the response data that the service Docker container feeds back for those other service requests. The intrusion detection device may mark the user terminal according to the terminal identifier for this purpose.
S205, reporting the service request to a security server through a pre-allocated second virtual network card.
Specifically, the intrusion detection device reports the service request to a security server through a second virtual network card allocated in advance, so that the security server can inspect the service request further. Optionally, the security server may be connected to a plurality of intrusion detection devices, so that it can analyze and collate the service requests reported by different intrusion detection devices and reach a more accurate judgment on them, thereby improving the accuracy of intrusion detection. It can be understood that the first virtual network card and the second virtual network card are two different virtual network cards virtualized from the NIC of a physical host: the first virtual network card is the virtual network card corresponding to a service Docker container, and the second virtual network card is the virtual network card corresponding to the IDS Docker container.
It should be noted that, in the embodiment of the present invention, the intrusion detection device reports the service request to the security server after step S204, or when no attack feature in the pre-stored attack feature set matches the data feature. Optionally, the intrusion detection device may report each service request to the security server as soon as it receives it from the first virtual network card; or it may package the service requests received within the current period of time and report them together; or it may package a certain number of service requests and report the package. The embodiments of the present invention do not limit when reports are sent to the security server, nor whether requests are reported individually or in packages.
S206, receiving, through the second virtual network card, the security policy corresponding to the service request sent by the security server.
Specifically, after the security server analyzes the service request in depth and determines the security policy corresponding to it, the security policy is sent to the intrusion detection device through the second virtual network card. Correspondingly, the intrusion detection device receives, through the second virtual network card, the security policy corresponding to the service request sent by the security server. The security policy indicates whether the first virtual network card allows the user terminal to access the service Docker container.
Optionally, the security server may derive the correspondence between the data feature of the service request and the security policy from records of data features and intrusion detection results in historical accesses.
S207, notifying the first virtual network card to process the access connection sent by the user terminal according to the security policy.
Specifically, the intrusion detection device notifies the first virtual network card to process the access connection sent by the user terminal according to the security policy. For example, if the security policy is that the user terminal is not allowed to access the service Docker container, the intrusion detection device notifies the first virtual network card to reject the access connection sent by the user terminal. If the security policy is that the user terminal is allowed to access the service Docker container, the intrusion detection device either sends no notification message to the first virtual network card or sends a notification message allowing the user terminal to continue accessing the service Docker container.
It should be noted that the intrusion detection apparatus in the embodiment of the present invention may be deployed in an IDS Docker container in one physical host, with a certain amount of hardware resources, such as CPU resources and memory resources, allocated to the IDS Docker container in advance. By configuring the intrusion detection device to use fixed hardware resources, the intrusion detection function is realized without affecting the normal operation of the other service Docker containers.
In the embodiment of the invention, a service request for accessing the service Docker container, sent by a first virtual network card corresponding to the service Docker container, is received; the service request is then analyzed to determine its data characteristics, and if the data characteristics meet preset intrusion conditions, a transmission stopping command is sent to the first virtual network card, the command instructing the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request. Therefore, the intrusion detection device can detect the network data of the other service Docker containers in time, improving intrusion detection efficiency, and in addition the accuracy of intrusion detection can be improved through the further inspection performed by the security server.
Referring to fig. 4, a possible intrusion detection system architecture diagram is provided according to an embodiment of the present invention. As shown in fig. 4, the intrusion detection system includes a security server and a plurality of physical hosts, such as physical host 1, physical host 2, ..., physical host N. For each physical host, refer to the block diagram of the physical host shown in fig. 1. Based on the intrusion detection system architecture diagram shown in fig. 4, and referring to fig. 5 together, a schematic flow chart of another intrusion detection method according to an embodiment of the present invention is provided. The intrusion detection method of this embodiment is executed jointly by the user terminal, the physical host and the security server; physical host 1 is taken as the example physical host, and within physical host 1 the explanation uses virtual network card 1, service Docker container 1 and IDS Docker container 10 as examples. For the specific implementation, refer to the following description.
S301, the user terminal sends a service request for accessing the service Docker container 1 to the physical host 1. And the service request carries the terminal identification of the user terminal.
S302, the virtual network card 1 of the physical host 1 sends the service request to the service Docker container 1.
S303, the virtual network card 1 of the physical host 1 sends the service request to the IDS Docker container 10.
The embodiment of the present invention does not limit the order in which virtual network card 1 executes steps S302 and S303.
S304, after the service Docker container 1 receives the service request, processing the service request, determining response data corresponding to the service request, and sending the response data corresponding to the service request to the virtual network card 1.
S305, the virtual network card 1 receives the response data sent by the service Docker container 1, and sends the response data received from the service Docker container 1 to the user terminal.
S306, the IDS Docker container 10 receives the service request sent by the virtual network card 1, and the IDS Docker container 10 analyzes the service request to determine the data characteristics of the service request.
S307, the IDS Docker container 10 detects whether an attack feature consistent with the data feature exists in a pre-stored attack feature set.
S308, if the IDS Docker container 10 detects that an attack feature matching the data feature exists in the attack feature set, the IDS Docker container 10 sends a transmission stop command to the virtual network card 1. The transmission stop command instructs the virtual network card 1 to stop transmitting the response data corresponding to the service request fed back by the service Docker container 1. Optionally, the transmission stop command further instructs the virtual network card 1 to stop transmitting other response data destined for the user terminal.
It should be noted that the service Docker container 1 and the IDS Docker container 10 each receive and process the service request independently, so there is no fixed chronological order between the steps executed by the service Docker container 1 and those executed by the IDS Docker container 10.
S309, the IDS Docker container 10 may further send the service request to a security server, so that the security server performs a further detection on the service request, which improves the accuracy of intrusion detection.
S310, after detecting the service request, the security server sends the corresponding security policy to the IDS Docker container 10, where the security policy indicates whether the first virtual network card (virtual network card 1 in this example) allows the user terminal to access the service Docker container.
S311, after receiving the security policy corresponding to the service request from the security server, the IDS Docker container 10 notifies the first virtual network card to process the access connection sent by the user terminal according to the security policy.
It should be noted that the communication between the IDS Docker container 10 and the security server goes through the virtual network card 10 corresponding to the IDS Docker container 10: for example, the security server sends the security policy to the virtual network card 10, and the virtual network card 10 forwards the security policy to the IDS Docker container 10.
It should be noted that, for the specific implementation of steps S301 to S311 and the technical effects it brings in the embodiment of the present invention, reference may be made to the descriptions of the embodiments shown in fig. 2 or fig. 3; details are not repeated here.
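The exchange of steps S301 to S311 above, as an added example that is not part of the patent: an in-process Python simulation with one class per participant (the user terminal's request, virtual network card 1, service Docker container 1, IDS Docker container 10 and the security server). The request format, the use of the URL path as the data feature, the substring-based attack feature set standing in for S307, the rule that an explicit "allow" policy lifts an earlier stop command, and the security server's decision rule (deny whenever the IDS's own check matched) are all assumptions made for this example.

```python
"""Added example (not the patent's code): in-process simulation of steps S301-S311.
Assumptions: the terminal identifier is an IP string, the data feature is the URL
path, a substring match against a small attack feature set stands in for S307,
an explicit 'allow' policy lifts an earlier stop command, and the security
server denies a terminal whenever the IDS's own check matched."""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit


@dataclass
class ServiceRequest:
    terminal_id: str   # terminal identifier carried by the request (S301)
    url: str           # the URL the request accesses; its path is the data feature


class ServiceContainer:
    """Service Docker container 1: processes the request and feeds back response data (S304)."""

    def handle(self, req: ServiceRequest) -> bytes:
        return f"200 OK {req.url}".encode()


class SecurityServer:
    """Security server (S309/S310).  Assumption: it denies a terminal whenever the
    IDS's own signature check matched; a real server would run its own analysis."""

    def __init__(self) -> None:
        self.reports: List[ServiceRequest] = []

    def evaluate(self, req: ServiceRequest, ids_matched: bool) -> str:
        self.reports.append(req)
        return "deny" if ids_matched else "allow"


class IdsContainer:
    """IDS Docker container 10 (S306-S311)."""

    def __init__(self, attack_features: Set[str], server: SecurityServer) -> None:
        self.attack_features = attack_features
        self.server = server

    def data_feature(self, req: ServiceRequest) -> str:
        # S306: parse the request; the URL path (without the query) is the data feature.
        return urlsplit(req.url).path or "/"

    def inspect(self, vnic: "VirtualNic", req: ServiceRequest) -> str:
        feature = self.data_feature(req)
        matched = any(sig in feature for sig in self.attack_features)   # S307
        if matched:
            vnic.stop_transmission(req.terminal_id)                    # S308
        policy = self.server.evaluate(req, matched)                    # S309/S310
        vnic.apply_policy(req.terminal_id, policy)                     # S311
        return policy


class VirtualNic:
    """Virtual network card 1: fans the request out to the service container and
    the IDS container, buffers the response, and releases it to the terminal
    only if no stop command arrived in the meantime (S302-S305, S308)."""

    def __init__(self, service: ServiceContainer, ids: IdsContainer) -> None:
        self.service = service
        self.ids = ids
        self.stopped: Set[str] = set()   # terminals whose transmissions were halted (S308)
        self.denied: Set[str] = set()    # terminals the security policy rejects (S311)

    def stop_transmission(self, terminal_id: str) -> None:
        self.stopped.add(terminal_id)

    def apply_policy(self, terminal_id: str, policy: str) -> None:
        if policy == "deny":
            self.denied.add(terminal_id)
        else:
            self.stopped.discard(terminal_id)   # assumption: 'allow' lifts the stop

    def receive(self, req: ServiceRequest) -> Optional[bytes]:
        """Return the bytes the user terminal receives, or None if the vNIC withholds them."""
        if req.terminal_id in self.denied or req.terminal_id in self.stopped:
            return None                          # rejected (S311) or still stopped (S308)
        response = self.service.handle(req)      # S302/S304; response buffered here
        self.ids.inspect(self, req)              # S303/S306-S311; order vs S302 is free
        if req.terminal_id in self.stopped:
            return None                          # stop command arrived before transmit
        return response                          # S305


def build_host(attack_features: Set[str]) -> VirtualNic:
    """Assemble physical host 1 with the given pre-stored attack feature set."""
    return VirtualNic(ServiceContainer(), IdsContainer(attack_features, SecurityServer()))


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    vnic = build_host({"/../", "/etc/passwd"})
    for tid, url in [("10.0.0.5", "http://www.qq.com/index.html"),
                     ("10.0.0.9", "http://www.qq.com/../etc/passwd"),
                     ("10.0.0.9", "http://www.qq.com/index.html")]:
        print(tid, url, "->", vnic.receive(ServiceRequest(tid, url)))
```

The point the simulation makes concrete is the race the patent relies on: the vNIC must hold the service container's response until the IDS verdict is in, otherwise a stop command that arrives after S305 has completed cannot withhold anything; the `denied` set is what makes the security policy outlast a single request.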
Based on the schematic structural diagram of the physical host shown in fig. 1 and the system architecture diagram of the intrusion detection system shown in fig. 4, the intrusion detection device provided by the embodiment of the present invention is described in detail below with reference to fig. 6 to 8. It should be noted that the intrusion detection device shown in fig. 6 to 8 is used for executing the methods of the embodiments shown in fig. 2 to 5 of the present invention, and may be the intrusion detection module in an IDS Docker container of the physical host shown in fig. 1. For convenience of explanation, only the portions relevant to the embodiments of the present invention are shown; for details not described here, refer to the embodiments of the present invention shown in fig. 2 to 5.
Fig. 6 is a schematic structural diagram of an intrusion detection device according to an embodiment of the present invention. As shown in fig. 6, the intrusion detection device 1 according to an embodiment of the present invention may include: a request receiving module 11, a characteristic determining module 12 and a command sending module 13.
The request receiving module 11 is configured to receive a service request for accessing a service Docker container, where the service request is sent by a first virtual network card corresponding to the service Docker container, and the service request carries a terminal identifier of a user terminal that sends the service request.
Specifically, when the first virtual network card receives a service request for accessing the service Docker container, it sends the service request both to the service Docker container and to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives and processes the service request to generate response data for it, while the request receiving module 11 receives the service request in order to detect whether it may constitute an attack, for example a DDoS attack, on the physical host where the intrusion detection apparatus 1 is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, an IP address, a login user name, and the like of the user terminal.
A characteristic determining module 12, configured to parse the service request to determine a data characteristic of the service request.
Specifically, the characteristic determining module 12 parses the service request to determine its data characteristic. The data characteristic may be carried in a header field of the service request; for example, if the service request is an HTTP request, its data characteristic may be the URL that the request accesses.
And the command sending module 13 is configured to send a transmission stop command to the first virtual network card if the data characteristics meet a preset intrusion condition, where the transmission stop command is used to instruct the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
Specifically, if it is detected that the data characteristics satisfy the preset intrusion condition, the command sending module 13 sends a transmission stop command to the first virtual network card. The transmission stopping command is used for instructing the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
Because the first virtual network card forwarded the service request to the service Docker container, the service Docker container feeds response data back to the first virtual network card. If, when the service Docker container has fed back the response data, the first virtual network card has not yet started sending it to the user terminal, or has not yet finished sending it, the first virtual network card interrupts transmission of the response data as soon as it receives the transmission stop command sent by the command sending module 13.
Optionally, the transmission stop command further instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives another service request from the user terminal for the service Docker container, it does not forward that request to the service Docker container; or it forwards the request but does not relay to the user terminal the response data the service Docker container feeds back for it. To do so, the command sending module 13 may mark the user terminal according to its terminal identifier.
Optionally, the data characteristic meeting the preset intrusion condition may mean that the data characteristic matches an attack feature in a preset attack feature set.
In the embodiment of the invention, the intrusion detection device receives, from the first virtual network card corresponding to the service Docker container, a service request for accessing that container; it then parses the service request to determine its data characteristic, and if the data characteristic meets a preset intrusion condition it sends a transmission stop command to the first virtual network card, instructing the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request. Because the service request is received directly from the first virtual network card, the request is detected in real time and the detection result is fed back immediately, which improves intrusion detection efficiency.
Fig. 7 is a schematic structural diagram of another intrusion detection device according to an embodiment of the present invention. As shown in fig. 7, the intrusion detection device 1 according to an embodiment of the present invention may include: a request receiving module 11, a characteristic determining module 12, a command sending module 13, a characteristic detecting module 14, an intrusion determining module 15, a request reporting module 16, a policy receiving module 17 and an access processing module 18.
The request receiving module 11 is configured to receive a service request for accessing a service Docker container, where the service request is sent by a first virtual network card corresponding to the service Docker container, and the service request carries a terminal identifier of a user terminal that sends the service request.
Specifically, when the first virtual network card receives a service request for accessing the service Docker container, it sends the service request both to the service Docker container and to the IDS Docker container; the service request carries the terminal identifier of the user terminal that sent it. Correspondingly, the service Docker container receives and processes the service request to generate response data for it, while the request receiving module 11 receives the service request in order to detect whether it may constitute an attack, for example a DDoS attack, on the physical host where the intrusion detection apparatus 1 is located.
Optionally, the terminal identifier of the user terminal may include, but is not limited to, an IP address, a login user name, and the like of the user terminal.
A characteristic determining module 12, configured to parse the service request to determine a data characteristic of the service request.
Specifically, the characteristic determining module 12 parses the service request to determine its data characteristic. The data characteristic may be carried in a header field of the service request; for example, if the service request is an HTTP request, its data characteristic may be the URL that the request accesses.
And the characteristic detection module 14 is configured to detect whether an attack characteristic consistent with the data characteristic exists in a pre-stored attack characteristic set.
Specifically, the characteristic detecting module 14 checks whether the pre-stored attack feature set contains an attack feature that matches the data characteristic. If such an attack feature exists, it notifies the intrusion determining module 15 to proceed; if none exists, it notifies the request reporting module 16 to proceed.
Optionally, the pre-stored attack feature set contains a plurality of attack features for detecting access requests. Optionally, the intrusion detection apparatus 1 may modify, delete or add attack features in the attack feature set, so as to keep the stored attack features complete and improve the effectiveness of intrusion detection.
And the intrusion determining module 15 is configured to determine that the data characteristic meets the preset intrusion condition if the characteristic detecting module 14 finds such an attack feature.
Specifically, if there is an attack feature that matches the data characteristic, the intrusion determining module 15 determines that the data characteristic satisfies the preset intrusion condition.
For example, when the data characteristic is the URL of the service request: the URL through which the service Docker container is normally accessed is http://www.qq.com/, so if the URL in a service request accessing the service Docker container carries an additional component beyond that (shown as "×" here), the intrusion detection apparatus 1 may further inspect that "×" and, on finding "×" in the pre-stored attack feature set, determine that the data characteristic satisfies the preset intrusion condition.
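The characteristic determining and characteristic detecting modules described above, as an added example that is not the patent's own code: a parser that turns a raw HTTP/1.x request into the data characteristics (method, decoded path, decoded query, headers), and an editable attack feature set of regular expressions matched against the request target, with add, modify and delete operations as the text allows. The sample requests, the rule names and the regular expressions are constructed for this example; the patent only names the URL as a possible data characteristic. It goes beyond the text in one respect: it matches the query string as well as the path, since HTTP attack payloads commonly live there.

```python
"""Added example (not the patent's code): extracting the data characteristics of
an HTTP request (characteristic determining module 12) and matching them against
an editable pre-stored attack feature set (characteristic detecting module 14).
The request bytes, the rule names and the regular expressions are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote, urlsplit


@dataclass
class DataFeatures:
    method: str
    path: str                # percent-decoded path; the feature the patent's URL example uses
    query: str               # percent-decoded query string
    headers: Dict[str, str]  # header names lower-cased


def parse_http_request(raw: bytes) -> DataFeatures:
    """Parse the request line and headers of an HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)   # handles both absolute-form and origin-form targets
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return DataFeatures(method.upper(), unquote(parts.path) or "/",
                        unquote(parts.query), headers)


@dataclass
class AttackFeatureSet:
    """Pre-stored attack feature set; entries can be added, modified and deleted."""
    rules: Dict[str, re.Pattern[str]] = field(default_factory=dict)

    def add(self, name: str, regex: str) -> None:
        self.rules[name] = re.compile(regex)      # re-adding a name modifies that rule

    def delete(self, name: str) -> None:
        self.rules.pop(name, None)

    def match(self, f: DataFeatures) -> Optional[str]:
        """Name of the first attack feature consistent with the request target, or None."""
        target = f"{f.path}?{f.query}" if f.query else f.path
        for name, rx in self.rules.items():
            if rx.search(target):
                return name
        return None


def default_attack_features() -> AttackFeatureSet:
    """Three constructed rules; a production set would be far larger."""
    s = AttackFeatureSet()
    s.add("path-traversal", r"(^|/)\.\.(/|$)")
    s.add("sqli-union", r"(?i)\bunion\s+select\b")
    s.add("passwd-file", r"(?i)/etc/passwd")
    return s


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "normal":    b"GET http://www.qq.com/ HTTP/1.1\r\nHost: www.qq.com\r\n\r\n",
    "traversal": b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: www.qq.com\r\n\r\n",
    "sqli":      b"GET /search?q=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\n"
                 b"Host: www.qq.com\r\n\r\n",
}


def classify(raw: bytes, features: Optional[AttackFeatureSet] = None) -> Optional[str]:
    """Full pipeline: parse the request, then look it up in the attack feature set."""
    return (features or default_attack_features()).match(parse_http_request(raw))


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, "->", classify(raw))
```

Decoding the path and query before matching matters: a signature written against `/etc/passwd` never fires on `%2Fetc%2Fpasswd` if the match runs on the raw target, which is exactly the kind of gap an attacker probes for in a signature-only IDS.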
And the command sending module 13 is configured to send a transmission stop command to the first virtual network card if the data characteristics meet a preset intrusion condition, where the transmission stop command is used to instruct the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
Specifically, the command sending module 13 sends a transmission stop command to the first virtual network card, where the transmission stop command is used to instruct the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
Because the first virtual network card forwarded the service request to the service Docker container, the service Docker container feeds response data back to the first virtual network card. If, when the service Docker container has fed back the response data, the first virtual network card has not yet started sending it to the user terminal, or has not yet finished sending it, the first virtual network card interrupts transmission of the response data as soon as it receives the transmission stop command sent by the command sending module 13.
Optionally, the transmission stop command further instructs the first virtual network card to stop transmitting other response data destined for the user terminal. For example, if the first virtual network card receives another service request from the user terminal for the service Docker container, it does not forward that request to the service Docker container; or it forwards the request but does not relay to the user terminal the response data the service Docker container feeds back for it. To do so, the command sending module 13 may mark the user terminal according to its terminal identifier.
And a request reporting module 16, configured to report the service request to the security server through a pre-allocated second virtual network card.
Specifically, the request reporting module 16 reports the service request to a security server through a second virtual network card allocated in advance, so that the security server performs a further detection on it. Optionally, the security server may be connected to a plurality of intrusion detection devices, so that it can analyze and correlate the service requests reported by different intrusion detection devices and reach a more accurate judgment on each, thereby improving the accuracy of intrusion detection.
It should be noted that, in the embodiment of the present invention, the request reporting module 16 reports the service request to the security server either after the command sending module 13 has executed or when no attack feature in the pre-stored attack feature set matches the data characteristic. Optionally, the request reporting module 16 may report each service request to the security server as soon as it is received from the first virtual network card; or it may pack the service requests received within the current period of time and report them together; or it may pack a certain number of service requests and report them together. The embodiment of the present invention does not limit the reporting time, nor the choice between individual and packed reporting.
A policy receiving module 17, configured to receive, through the second virtual network card, a security policy corresponding to the service request sent by the security server, where the security policy is used to indicate whether the first virtual network card allows the user terminal to access the service Docker container.
Specifically, after the security server analyzes the service request in depth and determines the security policy corresponding to it, it sends the security policy to the intrusion detection device through the second virtual network card. Correspondingly, the policy receiving module 17 receives, through the second virtual network card, the security policy corresponding to the service request. The security policy indicates whether the first virtual network card allows the user terminal to access the service Docker container.
Optionally, the security server may derive the correspondence between the data characteristic of the service request and the security policy from its records of data characteristics and intrusion detection results in historical accesses.
And the access processing module 18 is configured to notify the first virtual network card to process the access connection sent by the user terminal according to the security policy.
Specifically, the access processing module 18 notifies the first virtual network card to process the access connection sent by the user terminal according to the security policy. For example, if the security policy is that the user terminal is not allowed to access the service Docker container, the access processing module 18 notifies the first virtual network card to reject the access connection sent by the user terminal. If the security policy is to allow the user terminal to access the service Docker container, the access processing module 18 either sends no notification to the first virtual network card or sends a notification allowing the user terminal to continue accessing the service Docker container.
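The request reporting, policy receiving and access processing modules described above, as an added example that is not the patent's own code: a reporter that implements the three reporting modes the text lists (per request, per time window, per batch size), a security server that derives its policy from records of past data characteristics and detection results as the optional paragraph describes, and the mapping from a received policy to the notification the first virtual network card gets. The report format, the 50% flagged-ratio threshold, the batch sizes and the injectable clock are assumptions made for this example; the second virtual network card is simulated by a direct call.

```python
"""Added example (not the patent's code): the three reporting modes of the request
reporting module, a security server whose policy comes from historical records,
and the access processing decision.  The report format, the 50% threshold, the
batch sizes and the injectable clock are assumptions."""
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Report:
    terminal_id: str   # terminal identifier of the user terminal
    feature: str       # data characteristic the IDS extracted, e.g. the URL path
    ids_matched: bool  # whether the IDS's own attack feature check fired


class HistoryBasedSecurityServer:
    """Keeps, per data characteristic, how often it was seen and how often it was
    flagged as an intrusion.  Assumption: once the flagged ratio for a feature
    reaches `threshold`, every terminal presenting that feature gets 'deny'."""

    def __init__(self, threshold: float = 0.5) -> None:
        self.seen: Dict[str, int] = defaultdict(int)
        self.flagged: Dict[str, int] = defaultdict(int)
        self.threshold = threshold

    def detect(self, batch: List[Report]) -> Dict[str, str]:
        """Return {terminal_id: 'allow' | 'deny'} for one reported batch."""
        policies: Dict[str, str] = {}
        for r in batch:
            self.seen[r.feature] += 1
            if r.ids_matched:
                self.flagged[r.feature] += 1
            ratio = self.flagged[r.feature] / self.seen[r.feature]
            verdict = "deny" if ratio >= self.threshold else "allow"
            if policies.get(r.terminal_id) != "deny":   # a deny in the batch is sticky
                policies[r.terminal_id] = verdict
        return policies


class RequestReporter:
    """Request reporting module 16 plus policy receiving module 17.
    mode: 'each' reports every request, 'count' packs `batch_size` requests,
    'window' packs the requests received within `window` seconds."""

    def __init__(self, server: HistoryBasedSecurityServer, mode: str = "each",
                 batch_size: int = 10, window: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.server, self.mode = server, mode
        self.batch_size, self.window, self.clock = batch_size, window, clock
        self.pending: List[Report] = []
        self.window_start = clock()
        self.policies: Dict[str, str] = {}    # last policy received per terminal

    def report(self, r: Report) -> Dict[str, str]:
        """Queue a report; returns the policies received if this call flushed."""
        self.pending.append(r)
        due = (self.mode == "each"
               or (self.mode == "count" and len(self.pending) >= self.batch_size)
               or (self.mode == "window" and self.clock() - self.window_start >= self.window))
        return self.flush() if due else {}

    def flush(self) -> Dict[str, str]:
        """Send everything queued over the (simulated) second virtual network card."""
        if not self.pending:
            return {}
        batch, self.pending = self.pending, []
        self.window_start = self.clock()
        received = self.server.detect(batch)
        self.policies.update(received)
        return received


def access_action(policy: str) -> str:
    """Access processing module 18: what the first virtual network card is told."""
    return "reject_connection" if policy == "deny" else "allow_access"


if __name__ == "__main__":
    # Constructed reports, not captured data.
    server = HistoryBasedSecurityServer()
    reporter = RequestReporter(server, mode="count", batch_size=2)
    print(reporter.report(Report("10.0.0.9", "/../etc/passwd", True)))   # queued only
    print(reporter.report(Report("10.0.0.5", "/index.html", False)))     # batch flushed
    print({t: access_action(p) for t, p in reporter.policies.items()})
```

The trade-off the three modes expose is latency versus load: in "count" or "window" mode a terminal already stopped by S308 keeps its stop mark, but the policy that would lift or confirm it only arrives when the batch flushes, so a deployment that relies on the security server to release false positives should keep the window short or flush on a timer rather than only on the next report.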
It should be noted that the intrusion detection apparatus in the embodiment of the present invention may be deployed in an IDS Docker container on one physical host, with a fixed amount of hardware resources, such as CPU and memory, allocated to the IDS Docker container in advance. Confining the intrusion detection apparatus to fixed hardware resources lets it perform intrusion detection without affecting the normal operation of the other service Docker containers on the host.
In the embodiment of the invention, the intrusion detection device receives, from the first virtual network card corresponding to the service Docker container, a service request for accessing that container; it then parses the service request to determine its data characteristic, and if the data characteristic meets a preset intrusion condition it sends a transmission stop command to the first virtual network card, instructing the first virtual network card to stop transmitting the response data that the service Docker container feeds back for the service request. The intrusion detection device can therefore detect the network data of the other service Docker containers in time, which improves intrusion detection efficiency; in addition, the further detection performed by the security server improves intrusion detection accuracy.
Referring to fig. 8, a schematic structural diagram of another intrusion detection device according to an embodiment of the present invention is provided. As shown in fig. 8, the intrusion detection device 1000 may include at least one processor 1001, such as a CPU, at least one network interface 1004, a memory 1005 and at least one communication bus 1002. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g. a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory, such as at least one disk memory; optionally, the memory 1005 may be at least one storage device located remotely from the processor 1001. The communication bus 1002 provides communication among these components. Optionally, the intrusion detection device 1000 includes a user interface 1003, which may optionally include a display screen (Display) and a keyboard (Keyboard). As shown in fig. 8, the memory 1005, which is a type of computer storage medium, may hold an operating system, a network communication module, a user interface module and an intrusion detection application program.
In the intrusion detection device 1000 shown in fig. 8, the processor 1001 may be configured to call an intrusion detection application program stored in the memory 1005, and specifically perform the following operations:
receiving a service request for accessing a service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, wherein the service request carries a terminal identifier of a user terminal sending the service request;
analyzing the service request to determine the data characteristics of the service request;
and if the data characteristics meet preset intrusion conditions, sending a transmission stopping command to the first virtual network card, wherein the transmission stopping command is used for indicating the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container.
In a possible embodiment, the transmission stop command is further configured to instruct the first virtual network card to stop transmitting other response data sent to the user terminal.
In a possible embodiment, before sending the transmission stop command to the first virtual network card when the data characteristic satisfies the preset intrusion condition, the processor 1001 further executes:
detecting whether attack features which are matched with the data features in a pre-stored attack feature set exist or not;
and if so, determining that the data characteristics meet a preset intrusion condition.
In one possible embodiment, the processor 1001 further performs:
reporting the service request to a security server through a second virtual network card which is allocated in advance;
receiving, by the second virtual network card, a security policy corresponding to the service request sent by the security server, where the security policy is used to indicate whether the first virtual network card allows the user terminal to access the service Docker container;
and informing the first virtual network card to process the access connection sent by the user terminal according to the security policy.
In a possible embodiment, when notifying the first virtual network card to process the access connection sent by the user terminal according to the security policy, the processor 1001 specifically notifies the first virtual network card to reject the access connection sent by the user terminal when the security policy is that the user terminal is not allowed to access the service Docker container.
It should be noted that the processor 1001 shown in the embodiment of the present invention may be configured to execute actions or steps of the intrusion detection device in any one of the embodiments shown in fig. 2 to fig. 5, and specific implementation manners and technical effects of the content executed by the processor 1001 are described in detail in the corresponding method embodiment and are not described herein again.
It should be noted that, for simplicity of description, the method embodiments above are described as a series of acts, but those skilled in the art will recognize that the present invention is not limited by the order of the acts described, since some steps may be performed in other orders or concurrently in accordance with the invention. Those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments, and that the acts and modules involved are not necessarily required by the invention.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium and, when executed, carries out the processes of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above disclosure only illustrates preferred embodiments of the present invention and is not to be taken as limiting the scope of the appended claims.

Claims (10)

1. An intrusion detection method, comprising:
receiving a service request for accessing a service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, wherein the service request carries a terminal identifier of a user terminal sending the service request;
analyzing the service request to determine the data characteristics of the service request;
if the data characteristics meet preset intrusion conditions, sending a transmission stopping command to the first virtual network card, wherein the transmission stopping command is used for indicating the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container;
reporting the service request to a security server through a second virtual network card which is allocated in advance;
receiving, by the second virtual network card, a security policy corresponding to the service request sent by the security server, where the security policy is used to indicate whether the first virtual network card allows the user terminal to access the service Docker container;
and informing the first virtual network card to process the access connection sent by the user terminal according to the security policy.
2. The method according to claim 1, wherein the transmission stop command is further used to instruct the first virtual network card to stop transmitting other response data sent to the user terminal.
3. The method according to claim 1, wherein, before sending the transmission stop command to the first virtual network card if the data characteristics satisfy the preset intrusion condition, the method further comprises:
detecting whether attack features which are matched with the data features in a pre-stored attack feature set exist or not;
and if so, determining that the data characteristics meet a preset intrusion condition.
4. The method according to claim 1, wherein the notifying the first virtual network card to process the access connection sent by the user terminal according to the security policy comprises:
and when the security policy is that the user terminal is not allowed to access the service Docker container, notifying the first virtual network card to reject the access connection sent by the user terminal.
5. An intrusion detection device, comprising:
the request receiving module is used for receiving a service request for accessing the service Docker container, which is sent by a first virtual network card corresponding to the service Docker container, and the service request carries a terminal identifier of a user terminal sending the service request;
the characteristic determining module is used for analyzing the service request to determine the data characteristic of the service request;
a command sending module, configured to send a transmission stop command to the first virtual network card if the data characteristics meet a preset intrusion condition, where the transmission stop command is used to instruct the first virtual network card to stop transmitting response data corresponding to the service request fed back by the service Docker container;
the request reporting module is used for reporting the service request to the security server through a second virtual network card which is distributed in advance;
a policy receiving module, configured to receive, through the second virtual network card, a security policy corresponding to the service request sent by the security server, where the security policy is used to indicate whether the first virtual network card allows the user terminal to access the service Docker container;
and the access processing module is used for informing the first virtual network card to process the access connection sent by the user terminal according to the security policy.
6. The apparatus according to claim 5, wherein the transmission stop command is further used to instruct the first virtual network card to stop transmitting other response data sent to the user terminal.
7. The apparatus of claim 5, further comprising:
the characteristic detection module is used for detecting whether attack characteristics which are matched with the data characteristics in a pre-stored attack characteristic set exist or not;
and the intrusion determining module is used for determining that the data characteristics meet the preset intrusion condition if the detection result of the characteristic detecting module is positive.
8. The apparatus of claim 5, wherein the access processing module is specifically configured to notify the first virtual network card to reject the access connection sent by the user terminal when the security policy is that the user terminal is not allowed to access the service Docker container.
9. An intrusion detection device, comprising: a processor and a memory;
the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps of the method of any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions which, when executed by a processor, perform the method of any of claims 1 to 4.
CN201710139153.8A 2017-03-09 2017-03-09 Intrusion detection prompting method and device Active CN106790291B (en)

Publications (2)

Publication Number Publication Date
CN106790291A CN106790291A (en) 2017-05-31
CN106790291B true CN106790291B (en) 2020-04-03

Family

ID=58961839

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710139153.8A Active CN106790291B (en) 2017-03-09 2017-03-09 Intrusion detection prompting method and device

Country Status (1)

Country Link
CN (1) CN106790291B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108282376B (en) * 2018-04-20 2021-06-08 Jiangnan University (江南大学) LDDoS simulation method based on lightweight virtualization
CN110086881A (en) * 2019-05-07 2019-08-02 NetEase (Hangzhou) Network Co., Ltd. (网易(杭州)网络有限公司) Method for processing business, device and equipment
CN110138776B (en) * 2019-05-14 2020-04-28 Chongqing Tianpeng Network Co., Ltd. (重庆天蓬网络有限公司) Docker intrusion detection method, device and medium based on command monitoring
US11580199B2 (en) 2019-09-20 2023-02-14 International Business Machines Corporation Correspondence of external operations to containers and mutation events
CN113364723A (en) * 2020-03-05 2021-09-07 Qi An Xin Technology Group Co., Ltd. (奇安信科技集团股份有限公司) DDoS attack monitoring method and device, storage medium and computer equipment
CN112182573A (en) * 2020-09-10 2021-01-05 Qingdao Haier Technology Co., Ltd. (青岛海尔科技有限公司) Method, device and equipment for intrusion detection
CN112153049B (en) * 2020-09-24 2023-01-17 NSFOCUS Technology Group Co., Ltd. (绿盟科技集团股份有限公司) Intrusion detection method, device, electronic equipment and computer readable medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101465770A (en) * 2009-01-06 2009-06-24 Beihang University (北京航空航天大学) Method for deploying an intrusion detection system
CN104135490A (en) * 2014-08-14 2014-11-05 Inspur (Beijing) Electronic Information Industry Co., Ltd. (浪潮(北京)电子信息产业有限公司) Intrusion detection system (IDS) analysis method and intrusion detection system
CN105072115A (en) * 2015-08-12 2015-11-18 State Grid Corporation of China (国家电网公司) Information system intrusion detection method based on Docker virtualization

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9652612B2 (en) * 2015-03-25 2017-05-16 International Business Machines Corporation Security within a software-defined infrastructure

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Information security risks and countermeasures of using container technology in cloud computing (云计算中使用容器技术的信息安全风险与对策); Zhang Nan (张楠); Proceedings of the 30th National Computer Security Academic Exchange Conference (第30次全国计算机安全学术交流会论文集); 2015-09-30; pp. 278-282 *

Also Published As

Publication number Publication date
CN106790291A (en) 2017-05-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant