CN110138731B - Network anti-attack method based on big data - Google Patents

Info

Publication number: CN110138731B
Authority: CN (China)
Prior art keywords: detection, data, node server, node, equipment
Legal status: Active
Application number: CN201910267036.9A
Other languages: Chinese (zh)
Other versions: CN110138731A (en)
Inventor: 李莉莉
Current assignee: Terminus Beijing Technology Co Ltd
Original assignee: Terminus Beijing Technology Co Ltd
Application filed by Terminus Beijing Technology Co Ltd

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L63/1416 Event detection, e.g. attack signature detection
                        • H04L63/1433 Vulnerability analysis
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses a network anti-attack method based on big data, belonging to the technical field of network security and big data information. The method comprises the following steps: a first detection node receives a detection request from a user, detects the equipment where it is located to obtain detection data, analyzes the detection data, and, when the analysis result shows that the equipment has network attack behavior, generates alarm data from the detection data and sends the alarm data to a first node server; the first node server verifies the received alarm data and, when the verification passes, sends it to each second node server; each second node server performs consensus verification on the received alarm data and, when the verification passes, sends an attack blocking command to the corresponding second detection node; and the second detection node performs attack blocking on the equipment where it is located according to the attack blocking command. By applying big data information, the invention realizes information sharing, thereby reducing the range over which a network attack spreads and, to a certain extent, ensuring the safety of more equipment.

Description

Network anti-attack method based on big data
Technical Field
The invention relates to the technical field of network security and big data information, in particular to a network anti-attack method.
Background
With the rapid development of internet technology, people's way of life has changed greatly: they browse news, shop and work on the internet, so that tens of thousands of devices and an immeasurable amount of information are gathered in the network. Along with this, network security has become a matter of great concern. In recent years, network attack events such as viruses and trojan horses occur from time to time, and when a device discovers or suffers a network attack it is isolated from most other devices in society, so it cannot transmit the network attack information to more devices in time; the range of the network attack therefore gradually increases and a certain loss is caused.
Disclosure of Invention
The purpose of the invention is realized by the following technical scheme.
In a first aspect, the present invention provides a network anti-attack method based on big data, including:
the first detection node receives a detection request from a user, and detects equipment where the first detection node is located to obtain detection data;
and the first detection node analyzes the detection data, and when the analysis result shows that the equipment has network attack behavior, alarm data is generated according to the detection data and is sent to the first node server so that the first node server can transmit the alarm data in the big data information network.
Optionally, when the first detection node detects the equipment where it is located to obtain the detection data, the method further includes: recording a detection timestamp;
the generating alarm data from the detection data comprises:
generating a detection data abstract according to the detection data;
encrypting the detection data by using a private key to obtain a detection data ciphertext;
and generating alarm data in a preset format according to the detection data abstract, the detection data ciphertext, the detection timestamp and the first equipment identifier of the equipment.
In a second aspect, the present invention provides a network anti-attack method based on big data, including:
the first node server receives alarm data from the first detection node;
and the first node server verifies the alarm data and, when the alarm data passes the verification, sends it to each second node server so that each second node server can carry out consensus verification.
Optionally, the verifying, by the first node server, the alarm data includes:
the first node server analyzes the alarm data to obtain a detection data abstract, a detection data ciphertext, a detection timestamp and a first equipment identifier;
the first node server acquires a corresponding public key according to the equipment identifier, and decrypts the detection data ciphertext according to the public key to obtain a detection data plaintext;
calculating the abstract of the detection data plaintext, and judging whether the calculated abstract is consistent with the detection data abstract obtained by analysis; if so, judging that the verification is passed, otherwise judging that the verification is not passed.
Optionally, before sending the alarm data to each second node server, the method further includes: and saving the alarm data.
Optionally, the saving the alarm data includes:
storing the plaintext of the detection data to a local database;
storing the detection data abstract, the detection timestamp, the first equipment identifier and the second equipment identifier (that of the first node server) in a big data information base;
the sending of the alarm data to each second node server specifically includes: sending the detection data abstract, the detection timestamp, the first equipment identifier and the second equipment identifier to each second node server.
In a third aspect, the present invention provides a network anti-attack method based on big data, including:
the second node server receives the alarm data sent by the first node server;
and the second node server performs consensus verification on the alarm data and sends an attack blocking command to a corresponding second detection node when the verification is passed.
Optionally, the receiving, by the second node server, the alarm data sent by the first node server specifically includes: the second node server receives the detection data abstract, the detection timestamp, the first equipment identification and the second equipment identification which are sent by the first node server;
correspondingly, the second node server performs consensus verification on the alarm data, specifically: verifying whether the second equipment identifier is a valid equipment identifier, and if so, judging that the verification is passed; otherwise, judging that the verification is not passed.
Optionally, the sending of the attack blocking command to the corresponding second detection node when the verification passes includes: and when the verification is passed, sending an attack blocking command to the corresponding second detection node.
Optionally, the method further includes, when the verification passes: and storing the alarm data to a big data information base.
In a fourth aspect, the present invention provides a network anti-attack method based on big data, including:
the second detection node receives an attack blocking command from a second node server;
and the second detection node performs attack blocking on the equipment where the second detection node is located according to the attack blocking command.
Optionally, the attack blocking on the equipment where the second detection node is located specifically includes: detecting the equipment and/or updating the black-and-white list library.
The invention has the advantages that:
In the invention, the servers of all enterprises in all areas are interconnected to form an alliance chain, and each server is in data communication with the detection nodes in its corresponding equipment (such as computers). When the first detection node detects that the equipment where it is located has network attack behavior, it sends corresponding alarm data to the corresponding first node server, the first node server transmits the network attack information through the big data information network, each second node server in the big data information network then sends an attack blocking command to its corresponding second detection node, and the second detection node performs the attack blocking operation. In the method, firstly, big data information technology is applied, so that information islands are effectively avoided and large-scale transmission of network attack information is realized through information sharing; secondly, the first node server verifies the alarm data and the second node server performs consensus verification, so that the safety and effectiveness of the alarm data are effectively guaranteed by double verification; thirdly, the contract system of big data information is fully utilized, so that when a network attack occurs the related information is rapidly and automatically transmitted to each second detection node, each of which performs attack blocking, so that the invasion range of the network attack is effectively reduced and the safety of more devices is guaranteed to a great extent; finally, the anti-tampering and traceability characteristics of big data information are fully utilized, and by writing the relevant information of the network attack into the big data information, the traceability and querying of network attack events are ensured, providing an accurate data basis for subsequent network attack analysis, equipment system vulnerability analysis and other work.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart of a network anti-attack method applied to a first detection node according to an embodiment of the present invention;
fig. 2 is a flowchart of a network anti-attack method applied to a first node server according to an embodiment of the present invention;
fig. 3 is a flowchart of a network anti-attack method applied to a second node server according to an embodiment of the present invention;
fig. 4 is a flowchart of a network anti-attack method according to an embodiment of the present invention;
fig. 5 is a block diagram of a first network anti-attack device according to an embodiment of the present invention;
fig. 6 is a block diagram of a second network anti-attack device according to an embodiment of the present invention;
fig. 7 is a block diagram of a third network anti-attack device according to an embodiment of the present invention;
fig. 8 is a block diagram of a fourth network anti-attack device according to an embodiment of the present invention;
fig. 9 is a block diagram of a fifth network anti-attack device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In the invention, the servers of all enterprises in all places are used as big data information nodes, so that all servers are interconnected to form an alliance chain; meanwhile, each server carries out data communication with a detection node (an application installed in the equipment that has an equipment detection function, such as a security guard) in its corresponding equipment (such as a computer), and when network attack information sent by the corresponding detection node is received, it is transmitted to the other servers through the big data information network, so that the other servers send attack blocking commands to their corresponding detection nodes in time and the invasion range of the network attack is reduced. That is, by forming a distributed network anti-attack system, the invention can quickly and effectively transmit network attack information, solve the trust problem among enterprises, realize information sharing and improve the utilization rate of the information.
Furthermore, in order to facilitate the distinction, in the invention, a detection node which detects a network attack behavior is marked as a first detection node, a server corresponding to the first detection node is marked as a first node server, other servers except the first node server in the big data information network are marked as second node servers, and detection nodes corresponding to the second node servers are marked as second detection nodes; the network anti-attack method in the present invention is described in detail below.
Example one
According to an embodiment of the present invention, a network anti-attack method applied to a first detection node is provided, as shown in fig. 1, including:
step 101: the first detection node receives a detection request from a user, and detects equipment where the first detection node is located to obtain detection data;
specifically, the first detection node receives a detection request from a user, detects the safety state of the device where the first detection node is located to obtain detection data, and records a detection timestamp.
Step 102: and when the analysis result shows that the equipment has network attack behavior, the first detection node generates alarm data according to the obtained detection data and sends the alarm data to the first node server so that the first node server can transmit the alarm data in the big data information network.
According to an embodiment of the present invention, generating alarm data from the obtained detection data includes:
step A1: generating a detection data abstract according to the detection data;
step A2: encrypting the detection data by using a private key to obtain a detection data ciphertext;
step A3: and generating alarm data in a preset format according to the detection data abstract, the detection data ciphertext, the recorded detection timestamp and the first equipment identifier of the equipment.
The preset format can be set as required; for example, it is formed by sequentially splicing the detection data abstract, the detection data ciphertext, the recorded detection timestamp and the first device identifier of the device where the first detection node is located with the hyphen character "-".
Further, the specific process of analyzing the obtained detection data in step 102 may be any practicable analysis method in the prior art, and the present invention is not limited thereto.
In this embodiment, when the first detection node detects a network attack behavior, the corresponding alarm data is sent to the first node server, so that the network attack information is quickly and effectively transmitted through the big data information network.
Example two
According to an embodiment of the present invention, a network anti-attack method applied to a first node server is provided, as shown in fig. 2, including:
step 201: the first node server receives alarm data from the first detection node;
step 202: and the first node server verifies the received alarm data and sends the alarm data to each second node server when the received alarm data passes the verification so as to enable each second node server to carry out consensus verification.
According to an embodiment of the present invention, the first node server verifies the alarm data in step 202, including:
step B1: the first node server analyzes the received alarm data to obtain a detection data abstract, a detection data ciphertext, a detection timestamp and a first equipment identifier;
specifically, a detection data abstract, a detection data ciphertext, a detection timestamp and a first device identifier in the alarm data are read according to a preset format.
Step B2: the first node server acquires a corresponding public key according to the acquired equipment identifier, and decrypts the acquired detection data ciphertext by using the public key to acquire a detection data plaintext;
specifically, the first node server searches the obtained device identifier in the local database, reads the public key corresponding to the searched device identifier, and decrypts the obtained detection data ciphertext by using the read public key to obtain the detection data plaintext.
Step B3: calculating the abstract of the obtained detection data plaintext, and judging whether the calculated abstract is consistent with the detection data abstract obtained by analysis; if so, judging that the verification is passed, otherwise judging that the verification is not passed.
According to the invention, the first node server verifies the received alarm data, which effectively guarantees the safety and effectiveness of the alarm data: the situation in which the initiator of an attack, after the equipment corresponding to the first detection node has been attacked, uses the first detection node to send a malicious message to the first node server is avoided, and the malicious message is thereby prevented from spreading through the big data information network.
According to an embodiment of the present invention, before sending the alarm data to each second node server in step 202, the method further includes: and saving the alarm data.
Specifically, the detection data plaintext is stored in a local database, and the detection data abstract, the detection timestamp, the first equipment identifier and the second equipment identifier (that of the first node server) are stored in a big data information base;
correspondingly, the sending of the alarm data to each second node server in step 202 specifically includes: sending the detection data abstract, the detection timestamp, the first equipment identifier and the second equipment identifier to each second node server.
In the invention, since the detection data plaintext occupies a larger storage space, only the detection data abstract is stored in the big data information base and the detection data plaintext is stored locally in the first node server. The network attack event can subsequently be traced and queried through the data in the big data information, the server can locally look up details of viruses, trojans and the like, and the utilization rate of the storage space of the big data information is improved.
In this embodiment, after receiving the alarm data sent by the first detection node, the first node server verifies it, so that the alarm data is sent to each second node server in the big data information network only once its safety and effectiveness are ensured. This both avoids the risk of malicious messages spreading in the big data information network after the first detection node is attacked and realizes the rapid and effective transmission of network attack information.
Example three
According to an embodiment of the present invention, a network anti-attack method applied to a second node server is provided, as shown in fig. 3, including:
step 301: the second node server receives the alarm data sent by the first node server;
specifically, the second node server receives the detection data abstract, the detection timestamp, the first device identifier and the second device identifier sent by the first node server.
Step 302: and the second node server performs consensus verification on the received alarm data and sends an attack blocking command to the corresponding second detection node when the verification is passed.
According to the embodiment of the present invention, in step 302, the second node server performs consensus verification on the received alarm data, specifically: verifying whether the received second equipment identifier is a valid equipment identifier, and if so, judging that the verification is passed; otherwise, judging that the verification is not passed.
More specifically, the second node server determines whether the device identifier stored in the second node server contains the received second device identifier, and if yes, determines that the received second device identifier is a valid device identifier; otherwise, the received second device identification is judged not to be the effective device identification.
In the invention, the second node server performs consensus verification on the received second equipment identifier so as to ensure that the corresponding first node server is an effective server in the big data information network, thereby ensuring the accuracy of the received data.
According to the embodiment of the present invention, in step 302, when the verification passes, an attack blocking command is sent to the corresponding second detection node, specifically: and when the verification is passed, sending an attack blocking command to the corresponding second detection node.
In the invention, protocols for sending attack blocking commands are deployed in each node server in advance, the number of the protocols can be one or more, and the protocols can be set according to requirements.
Further, according to the embodiment of the present invention, when the verification is passed in step 302, the method further includes: and storing the received alarm data to a big data information base.
Specifically, the received detection data abstract, the detection timestamp, the first device identifier and the second device identifier are converted into big data information.
According to the invention, the network attack related information is written into the big data information, so that traceability and enquiry of the network attack event are ensured, and an accurate data basis is provided for subsequent network attack analysis, equipment system vulnerability analysis and other work.
In this embodiment, when each second node server has verified the received alarm data, it sends an attack blocking command to its corresponding second detection node, so that each second detection node performs attack blocking; the method is fast and effective.
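The alarm format of step A3, the first node server's verification of steps B1 to B3 and the second node server's identifier check of step 302, as an added Go example that is not part of the patent. The patent's private-key encryption undone with the device's public key is functionally a digital signature, so the example uses an Ed25519 signature and carries the detection data as an extra hex field; the freshness window on the detection timestamp, the delimiter check on the identifier, the identifiers `dev0001` and `srv01` and the detection payload are assumptions constructed here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

const sep = "-" // delimiter of the "preset format" (step A3): fields spliced with "-"

// Alarm is the parsed alarm message (steps A3 and B1).
type Alarm struct {
	Digest    []byte // SHA-256 of the detection data (step A1)
	Sig       []byte // Ed25519 signature over the detection data, standing in for the step A2 ciphertext
	Detection []byte // detection data in the clear, so the server can recompute the digest (step B3)
	Timestamp int64  // detection timestamp of step 101, Unix seconds
	DeviceID  string // first equipment identifier, assumed hyphen-free
}

// BuildAlarm is the first detection node side (steps A1 to A3).
func BuildAlarm(detection []byte, ts int64, deviceID string, priv ed25519.PrivateKey) (string, error) {
	// A delimiter-spliced format only parses back if no field contains the delimiter:
	// binary fields are hex-encoded and the identifier is checked explicitly.
	if deviceID == "" || strings.Contains(deviceID, sep) {
		return "", errors.New("device identifier is empty or contains the field delimiter")
	}
	sum := sha256.Sum256(detection)
	sig := ed25519.Sign(priv, detection)
	fields := []string{hex.EncodeToString(sum[:]), hex.EncodeToString(sig),
		hex.EncodeToString(detection), strconv.FormatInt(ts, 10), deviceID}
	return strings.Join(fields, sep), nil
}

// ParseAlarm is step B1: read the fields back according to the preset format.
func ParseAlarm(raw string) (Alarm, error) {
	parts := strings.Split(raw, sep)
	if len(parts) != 5 {
		return Alarm{}, fmt.Errorf("alarm has %d fields, want 5", len(parts))
	}
	digest, err1 := hex.DecodeString(parts[0])
	sig, err2 := hex.DecodeString(parts[1])
	det, err3 := hex.DecodeString(parts[2])
	ts, err4 := strconv.ParseInt(parts[3], 10, 64)
	for _, err := range []error{err1, err2, err3, err4} {
		if err != nil {
			return Alarm{}, fmt.Errorf("malformed alarm: %w", err)
		}
	}
	return Alarm{Digest: digest, Sig: sig, Detection: det, Timestamp: ts, DeviceID: parts[4]}, nil
}

// VerifyAlarm is the first node server side (steps B2 and B3). keys is the local database of
// step B2, keyed by first equipment identifier; the timestamp window is an added freshness check.
func VerifyAlarm(raw string, keys map[string]ed25519.PublicKey, now time.Time, window time.Duration) (Alarm, error) {
	a, err := ParseAlarm(raw)
	if err != nil {
		return Alarm{}, err
	}
	pub, ok := keys[a.DeviceID]
	if !ok {
		return Alarm{}, fmt.Errorf("no public key registered for device %q", a.DeviceID)
	}
	// Step B2: only the holder of the device's private key can have produced this.
	if !ed25519.Verify(pub, a.Detection, a.Sig) {
		return Alarm{}, errors.New("signature does not verify under the registered public key")
	}
	// Step B3: recompute the abstract of the detection data and compare it with the carried one.
	if sum := sha256.Sum256(a.Detection); !bytes.Equal(sum[:], a.Digest) {
		return Alarm{}, errors.New("recomputed digest differs from the carried digest")
	}
	// Added check: an alarm recorded earlier must not be accepted again long afterwards.
	if skew := now.Sub(time.Unix(a.Timestamp, 0)); skew > window || skew < -window {
		return Alarm{}, errors.New("detection timestamp outside the accepted window")
	}
	return a, nil
}

// ConsensusCheck is the second node server's check of step 302: the identifier of the
// forwarding first node server must be one the second node server already holds.
func ConsensusCheck(secondDevID string, knownServers map[string]bool) bool {
	return knownServers[secondDevID]
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := map[string]ed25519.PublicKey{"dev0001": pub}
	now := time.Now()
	// Constructed detection payload standing in for a real scanner's report.
	raw, _ := BuildAlarm([]byte(`{"finding":"unknown autostart entry"}`), now.Unix(), "dev0001", priv)
	a, err := VerifyAlarm(raw, keys, now, 5*time.Minute)
	fmt.Println("genuine alarm accepted:", err == nil, "from", a.DeviceID)
	fmt.Println("forwarding server known:", ConsensusCheck("srv01", map[string]bool{"srv01": true}))
}
```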
Example four
According to an embodiment of the present invention, a network anti-attack method applied to a second detection node is provided, as shown in fig. 4, including:
step 401: the second detection node receives an attack blocking command from a second node server;
step 402: and the second detection node performs attack blocking on the equipment where the second detection node is located according to the received attack blocking command.
The attack blocking on the equipment where the second detection node is located specifically includes: detecting the equipment and/or updating the black-and-white list library.
In the invention, when the second detection node receives the attack blocking command, the environment safety condition of the equipment where the second detection node is located is automatically detected, and operations such as bug fixing or patch installation are carried out to effectively avoid network attack; and/or updating the local black and white list library according to the relevant information of the network attack behavior contained in the attack blocking command so as to block the invasion of the network attack.
In this embodiment, when receiving the attack blocking command, each second detection node automatically blocks the attack of the device in which the second detection node is located, thereby effectively reducing the scope of attack of the network attack.
Example five
According to an embodiment of the present invention, a network anti-attack method is provided, as shown in fig. 5, including:
step 501: the first detection node receives a detection request from a user, and detects equipment where the first detection node is located to obtain detection data;
step 502: the first detection node analyzes the obtained detection data, and when the analysis result shows that the equipment has network attack behavior, alarm data is generated according to the obtained detection data and is sent to the first node server;
the process of generating alarm data from the obtained detection data is the same as the method described in step A1 to step A3 of the first embodiment and is not described here again.
Step 503: the first node server verifies the received alarm data and sends the alarm data to each second node server when the verification is passed;
the process by which the first node server verifies the received alarm data is the same as the method described in step B1 to step B3 of the second embodiment and is not described here again.
Step 504: the second node server performs consensus verification on the received alarm data and sends an attack blocking command to a corresponding second detection node when the verification is passed;
the process by which the second node server performs consensus verification on the received alarm data is the same as that described in step 302 of the third embodiment and is not described here again.
Step 505: and the second detection node performs attack blocking on the equipment where the second detection node is located according to the received attack blocking command.
The attack blocking on the equipment where the second detection node is located specifically includes: detecting the equipment and/or updating the black-and-white list library.
In the embodiment, based on the big data information, the quick and effective transmission of the network attack related information is realized, and then the attack blocking operation is executed to reduce the invasion range of the network attack.
Example six
According to an embodiment of the present invention, there is provided a network attack prevention apparatus, as shown in fig. 6, including:
a first receiving module 601, configured to receive a detection request from a user;
a detection module 602, configured to detect, when the first receiving module 601 receives a detection request from a user, a device in which the first receiving module is located to obtain detection data;
an analysis module 603, configured to analyze the detection data obtained by the detection module 602;
a generating module 604, configured to generate alarm data according to the detection data obtained by the detecting module 602 when the analysis result of the analyzing module 603 indicates that the device has a network attack behavior;
and a first sending module 605, configured to send the alarm data generated by the generating module 604 to the first node server, so that the first node server can propagate in the big data information network.
According to an embodiment of the invention, the apparatus further comprises: a recording module;
and the recording module is used for recording the detection time stamp.
According to an embodiment of the invention, the generating module 604 comprises a first generation submodule, an encryption submodule and a second generation submodule, wherein:
the first generation submodule is configured to generate a detection data digest from the detection data obtained by the detection module 602;
the encryption submodule is configured to encrypt the detection data obtained by the detection module 602 with a private key to obtain a detection data ciphertext;
and the second generation submodule is configured to generate alarm data in a preset format from the detection data digest generated by the first generation submodule, the detection data ciphertext obtained by the encryption submodule, the detection timestamp recorded by the recording module, and the first device identifier of the device.
Example seven
According to an embodiment of the present invention, there is provided a network attack prevention apparatus, as shown in fig. 7, including:
a second receiving module 701, configured to receive alarm data from the first detection node;
a first verification module 702 for verifying the alarm data received by the second receiving module 701;
and a second sending module 703, configured to send the alarm data received by the second receiving module 701 to each second node server when the verification by the first verification module 702 passes, so that the second node servers can perform consensus verification.
According to an embodiment of the present invention, the first verification module 702 comprises an analysis submodule, an acquisition submodule, a decryption submodule, a calculation submodule and a judgment submodule, wherein:
the analysis submodule is configured to parse the alarm data received by the second receiving module 701 to obtain a detection data digest, a detection data ciphertext, a detection timestamp and a first device identifier;
the acquisition submodule is configured to obtain the corresponding public key according to the first device identifier obtained by the analysis submodule;
the decryption submodule is configured to decrypt the detection data ciphertext received by the second receiving module 701 with the public key obtained by the acquisition submodule, so as to obtain the detection data plaintext;
the calculation submodule is configured to calculate the digest of the detection data plaintext obtained by the decryption submodule;
and the judgment submodule is configured to judge whether the digest calculated by the calculation submodule is consistent with the detection data digest parsed by the analysis submodule; if so, the verification is judged to have passed, otherwise the verification is judged to have failed.
According to an embodiment of the invention, the apparatus further comprises a first storage module;
the first storage module is configured to store the detection data plaintext obtained by the decryption submodule in a local database, and to store the detection data digest, the detection timestamp and the first device identifier obtained by the analysis submodule, together with the second device identifier of the apparatus itself, in the big data information base;
correspondingly, the second sending module 703 is specifically configured to send the detection data digest, the detection timestamp and the first device identifier obtained by the analysis submodule, together with the second device identifier of the apparatus, to each second node server.
Example eight
According to an embodiment of the present invention, there is provided a network attack prevention apparatus, as shown in fig. 8, including:
a third receiving module 801, configured to receive alarm data sent by the first node server;
a second verification module 802, configured to perform consensus verification on the alarm data received by the third receiving module 801;
a third sending module 803, configured to send an attack blocking command to a corresponding second detection node when the second verification module 802 passes the verification.
According to an embodiment of the present invention, the third receiving module 801 is specifically configured to receive the detection data digest, the detection timestamp, the first device identifier and the second device identifier sent by the first node server;
correspondingly, the second verification module 802 is specifically configured to verify whether the second device identifier is a valid device identifier; if so, the verification is judged to have passed, otherwise the verification is judged to have failed.
According to an embodiment of the present invention, the third sending module 803 is specifically configured to send an attack blocking command to the corresponding second detection node when the verification by the second verification module 802 passes.
Further, the apparatus further comprises a second storage module;
the second storage module is configured to store the alarm data received by the third receiving module 801 in the big data information base when the verification by the second verification module 802 passes.
Example nine
According to an embodiment of the present invention, there is provided a network attack prevention apparatus, as shown in fig. 9, including:
a fourth receiving module 901, configured to receive an attack blocking command from the second node server;
and an attack blocking module 902, configured to block the attack on the device in which the apparatus is located according to the attack blocking command received by the fourth receiving module 901.
According to an embodiment of the present invention, the attack blocking module 902 is specifically configured to detect (scan) the device and/or update the black-and-white list library.
Example ten
According to an embodiment of the present invention, there is provided a network anti-attack system, including the apparatus of any one of embodiments six to nine.
Example eleven
According to an embodiment of the present invention, there is provided a network attack prevention device, including:
one or more processors, and a storage device configured to store one or more programs;
wherein the one or more programs, when executed by the one or more processors, implement the method of any one of embodiments one to four.
In the invention, the servers of all enterprises in all areas are interconnected to form an alliance chain (consortium chain), and each server is in data communication with the detection nodes in its corresponding devices (such as computers). When the first detection node detects that the device in which it is located exhibits network attack behavior, it sends corresponding alarm data to its first node server; the first node server propagates the network attack information through the big data information network; each second node server in the big data information network then sends an attack blocking command to its corresponding second detection node, and the second detection node performs the attack blocking operation. In this method, firstly, big data information technology is applied, so that information islands are effectively avoided and large-scale transmission of network attack information is achieved through information sharing; secondly, the first node server verifies the alarm data and the second node servers perform consensus verification, so that the security and validity of the alarm data are effectively guaranteed by this double verification; thirdly, the contract system of the big data information is fully utilized, so that when a network attack occurs, the related information is rapidly and automatically transmitted to each second detection node, and each second detection node performs attack blocking, which effectively reduces the intrusion range of the network attack and guarantees the security of the devices to a great extent; finally, the tamper-resistance and traceability of the big data information are fully utilized, and by writing the related information of the network attack into the big data information base, the traceability and queryability of the network attack event are ensured, which provides an accurate data basis for subsequent work such as network attack analysis and device system vulnerability analysis.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (4)

1. A network anti-attack method based on big data is characterized by comprising the following steps:
the first detection node receives a detection request from a user, and detects equipment where the first detection node is located to obtain detection data;
the first detection node analyzes the detection data, and when the analysis result shows that the equipment exhibits network attack behavior, alarm data is generated according to the detection data and sent to a first node server, so that the first node server can transmit the alarm data in the big data information network; wherein,
when detecting the equipment where the first detection node is located to obtain the detection data, the method further comprises: recording a detection timestamp;
the generating alarm data according to the detection data comprises:
generating a detection data digest according to the detection data;
encrypting the detection data by using a private key to obtain a detection data ciphertext;
and generating alarm data in a preset format according to the detection data digest, the detection data ciphertext, the detection timestamp and the first equipment identifier of the equipment.
2. A network anti-attack method is characterized by comprising the following steps:
the first node server receiving alarm data from the first detection node;
the first node server verifies the alarm data, and when the verification passes, the first node server sends the alarm data to each second node server so that each second node server can carry out consensus verification; wherein,
the first node server verifying the alarm data comprises:
the first node server parses the alarm data to obtain a detection data digest, a detection data ciphertext, a detection timestamp and a first equipment identifier;
the first node server acquires the corresponding public key according to the first equipment identifier, and decrypts the detection data ciphertext with the public key to obtain a detection data plaintext;
calculating the digest of the detection data plaintext, and judging whether the calculated digest is consistent with the detection data digest obtained by parsing; if so, the verification is judged to have passed, otherwise the verification is judged to have failed; wherein,
the method further comprises saving the alarm data, including:
storing the detection data plaintext in a local database;
storing the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier of the first node server in a big data information base;
the sending of the alarm data to each second node server specifically comprises: sending the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier of the first node server to each second node server.
3. A network anti-attack method based on big data is characterized by comprising the following steps:
the second node server receives the alarm data sent by the first node server;
the second node server performs consensus verification on the alarm data and sends an attack blocking command to a corresponding second detection node when the verification passes; wherein,
the second node server receiving the alarm data sent by the first node server specifically comprises: the second node server receives the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier sent by the first node server;
the second node server performing consensus verification on the alarm data specifically comprises: verifying whether the second equipment identifier is a valid equipment identifier; if so, the verification is judged to have passed, otherwise the verification is judged to have failed; the sending of the attack blocking command to the corresponding second detection node when the verification passes specifically comprises: when the verification passes, sending an attack blocking command to the corresponding second detection node; and when the verification passes, the method further comprises: storing the alarm data in a big data information base.
4. A network anti-attack method based on big data is characterized by comprising the following steps:
the first detection node receives a detection request from a user, and detects equipment where the first detection node is located to obtain detection data;
the first detection node analyzes the obtained detection data, and when the analysis result shows that the equipment has network attack behavior, alarm data is generated according to the obtained detection data and is sent to the first node server;
when detecting the equipment where the first detection node is located to obtain the detection data, the method further comprises: recording a detection timestamp;
the generating alarm data according to the detection data comprises:
generating a detection data digest according to the detection data;
encrypting the detection data by using a private key to obtain a detection data ciphertext;
generating alarm data in a preset format according to the detection data digest, the detection data ciphertext, the detection timestamp and a first equipment identifier of the equipment;
the first node server verifies the received alarm data and sends the alarm data to each second node server when the verification passes;
wherein,
the first node server verifying the alarm data comprises:
the first node server parses the alarm data to obtain a detection data digest, a detection data ciphertext, a detection timestamp and a first equipment identifier;
the first node server acquires the corresponding public key according to the first equipment identifier, and decrypts the detection data ciphertext with the public key to obtain a detection data plaintext;
calculating the digest of the detection data plaintext, and judging whether the calculated digest is consistent with the detection data digest obtained by parsing; if so, the verification is judged to have passed, otherwise the verification is judged to have failed; wherein,
the method further comprises saving the alarm data, including:
storing the detection data plaintext in a local database;
storing the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier of the first node server in a big data information base;
the sending of the alarm data to each second node server specifically comprises: sending the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier of the first node server to each second node server;
the second node server performs consensus verification on the received alarm data and sends an attack blocking command to a corresponding second detection node when the verification passes;
wherein,
the second node server receiving the alarm data sent by the first node server specifically comprises: the second node server receives the detection data digest, the detection timestamp, the first equipment identifier and the second equipment identifier sent by the first node server;
the second node server performing consensus verification on the alarm data specifically comprises: verifying whether the second equipment identifier is a valid equipment identifier; if so, the verification is judged to have passed, otherwise the verification is judged to have failed; the sending of the attack blocking command to the corresponding second detection node when the verification passes specifically comprises: when the verification passes, sending an attack blocking command to the corresponding second detection node; and when the verification passes, the method further comprises: storing the alarm data in a big data information base;
the second detection node blocks the attack on the equipment where it is located according to the received attack blocking command; wherein blocking the attack on the equipment where the second detection node itself is located specifically comprises: detecting the equipment and/or updating the black-and-white list library.
CN201910267036.9A 2019-04-03 2019-04-03 Network anti-attack method based on big data Active CN110138731B (en)

Publications (2)

Publication Number Publication Date
CN110138731A CN110138731A (en) 2019-08-16
CN110138731B true CN110138731B (en) 2020-02-14

Family

ID=67569076

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant