CN110149324B - Network attack prevention method, device and equipment - Google Patents


Info

Publication number: CN110149324B
Authority: CN (China)
Application number: CN201910394753.8A
Other languages: Chinese (zh)
Other versions: CN110149324A (en)
Prior art keywords: data, detection, attack, network, abstract
Inventor: 谢超
Current assignee: Terminus Beijing Technology Co Ltd
Original assignee: Terminus Beijing Technology Co Ltd
Legal status: Active

Events: application filed by Terminus Beijing Technology Co Ltd; priority to CN201910394753.8A; publication of CN110149324A; application granted; publication of CN110149324B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a network anti-attack method, device and system, and belongs to the technical field of network security. The method comprises the following steps: the first detection node analyzes the detection data of the first detection node, and when the analysis result shows that the equipment has network attack behavior, alarm data are generated according to the detection data, the equipment identification of the equipment and the detection timestamp and are broadcasted in the distributed storage network; the consensus node acquires alarm data, performs consensus verification, and triggers an attack blocking protocol to automatically send an attack blocking command to each second detection node when the verification is passed; and each second detection node performs attack blocking on the equipment where the second detection node is located according to the received attack blocking command. The invention realizes the quick and effective transmission of the network attack related information, thereby reducing the infringement range of the network attack, greatly ensuring the safety of the equipment in the network and ensuring the traceability of the network attack event.

Description

Network attack prevention method, device and equipment
Technical Field
The present invention relates to the field of network security and distributed storage technologies, and in particular, to a method, an apparatus, and a device for preventing a network from being attacked.
Background
With the rapid development of internet technology, people's way of life has changed greatly: people read the news, shop and work online, so that, so to speak, tens of thousands of devices and an immeasurable amount of information gather in the network. Along with this, network security has become a matter of concern; in recent years, network attack events such as viruses and trojans have occurred from time to time, but not every user can discover them in time, so some users have suffered device paralysis, data loss, property loss and the like.
In order to transmit information about a network attack to each device in the network, the common practice is to distribute it through a server, so as to protect each device; however, the propagation rate through the server is limited and cannot ensure that every device in the network is notified immediately. In addition, this approach cannot ensure the accuracy of the transmitted attack information, and a false alarm can cause widespread panic. Moreover, it often fails to record the attack information in a timely and effective way, and even when the information is recorded it is at risk of being tampered with, so that subsequent attack analysis has no accurate data basis and is led in the wrong direction.
Disclosure of Invention
The purpose of the invention is realized by the following technical scheme.
In a first aspect, the present invention provides a network anti-attack method, including:
the first detection node analyzes the detection data of the first detection node, and when the analysis result shows that the equipment has network attack behavior, alarm data are generated according to the detection data, the equipment identification of the equipment and the detection timestamp;
the first detection node broadcasts the alarm data in the distributed storage network, so that all the consensus nodes in the distributed storage network can perform consensus verification and trigger an attack blocking protocol to perform attack blocking.
Optionally, generating the alarm data according to the detection data, the device identifier of the device where the first detection node is located, and the detection timestamp includes:
generating a detection data abstract according to the detection data;
generating a combined data plaintext in a preset format according to the detection data, the equipment identification and the detection timestamp;
encrypting the plaintext of the combined data by using a private key to obtain a combined data ciphertext;
and taking the detection data abstract and the combined data ciphertext as alarm data.
Optionally, the method further includes: and when the alarm data passes verification of each consensus node, the first detection node writes the alarm data into a distributed storage network.
In a second aspect, the present invention provides a network anti-attack method, including:
the consensus node acquires alarm data broadcast by the first detection node in the distributed storage network;
and the consensus node performs consensus verification on the alarm data and triggers an attack blocking protocol to block the attack when the verification is passed.
Optionally, the consensus node performs consensus verification on the alarm data, including:
the consensus node decrypts the combined data ciphertext in the alarm data according to a pre-acquired public key of the first detection node to obtain a combined data plaintext;
the consensus node judges whether the plaintext of the combined data conforms to a preset format or not, and otherwise, judges that the verification fails; if so, reading detection data in the plain text of the combined data, and generating a detection data abstract according to the read detection data;
and the consensus node judges whether the generated detection data abstract is consistent with the detection data abstract in the alarm data, if so, the verification is judged to be passed, and if not, the verification is judged to be failed.
Optionally, the triggering an attack blocking protocol to block the attack when the verification passes includes: and triggering an attack blocking protocol when the verification is passed, and sending an attack blocking command to the corresponding second detection node according to the equipment address in the attack blocking protocol.
In a third aspect, the present invention provides a network anti-attack method, including:
the second detection node receives an attack blocking command from the consensus node;
and the second detection node performs attack blocking on the equipment where the second detection node is according to the attack blocking command.
Optionally, the attack blocking performed on the device where the second detection node is located specifically includes: detecting the device and/or updating the black and white list library.
In a fourth aspect, the present invention provides a network anti-attack apparatus, including:
the detection module is used for detecting the equipment to obtain detection data;
the analysis module is used for analyzing the detection data obtained by the detection module;
the generating module is used for generating alarm data according to the detection data, the equipment identifier of the equipment and the detection timestamp when the analysis result of the analyzing module indicates that the equipment has the network attack behavior;
and the issuing module is used for broadcasting the alarm data generated by the generating module in the distributed storage network.
Optionally, the generating module includes: a generation submodule, a combination submodule, an encryption submodule and an acting submodule;
the generation submodule is used for generating a detection data abstract according to the detection data obtained by the detection module;
the combined submodule is used for generating a combined data plaintext in a preset format according to the detection data, the equipment identification and the detection timestamp;
the encryption submodule is used for encrypting the combined data plaintext generated by the combination submodule by using a private key to obtain a combined data ciphertext;
the acting submodule is used for taking the detection data summary generated by the generating submodule and the combined data ciphertext obtained by the encrypting submodule as alarm data.
Optionally, the apparatus further comprises: a recording module;
and the recording module is used for writing the alarm data into the distributed storage network after the alarm data generated by the generating module is verified by each consensus node.
In a fifth aspect, the present invention provides a network anti-attack apparatus, including:
the acquisition module is used for acquiring alarm data broadcasted by the first detection node in the distributed storage network;
the consensus verification module is used for carrying out consensus verification on the alarm data acquired by the acquisition module;
and the triggering module is used for triggering an attack blocking protocol to block the attack when the verification of the consensus verification module is passed.
Optionally, the consensus verification module includes: the device comprises a decryption submodule, a first judgment submodule, a reading generation submodule and a second judgment submodule;
the decryption submodule is used for decrypting the combined data ciphertext in the alarm data according to a pre-acquired public key of the first detection node to obtain a combined data plaintext;
the first judgment submodule is used for judging whether the combined data plaintext obtained by the decryption submodule conforms to a preset format or not;
the reading generation submodule is used for reading detection data in the combined data plaintext when the first judgment submodule judges that the combined data plaintext obtained by the decryption submodule conforms to a preset format, and generating a detection data abstract according to the read detection data;
and the second judging submodule is used for judging whether the detection data abstract generated by the reading and generating submodule is consistent with the detection data abstract in the alarm data acquired by the acquiring module, if so, the verification is judged to be passed, and if not, the verification is judged to be failed.
Optionally, the triggering module is specifically configured to: when the consensus verification module passes the verification, trigger an attack blocking protocol, and send an attack blocking command to the corresponding second detection node according to the device address in the attack blocking protocol.
In a sixth aspect, the present invention provides a network anti-attack apparatus, including:
the receiving module is used for receiving an attack blocking command from the consensus node;
and the execution module is used for carrying out attack blocking on the equipment where the execution module is located according to the attack blocking command received by the receiving module.
Optionally, the execution module is specifically configured to: detect the device and/or update its black and white list library.
In a seventh aspect, the present invention provides a network anti-attack system, including: the device according to any one of the fourth, fifth and sixth aspects of the present invention.
In an eighth aspect, the present invention provides a network attack prevention device, including:
one or more processors, storage devices to store one or more programs;
the one or more programs, when executed by the one or more processors, implement the method of any of the first, second, and third aspects of the present invention.
The invention has the advantages that:
In the invention, network security technology is combined with distributed storage network technology. While the first detection node monitors the environmental security condition of the device where it is located, it broadcasts the corresponding alarm data in the distributed storage network as soon as network attack behavior is found; each consensus node in the distributed storage network performs consensus verification on the alarm data and, when the verification passes, automatically triggers the deployed attack blocking protocol, which sends the information about the network attack to the second detection node in every other device, so that each second detection node carries out the corresponding attack blocking operation. This effectively reduces the scope of harm of the network attack, protects the devices, and ensures the security and accuracy of the alarm data: when a network attack occurs, its related information is transmitted quickly and automatically to every second detection node. At the same time, the tamper-resistance and traceability of the distributed storage network are fully utilized: the alarm data are written into the distributed storage network, which ensures the accuracy of the alarm data and the traceability of the network attack event and provides an accurate data basis for subsequent network attack analysis.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a network anti-attack method applied to a first detection node according to an embodiment of the invention;
FIG. 2 is a flow chart of a network anti-attack method applied to a consensus node according to an embodiment of the present invention;
FIG. 3 is a flow chart of a network anti-attack method applied to a second detection node according to an embodiment of the invention;
FIG. 4 is a flow chart of a network anti-attack method according to an embodiment of the invention;
FIG. 5 is a block diagram of the components of a first network anti-attack apparatus according to an embodiment of the present invention;
FIG. 6 is a block diagram of the components of a second network anti-attack apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of the components of a third network anti-attack apparatus according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Example one
According to an embodiment of the present invention, there is provided a network anti-attack method applied to a first detection node, as shown in fig. 1, including:
step 101: the first detection node analyzes the detection data of the first detection node, and when the analysis result shows that the equipment has network attack behavior, alarm data are generated according to the detection data, the equipment identification of the equipment and the detection timestamp;
According to the embodiment of the present invention, step 101 further comprises: the first detection node receives a detection request from a user and detects the security state of the device where the first detection node is located to obtain detection data.
According to the embodiment of the present invention, the generating of the alarm data according to the detection data, the device identifier of the device, and the detection timestamp in step 101 includes:
step A1: generating a detection data abstract according to the detection data;
step A2: generating a combined data plaintext in a preset format according to the detection data, the equipment identification, the detection timestamp and the abstract generation rule;
step A3: encrypting the plaintext of the combined data by using a private key to obtain a ciphertext of the combined data;
step A4: and taking the detection data abstract and the combined data ciphertext as alarm data.
Generating the combined data plaintext in the preset format according to the detection data, the device identifier, the detection timestamp and the digest generation rule specifically comprises: sequentially splicing the detection timestamp, the device identifier and the detection data with a hyphen character.
According to the method, the format of the plaintext of the combined data is preset, so that when the subsequent consensus node performs consensus authentication on the alarm data, the detection data in the alarm data is read according to the preset format; therefore, the problem that an initiator of an attack behavior can release malicious messages randomly in the distributed storage network by using the first detection node after equipment corresponding to the first detection node is attacked is effectively avoided.
It should be noted that the format of the plaintext of the combined data can be set according to the requirement, and is not limited to the above format; further, the specific process of analyzing the detection data in step 101 may be any practicable analysis method in the prior art, which is not limited by the present invention.
Step 102: the first detection node broadcasts the generated alarm data in the distributed storage network, so that all the consensus nodes in the distributed storage network perform consensus verification and trigger an attack blocking protocol to perform attack blocking.
According to an embodiment of the invention, the method further comprises: and when the alarm data are verified by all the consensus nodes, the first detection node writes the alarm data into the distributed storage network.
In the invention, when the first detection node detects the network attack behavior, the corresponding alarm data is broadcasted in the distributed storage network so as to quickly and accurately transmit the network attack behavior to each second detection node through the distributed storage network, so that each second detection node blocks the attack of the corresponding equipment, thereby greatly reducing the infringement range of the network attack; meanwhile, the alarm data are written into the distributed storage network, so that accurate data base is provided for the follow-up analysis of the attack behavior.
Example two
According to an embodiment of the present invention, there is also provided a network anti-attack method applied to a consensus node, as shown in fig. 2, including:
step 201: the consensus node acquires alarm data broadcast by the first detection node in the distributed storage network;
step 202: and the consensus node performs consensus verification on the acquired alarm data and triggers an attack blocking protocol to perform attack blocking when the verification is passed.
The consensus node performs consensus verification on the acquired alarm data, and the consensus verification comprises the following steps:
step B1: the consensus node decrypts the combined data ciphertext in the acquired alarm data according to the pre-acquired public key of the first detection node to obtain a combined data plaintext;
step B2: the consensus node judges whether the obtained combined data plaintext accords with a preset format or not, and otherwise, the verification is judged to fail; if so, reading the detection data in the combined data plaintext, and generating a detection data abstract according to the read detection data;
Preferably, the specific steps by which the consensus node judges whether the obtained combined data plaintext conforms to the preset format are: judging whether the detection timestamp, the device identifier and the detection data in the combined data plaintext are sequentially spliced by the preset connector character; if so, the obtained combined data plaintext is judged to conform to the preset format; otherwise, it is judged not to conform to the preset format; the preset connector character is specifically "-".
Step B3: and the consensus node judges whether the generated detection data abstract is consistent with the detection data abstract in the acquired alarm data, if so, the verification is passed, and otherwise, the verification is not passed.
Further, in step 202, when the verification passes, an attack blocking protocol is triggered to block the attack, specifically: triggering an attack blocking protocol when the verification is passed, and automatically sending an attack blocking command to a corresponding second detection node according to the equipment address in the attack blocking protocol;
wherein, the device address is, for example, an IP address; the attack blocking command comprises the relevant information of the network attack behavior, the operation type of the attack blocking and the like.
It should be noted that the attack blocking protocol in the present invention may be one or more, and the attack blocking protocol may be set according to the requirement.
In the invention, an attack blocking protocol is preset according to information such as equipment identification, equipment address, attack blocking command and the like of each equipment and is deployed in a distributed storage network, when a network attack action occurs, the attack blocking protocol is automatically triggered, and the attack blocking command is sent to the equipment corresponding to the equipment address in the attack blocking protocol, so that a second detection node in each equipment performs attack blocking operation.
Further, before triggering the attack blocking protocol and sending an attack blocking command to the device corresponding to each device address, the method further includes: looking up the device address corresponding to the device identifier in the alarm data, and sending the attack blocking command to the devices at all other device addresses except the one found.
In the invention, each consensus node performs consensus verification on the alarm data in the distributed storage network, which effectively ensures the accuracy of the alarm data and avoids the network paralysis that would result from a network attack initiator using the first detection node to issue malicious messages in the distributed storage network.
Example three
According to an embodiment of the present invention, there is also provided a network anti-attack method for a second detection node, as shown in fig. 3, including:
step 301: the second detection node receives an attack blocking command from the consensus node;
step 302: and the second detection node performs attack blocking on the equipment where the second detection node is according to the received attack blocking command.
Here, the attack blocking performed on the device where the second detection node is located specifically comprises: detecting the device and/or updating the black and white list library.
In the invention, when the second detection node receives the attack blocking command, the environment safety condition of the equipment where the second detection node is located is automatically detected, and operations such as bug fixing or patch installation are carried out to effectively avoid network attack; and/or updating the local black and white list library according to the relevant information of the network attack behavior contained in the attack blocking command so as to block the invasion of the network attack.
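The three node roles of Examples one to three (steps 101 to 302), taken together as one added illustration that is not code from the patent or from Terminus: a first detection node builds alarm data from a SHA-256 abstract plus the hyphen-joined `timestamp-deviceid-data` plaintext encrypted under its private key (steps A1 to A4); a consensus node decrypts with the public key, checks the preset format and recomputes the abstract (steps B1 to B3); and the attack blocking protocol then addresses every device in the address list except the one that raised the alarm. The toy RSA parameters, SHA-256 as the abstract function, the field names, the address book and the command contents are all assumptions; the patent fixes none of them.

```python
"""Alarm generation, consensus verification and blocking dispatch (added illustration)."""
import hashlib
import hmac
import re

# Toy RSA built from two known Mersenne primes so that the example runs offline.
# Assumption, not the patent's choice: a deployment would use a real signature scheme
# and key sizes; these parameters are far too small to protect anything.
_P = 2**61 - 1
_Q = 2**89 - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
BLOCK = 16                              # plaintext bytes per block
CT_BYTES = (N.bit_length() + 7) // 8    # bytes per ciphertext block


def private_encrypt(data: bytes, d: int = D, n: int = N) -> bytes:
    """Step A3, 'encrypt the plaintext with the private key': each block m -> m^d mod n.
    A leading 0x01 marker keeps every block below n and preserves leading zero bytes."""
    out = b""
    for i in range(0, len(data), BLOCK):
        m = int.from_bytes(b"\x01" + data[i:i + BLOCK], "big")
        out += pow(m, d, n).to_bytes(CT_BYTES, "big")
    return out


def public_decrypt(ct: bytes, e: int = E, n: int = N) -> bytes:
    """Step B1, 'decrypt with the pre-acquired public key': each block c -> c^e mod n."""
    if len(ct) % CT_BYTES:
        raise ValueError("ciphertext length is not a whole number of blocks")
    out = b""
    for i in range(0, len(ct), CT_BYTES):
        m = pow(int.from_bytes(ct[i:i + CT_BYTES], "big"), e, n)
        raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
        if raw[:1] != b"\x01":
            raise ValueError("block marker missing: wrong key or tampered ciphertext")
        out += raw[1:]
    return out


def abstract(detection_data: str) -> str:
    """Step A1, the detection data abstract; SHA-256 is an assumed choice."""
    return hashlib.sha256(detection_data.encode()).hexdigest()


def build_alarm(detection_data: str, device_id: str, timestamp: int, d: int = D) -> dict:
    """Steps A1-A4 on the first detection node: abstract plus ciphertext of the
    preset-format plaintext 'timestamp-deviceid-data' (device ids must not contain '-')."""
    plaintext = f"{timestamp}-{device_id}-{detection_data}"
    return {"abstract": abstract(detection_data),
            "ciphertext": private_encrypt(plaintext.encode(), d)}


# Preset format: digits, then a hyphen-free device identifier, then the detection data.
_FORMAT = re.compile(r"^(\d+)-([A-Za-z0-9_.:]+)-(.+)$", re.S)


def verify_alarm(alarm: dict, e: int = E, n: int = N) -> tuple:
    """Steps B1-B3 on one consensus node. Returns (passed, parsed fields or None)."""
    try:
        plaintext = public_decrypt(alarm["ciphertext"], e, n).decode()
    except (ValueError, UnicodeDecodeError):
        return False, None
    match = _FORMAT.match(plaintext)                      # B2: preset format check
    if not match:
        return False, None
    ts, dev, data = match.groups()
    if not hmac.compare_digest(abstract(data), alarm["abstract"]):   # B3: abstracts agree
        return False, None
    return True, {"timestamp": int(ts), "device_id": dev, "detection_data": data}


def blocking_commands(fields: dict, address_book: dict) -> list:
    """Attack blocking protocol: one command per device address in the protocol,
    skipping the address that belongs to the device identifier in the alarm data."""
    return [(addr, {"operation": "scan_and_update_lists",     # assumed operation type
                    "source_device": fields["device_id"],
                    "detection_data": fields["detection_data"],
                    "timestamp": fields["timestamp"]})
            for dev, addr in sorted(address_book.items()) if dev != fields["device_id"]]


if __name__ == "__main__":
    # Constructed sample: device dev07 reports a finding at a fixed timestamp.
    alarm = build_alarm("suspicious-process: /tmp/x.sh", "dev07", 1557000000)
    ok, fields = verify_alarm(alarm)
    print("consensus verification:", ok)
    book = {"dev07": "10.0.0.7", "dev08": "10.0.0.8", "dev09": "10.0.0.9"}   # constructed
    for addr, cmd in blocking_commands(fields, book):
        print("blocking command ->", addr, cmd["operation"])
```

Every consensus node runs `verify_alarm` independently; the page requires all of them to pass before the alarm is written to the distributed storage network, so a deployment would collect the per-node results and gate the write on unanimity. Note that the 0x01 block marker, the format regex and the abstract comparison are three separate rejections: a ciphertext produced under the wrong private key, a plaintext that does not follow the preset format, and a plaintext whose detection data does not hash to the carried abstract each fail at a different step.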
Example four
According to an embodiment of the present invention, there is provided a network attack prevention method, as shown in fig. 4, including:
step 401: the first detection node analyzes the detection data of the first detection node, generates alarm data according to the detection data, the equipment identification of the equipment and the detection timestamp when the analysis result shows that the equipment has network attack behavior, and broadcasts the generated alarm data in the distributed storage network;
step A1: generating a detection data abstract and an abstract generation rule matrix according to the detection data;
step A2: generating a combined data plaintext in a preset format according to the detection data, the equipment identification, the detection timestamp and the abstract generation rule matrix;
step A3: encrypting the plaintext of the combined data by using a private key to obtain a ciphertext of the combined data;
step A4: and taking the detection data abstract and the combined data ciphertext as alarm data.
In step a1, generating a detection data summary and a summary generation rule matrix according to the read detection data includes:
extracting multiple groups of data from the detection data as base data, preferably the first m × n groups in the detection data sequence, to form an m × n order matrix C_source:
[matrix C_source, shown only as an image in the original: Figure BDA0002057810860000091]
the first detection node randomly generates an m × N order matrix K_random as the random matrix K_random:
[matrix K_random, shown only as an image in the original: Figure BDA0002057810860000092]
matrix C_source is mapped onto matrix K_random to obtain matrix Z_abstract as the detection data abstract Z_abstract;
the digest generation rule matrix F_rule is generated as
[matrix F_rule, shown only as an image in the original: Figure BDA0002057810860000094]
Among them, m = n is preferable.
Generating the combined data plaintext in the preset format according to the detection data, the device identifier, the detection timestamp and the digest generation rule matrix F_rule specifically comprises: sequentially splicing the detection timestamp, the device identifier, the detection data and the digest generation rule matrix F_rule with the connector character "-".
In the invention, the format of the combined data plaintext is preset, so that when the consensus node subsequently performs consensus verification on the alarm data, it reads the detection data and the digest generation rule matrix F_rule from the alarm data according to the preset format, generates the detection data abstract to be matched Z_abstract_la from the detection data and F_rule, and matches it against the detection data abstract Z_abstract in the alarm data; if the two are consistent, the verification is judged to pass. This effectively avoids the problem that, after the device corresponding to the first detection node has been attacked, an initiator of the attack could use the first detection node to release arbitrary malicious messages in the distributed storage network.
Step 402: the consensus node acquires alarm data broadcast in the distributed storage network, performs consensus verification, and triggers an attack blocking protocol to automatically send an attack blocking command to each second detection node when the verification is passed;
the process of carrying out consensus verification on the acquired alarm data by the consensus node comprises the following steps:
step B1: the consensus node decrypts the combined data ciphertext in the acquired alarm data according to the pre-acquired public key of the first detection node to obtain a combined data plaintext;
step B2: the consensus node judges whether the obtained combined data plaintext conforms to the preset format; if not, the verification is judged to fail; if yes, the detection data and the digest generation rule matrix F_rule in the combined data plaintext are read, and the detection data digest Z_abstract_la is generated according to the read detection data and F_rule. The specific generation process is as follows:
reading the detection data and the digest generation rule matrix F_rule from the combined data plaintext;
extracting multiple groups of data from the detection data as base data, the size of the base data being determined by the digest generation rule matrix F_rule; preferably, the first m×n groups of data in the detection data sequence are taken to form an m×n matrix C_source_la:
Figure BDA0002057810860000101
resolving the random matrix K_random_la from C_source_la and the digest generation rule matrix F_rule, and mapping the matrix C_source_la onto the random matrix K_random_la to obtain the detection data digest to be matched, Z_abstract_la.
Preferably, the consensus node judges whether the obtained combined data plaintext conforms to the preset format as follows: it judges whether the detection timestamp, the device identifier, the detection data and the digest generation rule matrix F_rule in the combined data plaintext are spliced in sequence by a preset connecting character; if so, the obtained combined data plaintext conforms to the preset format; otherwise, it is judged not to conform to the preset format. The preset connecting character is specifically "-".
Step B3: the consensus node judges whether the generated detection data digest to be matched, Z_abstract_la, is consistent with the detection data digest Z_abstract in the acquired alarm data; if the two are consistent, the verification is judged to pass, otherwise the verification is judged to fail.
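The alarm generation steps A1 to A4 and the consensus verification steps B1 to B3 above, carried through end to end in Go as an added example; this is not code from the patent or from its assignee. The patent's matrix images are absent from this page, so the example assumes m = 2, n = 3, an element-wise byte-addition mapping (Z = C + K mod 256, with F_rule = K - C so that K can be resolved from C and F_rule), and hex encoding of the two variable-length fields of the combined plaintext. "Encrypting with the private key" is realised with an Ed25519 signature over the combined plaintext, because that is the property the verification relies on; "decrypting with the public key" in step B1 then becomes signature verification. Names such as GenerateAlarm, VerifyAlarm and combine are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed matrix dimensions; the patent leaves m and n to the implementer.
const (
	M = 2
	N = 3
)

// Matrix is an m x n matrix of bytes stored row-major; C_source, K_random, Z_abstract and F_rule share this shape.
type Matrix [M * N]byte

// AlarmData mirrors the patent's alarm data: the digest Z_abstract plus the combined data ciphertext.
// "Encrypting with the private key" is in practice a signature, so Signed holds an Ed25519
// signature followed by the combined plaintext it covers.
type AlarmData struct {
	Digest Matrix
	Signed []byte // signature (64 bytes) || combined plaintext
}

// toMatrix takes the first m*n bytes of data as the base data (C_source).
func toMatrix(data []byte) (Matrix, error) {
	var c Matrix
	if len(data) < M*N {
		return c, errors.New("data shorter than m*n base-data groups")
	}
	copy(c[:], data)
	return c, nil
}

// combine is the assumed mapping of one matrix onto another: element-wise byte addition
// (Z = C + K mod 256). With sign = 255 it subtracts (255*b == -b mod 256), giving F_rule = K - C.
func combine(a, b Matrix, sign byte) Matrix {
	var out Matrix
	for i := range out {
		out[i] = a[i] + sign*b[i]
	}
	return out
}

// GenerateAlarm implements steps A1-A4 on the first detection node.
func GenerateAlarm(priv ed25519.PrivateKey, timestamp, deviceID string, detection []byte) (AlarmData, error) {
	// The preset connecting character is "-", so the fixed fields must not contain it (Unix seconds, not ISO dates).
	if timestamp == "" || deviceID == "" || strings.ContainsAny(timestamp+deviceID, "-") {
		return AlarmData{}, errors.New("timestamp and device identifier must be non-empty and free of '-'")
	}
	c, err := toMatrix(detection)
	if err != nil {
		return AlarmData{}, err
	}
	var k Matrix // K_random: a fresh random matrix for every alarm
	if _, err := rand.Read(k[:]); err != nil {
		return AlarmData{}, err
	}
	z := combine(c, k, 1)   // A1: Z_abstract = C_source mapped onto K_random
	f := combine(k, c, 255) // A1: F_rule; a verifier recovers K_random as F_rule + C_source
	// A2: timestamp - deviceID - detection data - F_rule joined by "-"; the variable-length
	// fields are hex-encoded so the separator stays unambiguous (assumption).
	plain := strings.Join([]string{timestamp, deviceID, hex.EncodeToString(detection), hex.EncodeToString(f[:])}, "-")
	sig := ed25519.Sign(priv, []byte(plain))                       // A3
	return AlarmData{Digest: z, Signed: append(sig, plain...)}, nil // A4
}

// VerifyAlarm implements steps B1-B3 on a consensus node holding the first node's public key.
func VerifyAlarm(pub ed25519.PublicKey, a AlarmData) bool {
	// B1: with a signature scheme, "decrypting with the public key" means verifying the signature.
	if len(a.Signed) < ed25519.SignatureSize {
		return false
	}
	sig, plain := a.Signed[:ed25519.SignatureSize], a.Signed[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, plain, sig) {
		return false
	}
	// B2: the preset format is exactly four non-empty fields joined by "-".
	fields := strings.Split(string(plain), "-")
	if len(fields) != 4 || fields[0] == "" || fields[1] == "" {
		return false
	}
	detection, err1 := hex.DecodeString(fields[2])
	fBytes, err2 := hex.DecodeString(fields[3])
	cla, err3 := toMatrix(detection) // C_source_la from the detection data read from the plaintext
	if err1 != nil || err2 != nil || err3 != nil || len(fBytes) != M*N {
		return false
	}
	f, _ := toMatrix(fBytes)    // F_rule read from the plaintext
	kla := combine(f, cla, 1)   // K_random_la resolved from C_source_la and F_rule
	zla := combine(cla, kla, 1) // Z_abstract_la, the digest to be matched
	return zla == a.Digest      // B3: must equal the digest carried in the alarm data
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	alarm, _ := GenerateAlarm(priv, "1557720000", "dev01", []byte("SYN flood from 198.51.100.7"))
	fmt.Println("consensus verification passed:", VerifyAlarm(pub, alarm))
}
```

Two points a practitioner should take from it. First, the detection data digest is a consistency check between the sealed digest and the signed plaintext, not a cryptographic hash: every matrix needed to recompute Z_abstract is recoverable from the plaintext, so the integrity of the alarm rests on the signature and on each consensus node holding an authentic copy of the first node's public key. Second, because the preset connecting character is "-", a timestamp or device identifier containing a hyphen (an ISO date, a hyphenated hostname) would break the format check in step B2, which is why the example refuses such values at generation time rather than letting the alarm fail verification later.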
Further, in step 402, triggering the attack blocking protocol to block the attack when the verification passes specifically means: when the verification passes, the attack blocking protocol is triggered and an attack blocking command is automatically sent to each corresponding second detection node according to the device addresses in the attack blocking protocol;
step 403: and each second detection node performs attack blocking on the equipment where the second detection node is located according to the received attack blocking command.
Specifically, each second detection node detects and/or updates the black-and-white list library of the device where the second detection node is located according to the received attack blocking command.
In the invention, when the second detection node receives the attack blocking command, the environment safety condition of the equipment where the second detection node is located is automatically detected, and operations such as bug fixing or patch installation are carried out to effectively avoid network attack; and/or updating the local black and white list library according to the relevant information of the network attack behavior contained in the attack blocking command so as to block the invasion of the network attack.
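Steps 402 and 403 as an added example of how a consensus node fans the attack blocking command out to the device addresses in the protocol and how a second detection node applies it to its black-and-white list library; this is not code from the patent or its assignee. The operation type names, the command fields, the canonicalisation of addresses and the list policy (white list entries win, and a received command may not blacklist them) are assumptions; the patent only states that the command carries the attack information and the type of blocking operation, and that the node detects its device and/or updates the list library.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// Blocking operation types. The patent says the command carries the attack information and the
// blocking operation type; these names are assumptions.
const (
	OpUpdateBlackList = "update_black_list"
	OpUpdateWhiteList = "update_white_list"
	OpSelfCheck       = "self_check" // run the environment security check / patching
)

// BlockingProtocol is the deployed attack blocking protocol: the device addresses of the
// second detection nodes to notify once consensus verification passes.
type BlockingProtocol struct{ DeviceAddresses []string }

// AttackInfo is the relevant information of the network attack behaviour taken from verified alarm data.
type AttackInfo struct{ SourceIP, Reason string }

// BlockCommand is one attack blocking command addressed to one second detection node.
type BlockCommand struct {
	DeviceAddress string
	Operation     string
	Attack        AttackInfo
}

// Trigger fans the attack information out to every address in the protocol (end of step 402).
func Trigger(p BlockingProtocol, info AttackInfo, op string) []BlockCommand {
	cmds := make([]BlockCommand, 0, len(p.DeviceAddresses))
	for _, addr := range p.DeviceAddresses {
		cmds = append(cmds, BlockCommand{DeviceAddress: addr, Operation: op, Attack: info})
	}
	return cmds
}

// ListLibrary is the black-and-white list library kept on each device.
type ListLibrary struct {
	mu     sync.Mutex
	black  map[string]string // canonical address -> reason it was blocked
	white  map[string]bool
	checks int // self-checks requested; stands in for the environment check and patching
}

// NewListLibrary builds an empty library with the given addresses pre-whitelisted.
func NewListLibrary(whitelisted ...string) *ListLibrary {
	l := &ListLibrary{black: map[string]string{}, white: map[string]bool{}}
	for _, w := range whitelisted {
		if ip := net.ParseIP(w); ip != nil {
			l.white[ip.String()] = true
		}
	}
	return l
}

// Apply is what a second detection node does with one received command (step 403).
func (l *ListLibrary) Apply(cmd BlockCommand) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if cmd.Operation == OpSelfCheck {
		l.checks++
		return nil
	}
	if cmd.Operation != OpUpdateBlackList && cmd.Operation != OpUpdateWhiteList {
		return fmt.Errorf("unknown blocking operation %q", cmd.Operation)
	}
	ip := net.ParseIP(cmd.Attack.SourceIP)
	if ip == nil {
		return fmt.Errorf("invalid address %q in blocking command", cmd.Attack.SourceIP)
	}
	key := ip.String() // canonical form, so "::ffff:1.2.3.4" and "1.2.3.4" are one entry
	if cmd.Operation == OpUpdateWhiteList {
		l.white[key] = true
		delete(l.black, key)
		return nil
	}
	// Policy: a consensus-driven block must never lock out a whitelisted peer such as the
	// management network; the command is refused and reported instead of applied.
	if l.white[key] {
		return fmt.Errorf("refusing to blacklist whitelisted address %s", key)
	}
	l.black[key] = cmd.Attack.Reason
	return nil
}

// Allowed decides whether traffic from addr is admitted: the white list wins, then the black list.
func (l *ListLibrary) Allowed(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false // unparsable addresses are dropped, never admitted by default
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.white[ip.String()] {
		return true
	}
	_, blocked := l.black[ip.String()]
	return !blocked
}

// SelfChecks reports how many environment checks the node has been told to run.
func (l *ListLibrary) SelfChecks() int { l.mu.Lock(); defer l.mu.Unlock(); return l.checks }

func main() {
	// Constructed sample: two second detection nodes and one attack source (not from the patent).
	cmds := Trigger(BlockingProtocol{DeviceAddresses: []string{"10.0.0.2", "10.0.0.3"}},
		AttackInfo{SourceIP: "198.51.100.7", Reason: "SYN flood"}, OpUpdateBlackList)
	lib := NewListLibrary("10.0.0.1")
	fmt.Println(lib.Apply(cmds[0]), lib.Allowed("198.51.100.7"))
}
```

The refusal to blacklist a whitelisted address is the defensive detail worth keeping: a blocking command is only as trustworthy as the consensus that produced it, and an automated fan-out that can cut a device off from its own management network is an availability risk in itself, so commands that would do that are surfaced as errors for an operator rather than silently applied.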
In this embodiment, the first detection node broadcasts the alarm data in the distributed storage network, so that the network attack information is transmitted quickly and effectively to the second detection nodes; meanwhile, the consensus mechanism, which includes format verification and a second verification that the plaintext content matches the alarm data content via the detection data digest, ensures the correctness of the data transmission process, verifies the correctness of the decryption process, and also ensures the accuracy and validity of the alarm data.
Example five
According to an embodiment of the present invention, there is provided a network attack-prevention device, as shown in fig. 5, including:
the detection module 501 is used for detecting the equipment to obtain detection data;
an analysis module 502, configured to analyze the detection data obtained by the detection module 501;
a generating module 503, configured to generate alarm data according to the detection data obtained by the detecting module 501, the device identifier of the device, and the detection timestamp when the analysis result of the analyzing module 502 indicates that the device has a network attack behavior;
a publishing module 504, configured to broadcast the alarm data generated by the generating module 503 in the distributed storage network.
According to an embodiment of the present invention, the generating module 503 includes: a generation sub-module, a combination sub-module, an encryption sub-module and a sub-module, wherein:
the generation submodule is used for generating a detection data abstract according to the detection data obtained by the detection module 501;
the combined submodule is used for generating a combined data plaintext in a preset format according to the detection data, the equipment identifier, the detection timestamp and the abstract generation rule which are obtained by the detection module 501;
the encryption submodule is used for encrypting the combined data plaintext generated by the combination submodule by using a private key to obtain a combined data ciphertext;
and the sub-module is used for taking the detection data summary generated by the generation sub-module and the combined data ciphertext obtained by the encryption sub-module as alarm data.
The combination sub-module is preferably specifically configured to splice the detection timestamp, the device identifier and the detection data in sequence with a hyphen character.
According to an embodiment of the invention, the apparatus further comprises: a recording module;
and a recording module, configured to write the alarm data generated by the generating module 503 into the distributed storage network after it has passed the verification of each consensus node.
Example six
According to an embodiment of the present invention, there is provided a network attack-prevention device, as shown in fig. 6, including:
an obtaining module 601, configured to obtain alarm data broadcasted by a first detection node in a distributed storage network;
a consensus verification module 602, configured to perform consensus verification on the alarm data acquired by the acquisition module 601;
the triggering module 603 is configured to trigger an attack blocking protocol to block the attack when the consensus verification performed by the consensus verification module 602 passes.
According to an embodiment of the invention, the consensus verification module 602 comprises: the device comprises a decryption submodule, a first judgment submodule, a reading generation submodule and a second judgment submodule, wherein:
the decryption submodule is used for decrypting the combined data ciphertext in the alarm data acquired by the acquisition module 601 according to the pre-acquired public key of the first detection node to obtain a combined data plaintext;
the first judgment submodule is used for judging whether the combined data plaintext obtained by the decryption submodule conforms to a preset format or not;
the reading generation submodule is used for reading detection data in the combined data plaintext when the first judgment submodule judges that the combined data plaintext obtained by the decryption submodule accords with the preset format, and generating a detection data abstract according to the read detection data;
and the second judging submodule is configured to judge whether the detection data digest generated by the reading and generating submodule is consistent with the detection data digest in the alarm data acquired by the acquiring module 501, if yes, the verification is determined to be passed, and otherwise, the verification is determined to be failed.
According to an embodiment of the present invention, the triggering module 603 is specifically configured to: when the verification by the consensus verification module 602 passes, trigger the attack blocking protocol and send an attack blocking command to the corresponding second detection node according to the device address in the attack blocking protocol.
Wherein, the device address is, for example, an IP address; the attack blocking command comprises the relevant information of the network attack behavior, the operation type of the attack blocking and the like.
Example seven
According to an embodiment of the present invention, there is provided a network attack-prevention device, as shown in fig. 7, including:
a receiving module 701, configured to receive an attack blocking command from a consensus node;
the executing module 702 is configured to perform attack blocking on the device where the executing module is located according to the attack blocking command received by the receiving module 701.
According to an embodiment of the present invention, the executing module 702 is specifically configured to: and detecting and/or updating the black and white list library for the equipment.
It should be noted that the network anti-attack apparatus in this embodiment and the network anti-attack apparatus provided in the fourth embodiment together form a detection apparatus; the detection apparatus is disposed in each device and is configured to detect the environmental security condition of the device, and to execute an attack blocking operation when another detection apparatus detects network attack behaviour, that is, when it receives an attack blocking command.
Correspondingly, the executing module 702 is specifically configured to: the black and white list library is updated and/or the device is detected by the detection module 501 provided in the fourth embodiment.
Example eight
According to an embodiment of the present invention, a network anti-attack system is provided, which includes the network anti-attack apparatus provided in any one of the fifth embodiment, the sixth embodiment, and the seventh embodiment.
Example nine
According to an embodiment of the present invention, there is provided a network attack prevention apparatus including: one or more processors, storage devices to store one or more programs; the one or more programs, when executed by the one or more processors, implement the method as provided in any of embodiments one, two, and three.
In the invention, network security technology is combined with distributed storage network technology. While a first detection node detects the environmental security condition of the device in which it is located, it broadcasts corresponding alarm data in the distributed storage network as soon as network attack behaviour is found; each consensus node in the distributed storage network performs consensus verification on the alarm data, and when the verification passes the deployed attack blocking protocol is triggered automatically, so that the relevant information of the network attack is sent automatically to each second detection node in the other devices and each second detection node carries out the corresponding attack blocking operation. This effectively reduces the range over which the network attack can do harm, ensures the security of the devices, and ensures the security and accuracy of the alarm data, so that when a network attack occurs its relevant information is transmitted quickly and automatically to each second detection node. Meanwhile, the tamper-resistant and traceable characteristics of the distributed storage network are fully used: the alarm data are written into the distributed storage network, which ensures the accuracy of the alarm data and the traceability of the network attack event and provides an accurate data basis for subsequent network attack analysis.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (5)

1. A network anti-attack method is characterized by comprising the following steps:
step 401: the first detection node analyzes the detection data of the first detection node, generates alarm data according to the detection data, the equipment identification of the equipment and the detection timestamp when the analysis result shows that the equipment has network attack behavior, and broadcasts the generated alarm data in the distributed storage network; which specifically comprises
Step A1: generating a detection data abstract and an abstract generation rule matrix according to the detection data;
step A2: generating a combined data plaintext in a preset format according to the detection data, the equipment identification, the detection timestamp and the abstract generation rule matrix;
step A3: encrypting the plaintext of the combined data by using a private key to obtain a ciphertext of the combined data;
step A4: taking the detection data abstract and the combined data ciphertext as alarm data;
In step A1, generating the detection data digest and the digest generation rule matrix according to the read detection data comprises:
extracting multiple groups of data from the detection data as base data to form an m×n matrix C_source;
the first detection node randomly generates an m×n matrix K_random as the random matrix K_random:
Figure FDA0002281480430000012
mapping the matrix C_source onto the matrix K_random to obtain the matrix Z_abstract as the detection data digest Z_abstract:
Figure FDA0002281480430000013
the generated digest generation rule matrix F_rule is:
Figure FDA0002281480430000021
Step 402: the consensus node acquires alarm data broadcast in the distributed storage network, performs consensus verification, and triggers an attack blocking protocol to automatically send an attack blocking command to each second detection node when the verification is passed;
the process of carrying out consensus verification on the acquired alarm data by the consensus node comprises the following steps:
step B1: the consensus node decrypts the combined data ciphertext in the acquired alarm data according to the pre-acquired public key of the first detection node to obtain a combined data plaintext;
step B2: the consensus node judges whether the obtained combined data plaintext conforms to the preset format; if not, the verification is judged to fail; if yes, the detection data and the digest generation rule matrix F_rule in the combined data plaintext are read, and the detection data digest Z_abstract_la is generated according to the read detection data and F_rule; the specific generation process is as follows:
reading the detection data and the digest generation rule matrix F_rule from the combined data plaintext;
extracting multiple groups of data from the detection data as base data, the size of the base data being determined by the data in the digest generation rule matrix F_rule, to form an m×n matrix C_source_la:
Figure FDA0002281480430000022
resolving the random matrix K_random_la from C_source_la and the digest generation rule matrix F_rule, and mapping the matrix C_source_la onto the random matrix K_random_la to obtain the detection data digest to be matched, Z_abstract_la;
step B3: the consensus node judges whether the generated detection data digest to be matched, Z_abstract_la, is consistent with the detection data digest Z_abstract in the acquired alarm data; if so, the verification is judged to pass, otherwise the verification is judged to fail;
step 403: each second detection node performs attack blocking on the equipment where the second detection node is located according to the received attack blocking command;
the specific steps of the consensus node judging whether the obtained combined data plaintext conforms to the preset format are as follows:
judging whether the detection timestamp, the device identifier and the detection data in the combined data plaintext are spliced in sequence by a preset connecting character; if so, judging that the obtained combined data plaintext conforms to the preset format; otherwise, judging that the obtained combined data plaintext does not conform to the preset format; wherein the preset connecting character is specifically "-".
2. The network attack prevention method according to claim 1, wherein performing attack blocking on the device where the second detection node is located specifically comprises:
detecting the device where the second detection node is located and/or updating the black and white list library.
3. The method of claim 2,
when the second detection node receives the attack blocking command, the environment safety condition of the equipment where the second detection node is located is automatically detected, and vulnerability repair or patch installation operation is carried out to effectively avoid network attack; and/or updating the local black and white list library according to the relevant information of the network attack behavior contained in the attack blocking command so as to block the invasion of the network attack.
4. A network attack prevention apparatus for performing the method of any one of claims 1 to 3, comprising:
the acquisition module is used for acquiring alarm data broadcasted by the first detection node in the distributed storage network;
the consensus verification module is used for carrying out consensus verification on the alarm data acquired by the acquisition module;
and the triggering module is used for triggering an attack blocking protocol to block the attack when the verification by the consensus verification module passes.
5. A network attack prevention device, comprising:
one or more processors, storage devices to store one or more programs;
the one or more programs, when executed by the one or more processors, implement the method of any of claims 1-3.
CN201910394753.8A 2019-05-13 2019-05-13 Network attack prevention method, device and equipment Active CN110149324B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910394753.8A CN110149324B (en) 2019-05-13 2019-05-13 Network attack prevention method, device and equipment

Publications (2)

Publication Number Publication Date
CN110149324A CN110149324A (en) 2019-08-20
CN110149324B true CN110149324B (en) 2020-02-14

Family

ID=67595118

Country Status (1)

Country Link
CN (1) CN110149324B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant