CN111541675A - Network security protection method, device and equipment based on white list - Google Patents

Network security protection method, device and equipment based on white list Download PDF

Info

Publication number
CN111541675A
CN111541675A CN202010305704.5A CN202010305704A CN111541675A CN 111541675 A CN111541675 A CN 111541675A CN 202010305704 A CN202010305704 A CN 202010305704A CN 111541675 A CN111541675 A CN 111541675A
Authority
CN
China
Prior art keywords
domain name
target
address
white list
target application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010305704.5A
Other languages
Chinese (zh)
Other versions
CN111541675B (en
Inventor
赵煜
潘泉波
李盛葆
向媛媛
张泰�
李睿
尹川铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Branch Center National Computer Network And Information Security Management Center
Original Assignee
Shandong Branch Center National Computer Network And Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Branch Center National Computer Network And Information Security Management Center filed Critical Shandong Branch Center National Computer Network And Information Security Management Center
Priority to CN202010305704.5A priority Critical patent/CN111541675B/en
Publication of CN111541675A publication Critical patent/CN111541675A/en
Application granted granted Critical
Publication of CN111541675B publication Critical patent/CN111541675B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses a network security protection method based on a white list, which utilizes a sandbox technology to expand network behaviors of independently analyzed malicious applications to network assets of analyzed normal applications, deploys the applications on a platform, utilizes the platform to analyze the flow of the applications, further utilizes a consensus algorithm to determine the corresponding relation between the applications and the network assets, obtains the white list, and finally carries out network security protection based on the white list, so that the reliability and the scene adaptability of the network security protection are improved. In addition, the application also provides a network security protection device, equipment and a readable storage medium based on the white list, and the technical effect of the network security protection device and the equipment corresponds to that of the method.

Description

Network security protection method, device and equipment based on white list
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a readable storage medium for network security protection based on a white list.
Background
When network security protection or flow analysis is performed, a large number of unknown IP or domain names exist, whether the unknown IP or domain names belong to malice cannot be determined, and misjudgment is easily caused. At present, a sandbox is often used for analyzing malicious samples, communication IP and domain names of the malicious samples are labeled, and then a threat information library is constructed by combining threat information. And the IP and the domain name in the threat information library are utilized to carry out plugging configuration on the firewall, so that the network safety is guaranteed. However, the blacklist-based policy is often poor in reliability, and a security protection policy based on the blacklist is not generally adopted by a key system during key guarantee.
Therefore, how to improve the reliability of the network security protection scheme is a problem to be solved urgently by the technical personnel in the field.
Disclosure of Invention
The application aims to provide a network security protection method, a device, equipment and a readable storage medium based on a white list, which are used for solving the problem that the reliability of the current network security protection scheme is low. The specific scheme is as follows:
in a first aspect, the present application provides a network security protection method based on a white list, including:
deploying a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application;
performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by using a consensus algorithm to obtain a white list;
and according to the white list, utilizing a firewall technology to perform network security protection.
Preferably, the deploying the target application to be analyzed into the target platform includes:
deploying a target application to be analyzed into a target platform, wherein the target platform is any one of the following items: sandbox, virtual machine, Docker, solid host.
Preferably, the performing, by using the target platform, traffic analysis on the target application, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result includes:
performing traffic analysis on the target application by using the target platform, determining an IP address and a domain name of external communication of the target application, and generating an IP table and a domain name table as a traffic analysis result, wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, recent communication time, communication frequency, communication protocol, plaintext or ciphertext, wherein the domain name table comprises any one or more dimensions of: platform number, application name, request domain name, return IP value, last communication time, communication frequency, request DNS server.
Preferably, the determining, by using a consensus algorithm, a correspondence between the IP address and the domain name and the target application according to the traffic analysis result to obtain a white list includes:
judging whether the current IP address and the domain name meet the marking conditions by using a consensus algorithm, wherein the marking conditions are as follows: the number of the target platforms with the target applications is larger than a preset threshold, and the flow analysis result of the target platforms with the target applications exceeding a preset proportion comprises a current IP address and a domain name;
and if the marking condition is met, determining that the corresponding relation exists between the current IP address and domain name and the target application, and adding the current IP address and domain name to a white list.
Preferably, the adding the current IP address and domain name to the white list includes:
constructing a network asset database as a white list;
and adding the current IP address and the domain name in the network asset database, and setting a label of the target application for the current IP address and the domain name.
Preferably, after the adding the current IP address and domain name and setting the label of the target application for the current IP address and domain name, the method further includes:
judging whether the IP address and the domain name in the network asset database exceed a preset time threshold value and are not communicated with a target application;
and if so, deleting the label of the target application preset for the IP address and the domain name.
In a second aspect, the present application provides a white list-based network security protection apparatus, including:
a deployment module: the system comprises a target platform, a database and a database, wherein the target platform is used for deploying a target application to be analyzed into the target platform, and the target platform is a platform which is based on sandbox technology and can independently run the target application;
a flow analysis module: the system comprises a target platform, a target application and a server, wherein the target platform is used for carrying out traffic analysis on the target application and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
a correspondence determination module: the device is used for determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by utilizing a consensus algorithm to obtain a white list;
the safety protection module: and the system is used for utilizing a firewall technology to perform network security protection according to the white list.
In a third aspect, the present application provides a network security protection device based on a white list, including:
a memory: for storing a computer program;
a processor: for executing the computer program to implement the steps of the white list-based network security protection method as described above.
In a fourth aspect, the present application provides a readable storage medium, on which a computer program is stored, which, when being executed by a processor, is configured to implement the steps of the white list-based network security defending method described above.
The application provides a network security protection method based on a white list, which comprises the following steps: deploying a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application; performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result; determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by utilizing a consensus algorithm to obtain a white list; and according to the white list, performing network security protection by using a firewall technology. Therefore, the method expands the network behavior of the independently analyzed malicious application to the analysis of the network assets of the normal application by utilizing the sandbox technology, deploys the application on the platform, performs flow analysis on the application by utilizing the platform, further determines the corresponding relation between the application and the network assets by utilizing the consensus algorithm to obtain the white list, and finally performs network security protection based on the white list, so that the reliability of the network security protection and the scene adaptability are improved.
In addition, the application also provides a network security protection device, equipment and a readable storage medium based on the white list, and the technical effect of the network security protection device, the equipment and the readable storage medium correspond to the technical effect of the method, and the details are not repeated here.
Drawings
For a clearer explanation of the embodiments or technical solutions of the prior art of the present application, the drawings needed for the description of the embodiments or prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart illustrating a first implementation of a white list-based network security protection method according to an embodiment of the present disclosure;
fig. 2 is a flowchart illustrating an implementation of a second white list-based network security protection method according to an embodiment of the present disclosure;
FIG. 3 is a block diagram illustrating an embodiment of a white list-based network security protection apparatus according to the present disclosure;
fig. 4 is a schematic structural diagram of an embodiment of a network security protection device based on a white list according to the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The core of the application is to provide a network security protection method, a device, equipment and a readable storage medium based on a white list, and the network security protection is expanded from only analyzing malicious codes to analyzing normal applications. It should be noted that, unlike malware, normal applications often have a single fixed control IP and domain name, and network assets associated with normal applications, especially large applications, are numerous and varied, and need to be consolidated by using various technical means. According to the method and the device, the corresponding relation between the application and the network assets is determined through technical means such as sandbox analysis, flow collection, flow statistics and consensus algorithm, a white list is obtained, network safety protection is finally carried out on the basis of the white list, and the reliability and the scene adaptability of the network safety protection are improved.
Referring to fig. 1, a first embodiment of a network security protection method based on a white list provided in the present application is described below, where the first embodiment includes:
s101, deploying a target application to be analyzed to a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application;
s102, carrying out traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
s103, determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by using a consensus algorithm to obtain a white list;
and S104, performing network security protection by using a firewall technology according to the white list.
In order to increase the security of network data interaction, a firewall is usually disposed between the internal network and the external network. The white list-based network security protection refers to performing corresponding configuration on a firewall according to a white list so as to ensure network security, and the key point of the white list-based network security protection lies in how to generate the white list.
Unlike blacklists, generating a blacklist by analyzing malware is relatively simple, as the control-side IP and domain name of malware tend to be single fixed. Whereas normal applications, especially large applications, often involve a large amount of network assets (IP addresses, domain names, etc.) and therefore require complex analysis to derive white lists from them. In this embodiment, a sandbox technology is used to collect traffic information of various normal software (operating system, application, APP, and other programs), analyze information such as network assets related to a communication process, and determine a corresponding relationship between an IP and a domain name and an application, thereby obtaining a white list.
Firstly, deploying a target application to be analyzed to a target platform, wherein the target platform is a platform of a technology sandbox technology and capable of independently running the target application. It can be understood that, in this embodiment, the sandbox technology is not limited to a sandbox, and may also be a virtual machine, a Docker, an entity host, and the like, as long as a target application to be analyzed can be independently run. A so-called sandbox is a virtual system program that allows a browser or other program to be run in a sandbox environment and changes made to the run can be subsequently deleted. In network security, sandboxing refers to the tools used to test the behavior of untrusted files or applications, etc., in an isolated environment.
In practical application, the target application refers to an application to be analyzed, and can be selected from various large software application stores and common office software. The target platform has a flow recording function, each target platform only deploys one application, and one application can be deployed to a plurality of target platforms.
Then, the target platform is used to perform traffic analysis on the target application, that is, network asset information related to the running process of the target application, such as an IP address and a domain name of external communication, is collected, and of course, information such as a port number, communication time, communication frequency, and the like can be collected as a traffic analysis result.
And after the flow analysis result is obtained, determining the corresponding relation between the IP address and the domain name and the target application by utilizing a consensus algorithm. Specifically, for the current target application, if the number of target platforms deployed with the current target application exceeds a preset threshold and the traffic analysis results of the target platforms exceeding a preset proportion all include a certain IP address and a domain name, it is determined that a corresponding relationship exists between the IP address and the domain name and the current target application, and then, under the condition that the known target application is a normal application, the corresponding IP address and the domain name can be considered as reliable, and the IP address and the domain name meeting the above conditions are added to a white list. The preset threshold and the preset ratio may be adjusted according to actual conditions, which is not limited in this embodiment.
Finally, network security protection can be realized by utilizing a firewall technology according to the white list.
The network security protection method based on the white list provided by the embodiment can deploy the target application to be analyzed to the target platform; performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result; determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by utilizing a consensus algorithm to obtain a white list; and according to the white list, performing network security protection by using a firewall technology. As can be seen, in the embodiment, a sandbox technology is used to expand network behavior for analyzing malicious applications alone to network assets for analyzing normal applications, an application is deployed on a platform, the platform is used to perform traffic analysis on the application, a consensus algorithm is used to determine a correspondence between the application and the network assets, a white list is obtained, network security protection is performed based on the white list, and reliability and scene adaptability of network security protection are improved.
The second embodiment of the network security protection method based on the white list provided by the present application is described in detail below, and the second embodiment is implemented based on the first embodiment and is expanded to a certain extent on the basis of the first embodiment.
Specifically, the present embodiment deploys the target application to be analyzed into a sandbox,
referring to fig. 2, the second embodiment specifically includes:
s201, deploying a target application to be analyzed into a sandbox;
s202, carrying out flow analysis on the target application by using a sandbox, determining an IP address and a domain name of external communication of the target application, and generating an IP table and a domain name table as a flow analysis result;
wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, recent communication time, communication frequency, communication protocol, plaintext or ciphertext, wherein the domain name table comprises any one or more dimensions of: platform number, application name, request domain name, return IP value, last communication time, communication frequency, request DNS server.
S203, creating a network asset database as a white list;
it should be noted that the present embodiment does not limit the execution sequence of S203, as long as it is guaranteed to be before S205.
S204, judging whether the current IP address and the domain name meet the marking condition by using a consensus algorithm, and if so, entering S205; otherwise, taking the next IP address and the domain name in the flow analysis result as the current IP address and the domain name, and entering S204 until all the IP addresses and the domain names in the flow analysis result are analyzed;
in the traffic analysis result for the target application, there are typically a plurality of IP addresses and domain names. In this embodiment, when the relationship between the target application and the IP address and the domain name is sorted by using the consensus algorithm, the IP address and the domain name in the traffic analysis result are analyzed one by one, and therefore, the "current IP address and domain name" mentioned in this embodiment refers to the IP address and the domain name currently analyzed in the traffic analysis result.
The embodiment adopts a voting mechanism, each application is deployed into at least 10 sandboxes, and no less than 30% of the sandboxes record certain network asset information at the same time, so that the corresponding relationship between the application and the network asset information can be determined. In other words, the above-mentioned marking conditions are: the number of the target platforms with the target applications is larger than a preset threshold, and the traffic analysis result of the target platforms with the target applications exceeding a preset proportion comprises a current IP address and a domain name. Wherein the preset threshold is 10, and the preset proportion is 30%.
S205, determining that a corresponding relation exists between a current IP address and a domain name and a target application, adding the current IP address and the domain name in the network asset database, and setting a label of the target application for the current IP address and the domain name;
s206, periodically judging whether the IP address and the domain name in the network asset database exceed a preset time threshold value and are not communicated with a target application; if yes, entering S207, otherwise, not performing any processing;
in this embodiment, the correspondence recorded in the network asset database has timeliness, and the correspondence without communication record for too long time is cleared. The preset time threshold may be set according to actual requirements, and this embodiment is not limited.
S207, deleting the label of the target application preset for the IP address and the domain name;
and S208, according to the network asset database, performing network security protection by using a firewall technology.
In this embodiment, the consensus algorithm may further include the following features: multiple applications have common network assets, which can be labeled by large categories; for IDC assets and IP assets of CDN technology, individual marking can be carried out; a multi-label regime, i.e. there may be multiple labels for the same application.
In practical applications, appropriate manual intervention may be performed. The method utilizes manpower to increase the asset collection range in aspects of asset marking, application maintenance (login account, simulation operation) and the like.
In addition, a domain name IP linkage mechanism may be implemented, i.e., the IP of the domain name resolution requested by the application is also tagged with the application. That is, for a normal application, when a domain name is normal, it is considered that an IP address corresponding to the domain name returned by the DNS server is also normal, and a label of a target application is set for the IP address.
It can be seen that, in the network security protection method based on the white list provided in this embodiment, the sandbox technology is used to expand the network behavior of the malicious software which is analyzed separately to the network asset of the normal software, the algorithms are used to determine the corresponding relationship between the software and the network asset, and finally the network asset database is constructed. By long-term collection and arrangement, most of commonly applied network assets can be marked, and convenience is provided in later-stage network firewall white list configuration and flow analysis.
In the following, a white list-based network security protection apparatus provided in an embodiment of the present application is introduced, and a white list-based network security protection apparatus described below and a white list-based network security protection method described above may be referred to correspondingly.
As shown in fig. 3, the white list based network security protection apparatus of this embodiment includes:
the deployment module 301: the system comprises a target platform, a database and a database, wherein the target platform is used for deploying a target application to be analyzed into the target platform, and the target platform is a platform which is based on sandbox technology and can independently run the target application;
the flow analysis module 302: the system comprises a target platform, a target application and a server, wherein the target platform is used for carrying out traffic analysis on the target application and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
the correspondence determining module 303: the device is used for determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by utilizing a consensus algorithm to obtain a white list;
the security protection module 304: and the system is used for utilizing a firewall technology to perform network security protection according to the white list.
The white list-based network security protection apparatus of this embodiment is used to implement the white list-based network security protection method, and therefore a specific implementation manner of the apparatus may be found in the foregoing embodiment part of the white list-based network security protection method, for example, the deployment module 301, the traffic analysis module 302, the correspondence determination module 303, and the security protection module 304 are respectively used to implement steps S101, S102, S103, and S104 in the white list-based network security protection method. Therefore, specific embodiments thereof may be referred to in the description of the corresponding respective partial embodiments, and will not be described herein.
In addition, since the network security protection device based on the white list of the embodiment is used for implementing the network security protection method based on the white list, the role thereof corresponds to that of the above method, and details are not repeated here.
In addition, the present application further provides a network security protection device based on a white list, as shown in fig. 4, including:
the memory 100: for storing a computer program;
the processor 200: for executing the computer program to implement the steps of the white list based network security defending method as described above.
Finally, the present application provides a readable storage medium having stored thereon a computer program for implementing the steps of the white list based network security defending method as described above when executed by a processor.
The embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above detailed descriptions of the solutions provided in the present application, and the specific examples applied herein are set forth to explain the principles and implementations of the present application, and the above descriptions of the examples are only used to help understand the method and its core ideas of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (9)

1. A network security protection method based on a white list is characterized by comprising the following steps:
deploying a target application to be analyzed into a target platform, wherein the target platform is a platform which is based on a sandbox technology and can independently run the target application;
performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by using a consensus algorithm to obtain a white list;
and according to the white list, utilizing a firewall technology to perform network security protection.
2. The method of claim 1, wherein deploying the target application to be analyzed into the target platform comprises:
deploying a target application to be analyzed into a target platform, wherein the target platform is any one of the following items: sandbox, virtual machine, Docker, solid host.
3. The method of claim 2, wherein the performing traffic analysis on the target application by using the target platform, and determining an IP address and a domain name of an external communication of the target application as a traffic analysis result comprises:
performing traffic analysis on the target application by using the target platform, determining an IP address and a domain name of external communication of the target application, and generating an IP table and a domain name table as a traffic analysis result, wherein the IP table comprises any one or more of the following dimensions: platform number, application name, destination IP, destination port, recent communication time, communication frequency, communication protocol, plaintext or ciphertext, wherein the domain name table comprises any one or more dimensions of: platform number, application name, request domain name, return IP value, last communication time, communication frequency, request DNS server.
4. The method of claim 1, wherein determining the correspondence between the IP address and the domain name and the target application according to the traffic analysis result by using a consensus algorithm to obtain a white list comprises:
judging whether the current IP address and the domain name meet the marking conditions by using a consensus algorithm, wherein the marking conditions are as follows: the number of the target platforms with the target applications is larger than a preset threshold, and the flow analysis result of the target platforms with the target applications exceeding a preset proportion comprises a current IP address and a domain name;
and if the marking condition is met, determining that the corresponding relation exists between the current IP address and domain name and the target application, and adding the current IP address and domain name to a white list.
5. The method of claim 4, wherein adding the current IP address and domain name to a white list comprises:
constructing a network asset database as a white list;
and adding the current IP address and the domain name in the network asset database, and setting a label of the target application for the current IP address and the domain name.
6. The method of claim 5, wherein after the adding the current IP address and domain name and setting the label of the target application for the current IP address and domain name, further comprising:
judging whether the IP address and the domain name in the network asset database exceed a preset time threshold value and are not communicated with a target application;
and if so, deleting the label of the target application preset for the IP address and the domain name.
7. A white list based network security protection device, comprising:
a deployment module: the system comprises a target platform, a database and a database, wherein the target platform is used for deploying a target application to be analyzed into the target platform, and the target platform is a platform which is based on sandbox technology and can independently run the target application;
a flow analysis module: the system comprises a target platform, a target application and a server, wherein the target platform is used for carrying out traffic analysis on the target application and determining an IP address and a domain name of external communication of the target application as a traffic analysis result;
a correspondence determination module: the device is used for determining the corresponding relation between the IP address and the domain name and the target application according to the flow analysis result by utilizing a consensus algorithm to obtain a white list;
the safety protection module: and the system is used for utilizing a firewall technology to perform network security protection according to the white list.
8. A white list based network security protection device, comprising:
a memory: for storing a computer program;
a processor: for executing the computer program for implementing the steps of the white list based network security defending method according to any one of claims 1 to 6.
9. A readable storage medium, having stored thereon a computer program for implementing the steps of the whitelist-based network security method according to any one of claims 1-6 when executed by a processor.
CN202010305704.5A 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list Active CN111541675B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010305704.5A CN111541675B (en) 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010305704.5A CN111541675B (en) 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list

Publications (2)

Publication Number Publication Date
CN111541675A true CN111541675A (en) 2020-08-14
CN111541675B CN111541675B (en) 2022-05-17

Family

ID=71970981

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010305704.5A Active CN111541675B (en) 2020-04-17 2020-04-17 Network security protection method, device and equipment based on white list

Country Status (1)

Country Link
CN (1) CN111541675B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333191A (en) * 2020-11-06 2021-02-05 杭州安恒信息技术股份有限公司 Illegal network asset detection and access blocking method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650425A (en) * 2016-12-06 2017-05-10 中国联合网络通信集团有限公司 Method and device for controlling security sandbox
CN106685951A (en) * 2016-12-26 2017-05-17 北京奇虎科技有限公司 Network flow filtering system and method based on domain name rules
CN108809892A (en) * 2017-04-27 2018-11-13 贵州白山云科技有限公司 A kind of IP white lists generation method and device
US20190044958A1 (en) * 2017-08-01 2019-02-07 PC Pitstop, Inc System, Method, and Apparatus for Computer Security
CN110611673A (en) * 2019-09-18 2019-12-24 赛尔网络有限公司 IP credit calculation method, device, electronic equipment and medium
CN110891071A (en) * 2019-12-25 2020-03-17 杭州安恒信息技术股份有限公司 Network traffic information acquisition method, device and related equipment

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106650425A (en) * 2016-12-06 2017-05-10 中国联合网络通信集团有限公司 Method and device for controlling security sandbox
CN106685951A (en) * 2016-12-26 2017-05-17 北京奇虎科技有限公司 Network flow filtering system and method based on domain name rules
CN108809892A (en) * 2017-04-27 2018-11-13 贵州白山云科技有限公司 A kind of IP white lists generation method and device
US20190044958A1 (en) * 2017-08-01 2019-02-07 PC Pitstop, Inc System, Method, and Apparatus for Computer Security
CN110611673A (en) * 2019-09-18 2019-12-24 赛尔网络有限公司 IP credit calculation method, device, electronic equipment and medium
CN110891071A (en) * 2019-12-25 2020-03-17 杭州安恒信息技术股份有限公司 Network traffic information acquisition method, device and related equipment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112333191A (en) * 2020-11-06 2021-02-05 杭州安恒信息技术股份有限公司 Illegal network asset detection and access blocking method, device, equipment and medium

Also Published As

Publication number Publication date
CN111541675B (en) 2022-05-17

Similar Documents

Publication Publication Date Title
CN108183916B (en) Network attack detection method and device based on log analysis
CN111355697B (en) Detection method, device, equipment and storage medium for botnet domain name family
CN109347827B (en) Method, device, equipment and storage medium for predicting network attack behavior
US8701192B1 (en) Behavior based signatures
CN111274583A (en) Big data computer network safety protection device and control method thereof
US11270001B2 (en) Classification apparatus, classification method, and classification program
CN112685682B (en) Method, device, equipment and medium for identifying forbidden object of attack event
CN107295021B (en) Security detection method and system of host based on centralized management
CN110365674B (en) Method, server and system for predicting network attack surface
CN111625841B (en) Virus processing method, device and equipment
JP5739034B1 (en) Attack detection system, attack detection device, attack detection method, and attack detection program
CN110880983A (en) Penetration testing method and device based on scene, storage medium and electronic device
EP3913888A1 (en) Detection method for malicious domain name in domain name system and detection device
CN112131571B (en) Threat tracing method and related equipment
CN115001789B (en) Method, device, equipment and medium for detecting collapse equipment
CN110365673B (en) Method, server and system for isolating network attack plane
CN110381047B (en) Network attack surface tracking method, server and system
CN117294517A (en) Network security protection method and system for solving abnormal traffic
CN113315785B (en) Alarm reduction method, device, equipment and computer readable storage medium
CN111541675B (en) Network security protection method, device and equipment based on white list
CN112953895B (en) Attack behavior detection method, device and equipment and readable storage medium
CN112448963A (en) Method, device, equipment and storage medium for analyzing automatic attack industrial assets
CN115955333A (en) C2 server identification method and device, electronic equipment and readable storage medium
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN115935356A (en) Software security testing method, system and application

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant