CN111565199A - Network attack information processing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN111565199A
Authority: CN (China)
Prior art keywords: attack, classification model, traffic, attack traffic, information classification
Legal status: Granted
Application number: CN202010671834.0A
Other languages: Chinese (zh)
Other versions: CN111565199B (en)
Inventors: 贺家成, 董志强, 李滨, 张壮
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events:
    • Application filed by Tencent Technology Shenzhen Co Ltd
    • Priority to CN202010671834.0A
    • Publication of CN111565199A
    • Application granted
    • Publication of CN111565199B
    • Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention provides a network attack information processing method, which comprises the following steps: acquiring attack traffic for attacking a target system; in response to the acquired attack traffic, triggering a port multiplexing process to monitor the attack traffic forwarded by the target port; triggering an attack information classification model to identify the type of the attack traffic; and triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic. The invention also provides a network attack information processing device, electronic equipment and a storage medium. The invention can forward attack traffic to honeypot systems of different types accordingly, improve the network attack information processing efficiency of the honeypot systems, reduce the number of deployed servers, save user costs and realize large-scale deployment of honeypot systems.

Description

Network attack information processing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to network attack information processing technologies, and in particular, to a network attack information processing method, apparatus, system, device, and storage medium.
Background
In the related art, honeypot technology is an active security technology for deceiving attackers (also referred to as hackers). In honeypot technology, a technician may deploy a dummy system that simulates a real working system, commonly referred to as a honeypot system, as a decoy to entice an attacker to attack the dummy system. When an attacker is lured into attacking the honeypot system, the honeypot system can capture the attacker's attack data. By analyzing the captured attack data, a basis can be provided for identifying attack behavior and for subsequent security defense measures in actual production work. In the traditional honeypot system deployment process, not only do a large number of servers need to be deployed and a large number of IP addresses need to be configured, but the attack traffic is also not matched to its attack target, so the processing efficiency of the honeypot system on attack information is low.
Disclosure of Invention
In view of this, embodiments of the present invention provide a network attack information processing method and apparatus, an electronic device, and a storage medium, which can identify categories of attack traffic and forward the attack traffic through an attack information classification model, and acquire corresponding attack traffic through different types of honeypot systems, thereby improving network attack information processing efficiency of the honeypot systems, reducing the number of deployed servers, saving user costs, and achieving large-scale deployment of the honeypot systems.
The technical scheme of the embodiment of the invention is realized as follows:
the embodiment of the invention provides a network attack information processing method, which comprises the following steps:
acquiring attack traffic for attacking a target system;
in response to the acquired attack traffic, triggering a port multiplexing process to monitor the attack traffic forwarded by the target port;
triggering an attack information classification model to identify the type of the attack traffic;
and triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic so as to obtain corresponding attack traffic through different types of honeypot systems.
An embodiment of the present invention further provides a network attack information processing apparatus, including:
the information transmission module is used for acquiring attack traffic for attacking the target system;
the information processing module is used for responding to the acquired attack traffic and triggering a port multiplexing process so as to monitor the attack traffic forwarded by the target port;
the information processing module is used for triggering an attack information classification model and identifying the type of the attack traffic;
and the information processing module is used for triggering a port forwarding process based on the identification result of the attack information classification model and forwarding the attack traffic so as to acquire the corresponding attack traffic through different types of honeypot systems.
In the above solution,
the information processing module is used for determining, in response to the acquired attack traffic, a target port based on the port multiplexing process;
the information processing module is used for configuring, according to the target port, a socket and a socket function matched with the target port;
and the information processing module is used for monitoring the attack traffic forwarded by the target port based on the socket and the socket function matched with the target port.
In the above solution,
the information processing module is used for performing characterization processing on the attack traffic through the attack information classification model;
the information processing module is used for standardizing the result of the characterization processing of the attack traffic to form attack traffic features;
and the information processing module is used for processing the attack traffic features based on the attack information classification model and determining the category of the attack traffic.
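As an added illustration of the port multiplexing, classification and forwarding steps above (not code from the patent or from Tencent): a single listener on the target port peeks at the first bytes of each incoming connection, classifies them with a rule-based stand-in for the attack information classification model, and proxies the connection to the honeypot backend of the matching type. The backend addresses, the category names and the fingerprint rules are assumptions.

```python
import socket
import threading

# Constructed routing table: traffic category -> honeypot backend (assumed addresses).
HONEYPOT_BACKENDS = {
    "web": ("127.0.0.1", 8080),
    "ssh": ("127.0.0.1", 2222),
    "telnet": ("127.0.0.1", 2323),
    "unknown": ("127.0.0.1", 9999),  # low-interaction catch-all honeypot
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_traffic(head: bytes) -> str:
    """Stand-in for the attack information classification model: assign a category
    from the first bytes the client sends (hypothetical rules, not the patent's model)."""
    if head.startswith(HTTP_METHODS):
        return "web"
    if head.startswith(b"SSH-"):
        return "ssh"
    if head.startswith((b"\xff\xfb", b"\xff\xfd")):  # telnet IAC WILL/DO negotiation
        return "telnet"
    return "unknown"


def select_backend(category: str, backends=HONEYPOT_BACKENDS):
    """Port forwarding decision: unknown categories go to the catch-all honeypot."""
    return backends.get(category, backends["unknown"])


def peek_head(conn: socket.socket, nbytes: int = 16, timeout: float = 2.0) -> bytes:
    """Peek at the first client bytes without consuming them, so the backend still
    sees the full stream. A client that waits for a server banner sends nothing
    within the timeout and falls through to the catch-all."""
    conn.settimeout(timeout)
    try:
        return conn.recv(nbytes, socket.MSG_PEEK)
    except socket.timeout:
        return b""
    finally:
        conn.settimeout(None)


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then shut both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle(conn: socket.socket, peer, backends=HONEYPOT_BACKENDS) -> None:
    head = peek_head(conn)
    category = classify_traffic(head)
    host, port = select_backend(category, backends)
    # Access-service record for this connection (assumed log format).
    print(f"access {peer[0]}:{peer[1]} category={category} -> {host}:{port}")
    with conn:
        try:
            backend = socket.create_connection((host, port), timeout=5)
        except OSError as exc:
            print(f"backend {host}:{port} unavailable: {exc}")
            return
        with backend:
            t = threading.Thread(target=pump, args=(backend, conn), daemon=True)
            t.start()
            pump(conn, backend)
            t.join()


def serve(target_port: int, bind: str = "0.0.0.0", backends=HONEYPOT_BACKENDS) -> None:
    """The port multiplexing process: one socket on the target port for all categories."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, target_port))
        srv.listen(128)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, backends), daemon=True).start()


if __name__ == "__main__":
    serve(8888)  # assumed target port
```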
In the above solution,
the information processing module is used for acquiring a training sample matched with the use environment of the attack information classification model, wherein the training sample comprises historical attack flow acquired by a corresponding target system hosting platform;
the information processing module is used for extracting a training data set and a testing data set matched with the training samples through the attack information classification model;
and the information processing module is used for training the attack information classification model according to the training data set and the testing data set which are matched with the training samples so as to determine model parameters matched with the attack information classification model.
In the above solution,
the information processing module is used for classifying the training samples and determining different attack traffic types;
the information processing module is used for carrying out characterization processing on the training sample based on different types of the attack traffic and extracting matched difference features;
the information processing module is used for standardizing the extracted difference features to form standardized difference features, and carrying out data splitting processing on the standardized difference features according to corresponding distribution proportions to form a training data set and a test data set which are matched with the training samples.
In the above solution,
the information processing module is used for marking the attack traffic type in the test data set matched with the training sample;
the information processing module is used for training the attack information classification model through the training data set and determining parameters of the attack information classification model;
the information processing module is used for keeping the parameters of the attack information classification model unchanged and classifying the attack traffic types in the test data set;
the information processing module is used for comparing the classification result of the attack traffic type in the test data set with the marked attack traffic type;
and the information processing module is used for determining model parameters matched with the attack information classification model when the consistent proportion of the classification result of the attack traffic type in the test data set and the marked attack traffic type exceeds a threshold value.
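The training procedure described above, as an added example that is not the patent's own code: constructed request heads are characterized into numeric features, standardized, split by a fixed proportion, used to fit a classifier, and the model is accepted only when its agreement with the marked test labels exceeds a threshold. The feature set, the nearest-centroid classifier, the 70/30 split and the 0.9 threshold are assumptions.

```python
import math
import random

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def featurize(sample: bytes):
    """Characterization processing: turn one captured request head into numbers.
    Feature choice is an assumption: printable ratio, byte entropy, two protocol
    markers and log-length separate text protocols from opaque probes."""
    n = max(len(sample), 1)
    printable = sum(1 for b in sample if 0x20 <= b <= 0x7E or b in b"\r\n\t") / n
    counts = {}
    for b in sample:
        counts[b] = counts.get(b, 0) + 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return [
        printable,
        entropy,
        1.0 if sample.startswith(HTTP_METHODS) else 0.0,
        1.0 if sample.startswith(b"SSH-") else 0.0,
        math.log(n),
    ]


def standardize(rows):
    """Column-wise z-score; returns the standardized rows and the (mean, std) scaler."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in rows], (means, stds)


def split(features, labels, train_ratio=0.7, seed=7):
    """Data splitting by distribution proportion into training and test sets."""
    idx = list(range(len(features)))
    random.Random(seed).shuffle(idx)
    cut = int(len(idx) * train_ratio)
    tr, te = idx[:cut], idx[cut:]
    return ([features[i] for i in tr], [labels[i] for i in tr],
            [features[i] for i in te], [labels[i] for i in te])


def train_centroids(x, y):
    """Model parameters: one centroid per attack traffic type."""
    sums, cnt = {}, {}
    for row, lab in zip(x, y):
        acc = sums.setdefault(lab, [0.0] * len(row))
        for j, v in enumerate(row):
            acc[j] += v
        cnt[lab] = cnt.get(lab, 0) + 1
    return {lab: [v / cnt[lab] for v in acc] for lab, acc in sums.items()}


def predict(centroids, row):
    return min(centroids, key=lambda lab: sum((a - b) ** 2 for a, b in zip(centroids[lab], row)))


def accuracy(centroids, x, y):
    """Proportion of test-set predictions consistent with the marked labels."""
    return sum(predict(centroids, r) == lab for r, lab in zip(x, y)) / len(y)


def make_samples(seed=1):
    """Constructed historical attack traffic: web requests, SSH banners and random
    probes on an abnormal port ('raw'). Not real captures."""
    rng = random.Random(seed)
    samples = []
    for i in range(40):
        path = "admin" if i % 3 else "login"
        samples.append((f"GET /{path}/{i} HTTP/1.1\r\nHost: decoy.test\r\n\r\n".encode(), "web"))
        samples.append((f"SSH-2.0-OpenSSH_{7 + i % 3}.{i % 10}\r\n".encode(), "ssh"))
        samples.append((bytes(rng.getrandbits(8) for _ in range(32 + i)), "raw"))
    return samples


def fit_model(samples, threshold=0.9):
    """Full pipeline: featurize -> standardize -> split -> train -> test -> accept if above threshold."""
    raw = [featurize(s) for s, _ in samples]
    labels = [lab for _, lab in samples]
    std_rows, scaler = standardize(raw)
    xtr, ytr, xte, yte = split(std_rows, labels)
    centroids = train_centroids(xtr, ytr)
    acc = accuracy(centroids, xte, yte)
    if acc < threshold:
        return None, acc
    return {"centroids": centroids, "scaler": scaler}, acc


def classify(model, sample: bytes) -> str:
    """Apply the accepted model to new attack traffic using the training-time scaler."""
    means, stds = model["scaler"]
    row = [(v - m) / s for v, m, s in zip(featurize(sample), means, stds)]
    return predict(model["centroids"], row)
```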
In the above solution,
the information processing module is used for capturing access service records of the attack traffic when the honeypot systems of different types obtain the corresponding attack traffic;
the information processing module is used for acquiring and parsing the network data packets carried by the attack traffic based on the access service records of the attack traffic;
and the information processing module is used for determining and monitoring, based on the network data packets, the honeypot system connection behavior after the attack traffic has intruded into the honeypot system.
In the above solution,
the information processing module is used for determining corresponding firmware configuration information according to the use environment of the target system;
the information processing module is used for acquiring a matching honeypot image from the honeypot image cloud server according to the firmware configuration information, wherein the honeypot image supports honeypot structures of different organizational architectures;
the information processing module is used for creating a container in the target system and creating, through the container, honeypot systems supporting different organizational architectures, so as to capture attack traffic directed at the target system through the deployed honeypot systems.
In the above solution,
the information processing module is used for sending the configuration information of the honeypot system, the attack information classification model and the classification records of the attack information classification model on the attack traffic to the blockchain network, so that the nodes of the blockchain network fill the honeypot system configuration information, the attack information classification model and the classification records of the attack information classification model on the attack traffic into a new block and, when consensus on the new block is reached, append the new block to the tail of the blockchain.
In the above solution,
the information processing module is used for receiving data synchronization requests from other nodes in the blockchain network;
the information processing module is used for verifying the authority of the other nodes in response to the data synchronization request;
and the information processing module is used for controlling the current node and the other nodes to carry out data synchronization when the authority of the other nodes passes verification, so that the other nodes acquire the honeypot system configuration information, the attack information classification model and the classification records of the attack information classification model on the attack traffic.
In the above solution,
the information processing module is used for responding to a query request and parsing the query request to obtain a corresponding object identifier;
the information processing module is used for acquiring authority information in a target block of the blockchain network according to the object identifier;
the information processing module is used for verifying that the authority information matches the object identifier;
the information processing module is used for acquiring, from the blockchain network, the corresponding honeypot system configuration information, attack information classification model and classification records of the attack information classification model on the attack traffic when the authority information matches the object identifier;
and the information processing module is used for responding to the query instruction by pushing the acquired honeypot system configuration information, attack information classification model and classification records of the attack information classification model on the attack traffic to the corresponding clients.
An embodiment of the present invention further provides an electronic device, where the electronic device includes:
a memory for storing executable instructions;
and the processor is used for realizing the network attack information processing method when the executable instructions stored in the memory are run.
The embodiment of the invention also provides a computer-readable storage medium, which stores executable instructions, and the executable instructions are executed by a processor to realize the network attack information processing method.
The embodiment of the invention has the following beneficial effects:
the invention acquires attack traffic for attacking the target system; in response to the acquired attack traffic, triggers a port multiplexing process to monitor the attack traffic forwarded by the target port; triggers an attack information classification model to identify the type of the attack traffic; and, based on the identification result of the attack information classification model, triggers a port forwarding process to forward the attack traffic, so that the corresponding attack traffic can be acquired through different types of honeypot systems, the network attack information processing efficiency of the honeypot systems is improved, the number of deployed servers is reduced, user costs are saved, and large-scale deployment of honeypot systems is realized.
Drawings
Fig. 1 is a schematic diagram of a usage environment of a network attack information processing method provided by an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a network attack information processing apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating attack traffic handling by a conventional honeypot system in accordance with an embodiment of the present invention;
fig. 4 is a schematic view of an optional flow chart of the network attack information processing method according to the embodiment of the present invention;
FIG. 5 is a diagram illustrating a process of processing a port multiplexing process according to an embodiment of the present invention;
fig. 6 is a schematic view of an optional flow chart of the network attack information processing method according to the embodiment of the present invention;
fig. 7 is a schematic structural diagram of the target object determining apparatus 100 according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a block chain in the block chain network 200 according to an embodiment of the present invention;
fig. 9 is a functional architecture diagram of a blockchain network 200 according to an embodiment of the present invention;
fig. 10 is a schematic view of an optional flow chart of a network attack information processing method provided in the embodiment of the present application;
FIG. 11 is a flowchart illustrating a training process of an attack information classification model according to an embodiment of the present application;
FIG. 12 is a schematic diagram illustrating a processing of a web attack by a network attack information processing method according to an embodiment of the present application;
fig. 13 is a schematic diagram illustrating a random attack processing on an abnormal port by the network attack information processing method in the embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described in detail below with reference to the accompanying drawings. The described embodiments should not be construed as limiting the present invention, and all other embodiments obtained by a person of ordinary skill in the art without creative effort shall fall within the protection scope of the present invention.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Before the embodiments of the present invention are described in further detail, the terms and expressions mentioned in the embodiments are explained; the terms and expressions used in the embodiments have the following meanings.
1) Honeypot technology is essentially a technology for deceiving attackers: by arranging decoy hosts, network services or information, attackers are induced to attack the decoys, so that attack behavior can be captured and analyzed, the tools and methods used by attackers become known, attack intentions and motivations can be inferred, defenders gain a clear view of the security threats they face, and the security protection capability of the actual system is enhanced by technical and management means.
2) Terminals, including but not limited to common terminals and special terminals, where a common terminal maintains a long connection and/or a short connection with the sending channel, and a special terminal maintains a long connection with the sending channel.
3) The client, a carrier in the terminal for implementing a specific function, for example, a mobile client (APP) is a carrier of a specific function in the mobile terminal, for example, a function of performing live online broadcasting or a playing function of online video.
4) "In response to" indicates the condition or state on which a performed operation depends; when the dependent condition or state is satisfied, the one or more operations performed may be in real time or may have a set delay. Unless otherwise specified, there is no restriction on the order in which the operations are executed.
5) The runtime environment, the engine for interpreting and executing code, for example, for an applet, may be the JavaScript Core of the iOS platform, the X5 JS Core of the android platform.
6) 0day vulnerability: vulnerability information that is known or disclosed before the system vendor knows of it and has released the relevant patch.
7) Docker, an open source application container engine, allows developers to package their applications and dependencies into a portable image and then distribute it to any popular Linux or Windows machine, as well as to implement virtualization.
8) Transactions (transactions), equivalent to the computer term "Transaction," include operations that need to be committed to a blockchain network for execution and do not refer solely to transactions in the context of commerce, which embodiments of the present invention follow in view of the convention colloquially used in blockchain technology.
For example, a deployment (deployment) transaction is used to install a specified smart contract to a node in a blockchain network and is ready to be invoked; the Invoke (Invoke) transaction is used to append records of the transaction in the blockchain by invoking the smart contract and to perform operations on the state database of the blockchain, including update operations (including adding, deleting, and modifying key-value pairs in the state database) and query operations (i.e., querying key-value pairs in the state database).
9) A blockchain (Block chain) is an encrypted, chained transaction storage structure formed of blocks.
For example, the header of each block may include the hash values of all transactions in the block and also the hash value of all transactions in the previous block, so as to achieve tamper resistance and forgery resistance of the transactions in the block based on the hash values; newly generated transactions, after being filled into blocks and passing the consensus of the nodes in the blockchain network, are appended to the end of the blockchain to form chain growth.
10) A blockchain network (Block chain Network) is the set of nodes that incorporate new blocks into the blockchain by consensus.
11) Ledger is a general term for the blockchain (also called ledger data) and the state database synchronized with the blockchain.
The blockchain records transactions in the form of files in a file system; the state database records the transactions of the blockchain in the form of different types of key-value pairs, to support fast querying of transactions in the blockchain.
12) Smart contracts (Smart Contracts), also known as chaincode (Chain code) or application code, are programs deployed in nodes of a blockchain network; the nodes execute the smart contracts invoked by received transactions to perform operations that update or query the key-value data of the account database.
13) Consensus (Consensus) is a process in a blockchain network for reaching agreement on the transactions in a block among the nodes involved; agreed blocks are appended to the end of the blockchain. Mechanisms for achieving consensus include Proof of Work (PoW), Proof of Stake (PoS), Delegated Proof of Stake (DPoS), Proof of Elapsed Time (PoET), etc.
Fig. 1 is a schematic view of a usage scenario of an electronic device wake-up method according to an embodiment of the present invention. Referring to Fig. 1, the terminals (including terminal 10-1 and terminal 10-2) are provided with corresponding clients capable of executing different functions, through which the terminals acquire different corresponding information from the server 200 over the network 300 for browsing. The terminals are connected to the server 200 through the network 300, which may be a wide area network, a local area network, or a combination of the two, with data transmission implemented over wireless links. During information interaction between the terminals and the network, a network attack may be suffered, and so a honeypot system may be deployed. In particular, honeypot technology is an active security technology that deceives attackers. In honeypot technology, a technician may deploy a dummy system that simulates a real working system, commonly referred to as a honeypot system, as a decoy to entice an attacker to attack the dummy system. When an attacker is lured into attacking the honeypot system, the honeypot system can capture the attacker's attack data. By analyzing the captured attack data, a basis can be provided for identifying attack behavior and for subsequent security defense measures in actual production work.
As an example, the server 200 is used to deploy a network attack information processing apparatus to implement the network attack information processing method provided by the present invention, so as to obtain an attack traffic attacking a target system; responding to the acquired attack traffic, and triggering a port multiplexing process to monitor the attack traffic forwarded by the target port; triggering an attack information classification model, and identifying the type of the attack traffic; and triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic so as to obtain corresponding attack traffic through different types of honeypot systems.
The structure of the cyber attack information processing apparatus according to an embodiment of the present invention is described in detail below. The cyber attack information processing apparatus may be implemented in various forms, such as a dedicated terminal with the processing function of the cyber attack information processing apparatus, or a server group provided with that processing function, for example a honeypot system deployed in a target system, such as the server 200 in Fig. 1. Fig. 2 is a schematic diagram of the composition structure of a network attack information processing apparatus according to an embodiment of the present invention; it can be understood that Fig. 2 shows only an exemplary structure of the apparatus and not the whole structure, and part or all of the structure shown in Fig. 2 may be implemented as needed.
The network attack information processing device provided by the embodiment of the invention comprises: at least one processor 201, memory 202, user interface 203, and at least one network interface 204. The various components in the cyber attack information processing apparatus are coupled together by a bus system 205. It will be appreciated that the bus system 205 is used to enable communications among the components. The bus system 205 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 205 in fig. 2.
The user interface 203 may include, among other things, a display, a keyboard, a mouse, a trackball, a click wheel, a key, a button, a touch pad, or a touch screen.
It will be appreciated that the memory 202 can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. The memory 202 in embodiments of the present invention is capable of storing data to support operation of the terminal (e.g., 10-1). Examples of such data include: any computer program, such as an operating system and application programs, for operating on a terminal (e.g., 10-1). The operating system includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, and is used for implementing various basic services and processing hardware-based tasks. The application program may include various application programs.
In some embodiments, the network attack information processing apparatus provided in the embodiments of the present invention may be implemented by combining software and hardware, and as an example, the network attack information processing apparatus provided in the embodiments of the present invention may be a processor in the form of a hardware decoding processor, which is programmed to execute the network attack information processing method provided in the embodiments of the present invention. For example, a processor in the form of a hardware decoding processor may employ one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components.
As an example of the network attack information processing apparatus provided by the embodiment of the present invention implemented by combining software and hardware, the network attack information processing apparatus provided by the embodiment of the present invention may be directly embodied as a combination of software modules executed by the processor 201, where the software modules may be located in a storage medium, the storage medium is located in the memory 202, the processor 201 reads executable instructions included in the software modules in the memory 202, and the network attack information processing method provided by the embodiment of the present invention is completed by combining necessary hardware (for example, including the processor 201 and other components connected to the bus 205).
By way of example, the Processor 201 may be an integrated circuit chip having Signal processing capabilities, such as a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or the like, wherein the general purpose Processor may be a microprocessor or any conventional Processor or the like.
As an example of the network attack information processing apparatus provided by the embodiment of the present invention implemented by hardware, the apparatus provided by the embodiment of the present invention may be implemented by directly using a processor 201 in the form of a hardware decoding processor, for example, the apparatus may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field Programmable Gate Arrays (FPGAs), or other electronic components to implement the network attack information processing method provided by the embodiment of the present invention.
The memory 202 in the embodiment of the present invention is used to store various types of data to support the operation of the network attack information processing apparatus. Examples of such data include: any executable instructions for operating on the network attack information processing apparatus, such as executable instructions, a program that implements the network attack information processing method of the embodiment of the present invention may be contained in the executable instructions.
In other embodiments, the network attack information processing apparatus provided by the embodiment of the present invention may be implemented in software; fig. 2 illustrates the network attack information processing apparatus stored in the memory 202, which may be software in the form of a program, a plug-in or the like and includes a series of modules. As an example of a program stored in the memory 202, the network attack information processing apparatus may include the following software modules: an information transmission module 2081 and an information processing module 2082. When the software modules of the network attack information processing apparatus are read into RAM by the processor 201 and executed, the network attack information processing method provided by the embodiment of the present invention is implemented, where the functions of the software modules include:
the information transmission module 2081 is used for acquiring attack traffic for attacking a target system;
the information processing module 2082 is configured to trigger a port multiplexing process in response to the acquired attack traffic, so as to monitor the attack traffic forwarded by the target port;
the information processing module 2082 is configured to trigger an attack information classification model and identify the type of the attack traffic;
the information processing module 2082 is configured to trigger a port forwarding process based on the identification result of the attack information classification model, and forward the attack traffic, so as to obtain corresponding attack traffic through different types of honeypot systems.
Before describing the network attack information processing method provided by the embodiment of the present invention, the processing of attack traffic by a honeypot system in the conventional art is first described with reference to fig. 3, which is a schematic diagram of that processing. In the use of a conventional honeypot system, common WEB attack targets number in the hundreds, so a distributed deployment following the conventional honeypot arrangement requires hundreds of servers and hundreds of IP addresses (fig. 3 shows 4 servers with 4 independent IPs as an example). In this process more than 80% of the attack traffic does not match the attack target it reaches, that is, it becomes invalid traffic, which wastes a large amount of resources (in fig. 3 only the solid-line attack traffic matches its target; the dashed lines are all unmatched traffic). This makes the honeypot system inefficient and degrades the user experience.
To solve the above-mentioned drawback, referring to fig. 4, fig. 4 is an optional flowchart of the network attack information processing method according to the embodiment of the present invention, and it can be understood that the steps shown in fig. 4 may be executed by various electronic devices operating the network attack information processing apparatus, for example, a server or a server group that may deploy a honeypot system. The method specifically comprises the following steps:
step 401: and acquiring the attack traffic attacking the target system.
In the use process of the target system, in order to avoid the target system from being attacked by a network, the honeypot system can be deployed in the server or the server group, and specifically, the corresponding firmware configuration information can be determined according to the use environment of the target system; acquiring a matched honeypot mirror image from a honeypot mirror image cloud server according to the firmware configuration information, wherein the honeypot mirror image supports honeypot structures of different organization architectures; different types of honeypot images are stored in the cloud server, furthermore, a container is created in the target system, and the honeypot systems supporting different organization architectures are created through the container, so that the attack traffic of the target system can be captured through the deployed honeypot systems, wherein the attack traffic refers to the attack behavior initiated by an attacker through the internet, and one attack behavior corresponds to one attack traffic.
Step 402: and triggering a port multiplexing process in response to the acquired attack traffic so as to monitor the attack traffic forwarded by the target port.
In some embodiments of the present invention, in response to the obtained attack traffic, a port multiplexing process is triggered to monitor the attack traffic forwarded by the target port, which may be implemented in the following manner:
determining a target port based on the port multiplexing process in response to the acquired attack traffic; configuring, according to the target port, a socket and a socket function matched with the target port; and monitoring, based on that socket and socket function, the attack traffic forwarded by the target port. Referring to fig. 5, fig. 5 is a schematic diagram of the processing procedure of the port multiplexing process in an embodiment of the present invention. The port multiplexing process establishes a special socket: it binds one port, for example port 80, so that all attack traffic enters through port 80; and it calls setsockopt to set option values on a socket of any type and in any state. Although options exist at different protocol layers, the function used in the present application only sets options at the highest, "socket", level. After the traffic has been classified, that is, after the trained SVM model has judged which type the requested traffic belongs to, socket communication with the target corresponding to that type is established through the port forwarding process: for example, when different honeypot service processes exist, they serve as target 1 and target 2, and the port forwarding process establishes different sockets that communicate with target 1 and target 2 respectively.
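The following Python script is an added example, not code from the patent: it builds the special socket described above (one listening socket for all attack traffic, with a SOL_SOCKET-level setsockopt option), stands in for the trained SVM with the two keyword rules the page gives for Table 2, and performs the port forwarding step by opening a second socket to the honeypot chosen for each request. The honeypot names, the loopback ports (the OS picks free ones), the SO_REUSEADDR option and the sample requests are assumptions and constructed data for the demo, not captured traffic.

```python
import socket
import threading

# Sensitive words from the page's description of Table 2. The honeypot names,
# loopback ports and sample requests below are assumptions made for this example.
THINKPHP_WORDS = (b"php", b"phpinfo", b"think")
STRUTS2_WORDS = (b"java.io", b"action")

def choose_target(payload: bytes) -> str:
    """Keyword stand-in for the trained SVM: short requests with PHP/Think words are
    ThinkPHP probes, long ones with Struts2 words are Struts2 probes, the rest is unmatched."""
    body = payload.lower()
    if len(payload) < 100 and any(w in body for w in THINKPHP_WORDS):
        return "thinkphp"
    if len(payload) >= 100 and any(w in body for w in STRUTS2_WORDS):
        return "struts2"
    return "unmatched"

def listen(port: int = 0) -> socket.socket:
    """Bind a listening socket. setsockopt at SOL_SOCKET level (the page's 'socket' level)
    sets SO_REUSEADDR so the shared port can be rebound right after a restart."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))   # port 0: the OS picks a free port for the demo
    srv.listen(16)
    srv.settimeout(0.2)             # so accept loops can notice the stop flag
    return srv

def read_until_eof(sock: socket.socket) -> bytes:
    chunks = []
    while chunk := sock.recv(4096):
        chunks.append(chunk)
    return b"".join(chunks)

def forward(conn: socket.socket, backends: dict) -> None:
    """Port forwarding process: classify the request, then open a second socket to that honeypot."""
    with conn:
        conn.settimeout(5)
        request = conn.recv(4096)
        target = backends.get(choose_target(request))
        if target is None:
            return                                  # unmatched traffic: drop it
        with socket.create_connection(target, timeout=5) as upstream:
            upstream.sendall(request)
            conn.sendall(read_until_eof(upstream))

def serve_multiplexer(srv: socket.socket, backends: dict, stop: threading.Event) -> None:
    """Port multiplexing process: one port receives all attack traffic, each connection is dispatched."""
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        threading.Thread(target=forward, args=(conn, backends), daemon=True).start()
    srv.close()

def serve_honeypot(name: str, srv: socket.socket, received: list, stop: threading.Event) -> None:
    """Minimal stand-in for one honeypot service: record what arrived, answer with a banner."""
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(5)
            received.append((name, conn.recv(4096)))
            conn.sendall(b"HTTP/1.1 200 OK\r\nServer: " + name.encode() + b"\r\n\r\n")
    srv.close()

SAMPLE_REQUESTS = {  # constructed requests, not captured traffic; one per branch of choose_target
    "thinkphp_probe": b"GET /index.php?s=/think HTTP/1.1\r\nHost: h\r\n\r\n",
    "struts2_probe": (b"POST /login.action HTTP/1.1\r\nHost: h\r\n"
                      b"Content-Type: multipart/form-data; boundary=java.io.File\r\n"
                      b"User-Agent: scanner/1.0\r\nAccept: */*\r\n\r\n"),
    "plain_get": b"GET / HTTP/1.1\r\nHost: h\r\n\r\n",
}

def run_demo():
    """Run two honeypots and the multiplexer on loopback; return (reply per sample, deliveries)."""
    stop, received = threading.Event(), []
    pots = {name: listen() for name in ("thinkphp", "struts2")}
    backends = {name: srv.getsockname() for name, srv in pots.items()}
    mux = listen()
    threads = [threading.Thread(target=serve_honeypot, args=(n, s, received, stop), daemon=True)
               for n, s in pots.items()]
    threads.append(threading.Thread(target=serve_multiplexer, args=(mux, backends, stop), daemon=True))
    for t in threads:
        t.start()
    replies = {}
    for label, request in SAMPLE_REQUESTS.items():
        with socket.create_connection(mux.getsockname(), timeout=5) as client:
            client.sendall(request)
            replies[label] = read_until_eof(client)
    stop.set()
    for t in threads:
        t.join()
    return replies, received
```

Calling `run_demo()` sends the three constructed requests through the one shared port: the ThinkPHP and Struts2 probes come back with the banner of the honeypot they were forwarded to, while the plain request is closed without a reply, which is the unmatched traffic the page says never needs a dedicated server or IP of its own.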
Certainly, before using the attack information classification model deployed in the server or the cloud, the attack information classification model needs to be trained to determine corresponding model parameters, specifically, the network attack information processing method provided in the embodiment of the present invention is described with reference to the network attack information processing apparatus shown in fig. 2, referring to fig. 6, fig. 6 is an optional flow diagram of the network attack information processing method provided in the embodiment of the present invention, and it can be understood that the steps shown in fig. 6 may be executed by various electronic devices operating the network attack information processing apparatus, for example, a server or a server group with a network attack information processing function. The following is a description of the steps shown in fig. 6.
Step 601: and acquiring a training sample matched with the use environment of the attack information classification model.
The training samples comprise historical attack traffic acquired by a corresponding target system hosting platform.
Step 602: and extracting a training data set and a testing data set which are matched with the training samples through the attack information classification model.
In some embodiments of the present invention, the extracting of the training data set and the testing data set matching the training sample by the attack information classification model may be implemented by:
classifying the training samples and determining the different attack traffic types; performing characterization processing on the training samples based on the different attack traffic types and extracting the matched difference features; standardizing the extracted difference features to form standardized difference features; and splitting the standardized difference features according to the corresponding distribution proportions to form a training data set and a test data set matched with the training samples. In particular, the training samples of table 1 may be collected from the honeypot system's hosting site (GitHub), where the hosted project records the attack types, attack targets and corresponding identifications or markers of the historical attack traffic.
Table 1 (reproduced on the original page only as an image; its contents are not available in this text)
With continued reference to table 2, the attack type may be measured with sensitive words, sensitive characters, string length and the like as weights. Features such as the sensitive words and the string length are converted into values between 0 and 1 in a standardization process. In particular, when the information length of the attack traffic is less than 100 bytes and the data packet carries sensitive words such as "php", "phpinfo" and "think", the corresponding attack traffic can be determined to be a Thinkphp attack; or, when the information length of the attack traffic is greater than 100 bytes and the data packet carries sensitive words such as "java.io" and "action", the corresponding attack traffic can be determined to be a Struts2 attack.
Table 2 (reproduced on the original page only as an image; its contents are not available in this text)
Further, the randomly mixed data of the Thinkphp exploit exp and the Struts2 exploit exp were divided into training samples and test samples at a ratio of 40% and 60% respectively. When model training is completed, received attack traffic can be identified through the model; for example, referring to table 3, the honeypot target type that malicious traffic attacks can be identified through the deployed model.
Table 3 (reproduced on the original page only as an image; its contents are not available in this text)
Step 603: and training the attack information classification model according to a training data set and a testing data set which are matched with the training samples.
Wherein, specifically, the attack traffic type in the test data set matched with the training sample can be marked; training the attack information classification model through the training data set, and determining parameters of the attack information classification model; keeping the parameters of the attack information classification model unchanged, and classifying the attack traffic types in the test data set; comparing the classification result of the attack traffic type in the test data set with the marked attack traffic type; and when the consistent proportion of the classification result of the attack traffic type in the test data set and the marked attack traffic type exceeds a threshold value, determining a model parameter matched with the attack information classification model.
Thereby, a determination of model parameters adapted to the attack information classification model may be achieved. Furthermore, the trained attack information classification model is deployed in a corresponding server, and after the attack traffic is received, the types of the received attack traffic are classified, so that the honeypot system can obtain the corresponding attack traffic according to different attack traffic types.
When the trained attack information classification model is deployed in a corresponding server or a server group, the attack traffic received by the target system can be processed, specifically:
step 403: and triggering an attack information classification model, and identifying the type of the attack flow.
In some embodiments of the present invention, triggering an attack information classification model to identify the category of the attack traffic may be implemented by:
characterizing the attack traffic through the attack information classification model; according to the result of the attack traffic characterization processing, carrying out standardization processing on the result of the attack traffic characterization processing to form attack traffic characteristics; and processing the attack traffic characteristics based on an attack information classification model, and determining the category of the attack traffic.
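The following Python script is an added example, not the patent's implementation, covering the feature and standardization steps described for table 2 (step 602), the train/freeze/test acceptance procedure of step 603, and the characterize-standardize-classify sequence of step 403 above. The page names an SVM but does not describe its implementation; to keep the example dependency-free, a linear SVM is trained with the Pegasos subgradient method in plain Python. The labelled corpus is constructed here as a stand-in for the GitHub-hosted history of table 1, the split follows the page's 40%/60% ratio (40% training), and the length cap, epoch count and 0.9 acceptance threshold are assumptions.

```python
import random

# Sensitive words and the 100-byte split come from the page's description of
# Table 2; the length cap, split share, epochs and acceptance threshold are
# assumptions made for this example. The corpus below is constructed, not real.
THINKPHP_WORDS = ("php", "phpinfo", "think")
STRUTS2_WORDS = ("java.io", "action")
LENGTH_CAP = 200
LABEL = {"thinkphp": -1, "struts2": 1}

def featurize(payload: str) -> list:
    """Characterization: request text -> [byte length, ThinkPHP word hits, Struts2 word hits]."""
    body = payload.lower()
    return [min(len(payload.encode()), LENGTH_CAP),
            sum(body.count(w) for w in THINKPHP_WORDS),
            sum(body.count(w) for w in STRUTS2_WORDS)]

def fit_scaler(rows):
    """Standardization parameters (per-feature min/max), learned from the training rows only."""
    return [min(c) for c in zip(*rows)], [max(c) for c in zip(*rows)]

def scale(row, lo, hi):
    """Map each feature into [0, 1]; clipped so unseen extremes cannot leave the range."""
    return [min(1.0, max(0.0, (v - l) / (h - l))) if h > l else 0.0
            for v, l, h in zip(row, lo, hi)]

def train_svm(xs, ys, epochs=200, lam=0.01, seed=0):
    """Linear SVM in the primal, trained with the Pegasos subgradient method.

    The last coordinate of every x is a constant 1, so the bias is learned
    (and regularised) together with the weights.
    """
    rng, w, t = random.Random(seed), [0.0] * len(xs[0]), 0
    for _ in range(epochs):
        order = list(range(len(xs)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            margin = ys[i] * sum(wi * xi for wi, xi in zip(w, xs[i]))
            w = [(1.0 - eta * lam) * wi for wi in w]          # shrink: the regulariser
            if margin < 1.0:                                   # hinge-loss subgradient step
                w = [wi + eta * ys[i] * xi for wi, xi in zip(w, xs[i])]
    return w

def predict(w, x) -> int:
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) >= 0.0 else -1

def build_corpus(n_each=30, seed=1):
    """Constructed stand-in for Table 1's labelled history (not the real hosted corpus)."""
    rng, corpus = random.Random(seed), []
    for i in range(n_each):
        q = rng.choice(["think", "phpinfo", "php/think", "index.php?s=think"])
        corpus.append((f"GET /index.php?s={q}&n={i} HTTP/1.1\r\nHost: h\r\n\r\n", "thinkphp"))
        word = rng.choice(["java.io.File", "action", "java.io action"])
        pad = "A" * rng.randint(40, 90)
        corpus.append((f"POST /login.action HTTP/1.1\r\nHost: h\r\n"
                       f"Content-Type: multipart/form-data; x={word}\r\nUser-Agent: {pad}\r\n\r\n",
                       "struts2"))
    rng.shuffle(corpus)
    return corpus

def train_and_evaluate(threshold=0.9, train_share=0.4):
    """Step 603: split, train, freeze, classify the labelled test set, accept if agreement > threshold."""
    corpus = build_corpus()
    k = int(train_share * len(corpus))          # page: 40% / 60% split
    train, test = corpus[:k], corpus[k:]
    raw = [featurize(p) for p, _ in train]
    lo, hi = fit_scaler(raw)
    w = train_svm([scale(r, lo, hi) + [1.0] for r in raw], [LABEL[l] for _, l in train])
    fitted = (w, lo, hi)                         # parameters are frozen from here on
    agree = sum(classify_traffic(fitted, p) == l for p, l in test)
    accuracy = agree / len(test)
    return {"accuracy": accuracy, "accepted": accuracy > threshold, "fitted": fitted}

def classify_traffic(fitted, payload: str) -> str:
    """Step 403: characterize, standardize with the frozen scaler, classify with the frozen model."""
    w, lo, hi = fitted
    return "struts2" if predict(w, scale(featurize(payload), lo, hi) + [1.0]) == 1 else "thinkphp"
```

Two points worth noting for a deployment: the scaler is fitted on the training split only and then frozen with the model, since fitting it on test or live data would let the evaluation leak; and the model as the page describes it is two-class, so traffic that belongs to neither honeypot still receives one of the two labels and needs a separate reject rule (such as a minimum keyword hit count) before forwarding.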
Step 404: and triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic so as to obtain corresponding attack traffic through different types of honeypot systems.
Further, when the honeypot systems of different types acquire corresponding attack traffic, the network attack information processing device can capture the record of the access service of the attack traffic based on the attack traffic; acquiring and analyzing a network data packet carried by the attack traffic based on the record of the access service of the attack traffic; and determining and monitoring the honeypot system connection behavior after the attack flow invades the honeypot system based on the network data packet. Further, the network attack behavior may also be recorded, for example, the source internet protocol address (i.e., IP address) of the network attack behavior, the time and number of the network attack behavior, the type of the network attack behavior, the origin of the attack traffic, and the like are recorded. In addition, when capturing the network attack behavior, the computer equipment can respond to the network attack behavior and return the reply message to the attacker of the network attack behavior, so that the attacker is prevented from identifying and invading the honeypot environment through interaction with the attacker. In addition, the computer device can hide its own IP address to avoid revealing a real IP address.
In some embodiments of the present invention, when a user of a target system migrates or reconfigures the system, the honeypot system and the network attack information processing apparatus may be configured rapidly by purchasing a blockchain network service and obtaining the information stored in the blockchain network. For this purpose the honeypot system configuration information, the attack information classification model and the classification records of the attack information classification model on the attack traffic are sent to the blockchain network, so that a node of the blockchain network fills a new block with them, and when consensus on the new block is reached, the new block is appended to the tail of the blockchain.
The embodiment of the present invention may be implemented in combination with cloud technology. Cloud technology is a hosting technology that unifies resources such as hardware, software and networks within a wide area network or a local area network to implement computation, storage, processing and sharing of data; it can also be understood as a general term for the network, information, integration, management platform and application technologies applied on the basis of the cloud computing business model. The background services of a technical network system, for example video websites, photo websites and portal websites, require a large amount of computing and storage resources, so cloud technology needs the support of cloud computing.
It should be noted that cloud computing is a computing mode, and distributes computing tasks on a resource pool formed by a large number of computers, so that various application systems can obtain computing power, storage space and information services as required. The network that provides the resources is referred to as the "cloud". Resources in the "cloud" appear to the user as being infinitely expandable and available at any time, available on demand, expandable at any time, and paid for on-demand. As a basic capability provider of cloud computing, a cloud computing resource pool platform, which is called an Infrastructure as a Service (IaaS) for short, is established, and multiple types of virtual resources are deployed in a resource pool and are used by external clients selectively. The cloud computing resource pool mainly comprises: a computing device (which may be a virtualized machine, including an operating system), a storage device, and a network device.
As shown in fig. 1, the data processing method provided in the embodiment of the present invention can be implemented by corresponding cloud devices, for example: the terminals (including the terminal 10-1 and the terminal 10-2) are connected to the server 200 located at the cloud end through a network 300, and the network 300 may be a wide area network or a local area network, or a combination of the two. It should be noted that the server 200 may be a physical device or a virtualized device.
In some embodiments of the present invention, when receiving a data synchronization request of other nodes in the blockchain network, the authority of the other nodes may be verified in response to the data synchronization request;
and when the authority of the other nodes passes the verification, controlling the current node and the other nodes to carry out data synchronization so as to realize that the other nodes acquire honeypot system configuration information, an attack information classification model and a classification record of the attack information classification model on attack flow.
In some embodiments of the present invention, the query request may be further analyzed to obtain a corresponding object identifier in response to the query request; acquiring authority information in a target block in a block chain network according to the object identifier; checking the matching of the authority information and the object identification; when the authority information is matched with the object identification, acquiring corresponding honeypot system configuration information, an attack information classification model and a classification record of the attack information classification model on attack flow in the blockchain network; and responding to the query instruction, and pushing the acquired configuration information of the honeypot system, the acquired attack information classification model and the classification record of the attack information classification model on the attack traffic to the corresponding client.
Referring to fig. 7, fig. 7 is a schematic structural diagram of the target object determining apparatus 100 according to the embodiment of the present invention, which includes a blockchain network 200 (exemplarily showing a consensus node 210-1, a consensus node 210-2, and a consensus node 210-3), an authentication center 300, a service agent 400, and a service agent 500, which are respectively described below.
The type of blockchain network 200 is flexible and may be, for example, any of a public chain, a private chain, or a federation chain. Taking a public link as an example, electronic devices such as user terminals and servers of any service entity can access the blockchain network 200 without authorization; taking a federation chain as an example, an electronic device (e.g., a terminal/server) under the jurisdiction of a service entity after obtaining authorization may access the blockchain network 200, and at this time, become a client node in the blockchain network 200.
In some embodiments, the client node may act as a mere watcher of the blockchain network 200, i.e., provides functionality to support a business entity to initiate a transaction (e.g., for uplink storage of data or querying of data on a chain), and may be implemented by default or selectively (e.g., depending on the specific business requirements of the business entity) with respect to the functions of the consensus node 210 of the blockchain network 200, such as a ranking function, a consensus service, and an accounting function, etc. Therefore, the data and the service processing logic of the service subject can be migrated into the block chain network 200 to the maximum extent, and the credibility and traceability of the data and service processing process are realized through the block chain network 200.
Consensus nodes in blockchain network 200 receive transactions submitted from client nodes (e.g., client node 410 attributed to business entity 400, and client node 510 attributed to business entity 500, shown in fig. 7) of different business entities (e.g., business entity 400 and business entity 500, shown in fig. 7), perform the transactions to update the ledger or query the ledger, and various intermediate or final results of performing the transactions may be returned for display in the business entity's client nodes.
For example, the client node 410/510 may subscribe to events of interest in the blockchain network 200, such as transactions occurring in a particular organization/channel in the blockchain network 200, and the corresponding transaction notifications are pushed by the consensus node 210 to the client node 410/510, thereby triggering the corresponding business logic in the client node 410/510.
An exemplary application of the blockchain network is described below, taking an example in which a plurality of service agents access the blockchain network to achieve management of a target object determination result.
Referring to fig. 7, the plurality of business entities involved in the management link, for example the business entity 400, may be an artificial-intelligence-based target object determination device, and the business entity 500 may be a display system with a target object determination function. Each registers with the certificate authority 300 to obtain its own digital certificate, which contains the public key of the business entity and the digital signature of the certificate authority 300 over that public key and the identity information of the business entity. The certificate is attached to a transaction together with the business entity's digital signature over the transaction and sent to the blockchain network, so that the blockchain network can take the digital certificate and signature out of the transaction, verify the authenticity of the message (that is, that it has not been tampered with) and the identity information of the sending business entity, and perform authorization checks according to that identity, for example whether the business entity has the right to initiate the transaction. Clients running on electronic devices (e.g., terminals or servers) hosted by the business entity may request access from the blockchain network 200 to become client nodes.
The client node 410 of the service body 400 is used to obtain attack traffic attacking the target system; responding to the acquired attack traffic, and triggering a port multiplexing process to monitor the attack traffic forwarded by the target port; triggering an attack information classification model, and identifying the type of the attack traffic; triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic so as to obtain corresponding attack traffic through honeypot systems of different types; and sending the configuration information of the honeypot system, the attack information classification model and the classification record of the attack information classification model on the attack traffic to the blockchain network 200.
The honeypot system configuration information, the attack information classification model and the classification record of the attack information classification model on the attack traffic are sent to the blockchain network 200 in one of two ways: service logic can be set in the client node 410 in advance so that, when a corresponding target object determination result is formed, the client node 410 automatically sends these items to the blockchain network 200; or a service person of the service agent 400 logs in to the client node 410, packs these items manually and sends them to the blockchain network 200. When sending, the client node 410 generates a transaction corresponding to the update operation from the honeypot system configuration information, the attack information classification model and the classification record, specifies in the transaction the intelligent contract that needs to be called to implement the update operation and the parameters passed to it, attaches the digital certificate of the client node 410 and a digital signature (for example, obtained by signing a digest of the transaction with the private key corresponding to the digital certificate of the client node 410), and broadcasts the transaction to the consensus nodes 210 in the blockchain network 200.
When a consensus node 210 in the blockchain network 200 receives the transaction, it verifies the digital certificate and digital signature carried by the transaction; after the verification succeeds, it determines from the identity of the service agent 400 carried in the transaction whether the service agent 400 has the right to perform the transaction. Failure of either the signature verification or the authority check causes the transaction to fail. After successful verification, the node 210 adds its own digital signature (for example, by signing the digest of the transaction with the private key of node 210-1) and continues to broadcast the transaction in the blockchain network 200.
After receiving the transaction that has been successfully verified, the consensus node 210 in the blockchain network 200 fills the transaction into a new block and broadcasts the new block. When a new block is broadcast by a consensus node 210 in the blockchain network 200, a consensus process is performed on the new block; if consensus succeeds, the new block is appended to the tail of the blockchain stored by that node, the state database is updated according to the transaction result, and the transactions in the new block are executed: for a transaction that submits an update of the honeypot system configuration information, the attack information classification model and the classification record of the attack information classification model on the attack traffic, a key-value pair comprising those items is added to the state database.
A service person of the service agent 500 logs in to the client node 510 and inputs a target object determination result or a target object query request; the client node 510 generates a transaction corresponding to the update or query operation from that input, specifies in the transaction the intelligent contract that needs to be called to implement the operation and the parameters passed to it, attaches the digital certificate of the client node 510 and a digital signature (for example, obtained by signing a digest of the transaction with the private key corresponding to the digital certificate of the client node 510), and broadcasts the transaction to the consensus nodes 210 in the blockchain network 200.
After the consensus node 210 in the blockchain network 200 receives the transaction, it verifies the transaction, fills a block and reaches consensus, appends the filled new block to the tail of the blockchain stored by that node, updates the state database according to the transaction result, and executes the transactions in the new block: for a submitted transaction updating the configuration information of a honeypot system, the attack information classification model and the classification record of the attack information classification model on the attack traffic, the key-value pair corresponding to the target object determination result in the state database is updated according to the manual identification result; for a submitted transaction querying a certain target object determination result, the key-value pair corresponding to that result is looked up in the state database and the transaction result is returned.
It is noted that fig. 7 exemplarily shows the case in which the honeypot system configuration information, the attack information classification model and the classification records of the attack information classification model on the attack traffic are put on the chain directly. In other embodiments, when the data amount of a target object determination result (the items just listed) is large, the client node 410 may instead put only hashes on the chain, as pairs of a key and the hash of the corresponding item, and store the original items in a distributed file system or database. After obtaining the originals from the distributed file system or database, the client node 510 can recompute their hashes and check them against the hashes recorded in the blockchain network 200, which reduces the workload of the uplink operations.
As an example of a blockchain, referring to fig. 8, fig. 8 is a schematic structural diagram of a blockchain in the blockchain network 200 according to an embodiment of the present invention. The header of each block may include the hash value over all transactions in the block and also the hash value of the previous block, which in turn covers all transactions in that block. A record of newly generated transactions is filled into a block, which is appended to the tail of the blockchain after consensus by the nodes of the blockchain network, so that the chain grows; the hash-based linkage between blocks ensures that the transactions in the blocks are tamper-resistant and cannot be forged.
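The following Python script is an added example, not the patent's code, of the block structure just described together with the hash-only variant mentioned for fig. 7: each block header carries a hash tree root over the block's transactions and the hash of the previous block; committed "put" transactions are applied to a key-value state database; large records are kept off-chain with only their hash committed; and a verification walk reports the first block whose links or contents no longer match. The single-node `Ledger`, the key names and the three constructed records are assumptions for the demo; consensus, signatures and certificate checks are not modelled here.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64

def canonical(obj) -> bytes:
    """Deterministic encoding so the same record always hashes to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(tx_hashes):
    """Hash tree over the block's transactions (the page's 'presence certificate')."""
    if not tx_hashes:
        return sha256_hex(b"")
    level = list(tx_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate the odd leaf
        level = [sha256_hex((a + b).encode()) for a, b in zip(level[0::2], level[1::2])]
    return level[0]

class Ledger:
    """Single-node ledger (assumed): chained blocks, a key-value state database, an off-chain store."""

    def __init__(self):
        self.blocks = []
        self.state = {}          # key-value pairs written by committed "put" transactions
        self.offchain = {}       # stands in for the distributed file system / database

    def commit(self, txs):
        """Fill a new block with the transactions, link it to the chain tail, apply it to state."""
        prev = self.blocks[-1]["header"]["hash"] if self.blocks else GENESIS_PREV
        header = {"height": len(self.blocks), "prev_hash": prev,
                  "merkle_root": merkle_root([sha256_hex(canonical(tx)) for tx in txs])}
        header["hash"] = sha256_hex(canonical(header))
        self.blocks.append({"header": header, "txs": txs})
        for tx in txs:
            self.state[tx["key"]] = tx["value"]
        return header["hash"]

    def put(self, key, value):
        """Direct on-chain record, e.g. honeypot configuration or model parameters."""
        return self.commit([{"op": "put", "key": key, "value": value}])

    def put_hashed(self, key, record):
        """Large record: keep the original off-chain and commit only its hash."""
        self.offchain[key] = record
        digest = sha256_hex(canonical(record))
        return self.commit([{"op": "put", "key": key, "value": {"sha256": digest}}])

    def fetch_checked(self, key):
        """Read the off-chain original; accept it only if it still matches the on-chain hash."""
        record = self.offchain[key]
        return dict(record) if sha256_hex(canonical(record)) == self.state[key]["sha256"] else None

    def first_bad_block(self) -> int:
        """Walk the chain; return the height of the first block that fails a check, or -1."""
        prev = GENESIS_PREV
        for blk in self.blocks:
            h = blk["header"]
            unsigned = {k: v for k, v in h.items() if k != "hash"}
            root = merkle_root([sha256_hex(canonical(tx)) for tx in blk["txs"]])
            if (h["prev_hash"] != prev or h["merkle_root"] != root
                    or h["hash"] != sha256_hex(canonical(unsigned))):
                return h["height"]
            prev = h["hash"]
        return -1

def demo():
    """Commit the three kinds of record the page lists, then tamper with each storage location."""
    ledger = Ledger()
    ledger.put("honeypot/config", {"image": "thinkphp-honeypot:demo", "listen": 80})   # constructed
    ledger.put("model/params", {"w": [0.6, -0.9, 0.8, -0.1]})                          # constructed
    ledger.put_hashed("classification/batch-1",                                         # constructed
                      {"src": "198.51.100.7", "type": "struts2", "n": 3})
    out = {"clean": ledger.first_bad_block(),
           "record_ok": ledger.fetch_checked("classification/batch-1")}
    ledger.offchain["classification/batch-1"]["n"] = 300        # edit the off-chain original
    out["record_after_tamper"] = ledger.fetch_checked("classification/batch-1")
    ledger.blocks[1]["txs"][0]["value"]["w"][0] = 9.9           # edit a committed transaction
    out["bad_block"] = ledger.first_bad_block()
    return out
```

The walk in `first_bad_block` checks three things per block, and each catches a different edit: a changed transaction no longer matches the stored `merkle_root`, a rewritten header no longer matches its own `hash`, and a replaced block no longer matches the `prev_hash` of its successor. The off-chain variant keeps the same guarantee for bulky classification records as long as readers always go through `fetch_checked` rather than trusting the file store directly.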
An exemplary functional architecture of a block chain network provided in the embodiment of the present invention is described below, referring to fig. 9, fig. 9 is a functional architecture schematic diagram of a block chain network 200 provided in the embodiment of the present invention, which includes an application layer 201, a consensus layer 202, a network layer 203, a data layer 204, and a resource layer 205, which are described below respectively.
The resource layer 205 encapsulates the computing, storage, and communication resources that implement each node 210 in the blockchain network 200.
The data layer 204 encapsulates various data structures that implement the ledger, including blockchains implemented in files in a file system, state databases of the key-value type, and presence certificates (e.g., hash trees of transactions in blocks).
The network layer 203 encapsulates the functions of the peer-to-peer (P2P) network protocol, the data propagation mechanism, the data verification mechanism, the access authentication mechanism, and business entity identity management.
The P2P network protocol implements communication between the nodes 210 in the blockchain network 200; the data propagation mechanism ensures that transactions are propagated through the blockchain network 200; and the data verification mechanism secures data transmission between the nodes 210 using cryptographic methods (e.g., digital certificates, digital signatures, public/private key pairs). The access authentication mechanism authenticates the identity of a business entity joining the blockchain network 200 according to the actual business scenario and grants the business entity permission to access the blockchain network 200 when authentication passes. Business entity identity management stores the identities of the business entities that are allowed to access the blockchain network 200, together with their permissions (e.g., the types of transactions they may initiate).
The consensus layer 202 encapsulates the mechanism by which the nodes 210 in the blockchain network 200 agree on a block (i.e., the consensus mechanism), transaction management, and ledger management. The consensus mechanism comprises consensus algorithms such as PoS, PoW and DPoS, and pluggable consensus algorithms are supported.
Transaction management verifies the digital signature carried in a transaction received by a node 210, verifies the identity information of the business entity, and determines from that identity information (read from business entity identity management) whether the entity has the authority to perform the transaction. Every business entity authorized to access the blockchain network 200 holds a digital certificate issued by a certificate authority and signs the transactions it submits with the private key belonging to its digital certificate, thereby declaring its legitimate identity.
Ledger management maintains the blockchain and the state database. A block on which consensus has been reached is appended to the tail of the blockchain, and the transactions in that block are executed: when a transaction comprises an update operation, the key-value pairs in the state database are updated; when a transaction comprises a query operation, the key-value pairs in the state database are queried and the result is returned to the client node of the business entity. Query operations over multiple dimensions of the state database are supported, comprising: querying a block by block sequence number (e.g., the hash value of a transaction); querying a block by block hash value; querying a block by transaction sequence number; querying a transaction by transaction sequence number; querying the account data of a business entity by the account (sequence number) of the business entity; and querying the blockchain in a channel by channel name.
The application layer 201 encapsulates the various services that the blockchain network can provide, including tracing, evidence storage, and verification of transactions.
Taking a web attack and a random attack on an abnormal port during internet information interaction as examples, the description of the network attack information processing method provided by the present application now continues with reference to fig. 10, which is an optional flow diagram of the network attack information processing method provided by the embodiment of the present application. Because of the diversity of web middleware and of application services, the web attack is one of the most popular attacks at present; however, the listening ports of a honeypot are very limited, usually only ports such as 80, 8080 and 8081, so attack traffic can launch web attacks against them, and for an abnormal port (for example, a port whose number has been changed) the attack traffic can likewise launch a random attack on the abnormal port. Specifically, the method comprises the following steps:
Step 1001: the port multiplexing process determines the initial socket.
The type of the target port is determined, and a socket and socket functions matched with the target port are configured according to that type. The initial socket so determined supports the basic operations of TCP/IP path communication: it gives application-layer processes a mechanism for exchanging data over the network protocol, and provides the application program with an interface for communicating through the network protocol and for interacting with the network protocol stack.
Step 1002: set the socket of the port multiplexing process.
The socket may be one of: a stream socket, which provides a bidirectional, ordered, duplicate-free data stream service without record boundaries; or a datagram socket, which supports bidirectional data flow.
Step 1003: bind to and listen on port 80.
The port bound by the port multiplexing process can be adjusted according to the type of the honeypot system.
Step 1004: receive the attack traffic in the network.
The attack traffic in the network refers to attack behavior launched by an attacker through the Internet; one attack behavior corresponds to one attack traffic, and the attacker is any entity that launches attack behavior against the honeypot system. Through the access server arranged in the honeypot system, different attack traffic is directed by the access server to a specified honeypot terminal, so that the honeypot system can capture and analyze the malicious code in the attack traffic.
Step 1005: analyze the received attack traffic.
The analysis results of the attack traffic can be stored for analysis and correlation, so that an administrator can search for all similar attacks among the historical attack events of the system and thereby obtain more information about the attackers. By storing, counting and displaying the attack traffic captured by the honeypot system, a user can see the attack situation of the honeypot system at a glance and can further trace the source of the attack from the data.
Step 1006: acquire training data and train the attack information classification model.
Step 1007: test the attack information classification model with the test data.
When the test passes, the trained attack information classification model is deployed on a local server or in the cloud, so as to fit the use environments of different honeypot systems.
Step 1008: judge the attack traffic intelligently through the attack information classification model.
In this way the attack traffic is classified by type.
Step 1009: forward the attack traffic through the port forwarding process according to the classification result.
Specifically, the type of algorithm used for intelligent recognition is not limited in the present application; for example, a Support Vector Machine (SVM) classifier is used to build a model for the target, so as to intelligently recognize ThinkPHP and Struts2 attacks.
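Steps 1001 to 1009 worked through in Python as an added example that is not the patent's code: one asyncio listener bound to a shared port plays the port multiplexing process, a byte-prefix protocol classifier on each connection's first bytes stands in for the attack information classification model (the patent uses an SVM; only prefix rules are used here), and the port forwarding process relays the connection to a honeypot back-end chosen per service type. The back-end addresses and the protocol prefixes are assumptions for the example.

```python
"""Port-multiplexing honeypot front end: listen once, classify each connection
from its first bytes, forward it to the honeypot for that service type."""
import asyncio

# Assumed honeypot back-ends, one per service type (placeholder addresses).
BACKENDS = {
    "http": ("127.0.0.1", 8080),
    "ssh": ("127.0.0.1", 2222),
    "tls": ("127.0.0.1", 8443),
    "redis": ("127.0.0.1", 6379),
    "unknown": ("127.0.0.1", 9999),  # catch-all: server-speaks-first or unrecognised
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def classify_initial_bytes(data: bytes) -> str:
    """Stand-in for the classification model: which service does this stream belong to?"""
    if data.startswith(HTTP_METHODS):            # HTTP request line
        return "http"
    if data.startswith(b"SSH-"):                 # SSH identification string
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"                             # TLS handshake record, version 3.x
    if data.startswith(b"*") and b"\r\n$" in data:
        return "redis"                           # RESP array, as Redis clients send
    return "unknown"


def select_backend(data: bytes):
    """Return (service type, (host, port)) for the honeypot that should interact."""
    kind = classify_initial_bytes(data)
    return kind, BACKENDS[kind]


async def _pump(src, dst):
    """Copy bytes one way until EOF, then close the destination side."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle(client_reader, client_writer, peek_timeout=1.0):
    """Steps 1004-1009: receive, classify, forward through the port forwarding process."""
    try:
        first = await asyncio.wait_for(client_reader.read(1024), peek_timeout)
    except asyncio.TimeoutError:
        first = b""  # client waits for a server banner: nothing to classify on yet
    kind, (host, port) = select_backend(first)
    print(f"{client_writer.get_extra_info('peername')} -> {kind} honeypot {host}:{port}")
    try:
        backend_reader, backend_writer = await asyncio.open_connection(host, port)
    except OSError as exc:
        print(f"backend {host}:{port} unavailable: {exc}")
        client_writer.close()
        return
    backend_writer.write(first)  # replay the bytes consumed while classifying
    await backend_writer.drain()
    await asyncio.gather(_pump(client_reader, backend_writer),
                         _pump(backend_reader, client_writer),
                         return_exceptions=True)


async def serve(listen_port=80):
    """Steps 1001-1003: one socket bound to the shared port (port 80 needs privileges)."""
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port, reuse_address=True)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```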
Referring to fig. 11, which is a schematic flowchart of the training process of the attack information classification model in an embodiment of the present application, the training specifically comprises the following steps:
Step 1101: classify the training samples.
The training samples can come from the analysis results of attack traffic already stored in the honeypot system, specifically the large amount of attack traffic that the deployed honeypot system can capture in the corresponding operating environment; different training samples are formed by identification and classification.
Step 1102: perform characterization based on the classification result.
Here the exploit (exp) payload is escape-processed, and difference features such as sensitive words and length information are extracted.
Step 1103: standardize the data.
The raw data features are irregular and need a unified standard, for example mapping each feature onto a numerical value between 0 and 1, which facilitates SVM recognition.
Step 1104: split the data into training data and test data.
The test data is used to check whether the processing effect of the attack information classification model meets expectations, and makes it convenient to adjust the parameters of the attack information classification model in time so as to fit the different use environments of the honeypot system.
Step 1105: judge whether the model verification result meets expectations; if so, execute step 1106, otherwise execute step 1107.
Step 1106: determine the model parameters and finish model training.
Step 1107: adjust the model parameters.
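The fig. 11 training process (steps 1101 to 1107), together with the validation threshold of claim 6, worked through in Python as an added example that is not the patent's code. The request lines, the sensitive-word lists and the 0.9 threshold are constructed for the example, and a nearest-centroid classifier stands in for the SVM, which the patent names as one option among others.

```python
"""Training pipeline: classify samples, escape + characterize, standardize to
0..1, split train/test, validate against a threshold, adjust parameters."""
import math
from urllib.parse import unquote

# Sensitive-word families per attack type (assumption: the patent lists no words).
SENSITIVE_WORDS = {
    "thinkphp": ["invokefunction", "call_user_func", "think\\app", "\\think\\"],
    "struts2": ["%{", "#_memberaccess", "ognl", "#context"],
    "generic": ["../", "union select", "<script", "eval("],
}

# Step 1101: constructed, truncated request lines, each marked with its type.
SAMPLES = [
    ("GET /index.php?s=index/think%5Capp/invokefunction&function=call_user_func HTTP/1.1", "thinkphp"),
    ("GET /struts2-showcase/index.action?redirect:%25%7B%23_memberAccess HTTP/1.1", "struts2"),
    ("GET /index.html HTTP/1.1", "benign"),
    ("GET /index.php?s=index/%5Cthink%5CContainer/invokefunction HTTP/1.1", "thinkphp"),
    ("POST /index.action HTTP/1.1 Content-Type: %25%7B(%23_memberAccess%3D%40ognl.OgnlContext", "struts2"),
    ("GET /static/css/site.css HTTP/1.1", "benign"),
    ("GET /index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array HTTP/1.1", "thinkphp"),
    ("GET /login.action?id=%25%7B%23context%5B%27xwork%27%5D HTTP/1.1", "struts2"),
    ("POST /api/login HTTP/1.1", "benign"),
    ("GET /?s=index/%5Cthink%5Capp/invokefunction HTTP/1.1", "thinkphp"),
    ("GET /index.action?name=%25%7B%23_memberAccess%7D&ognl=1 HTTP/1.1", "struts2"),
    ("GET /images/logo.png?v=2 HTTP/1.1", "benign"),
]


def characterize(raw):
    """Step 1102: unescape the payload, then count sensitive words per family,
    total length and the share of non-alphanumeric characters."""
    text = unquote(raw).lower()
    counts = [float(sum(text.count(w) for w in words)) for words in SENSITIVE_WORDS.values()]
    nonalnum = sum(1 for c in text if not c.isalnum()) / max(len(text), 1)
    return counts + [float(len(text)), nonalnum]


def fit_scaler(rows):
    """Step 1103: per-feature min and max learned from the training data only."""
    return [min(col) for col in zip(*rows)], [max(col) for col in zip(*rows)]


def standardize(row, scaler):
    """Map each feature onto 0..1; a constant feature maps to 0, out-of-range to the edge."""
    lo, hi = scaler
    return [0.0 if b == a else min(1.0, max(0.0, (v - a) / (b - a)))
            for v, a, b in zip(row, lo, hi)]


def split(samples, test_every=4):
    """Step 1104: deterministic split, every 4th sample forms the test set."""
    train = [s for i, s in enumerate(samples) if i % test_every]
    test = [s for i, s in enumerate(samples) if not i % test_every]
    return train, test


def _weight(vec, keyword_weight):
    """Model parameter: how strongly the keyword-count features dominate."""
    n = len(SENSITIVE_WORDS)
    return [x * keyword_weight for x in vec[:n]] + vec[n:]


def train(train_set, keyword_weight=1.0):
    """Nearest-centroid model (stand-in for the SVM): scaler plus one centroid per type."""
    feats = [characterize(raw) for raw, _ in train_set]
    scaler = fit_scaler(feats)
    groups = {}
    for (_, label), f in zip(train_set, feats):
        groups.setdefault(label, []).append(_weight(standardize(f, scaler), keyword_weight))
    centroids = {lab: [sum(col) / len(vecs) for col in zip(*vecs)] for lab, vecs in groups.items()}
    return {"scaler": scaler, "centroids": centroids, "keyword_weight": keyword_weight}


def predict(model, raw):
    x = _weight(standardize(characterize(raw), model["scaler"]), model["keyword_weight"])
    return min(model["centroids"], key=lambda lab: math.dist(x, model["centroids"][lab]))


def evaluate(model, test_set):
    """Claim 6: share of test samples whose predicted type matches the mark."""
    return sum(predict(model, raw) == label for raw, label in test_set) / len(test_set)


def train_until_expected(samples, threshold=0.9, candidates=(1.0, 2.0, 4.0)):
    """Steps 1105-1107: keep the first parameter setting that meets the threshold."""
    train_set, test_set = split(samples)
    model, acc = None, 0.0
    for keyword_weight in candidates:          # step 1107: adjust parameters
        model = train(train_set, keyword_weight)
        acc = evaluate(model, test_set)
        if acc >= threshold:                   # step 1106: parameters determined
            return model, acc, True
    return model, acc, False


if __name__ == "__main__":
    model, acc, ok = train_until_expected(SAMPLES)
    print(f"test accuracy {acc:.2f}, accepted={ok}, keyword_weight={model['keyword_weight']}")
```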
Thus the network attack information processing method provided by the present application can handle attack traffic in an intelligent interaction mode through the deployed model: it identifies the target of the attack traffic in advance and then forwards the traffic to the corresponding middleware or application system for interaction, so that one server can handle interaction with many types of attack traffic. This saves a large number of honeypot IPs and server resources, greatly improves the honeypot interaction hit rate, achieves high-accuracy interaction, improves the ability of the honeypot system to capture unknown 0-day vulnerabilities, and improves the user experience. Specifically, refer to fig. 12 and fig. 13: fig. 12 is a schematic diagram of the processing of a web attack by the network attack information processing method in an embodiment of the present application, and fig. 13 is a schematic diagram of the processing of a random attack on an abnormal port by the network attack information processing method in an embodiment of the present application. With reference to fig. 12, in the web attack scenario the honeypot listening ports are very limited, usually only common ports such as 80, 8080 and 8081; with the scheme of the present application, the types of the various attack traffic can be intelligently determined in advance and handed to honeypots of the corresponding types for interaction, which improves processing efficiency, and compared with the conventional network attack information processing method the honeypot system can realize its configured ports through 80, 8080, 8081 and the like.
Further, with reference to fig. 13, in the scenario of a random attack on an abnormal port, and in use environments where port numbers have been modified, the network attack information processing method provided by the present application can correct for the attack on the abnormal port: the attack information classification model determines the service type to which the protocol of the attack traffic belongs, and the traffic is forwarded to the honeypot for the corresponding service for processing, so that interaction is finally achieved and processing efficiency is improved. Meanwhile, different types of honeypot systems and the attack information classification model can be deployed on one server, which effectively reduces hardware cost.
The beneficial technical effects are as follows:
The method acquires attack traffic aimed at a target system; in response to the acquired attack traffic, triggers a port multiplexing process to monitor the attack traffic forwarded by the target port; triggers an attack information classification model to identify the type of the attack traffic; and, based on the identification result of the attack information classification model, triggers a port forwarding process to forward the attack traffic. In this way the type of the attack traffic can be identified by the attack information classification model and the attack traffic forwarded so that the corresponding attack traffic is received by honeypot systems of different types; the network attack information processing efficiency of honeypot systems is improved, the number of deployed servers is reduced, cost is saved for users, and large-scale deployment of honeypot systems becomes possible.
The above description is only exemplary of the present invention and should not be taken as limiting the scope of the present invention, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (15)

1. A network attack information processing method, characterized by comprising:
acquiring attack traffic for attacking a target system;
in response to the acquired attack traffic, triggering a port multiplexing process to monitor the attack traffic forwarded by the target port;
triggering an attack information classification model and identifying the type of the attack traffic; and
triggering a port forwarding process based on the identification result of the attack information classification model, and forwarding the attack traffic so as to obtain corresponding attack traffic through different types of honeypot systems.
2. The method of claim 1, wherein triggering a port multiplexing process to monitor the attack traffic forwarded by the target port in response to the obtained attack traffic comprises:
determining a target port based on the port multiplexing process in response to the acquired attack traffic;
according to the target port, configuring a socket and a socket function matched with the target port;
and monitoring the attack traffic forwarded by the target port based on the socket and the socket function matched with the target port.
3. The method of claim 1, wherein the triggering an attack information classification model to identify the category of the attack traffic comprises:
characterizing the attack traffic through the attack information classification model;
standardizing the result of the attack traffic characterization processing to form attack traffic features; and
processing the attack traffic features based on the attack information classification model, and determining the category of the attack traffic.
4. The method of claim 1, further comprising:
acquiring a training sample matched with the use environment of the attack information classification model, wherein the training sample comprises historical attack traffic acquired by the corresponding target system hosting platform;
extracting a training data set and a testing data set matched with the training samples through the attack information classification model;
and training the attack information classification model according to a training data set and a testing data set which are matched with the training samples so as to determine model parameters which are matched with the attack information classification model.
5. The method of claim 4, wherein the extracting, by the attack information classification model, a training data set and a testing data set matching the training samples comprises:
classifying the training samples and determining different attack traffic types;
based on different types of the attack traffic, carrying out characterization processing on the training sample, and extracting matched difference features;
and carrying out standardization processing on the extracted difference features to form standardized difference features, and carrying out data splitting processing on the standardized difference features according to corresponding distribution proportions to form a training data set and a test data set which are matched with the training samples.
6. The method of claim 4, wherein the training the attack information classification model according to the training data set and the testing data set matched with the training sample to determine the model parameters adapted to the attack information classification model comprises:
marking attack traffic types in the test data set matched with the training samples;
training the attack information classification model through the training data set, and determining parameters of the attack information classification model;
keeping the parameters of the attack information classification model unchanged, and classifying the attack traffic types in the test data set;
comparing the classification result of the attack traffic type in the test data set with the marked attack traffic type;
and when the consistent proportion of the classification result of the attack traffic type in the test data set and the marked attack traffic type exceeds a threshold value, determining a model parameter matched with the attack information classification model.
7. The method of claim 1, further comprising:
when different types of honeypot systems acquire corresponding attack traffic, capturing a record of access service of the attack traffic based on the attack traffic;
acquiring and analyzing a network data packet carried by the attack traffic based on the record of the access service of the attack traffic;
and determining and monitoring, based on the network data packet, the connection behavior of the honeypot system after the attack traffic has intruded into the honeypot system.
8. The method of claim 1, further comprising:
determining corresponding firmware configuration information according to the use environment of the target system;
acquiring a matched honeypot image from a honeypot image cloud server according to the firmware configuration information, wherein the honeypot image supports honeypot structures of different organizational architectures;
creating a container in the target system, and creating a honeypot system supporting different organizational architectures through the container, so as to capture attack traffic on the target system through the deployed honeypot system.
9. The method according to any one of claims 1-8, further comprising:
sending the configuration information of the honeypot system, the attack information classification model and the classification record of the attack information classification model on the attack traffic to a blockchain network, so that the nodes of the blockchain network fill the honeypot system configuration information, the attack information classification model and the classification record of the attack information classification model on the attack traffic into a new block, and, when consensus on the new block is reached, append the new block to the tail of the blockchain.
10. The method of claim 9, further comprising:
receiving data synchronization requests of other nodes in the blockchain network;
responding to the data synchronization request, and verifying the authority of the other nodes;
and when the authority of the other nodes passes the verification, controlling the current node and the other nodes to carry out data synchronization, so that the other nodes acquire the honeypot system configuration information, the attack information classification model and the classification record of the attack information classification model on the attack traffic.
11. The method of claim 9, further comprising:
responding to a query request, and analyzing the query request to obtain a corresponding object identifier;
acquiring authority information in a target block in a block chain network according to the object identifier;
checking the matching of the authority information and the object identification;
when the authority information matches the object identifier, acquiring the corresponding honeypot system configuration information, attack information classification model and classification record of the attack information classification model on the attack traffic from the blockchain network;
and responding to the query instruction, and pushing the acquired configuration information of the honeypot system, the acquired attack information classification model and the classification record of the attack information classification model on the attack traffic to the corresponding client.
12. A network attack information processing apparatus, characterized in that the apparatus comprises:
an information transmission module, configured to acquire attack traffic for attacking the target system;
the information processing module is used for responding to the acquired attack traffic and triggering a port multiplexing process so as to monitor the attack traffic forwarded by the target port;
the information processing module is used for triggering an attack information classification model and identifying the type of the attack traffic;
and the information processing module is used for triggering a port forwarding process based on the identification result of the attack information classification model and forwarding the attack traffic so as to acquire the corresponding attack traffic through different types of honeypot systems.
13. The apparatus of claim 12, wherein:
the information processing module is configured to characterize the attack traffic through the attack information classification model;
the information processing module is configured to standardize the result of the attack traffic characterization processing to form attack traffic features;
and the information processing module is configured to process the attack traffic features based on the attack information classification model and determine the category of the attack traffic.
14. An electronic device, characterized in that the electronic device comprises:
a memory for storing executable instructions;
a processor, configured to execute the executable instructions stored in the memory, and implement the network attack information processing method according to any one of claims 1 to 11.
15. A computer-readable storage medium storing executable instructions, wherein the executable instructions, when executed by a processor, implement the network attack information processing method according to any one of claims 1 to 11.
CN202010671834.0A 2020-07-14 2020-07-14 Network attack information processing method and device, electronic equipment and storage medium Active CN111565199B (en)
Publications (2)

Publication Number Publication Date
CN111565199A true CN111565199A (en) 2020-08-21
CN111565199B CN111565199B (en) 2021-10-01
CN113794731A (en) * 2021-09-17 2021-12-14 工银科技有限公司 Method, device, equipment and medium for identifying disguised attack based on CDN flow
CN113794731B (en) * 2021-09-17 2023-05-02 工银科技有限公司 Method, device, equipment and medium for identifying CDN (content delivery network) -based traffic masquerading attack
CN114070638B (en) * 2021-11-22 2023-07-18 安天科技集团股份有限公司 Computer system security defense method and device, electronic equipment and medium
CN114070638A (en) * 2021-11-22 2022-02-18 安天科技集团股份有限公司 Computer system security defense method, device, electronic equipment and medium
CN114500026A (en) * 2022-01-20 2022-05-13 深信服科技股份有限公司 Network traffic processing method, device and storage medium
CN114826764A (en) * 2022-05-17 2022-07-29 广西科技大学 Edge computing network attack identification method and system based on ensemble learning
CN116016479A (en) * 2022-12-05 2023-04-25 北京天融信网络安全技术有限公司 Server control method, device, electronic equipment and computer readable storage medium
CN117454438A (en) * 2023-12-25 2024-01-26 深圳鼎智通讯有限公司 Attacked self-destruction system and intelligent payment terminal
CN117454438B (en) * 2023-12-25 2024-04-09 深圳鼎智通讯有限公司 Attacked self-destruction system and intelligent payment terminal
CN117596087A (en) * 2024-01-19 2024-02-23 深圳市安络科技有限公司 Service simulation method, device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN111565199B (en) 2021-10-01

Similar Documents

Publication Publication Date Title
CN111565199B (en) Network attack information processing method and device, electronic equipment and storage medium
US9773109B2 (en) Alternate files returned for suspicious processes in a compromised computer network
US11960605B2 (en) Dynamic analysis techniques for applications
US11604878B2 (en) Dynamic analysis techniques for applications
US10560434B2 (en) Automated honeypot provisioning system
US10454950B1 (en) Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks
US20200012781A1 (en) Rendering an object using multiple versions of an application in a single process for dynamic malware analysis
CN110727712A (en) Data processing method and device based on block chain network, electronic equipment and storage medium
US10447726B2 (en) Mitigating attacks on server computers by enforcing platform policies on client computers
US8887278B2 (en) Restricting a processing system being compromised with a threat
Liu et al. On manually reverse engineering communication protocols of linux-based iot systems
CN114363036B (en) Network attack path acquisition method and device and electronic equipment
Hamed et al. Intrusion detection in contemporary environments
US20230370439A1 (en) Network action classification and analysis using widely distributed honeypot sensor nodes
CN114826663A (en) Honeypot identification method, honeypot identification device, honeypot identification equipment and storage medium
Zeng et al. Full-stack vulnerability analysis of the cloud-native platform
CN115694699A (en) Time delay parameter acquisition method and device, electronic equipment and storage medium
JP2024023875A (en) Inline malware detection
CN112132554A (en) Government affair information processing method and device, electronic equipment and storage medium
CN109740328B (en) Authority identification method and device, computer equipment and storage medium
Benzidane et al. Application-based authentication on an inter-VM traffic in a cloud environment
CN112637171A (en) Data traffic processing method, device, equipment, system and storage medium
Massoud Threat Simulations of Cloud-Native Telecom Applications
US20230069731A1 (en) Automatic network signature generation
Perez Analysis and Detection of the Silent Thieves

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40028341; Country of ref document: HK)
GR01 Patent grant