CN113452794A - Method, system, server and router for intelligently and dynamically adding blacklist - Google Patents

Info

Publication number
CN113452794A
Authority
CN
China
Prior art keywords
data
malicious data
router
cloud server
malicious
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110740345.0A
Other languages
Chinese (zh)
Inventor
吴文杰
张利鹏
王照
陈开宏
何丽娥
陈馥汇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
N Radio Technologies Co ltd
Original Assignee
N Radio Technologies Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2021-06-30
Filing date
2021-06-30
Publication date
2021-09-28
Events
Application filed by N Radio Technologies Co ltd
Priority to CN202110740345.0A
Publication of CN113452794A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection

Abstract

The invention provides a method and a system for intelligently and dynamically adding entries to a blacklist, together with a cloud server, a router and a computer-readable storage medium. The method comprises the following steps: connecting to a cloud server and acquiring the latest data of the malicious data feature database from it; connecting to a client and computing a data feature value from the network data transmitted by the client according to a detection rule; comparing the data feature value with the malicious data feature database; if the malicious data feature database does not contain the data feature value, and the data is judged to be suspected malicious data according to the monitored running condition and network usage, uploading the suspected malicious data to the cloud server for further analysis; after the cloud server has analysed the suspected malicious data and confirmed it to be malicious data, synchronizing the malicious data feature database and detection rules updated by the cloud server; and adding the detected client that sent the malicious data to the blacklist. The invention improves the security of network applications.

Description

Method, system, server and router for intelligently and dynamically adding blacklist
Technical Field
The invention belongs to the field of network application, and particularly relates to a method and a system for intelligently and dynamically adding a blacklist, a cloud server, a router and a computer readable storage medium.
Background
Currently, existing routers generally provide a blacklist function, but it is mainly implemented on the basis of the client's MAC address or IP address: whether a client may access network resources through the router is decided by its MAC address, or the right to access network resources is set according to its IP address.
With the growth of informatization, more and more clients need to connect to the internet. A router serves as a common network entry point, the network environment is becoming increasingly complex, and the traditional blacklist configuration mode (identification by MAC/IP address) cannot adequately protect network security.
Disclosure of Invention
The invention aims to provide a method and a system for intelligently and dynamically adding a blacklist, a cloud server, a router and a computer readable storage medium, and aims to solve the problem that the existing blacklist configuration mode cannot well protect network security.
In a first aspect, the present invention provides a method for intelligently and dynamically adding a blacklist, including:
connecting a cloud server, and acquiring the latest data of the malicious data characteristic database from the cloud server;
connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; the detection rule is obtained by configuring network data, or predefined detection rules are synchronously downloaded from a cloud server;
comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not have the data characteristic value, and the suspected malicious data is judged according to the monitored running condition and the network use condition, uploading the suspected malicious data to a cloud server for further analysis;
after the suspected malicious data are analyzed by the cloud server and confirmed to be the malicious data, synchronizing a malicious data feature database and a detection rule updated by the cloud server;
and adding the detected client side sending the malicious data to a blacklist, and generating a detection log.
Further, the network data comprises MAC addresses, IP addresses, original data analysis rules, and accessed intranet and extranet resources.
In a second aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the method for intelligent dynamic blacklisting.
In a third aspect, the present invention provides a router, including:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, which when executing the computer programs implement the steps of the method of intelligent dynamic addition of blacklists as described in the first aspect.
In a fourth aspect, the present invention provides a method for intelligently and dynamically adding a blacklist, including:
connecting a router;
synchronously updating the malicious data characteristic database to the router;
collecting network data uploaded by a router and transmitted by a client, and calculating to obtain a data characteristic value;
analyzing the obtained data characteristic value, and judging whether the data is malicious data;
and after the malicious data are confirmed, updating the confirmed malicious data to a malicious data feature database, generating a corresponding detection rule, and synchronously updating the detection rule to the router, so that the router adds the client side sending the malicious data to a blacklist.
In a fifth aspect, the present invention provides a computer-readable storage medium, which stores a computer program, which when executed by a processor implements the steps of the method for intelligent dynamic blacklist addition according to the fourth aspect.
In a sixth aspect, the present invention provides a cloud server, including:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, which when executing the computer programs implement the steps of the method of intelligent dynamic addition of blacklists as described in the fourth aspect.
In a seventh aspect, the present invention provides a system for intelligently and dynamically adding a blacklist, including a router, and a cloud server connected to the router;
the router monitors the operation state of the system, calculates a network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client side which sends the malicious data into a blacklist, and forbids the client side from accessing the network;
the cloud server collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules and updates the malicious data characteristic database to the online router in real time.
According to the method and the device, abnormal traffic and malicious operations of the client are detected by combining the detection rules with the router's data acquisition and the cloud server's analysis; the client sending the malicious data is added to the blacklist, so that illegal clients are detected intelligently, abnormal clients are isolated by means of the blacklist, network security is improved, and the stability of the network is guaranteed.
Drawings
Fig. 1 is a flowchart of a method for dynamically adding a blacklist intelligently according to an embodiment of the present invention.
Fig. 2 is a block diagram illustrating a specific structure of a router according to an embodiment of the present invention.
Fig. 3 is a flowchart of a method for intelligently and dynamically adding a blacklist according to another embodiment of the present invention.
Fig. 4 is a block diagram of a specific structure of a cloud server according to an embodiment of the present invention.
Fig. 5 is a block diagram illustrating a specific structure of a system for intelligently and dynamically adding a blacklist according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Referring to fig. 1, a method for intelligently and dynamically adding a blacklist according to an embodiment of the present invention includes the following steps. It should be noted that the method is not limited to the flow sequence shown in fig. 1 if substantially the same result is obtained.
S011, connecting to a cloud server, and acquiring the latest data of the malicious data feature database from the cloud server;
S012, connecting to a client, and computing a data feature value from the network data transmitted by the client according to a detection rule; the detection rule is obtained by configuring network data, or predefined detection rules are downloaded synchronously from the cloud server;
S013, comparing the data feature value with the malicious data feature database; if the malicious data feature database does not contain the data feature value, and the data is judged to be suspected malicious data according to the monitored running condition and network usage, uploading the suspected malicious data to the cloud server for further analysis;
S014, after the suspected malicious data has been analysed by the cloud server and confirmed to be malicious data, synchronizing the malicious data feature database and detection rules updated by the cloud server;
S015, adding the detected client that sent the malicious data to a blacklist, and generating a detection log.
In an embodiment of the present invention, the network data includes a MAC address, an IP address, an original data analysis rule, and accessed intranet and extranet resources.
An embodiment of the present invention provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the method for intelligently and dynamically adding a blacklist according to an embodiment of the present invention.
Fig. 2 is a specific block diagram of a router according to an embodiment of the present application, where a router 100 includes: one or more processors 101, a memory 102, and one or more computer programs, wherein the processors 101 and the memory 102 are connected by a bus, the one or more computer programs are stored in the memory 102 and configured to be executed by the one or more processors 101, and the steps of the method for intelligent dynamic addition of blacklists according to an embodiment of the present invention are implemented when the computer programs are executed by the processors 101.
Referring to fig. 3, another embodiment of the present invention provides a method for intelligently and dynamically adding a blacklist, including:
S021, connecting to a router;
S022, synchronously updating the malicious data feature database to the router;
S023, collecting network data that was transmitted by a client and uploaded by the router, and computing a data feature value from it;
S024, analysing the obtained data feature value, and judging whether the data is malicious data;
S025, after the malicious data is confirmed, updating the newly confirmed malicious data to the malicious data feature database, generating a corresponding detection rule, synchronously updating the detection rule to the router, and enabling the router to add the client that sent the malicious data to a blacklist.
An embodiment of the present invention provides a computer-readable storage medium storing a computer program, which when executed by a processor implements the steps of the method for intelligently and dynamically adding a blacklist according to another embodiment of the present invention.
Fig. 4 shows a cloud server 200 according to an embodiment of the present invention, including: one or more processors 201, a memory 202, and one or more computer programs, wherein the processors 201 and the memory 202 are connected by a bus, the one or more computer programs are stored in the memory 202 and configured to be executed by the one or more processors 201, and the processors 201 implement the steps of the method for intelligent dynamic blacklisting as described in another embodiment of the present invention when executing the computer programs.
Fig. 5 shows a system for intelligently and dynamically adding a blacklist according to an embodiment of the present invention, which includes a router 100 and a cloud server 200 connected to the router 100;
the router 100 monitors the operation state, calculates a network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client sending the malicious data into a blacklist, and prohibits the client from accessing the network;
the cloud server 200 collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules, and updates the malicious data characteristic database to the online router in real time.
In the embodiment of the invention, abnormal traffic and malicious operations of the client are detected by combining the detection rules with the router's data acquisition and the cloud server's analysis; the client sending the malicious data is added to the blacklist, so that illegal clients are detected intelligently, abnormal clients are isolated by means of the blacklist, network security is improved, and the stability of the network is ensured.
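The router-side steps (S011 to S015), the cloud-side steps (S021 to S025) and the system of fig. 5 can be exercised end to end in a small simulation. The Python below is an added example written for this page, not code from the patent or from N Radio Technologies; the rule format, the rate-limit and prevalence thresholds used as stand-ins for the "running condition and network use condition" and for the cloud's analysis, and every identifier, MAC address and traffic record are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class NetRecord:
    """One unit of client network data seen by the router (constructed shape)."""
    mac: str
    ip: str
    dst: str        # accessed intranet/extranet resource
    payload: bytes  # raw data transmitted by the client

# A detection rule here is the list of record fields hashed into the feature
# value. The patent fixes no rule format, so this shape is an assumption.
DEFAULT_RULE = {"id": "dst+payload", "fields": ["dst", "payload"]}

def feature_value(rec, rule):
    """Data feature value: SHA-256 over the rule id and the fields it names."""
    h = hashlib.sha256(rule["id"].encode())
    for name in rule["fields"]:
        v = getattr(rec, name)
        h.update(v if isinstance(v, bytes) else v.encode())
        h.update(b"\x00")  # field separator
    return h.hexdigest()

class CloudServer:
    """Cloud side (S021 to S025): collect uploads, confirm, sync DB and rules."""
    def __init__(self, confirm_threshold=2):
        self.feature_db, self.rules = set(), [DEFAULT_RULE]
        self.reports, self.routers = defaultdict(set), []  # feature -> reporters
        self.confirm_threshold = confirm_threshold

    def connect(self, router):
        self.routers.append(router)
        router.sync()

    def upload(self, router_id, rec, feature):
        """Constructed verdict: one feature reported by enough distinct clients."""
        self.reports[feature].add((router_id, rec.mac))
        if feature in self.feature_db or len(self.reports[feature]) < self.confirm_threshold:
            return False
        self.feature_db.add(feature)
        # Generate a corresponding rule: match the payload on its own, so the
        # same data sent to a different resource is recognised immediately.
        rule = {"id": "payload-only", "fields": ["payload"]}
        if rule not in self.rules:
            self.rules.append(rule)
        self.feature_db.add(feature_value(rec, rule))
        for r in self.routers:  # push the update to every online router
            r.sync()
        return True

class Router:
    """Router side (S011 to S015)."""
    def __init__(self, router_id, cloud, rate_limit=3):
        self.router_id, self.cloud = router_id, cloud
        self.rate_limit = rate_limit      # network-use condition (constructed)
        self.feature_db, self.rules = set(), []
        self.blacklist = set()
        self.pending = defaultdict(set)   # feature -> MACs awaiting a verdict
        self.conn_count = defaultdict(int)
        self.detection_log = []
        cloud.connect(self)

    def sync(self):
        """S011/S014: take the latest feature DB and rules from the cloud."""
        self.feature_db = set(self.cloud.feature_db)
        self.rules = list(self.cloud.rules)
        # S015: suspects whose data the cloud has since confirmed are blacklisted.
        for feature in [f for f in self.pending if f in self.feature_db]:
            for mac in self.pending.pop(feature):
                self._blacklist(mac, feature, "confirmed by cloud")

    def _blacklist(self, mac, feature, reason):
        self.blacklist.add(mac)
        self.detection_log.append({"router": self.router_id, "mac": mac,
                                   "feature": feature[:12], "reason": reason})

    def inspect(self, rec):
        """S012/S013: returns 'blocked', 'suspect' or 'allowed'."""
        if rec.mac in self.blacklist:
            return "blocked"
        self.conn_count[rec.mac] += 1
        hit = {feature_value(rec, r) for r in self.rules} & self.feature_db
        if hit:
            self._blacklist(rec.mac, next(iter(hit)), "known malicious feature")
            return "blocked"
        if self.conn_count[rec.mac] > self.rate_limit:
            feature = feature_value(rec, DEFAULT_RULE)
            self.pending[feature].add(rec.mac)
            self.cloud.upload(self.router_id, rec, feature)
            return "blocked" if rec.mac in self.blacklist else "suspect"
        return "allowed"

def run_demo():
    """Constructed scenario: two routers, one cloud server, four clients."""
    cloud = CloudServer(confirm_threshold=2)
    r1, r2 = Router("r1", cloud), Router("r2", cloud)
    bad, good = b"constructed-bad-payload", b"constructed-benign-payload"
    a = NetRecord("aa:aa", "192.168.1.10", "10.0.0.5:80", bad)
    b = NetRecord("bb:bb", "192.168.2.10", "10.0.0.5:80", bad)
    c = NetRecord("cc:cc", "192.168.1.11", "10.0.0.9:443", bad)  # new destination
    d = NetRecord("dd:dd", "192.168.1.12", "10.0.0.5:80", good)
    out = {"a": [r1.inspect(a) for _ in range(4)],  # 4th crosses the rate limit
           "b": [r2.inspect(b) for _ in range(4)],  # second reporter: confirmed
           "c": r1.inspect(c),                      # caught by the generated rule
           "d": [r1.inspect(d) for _ in range(4)]}  # lone reporter: never confirmed
    out["r1_blacklist"], out["r2_blacklist"] = r1.blacklist, r2.blacklist
    out["rules"] = [r["id"] for r in r1.rules]
    out["log"] = r1.detection_log + r2.detection_log
    return out
```

Calling run_demo() shows the two-stage behaviour the description relies on: a client that merely trips the router's local usage condition is only uploaded as a suspect, its blacklist entry appears once the cloud confirms the feature and pushes the updated database to every connected router, and the generated payload-only rule lets a router block the same data sent to a new destination without another round trip. As in the patent, the blacklist is still keyed on the client MAC address while detection is keyed on data features, so the feature database and rules are the state the cloud and all online routers must keep in sync.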
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (8)

1. A method for intelligently and dynamically adding a blacklist is characterized by comprising the following steps:
connecting a cloud server, and acquiring the latest data of the malicious data characteristic database from the cloud server;
connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; the detection rule is obtained by configuring network data, or predefined detection rules are synchronously downloaded from a cloud server;
comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not have the data characteristic value, and the suspected malicious data is judged according to the monitored running condition and the network use condition, uploading the suspected malicious data to a cloud server for further analysis;
after the suspected malicious data are analyzed by the cloud server and confirmed to be the malicious data, synchronizing a malicious data feature database and a detection rule updated by the cloud server;
and adding the detected client side sending the malicious data to a blacklist, and generating a detection log.
2. The method of claim 1, wherein the network data comprises MAC addresses, IP addresses, raw data analysis rules, visited intranet and extranet resources.
3. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of intelligent dynamic blacklisting according to any one of claims 1 or 2.
4. A router, comprising:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, wherein the steps of the method of intelligent dynamic addition of blacklists as claimed in any of claims 1 or 2 are implemented when the computer programs are executed by the processors.
5. A method for intelligently and dynamically adding a blacklist is characterized by comprising the following steps:
connecting a router;
synchronously updating the malicious data characteristic database to the router;
collecting network data uploaded by a router and transmitted by a client, and calculating to obtain a data characteristic value;
analyzing the obtained data characteristic value, and judging whether the data is malicious data;
and after the malicious data are confirmed, updating the confirmed malicious data to a malicious data feature database, generating a corresponding detection rule, synchronously updating the detection rule to the router, and enabling the router to add the client side sending the malicious data to a blacklist.
6. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of intelligent dynamic blacklisting according to claim 5.
7. A cloud server, comprising:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, wherein the steps of the method of intelligent dynamic blacklisting are implemented when the computer programs are executed by the processors.
8. The system for intelligently and dynamically adding the blacklist is characterized by comprising a router and a cloud server connected with the router;
the router monitors the operation state, calculates the network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client side which sends the malicious data into a blacklist, and forbids the client side from accessing the network;
the cloud server collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules and updates the malicious data characteristic database to the online router in real time.

Priority Applications (1)

Application number: CN202110740345.0A; publication: CN113452794A (en); priority date: 2021-06-30; filing date: 2021-06-30; title: Method, system, server and router for intelligently and dynamically adding blacklist

Applications Claiming Priority (1)

The same application: CN202110740345.0A / CN113452794A (en), priority date 2021-06-30, filing date 2021-06-30.

Publications (1)

Publication number: CN113452794A (en); publication date: 2021-09-28

Family

ID=77814581

Family Applications (1)

CN202110740345.0A (pending), CN113452794A (en), priority date 2021-06-30, filing date 2021-06-30, same title as above.

Country Status (1)

CN (1): CN113452794A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491543A (en) * 2013-09-30 2014-01-01 北京奇虎科技有限公司 Method for detecting malicious websites through wireless terminal, and wireless terminal
CN105262739A (en) * 2015-09-25 2016-01-20 上海斐讯数据通信技术有限公司 Security defense method, terminal, server, and system
CN105262722A (en) * 2015-09-07 2016-01-20 深信服网络科技(深圳)有限公司 Terminal malicious traffic rule updating method, cloud server and security gateway
CN105337970A (en) * 2015-10-20 2016-02-17 上海斐讯数据通信技术有限公司 Router, server and router-server-cooperative network access control method
CN107634931A (en) * 2016-07-18 2018-01-26 深圳市深信服电子科技有限公司 Processing method, cloud server, gateway and the terminal of abnormal data
CN107819768A (en) * 2017-11-15 2018-03-20 厦门安胜网络科技有限公司 Service end actively disconnects method, terminal device and the storage medium of illegal long connection

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113792294A (en) * 2021-11-15 2021-12-14 北京升鑫网络科技有限公司 Malicious class detection method, system, device, equipment and medium
CN114172721A (en) * 2021-12-06 2022-03-11 北京天融信网络安全技术有限公司 Malicious data protection method and device, electronic equipment and storage medium
CN114172721B (en) * 2021-12-06 2024-01-23 北京天融信网络安全技术有限公司 Malicious data protection method and device, electronic equipment and storage medium
CN114928476A (en) * 2022-04-27 2022-08-19 北京天融信网络安全技术有限公司 Target file security detection method and detection device

Similar Documents

Publication Title
CN113452794A (en) Method, system, server and router for intelligently and dynamically adding blacklist
JP7014606B2 (en) Behavioral analysis-based DNS tunneling detection and classification framework for network security
AU2018208693B2 (en) A system to identify machines infected by malware applying linguistic analysis to network requests from endpoints
US9438616B2 (en) Network asset information management
CN109474575B (en) DNS tunnel detection method and device
US20160234167A1 (en) Detecting anomaly action within a computer network
US20170228658A1 (en) System and Method for High Speed Threat Intelligence Management Using Unsupervised Machine Learning and Prioritization Algorithms
CN110505235B (en) System and method for detecting malicious request bypassing cloud WAF
TW201824047A (en) Attack request determination method, apparatus and server
WO2016209756A1 (en) Dns snooping to create ip address-based trust database used to select deep packet inspection and storage of ip packets
CN112653669B (en) Network terminal security threat early warning method, system and network terminal management device
US10642906B2 (en) Detection of coordinated cyber-attacks
JP2019021294A (en) SYSTEM AND METHOD OF DETERMINING DDoS ATTACKS
CN108809749B (en) Performing upper layer inspection of a stream based on a sampling rate
WO2018099206A1 (en) Apt detection method, system, and device
EP3223495A1 (en) Detecting an anomalous activity within a computer network
KR102291142B1 (en) Apparatus, method, storage medium of storing program and computer program for analyzing cyber assets damage using system operation status information
CN107733867B (en) Botnet discovery and protection method, system and storage medium
CN109428857B (en) Detection method and device for malicious detection behaviors
CN115134099B (en) Network attack behavior analysis method and device based on full flow
CN111565203B (en) Method, device and system for protecting service request and computer equipment
CN106789486B (en) Method and device for detecting shared access, electronic equipment and computer readable storage medium
JP2013232716A (en) Attack determination apparatus, attack determination method and attack determination program
RU2769075C1 (en) System and method for active detection of malicious network resources
Yen Detecting stealthy malware using behavioral features in network traffic

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210928