CN113452794A - Method, system, server and router for intelligently and dynamically adding blacklist - Google Patents
Publication number: CN113452794A (application number CN202110740345.0A)
Authority: CN (China)
Prior art keywords: data, malicious data, router, cloud server, malicious
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Classifications
- H04L67/1095: Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (H04L, Transmission of digital information; H04L67/00, Network arrangements or protocols for supporting network services or applications; H04L67/01, Protocols; H04L67/10, Protocols in which an application is distributed across nodes in the network)
- G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements (G06F, Electric digital data processing; G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55, Detecting local intrusion or implementing counter-measures)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L63/00, Network architectures or network communication protocols for network security; H04L63/02, Separating internal from external traffic, e.g. firewalls; H04L63/0227, Filtering policies)
- H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/00, Network architectures or network communication protocols for network security; H04L63/14, Detecting or protecting against malicious traffic; H04L63/1408, By monitoring network traffic)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a system for intelligently and dynamically adding a blacklist, a cloud server, a router and a computer readable storage medium, comprising the following steps: connecting a cloud server, and acquiring the latest data of the malicious data characteristic database from the cloud server; connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not have the data characteristic value, and the suspected malicious data is judged according to the monitored running condition and the network use condition, uploading the suspected malicious data to a cloud server for further analysis; after the suspected malicious data are analyzed by the cloud server and confirmed to be the malicious data, synchronizing a malicious data feature database and a detection rule updated by the cloud server; and adding the detected client side sending the malicious data to a blacklist. The invention improves the safety of network application.
Description
Technical Field
The invention belongs to the field of network application, and particularly relates to a method and a system for intelligently and dynamically adding a blacklist, a cloud server, a router and a computer readable storage medium.
Background
Currently, existing routers generally provide a blacklist function, but it is mainly implemented on the basis of a client's MAC address or IP address: whether the client may access network resources through the router is decided by its MAC address, or its right to access network resources is set according to its IP address.
With the growth of informatization, more and more clients need to be connected to the internet, and the router is the common network entry point. The network environment becomes ever more complex, and the traditional blacklist configuration (identification by MAC/IP address) can no longer adequately protect network security.
Disclosure of Invention
The invention aims to provide a method and a system for intelligently and dynamically adding a blacklist, a cloud server, a router and a computer readable storage medium, and aims to solve the problem that the existing blacklist configuration mode cannot well protect network security.
In a first aspect, the present invention provides a method for intelligently and dynamically adding a blacklist, including:
connecting a cloud server, and acquiring the latest data of the malicious data characteristic database from the cloud server;
connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; the detection rule is obtained by configuring network data, or predefined detection rules are synchronously downloaded from a cloud server;
comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not have the data characteristic value, and the suspected malicious data is judged according to the monitored running condition and the network use condition, uploading the suspected malicious data to a cloud server for further analysis;
after the suspected malicious data are analyzed by the cloud server and confirmed to be the malicious data, synchronizing a malicious data feature database and a detection rule updated by the cloud server;
and adding the detected client side sending the malicious data to a blacklist, and generating a detection log.
Further, the network data comprises MAC addresses, IP addresses, original data analysis rules, and accessed intranet and extranet resources.
In a second aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the method for intelligent dynamic blacklisting.
In a third aspect, the present invention provides a router, including:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, which when executing the computer programs implement the steps of the method of intelligent dynamic addition of blacklists as described in the first aspect.
In a fourth aspect, the present invention provides a method for intelligently and dynamically adding a blacklist, including:
connecting a router;
synchronously updating the malicious data characteristic database to the router;
collecting network data uploaded by a router and transmitted by a client, and calculating to obtain a data characteristic value;
analyzing the obtained data characteristic value, and judging whether the data is malicious data;
and after the malicious data are confirmed, updating the confirmed malicious data to a malicious data feature database, generating a corresponding detection rule, and synchronously updating the detection rule to the router, so that the router adds the client side sending the malicious data to a blacklist.
In a fifth aspect, the present invention provides a computer-readable storage medium, which stores a computer program, which when executed by a processor implements the steps of the method for intelligent dynamic blacklist addition according to the fourth aspect.
In a sixth aspect, the present invention provides a cloud server, including:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, which when executing the computer programs implement the steps of the method of intelligent dynamic addition of blacklists as described in the fourth aspect.
In a seventh aspect, the present invention provides a system for intelligently and dynamically adding a blacklist, including a router, and a cloud server connected to the router;
the router monitors the operation state of the system, calculates a network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client side which sends the malicious data into a blacklist, and forbids the client side from accessing the network;
the cloud server collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules and updates the malicious data characteristic database to the online router in real time.
In the method and device described here, the detection rules are combined with the cloud server's collection and analysis of data from the router, so that abnormal traffic and malicious operations of a client are detected and the client sending the malicious data is added to the blacklist. The illegal client is thereby detected intelligently and the abnormal client is isolated by the blacklist, which improves network security and guarantees the stability of the network.
Drawings
Fig. 1 is a flowchart of a method for dynamically adding a blacklist intelligently according to an embodiment of the present invention.
Fig. 2 is a block diagram illustrating a specific structure of a router according to an embodiment of the present invention.
Fig. 3 is a flowchart of a method for intelligently and dynamically adding a blacklist according to another embodiment of the present invention.
Fig. 4 is a block diagram of a specific structure of a cloud server according to an embodiment of the present invention.
Fig. 5 is a block diagram illustrating a specific structure of a system for intelligently and dynamically adding a blacklist according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Referring to fig. 1, a method for intelligently and dynamically adding a blacklist according to an embodiment of the present invention includes the following steps. It should be noted that the method is not limited to the flow sequence shown in fig. 1 if substantially the same result is obtained.
S011, connecting a cloud server, and acquiring the latest data of the malicious data feature database from the cloud server;
S012, connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; the detection rule is obtained by configuring network data, or predefined detection rules are synchronously downloaded from a cloud server;
S013, comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not contain the data characteristic value, and the data is judged to be suspected malicious data according to the monitored running condition and the network use condition, uploading the suspected malicious data to the cloud server for further analysis;
S014, after the suspected malicious data are analyzed by the cloud server and confirmed to be malicious data, synchronizing the malicious data feature database and the detection rules updated by the cloud server;
S015, adding the detected client sending the malicious data to a blacklist, and generating a detection log.
In an embodiment of the present invention, the network data includes a MAC address, an IP address, an original data analysis rule, and accessed intranet and extranet resources.
An embodiment of the present invention provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the steps of the method for intelligently and dynamically adding a blacklist according to an embodiment of the present invention.
Fig. 2 is a specific block diagram of a router according to an embodiment of the present application, where a router 100 includes: one or more processors 101, a memory 102, and one or more computer programs, wherein the processors 101 and the memory 102 are connected by a bus, the one or more computer programs are stored in the memory 102 and configured to be executed by the one or more processors 101, and the steps of the method for intelligent dynamic addition of blacklists according to an embodiment of the present invention are implemented when the computer programs are executed by the processors 101.
Referring to fig. 3, another embodiment of the present invention provides a method for intelligently and dynamically adding a blacklist, including:
S021, connecting a router;
S022, synchronously updating the malicious data feature database to the router;
S023, collecting network data which are uploaded by the router and transmitted by a client, and calculating to obtain a data characteristic value;
S024, analyzing the obtained data characteristic value, and judging whether the data is malicious data;
S025, after the malicious data is confirmed, updating the newly confirmed malicious data to the malicious data feature database, generating a corresponding detection rule, synchronously updating the detection rule to the router, and enabling the router to add the client sending the malicious data to a blacklist.
An embodiment of the present invention provides a computer-readable storage medium storing a computer program, which when executed by a processor implements the steps of the method for intelligently and dynamically adding a blacklist according to another embodiment of the present invention.
Fig. 4 shows a cloud server 200 according to an embodiment of the present invention, including: one or more processors 201, a memory 202, and one or more computer programs, wherein the processors 201 and the memory 202 are connected by a bus, the one or more computer programs are stored in the memory 202 and configured to be executed by the one or more processors 201, and the processor 201 implements the steps of the method of intelligent dynamic blacklisting as described in another embodiment of the present invention when the computer programs are executed.
Fig. 5 shows a system for intelligently and dynamically adding a blacklist according to an embodiment of the present invention, which includes a router 100, and a cloud server 200 connected to the router 100;
the router 100 monitors the operation state, calculates a network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client sending the malicious data into a blacklist, and prohibits the client from accessing the network;
the cloud server 200 collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules, and updates the malicious data characteristic database to the online router in real time.
In this embodiment of the invention, the detection rules are combined with the cloud server's collection and analysis of data from the router, so that abnormal traffic and malicious operations of a client are detected and the client sending the malicious data is added to the blacklist. The illegal client is thereby detected intelligently and the abnormal client is isolated by the blacklist, which improves network security and ensures the stability of the network.
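The router-side steps S011 to S015 and the cloud-side steps S021 to S025 above, run together as one simulation. This is an added example and not code from the patent: the hash-based feature function and rule format, the per-client request threshold standing in for the "monitored running condition and network use condition", the cloud's policy of confirming a feature once two distinct routers report it, and all sample traffic are assumptions constructed for the demonstration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class NetData:
    """One client request as the router sees it (the 'network data' fields of claim 2)."""
    mac: str
    ip: str
    resource: str   # accessed intranet/extranet resource
    payload: bytes

def feature_value(data: NetData, rule: dict) -> str:
    """Apply a detection rule: hash the fields it names (the rule format is an assumption)."""
    parts = [getattr(data, name) for name in rule["fields"]]
    text = "|".join(p.hex() if isinstance(p, bytes) else p for p in parts)
    return hashlib.sha256(text.encode()).hexdigest()[:16]

class Cloud:
    """Cloud server side (S021-S025): feature DB, suspect analysis, rule generation, sync."""
    def __init__(self, confirm_threshold: int = 2):
        self.feature_db = set()                              # confirmed malicious features
        self.rules = [{"id": "r0", "fields": ["resource", "payload"]}]   # predefined rule
        self.reports = defaultdict(set)                      # feature -> reporting routers
        self.confirm_threshold = confirm_threshold
        self.routers = []

    def push(self) -> None:                                  # S022 / S025: sync to online routers
        for r in self.routers:
            r.receive_update(set(self.feature_db), list(self.rules))

    def upload(self, router_id: str, feature: str, rule: dict) -> bool:   # S023 / S024
        """Assumed analysis policy: confirm once enough distinct routers report one feature."""
        self.reports[feature].add(router_id)
        if feature in self.feature_db or len(self.reports[feature]) < self.confirm_threshold:
            return False
        self.feature_db.add(feature)                         # S025: update the DB ...
        self.rules.append({"id": f"r-{feature}", "fields": list(rule["fields"])})  # ... derive a rule
        self.push()                                          # ... and push both to the routers
        return True

class Router:
    """Router side (S011-S015); a per-client request threshold is the 'suspected' heuristic."""
    def __init__(self, rid: str, cloud: Cloud, rate_limit: int = 5):
        self.rid, self.cloud, self.rate_limit = rid, cloud, rate_limit
        self.feature_db, self.rules, self.blacklist, self.log = set(), [], set(), []
        self.suspects = {}                                   # feature -> NetData awaiting verdict
        self.requests = defaultdict(int)                     # per-client request counter
        cloud.routers.append(self)                           # S011: connect and pull the
        self.receive_update(set(cloud.feature_db), list(cloud.rules))  # latest DB and rules

    def receive_update(self, db: set, rules: list) -> None:  # S014
        self.feature_db, self.rules = db, rules
        for feat, data in list(self.suspects.items()):
            if feat in db:                                   # the cloud confirmed our suspect
                self._blacklist(data.mac, feat, "cloud-confirmed")
                del self.suspects[feat]

    def _blacklist(self, mac: str, feat: str, reason: str) -> None:      # S015 + detection log
        self.blacklist.add(mac)
        self.log.append(f"{self.rid} blacklist {mac} feature={feat} reason={reason}")

    def handle(self, data: NetData) -> str:                 # S012 / S013
        if data.mac in self.blacklist:
            return "blocked"
        self.requests[data.mac] += 1
        feats = {feature_value(data, r): r for r in self.rules}
        hit = set(feats) & self.feature_db
        if hit:
            self._blacklist(data.mac, min(hit), "db-match")
            return "blacklisted"
        if self.requests[data.mac] > self.rate_limit:        # suspected: hand to the cloud
            for feat, rule in feats.items():
                self.suspects[feat] = data
                self.cloud.upload(self.rid, feat, rule)
            return "suspected"
        return "allowed"

def run_scenario() -> dict:
    """Constructed scenario: two routers, two clients flooding one resource with one payload."""
    cloud = Cloud(confirm_threshold=2)
    r1, r2 = Router("r1", cloud), Router("r2", cloud)
    req = lambda mac, ip: NetData(mac, ip, "http://intranet.example/api", b"constructed-probe")
    outcomes_a = [r1.handle(req("aa:aa", "10.0.0.2")) for _ in range(6)]   # r1 reports suspect
    outcomes_b = [r2.handle(req("bb:bb", "10.0.1.2")) for _ in range(6)]   # r2 report confirms it
    late = r1.handle(req("cc:cc", "10.0.0.3"))              # a new client: immediate DB match
    return {"a": outcomes_a, "b": outcomes_b, "late": late, "db_size": len(cloud.feature_db),
            "r1_blacklist": r1.blacklist, "r2_blacklist": r2.blacklist, "r1_log": r1.log}
```

The second router's report is what turns a local suspicion into a confirmed feature, after which both routers blacklist their suspects on the pushed update and any later client sending the same feature is blocked on the first request.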
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by associated hardware instructed by a program, which may be stored in a computer-readable storage medium, and the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.
Claims (8)
1. A method for intelligently and dynamically adding a blacklist is characterized by comprising the following steps:
connecting a cloud server, and acquiring the latest data of the malicious data characteristic database from the cloud server;
connecting a client, and calculating network data transmitted by the client according to a detection rule to obtain a data characteristic value; the detection rule is obtained by configuring network data, or predefined detection rules are synchronously downloaded from a cloud server;
comparing the data characteristic value with a malicious data characteristic database; if the malicious data characteristic database does not have the data characteristic value, and the suspected malicious data is judged according to the monitored running condition and the network use condition, uploading the suspected malicious data to a cloud server for further analysis;
after the suspected malicious data are analyzed by the cloud server and confirmed to be the malicious data, synchronizing a malicious data feature database and a detection rule updated by the cloud server;
and adding the detected client side sending the malicious data to a blacklist, and generating a detection log.
2. The method of claim 1, wherein the network data comprises MAC addresses, IP addresses, raw data analysis rules, visited intranet and extranet resources.
3. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of intelligent dynamic blacklisting according to any one of claims 1 or 2.
4. A router, comprising:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, wherein the steps of the method of intelligent dynamic addition of blacklists as claimed in any of claims 1 or 2 are implemented when the computer programs are executed by the processors.
5. A method for intelligently and dynamically adding a blacklist is characterized by comprising the following steps:
connecting a router;
synchronously updating the malicious data characteristic database to the router;
collecting network data uploaded by a router and transmitted by a client, and calculating to obtain a data characteristic value;
analyzing the obtained data characteristic value, and judging whether the data is malicious data;
and after the malicious data are confirmed, updating the confirmed malicious data to a malicious data feature database, generating a corresponding detection rule, synchronously updating the detection rule to the router, and enabling the router to add the client side sending the malicious data to a blacklist.
6. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method of intelligent dynamic blacklisting according to claim 5.
7. A cloud server, comprising:
one or more processors;
a memory; and
one or more computer programs, the processor and the memory being connected by a bus, wherein the one or more computer programs are stored in the memory and configured to be executed by the one or more processors, wherein the steps of the method of intelligent dynamic blacklisting are implemented when the computer programs are executed by the processors.
8. The system for intelligently and dynamically adding the blacklist is characterized by comprising a router and a cloud server connected with the router;
the router monitors the operation state, calculates the network data characteristic value, compares the network data characteristic value with a malicious data characteristic database to confirm malicious data, adds a client side which sends the malicious data into a blacklist, and forbids the client side from accessing the network;
the cloud server collects network data uploaded by the router, analyzes the calculated data characteristic values, confirms malicious data, establishes a malicious data characteristic database, generates corresponding detection rules and updates the malicious data characteristic database to the online router in real time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110740345.0A (CN113452794A) | 2021-06-30 | 2021-06-30 | Method, system, server and router for intelligently and dynamically adding blacklist |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113452794A | 2021-09-28 |
Family ID: 77814581
Family Applications (1)
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202110740345.0A | Pending | 2021-06-30 | 2021-06-30 | Method, system, server and router for intelligently and dynamically adding blacklist |
Country Status (1)
| Country | Link |
|---|---|
| CN | CN113452794A |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103491543A | 2013-09-30 | 2014-01-01 | 北京奇虎科技有限公司 | Method for detecting malicious websites through wireless terminal, and wireless terminal |
| CN105262739A | 2015-09-25 | 2016-01-20 | 上海斐讯数据通信技术有限公司 | Security defense method, terminal, server, and system |
| CN105262722A | 2015-09-07 | 2016-01-20 | 深信服网络科技(深圳)有限公司 | Terminal malicious traffic rule updating method, cloud server and security gateway |
| CN105337970A | 2015-10-20 | 2016-02-17 | 上海斐讯数据通信技术有限公司 | Router, server and router-server-cooperative network access control method |
| CN107634931A | 2016-07-18 | 2018-01-26 | 深圳市深信服电子科技有限公司 | Processing method, cloud server, gateway and terminal for abnormal data |
| CN107819768A | 2017-11-15 | 2018-03-20 | 厦门安胜网络科技有限公司 | Method, terminal device and storage medium for a server to actively disconnect an illegal long connection |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113792294A | 2021-11-15 | 2021-12-14 | 北京升鑫网络科技有限公司 | Malicious class detection method, system, device, equipment and medium |
| CN114172721A | 2021-12-06 | 2022-03-11 | 北京天融信网络安全技术有限公司 | Malicious data protection method and device, electronic equipment and storage medium |
| CN114172721B | 2021-12-06 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Malicious data protection method and device, electronic equipment and storage medium |
| CN114928476A | 2022-04-27 | 2022-08-19 | 北京天融信网络安全技术有限公司 | Target file security detection method and detection device |
Legal Events
| Code | Title | Description |
|---|---|---|
| PB01 | Publication | Application publication date: 20210928 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |