CN113691527A - Security processing method, device, electronic device, and storage medium - Google Patents

Info

Publication number: CN113691527A
Authority: CN (China)
Prior art keywords: intrusion behavior, intrusion, protocol, service system, access flow
Legal status (as listed, not a legal conclusion): Pending
Application number: CN202110969369.3A
Other languages: Chinese (zh)
Inventors: 张新硕, 刘焕焕, 盛国军
Current assignee: Haier Digital Technology Qingdao Co Ltd; Haier Caos IoT Ecological Technology Co Ltd; Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Original assignee: Haier Digital Technology Qingdao Co Ltd; Haier Caos IoT Ecological Technology Co Ltd; Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Application filed by Haier Digital Technology Qingdao Co Ltd, Haier Caos IoT Ecological Technology Co Ltd and Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Priority: CN202110969369.3A
Publication: CN113691527A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The embodiments of the invention relate to a security processing method, a security processing apparatus, an electronic device and a storage medium in the technical field of network security. The method comprises the following steps: monitoring the access traffic of a service system in real time; identifying, from the access traffic, whether an intrusion behavior exists; and, if an intrusion behavior is identified, proxying the access traffic corresponding to the intrusion behavior so that the intruder does not discover this. The technical scheme of the embodiments can provide a realistic honeypot environment, prevents an attacker from identifying the honeypot, and at the same time does not affect the real service system.

Description

Security processing method, device, electronic device, and storage medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a security processing method, a security processing device, electronic equipment and a storage medium.
Background
Existing honeypot systems are usually deployed separately in a server, an application system or a dedicated honeypot system, and these honeypot systems usually leave some security holes open on purpose for an attacker to break in through, so that the attacker's intrusion behavior can be recorded and analyzed after the intrusion. However, this approach has low fidelity and is easily detected by attackers.
Disclosure of Invention
In view of this, embodiments of the present invention provide a security processing method, apparatus, electronic device, and storage medium, so as to prevent an attacker from recognizing a honeypot without affecting a real service system.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of embodiments of the invention.
In a first aspect of the present disclosure, an embodiment of the present invention provides a security processing method, including:
monitoring the access traffic of a service system in real time;
identifying, from the access traffic, whether an intrusion behavior exists;
and, if an intrusion behavior is identified, proxying the access traffic corresponding to the intrusion behavior so that the intruder does not discover it.
In one embodiment, proxying the access traffic corresponding to the intrusion behavior so that the intruder does not discover it comprises:
intercepting the access traffic corresponding to the intrusion behavior;
simulating the intrusion behavior according to the access traffic, sending a request to the service system, and receiving the response result returned by the service system;
and generating a return result from the response result with which to respond to the intrusion behavior.
In one embodiment, generating a return result from the response result with which to respond to the intrusion behavior includes: if the response result is the backend page of the service system, returning a login-password-error page in response to the intrusion behavior.
In one embodiment, after the login-password-error page is returned, the method further comprises counting the user's subsequent intrusion behavior, and, if the counted number of attempts reaches a preset threshold and the login password is incorrect, returning a login-success page in response to the intrusion behavior.
In one embodiment, after the login-success page is returned, the method further includes performing fuzzy processing on the logged-in content to avoid data leakage.
In one embodiment, the fuzzy processing includes replacement, encryption and/or coding.
In one embodiment, when the access traffic corresponding to the intrusion behavior is proxied, the access traffic is based on at least one of the following protocols: HTTP, HTTPS, SSH and Telnet.
In a second aspect of the present disclosure, an embodiment of the present invention further provides a security processing apparatus, including:
a traffic monitoring unit, used to monitor the access traffic of the service system in real time;
an intrusion determining unit, used to identify, from the access traffic, whether an intrusion behavior exists;
and an intrusion response unit, used to proxy the access traffic corresponding to the intrusion behavior, if an intrusion behavior is identified, so that the intruder does not discover it.
In one embodiment, the intrusion response unit is configured to:
intercept the access traffic corresponding to the intrusion behavior;
simulate the intrusion behavior according to the access traffic, send a request to the service system, and receive the response result returned by the service system;
and generate a return result from the response result with which to respond to the intrusion behavior.
In one embodiment, the intrusion response unit generating a return result from the response result includes: if the response result is the backend page of the service system, returning a login-password-error page in response to the intrusion behavior.
In one embodiment, the intrusion response unit is further configured to count the user's subsequent intrusion behavior after returning the login-password-error page, and to return a login-success page in response to the intrusion behavior if the counted number of attempts reaches a predetermined threshold and the login password is incorrect.
In one embodiment, the intrusion response unit is further configured to obfuscate the logged-in content after returning the login-success page, to avoid data leakage.
In one embodiment, the fuzzy processing includes replacement, encryption and/or coding.
In one embodiment, when proxying the access traffic corresponding to the intrusion behavior, the intrusion response unit operates on at least one of the following protocols:
HTTP, HTTPS, SSH, Telnet, the Oracle protocol, the Sqlserver protocol, the Mysql protocol, the Sybase protocol and the DB2 protocol.
In a third aspect of the disclosure, an electronic device is provided. The electronic device includes: a processor; and a memory for storing executable instructions that, when executed by the processor, cause the electronic device to perform the method of the first aspect.
In a fourth aspect of the disclosure, a computer-readable storage medium is provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the method in the first aspect.
The technical scheme provided by the embodiment of the invention has the following beneficial technical effects:
the access traffic of the service system is monitored in real time and whether an intrusion behavior exists is identified from it; if an intrusion behavior is identified, the corresponding access traffic is proxied so that the intruder does not discover this. This provides a realistic honeypot environment and prevents the attacker from identifying the honeypot, without affecting the real service system.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only a part of the embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the contents of the embodiments of the present invention and the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a security processing method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of another security processing method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a security processing apparatus according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of an electronic device suitable for implementing embodiments of the present invention.
Detailed Description
In order to make the technical problems solved, the technical solutions adopted and the technical effects achieved by the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings, and it is obvious that the described embodiments are only some embodiments, but not all embodiments, of the embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, belong to the scope of protection of the embodiments of the present invention.
It should be noted that the terms "system" and "network" are often used interchangeably herein in embodiments of the present invention. Reference to "and/or" in embodiments of the invention is intended to include any and all combinations of one or more of the associated listed items. The terms "first", "second", and the like in the description and claims of the present disclosure and in the drawings are used for distinguishing between different objects and not for limiting a particular order.
It should be further noted that, in the embodiments of the present invention, each of the following embodiments may be executed alone, or may be executed in combination with each other, and the embodiments of the present invention are not limited in this respect.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
The technical solutions of the embodiments of the present invention are further described by the following detailed description with reference to the accompanying drawings.
Fig. 1 shows a flowchart of a security processing method according to an embodiment of the present invention. The method may be used to proxy an intrusion behavior against a business system, so that the attacker cannot identify the honeypot and the real business system is unaffected. It may be executed by a security processing apparatus configured in an electronic device. As shown in fig. 1, the security processing method of this embodiment includes:
In step S110, the access traffic of the service system is monitored in real time.
In step S120, whether an intrusion behavior exists is identified from the access traffic.
Under normal conditions the electronic device executing the technical scheme of this embodiment is only in monitoring mode and has no effect on normal traffic. Only when someone is found to be launching an attack is the attack traffic proxied into the honeypot.
In step S130, if an intrusion behavior is identified, the access traffic corresponding to the intrusion behavior is proxied so that the intruder does not discover it.
When the electronic device executing the technical scheme of this embodiment proxies the access traffic corresponding to the intrusion behavior, the access traffic may be based on HTTP, HTTPS, SSH, Telnet, the Oracle protocol, the Sqlserver protocol, the Mysql protocol, the Sybase protocol, the DB2 protocol, or other protocols built on top of these.
For example, if an intrusion behavior is identified, the corresponding access traffic may be intercepted; the intrusion behavior is simulated according to that traffic by sending a request to the service system and receiving the response result returned by the service system; and a return result is generated from the response result with which to respond to the intrusion behavior.
For example, if the response result is the backend page of the service system, a login-password-error page is returned in response to the intrusion behavior.
Then, if the intruder keeps trying to log in and the number of login attempts is large enough, a login-success page can be returned in response to a wrong password. In this way the intruder is confused while the real password is protected from leaking, and the intruder does not discover the deception.
As another example, so as not to affect the real service system, the data inside the server needs fuzzy processing, to avoid hazards such as data leakage.
For example, the logged-in content may be obfuscated after the login-success page is returned, to avoid data leakage.
The obfuscation may be performed in various ways, including but not limited to replacement, encryption, coding and the like.
According to this embodiment, the access traffic of the service system is monitored in real time, whether an intrusion behavior exists is identified from the access traffic, and, if one is identified, the corresponding access traffic is proxied so that the intruder does not discover it. A realistic honeypot environment is thus provided, the intruder is prevented from identifying the honeypot, and the real service system is not affected.
Fig. 2 is a schematic flowchart of another security processing method according to an embodiment of the present invention, which builds on and refines the foregoing embodiment. As shown in fig. 2, the security processing method of this embodiment includes:
In step S210, the access traffic of the service system is monitored in real time.
In step S220, whether an intrusion behavior exists is identified from the access traffic.
In step S230, if an intrusion behavior is identified, the access traffic corresponding to the intrusion behavior is intercepted.
In step S240, the intrusion behavior is simulated according to the access traffic by sending a request to the service system, and the response result returned by the service system is received.
In step S250, a return result is generated from the response result with which to respond to the intrusion behavior.
When the electronic device executing the technical scheme of this embodiment finds that an attacker is attacking the service system, it can intercept the operation carried by the attack traffic and then, acting as a proxy, initiate the corresponding traffic operation against the service system itself.
For example, an attacker accesses the service system and launches a brute-force attack on the login page, trying passwords for the administrator account admin. The electronic device executing the technical scheme of this embodiment intercepts this traffic and then, simulating the attacker, launches the same brute-force attempts against the back-end service system, using the same username and the same password for each attempt as the attacker did.
In the real service system, if the password entered for the admin user is incorrect, the user is told that the username or password is wrong; if the password is correct, the backend page is entered. From the accumulation and analysis of historical data, the electronic device executing the technical scheme of this embodiment can recognise these two kinds of page result.
Suppose that on the attacker's 100th attempt the password tried for the username admin is password123. The electronic device executing the technical scheme of this embodiment proxies this attempt to the back end and finds that the service system returns the backend management page, which shows that the password is correct. However, the page result the electronic device returns to the attacker is still "username or password error", so the attacker believes that the 100th attempt also failed and continues the brute-force attempts.
The electronic device executing the technical scheme of this embodiment may then delay a random number of further attempts: for example, when the attacker tries the 123rd password, the electronic device returns the backend management page after login, so that the attacker assumes the 123rd password is the correct one.
In the attacker's subsequent activity, although the attacker believes to have logged in to the service system with the 123rd password, the electronic device executing the technical scheme of this embodiment still logs in to the back-end service system, as proxy, with the correct password from the 100th attempt.
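The return-result logic of steps S230 to S250 and the 100th/123rd-attempt walk-through above (and the same logic as first described for step S130), worked through as an added example; this is not code from the patent. It assumes the real service system is modelled by a small `ServiceSystem` class, that the two page results the device learned from historical data are the two constants below, and that the "random delay" is a number of further attempts drawn from a configurable range.

```python
"""Deceptive login proxy (steps S230 to S250, brute-force walk-through).

Added example, not code from the patent. Assumptions: the real service
system is modelled by ``ServiceSystem``; the two page results the device
learned to recognise from historical data are the two constants below;
the random delay is drawn from [delay_min, delay_max] further attempts.
"""
import random

LOGIN_ERROR = "username or password error"   # page shown on a failed login
ADMIN_PAGE = "backend management page"       # page shown on a successful login


class ServiceSystem:
    """Stand-in for the real back-end service (constructed for this example)."""

    def __init__(self, users):
        self._users = dict(users)  # username -> real password

    def login(self, username, password):
        if self._users.get(username) == password:
            return ADMIN_PAGE
        return LOGIN_ERROR


class DeceptionProxy:
    """Sits between the intruder and the service system once an intrusion is flagged."""

    def __init__(self, backend, delay_min=5, delay_max=50, rng=None):
        self.backend = backend
        self.rng = rng if rng is not None else random.Random()
        self.delay_min, self.delay_max = delay_min, delay_max
        self.attempts = {}       # username -> number of proxied login attempts
        self.real_password = {}  # username -> correct password observed on the back end
        self.reveal_at = {}      # username -> attempt number at which to fake success
        self.fake_password = {}  # username -> wrong password the intruder was told worked

    def handle_login(self, username, password):
        """S240/S250: replay one attempt against the back end, return a deceptive page."""
        n = self.attempts.get(username, 0) + 1
        self.attempts[username] = n

        # S240: replay the attempt against the real service with the same credentials.
        real_result = self.backend.login(username, password)
        if real_result == ADMIN_PAGE and username not in self.real_password:
            # Correct password found (the "100th attempt" case): remember it, hide it,
            # and pick a later wrong attempt at which to pretend success.
            self.real_password[username] = password
            self.reveal_at[username] = n + self.rng.randint(self.delay_min, self.delay_max)

        # S250: generate the return result.
        if username in self.fake_password:
            # The intruder already "succeeded" with a fake password; stay consistent.
            return ADMIN_PAGE if password == self.fake_password[username] else LOGIN_ERROR
        if (username in self.reveal_at and n >= self.reveal_at[username]
                and password != self.real_password[username]):
            # Threshold reached and this password is wrong: show the success page.
            self.fake_password[username] = password
            return ADMIN_PAGE
        return LOGIN_ERROR   # including the attempt that was actually correct

    def proxied_session(self, username, password):
        """Later access by the intruder: accept only the fake password, but use the
        real one towards the back end, so the real credential is never confirmed."""
        if self.fake_password.get(username) != password:
            return LOGIN_ERROR
        return self.backend.login(username, self.real_password[username])


def simulate_brute_force(proxy, username, wordlist):
    """Run a whole wordlist through the proxy and return the 1-based attempt
    numbers at which the intruder was shown the success page."""
    seen_success = []
    for i, pw in enumerate(wordlist, start=1):
        if proxy.handle_login(username, pw) == ADMIN_PAGE:
            seen_success.append(i)
    return seen_success


if __name__ == "__main__":
    backend = ServiceSystem({"admin": "password123"})
    # A fixed delay of 23 reproduces the patent's 100th / 123rd attempt story.
    proxy = DeceptionProxy(backend, delay_min=23, delay_max=23)
    words = ([f"guess{i}" for i in range(1, 100)] + ["password123"]
             + [f"guess{i}" for i in range(100, 200)])
    print("success page shown at attempts:", simulate_brute_force(proxy, "admin", words))
    print("password the intruder believes in:", proxy.fake_password["admin"])
    print("real password kept hidden:", proxy.real_password["admin"] != proxy.fake_password["admin"])
```

With a fixed delay of 23 the intruder sees the success page only at attempt 123 and is later accepted only with that wrong password, while the proxy keeps using the real one towards the back end.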
So as not to affect the real service system, the electronic device executing the technical scheme of this embodiment can perform fuzzy processing on the data in the server, avoiding hazards such as data leakage.
From the accumulation and analysis of historical data, the electronic device executing the technical scheme of this embodiment can identify which data of the business system appears in public pages. The real backend data can be blurred on the basis of this knowledge.
For example, an attacker logs in to the management backend and then views the commodity order information there. The electronic device executing the technical scheme of this embodiment proxies the attacker's access traffic and sends an access request to the back-end service system, which returns the real order information held in the service system, including commodity information, commodity prices, the personal information of purchasers and so on. Through its analysis of public data, the electronic device can recognise the public information in the order, such as commodity names and commodity prices, and returns this to the attacker unchanged. For the personal information, however, if the electronic device did not find the content disclosed in its historical analysis of public data, it applies fuzzy processing to the personal information before returning it to the attacker.
The fuzzy processing includes, but is not limited to, substitution, encryption, coding and other manners. For example, for a recipient's mobile phone number, the middle digits are replaced with asterisks before the number is returned to the attacker, and the first three digits of the number can be replaced by another number segment. For example, for a purchase message left by a customer, such as "please place the courier at XXXXXX", the electronic device may randomly substitute some other sentence, for example "i love china". The electronic device can also apply several of these manners at once or in combination.
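The order-information fuzzy processing just described, as an added example that is not the patent's own code. It assumes the back end returns an order as a dict of named fields, that `PUBLIC_FIELDS` stands in for the fields the device learned to be public from historical page analysis, and that everything else is personal and handled by substitution (phone numbers), replacement (free-text messages) or coding (a keyed pseudonym), three of the manners listed above; the prefix pool, replacement sentences and sample order are constructed.

```python
"""Fuzzy processing of a proxied back-end response (the order-information example).

Added example, not the patent's own code. Assumptions: an order is a dict of
named fields; PUBLIC_FIELDS stands in for the fields the device learned to be
public from historical page analysis; everything else is treated as personal.
"""
import hashlib
import hmac
import random
import re

PUBLIC_FIELDS = {"commodity_name", "commodity_price"}      # assumed allowlist
PREFIX_POOL = ["131", "152", "176", "186"]                  # constructed replacement number segments
REPLACEMENT_MESSAGES = ["i love china", "thanks, deliver in the morning"]  # constructed
PHONE_RE = re.compile(r"(?<!\d)1\d{10}(?!\d)")             # 11-digit mobile numbers (assumption)
DEMO_KEY = b"honeypot-key-example"   # constructed; a deployment would use a secret key


def mask_phone(number, rng=None, replace_prefix=False):
    """Substitution: star out the middle four digits; optionally swap the first
    three digits for another number segment."""
    if not PHONE_RE.fullmatch(number):
        return "*" * len(number)          # unexpected shape: hide the whole value
    prefix = rng.choice(PREFIX_POOL) if (replace_prefix and rng is not None) else number[:3]
    return prefix + "****" + number[7:]


def mask_phones_in_text(text, rng=None, replace_prefix=False):
    """Apply mask_phone to every mobile number embedded in free text."""
    return PHONE_RE.sub(lambda m: mask_phone(m.group(0), rng, replace_prefix), text)


def pseudonym(value, key):
    """Coding: a consistent stand-in for a name. The same input and key give the
    same token, so the attacker sees a coherent data set, but the real value is
    not recoverable without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "user-" + digest[:8]


def obfuscate_order(order, key, rng):
    """Return the order as the honeypot shows it: public fields unchanged,
    personal fields blurred, fields not known to be public hidden."""
    out = {}
    for field, value in order.items():
        if field in PUBLIC_FIELDS:
            out[field] = value                                        # public: unchanged
        elif field == "recipient_phone":
            out[field] = mask_phone(value, rng, replace_prefix=True)  # substitution
        elif field == "customer_message":
            out[field] = rng.choice(REPLACEMENT_MESSAGES)             # replacement
        elif field == "recipient_name":
            out[field] = pseudonym(value, key)                        # coding
        else:
            out[field] = "***"   # not known to be public: do not return it
    return out


# Constructed sample order, as the real back end might return it.
SAMPLE_ORDER = {
    "commodity_name": "electric kettle",
    "commodity_price": "199.00",
    "recipient_name": "Zhang San",
    "recipient_phone": "13812345678",
    "recipient_address": "No. 1 Example Road",
    "customer_message": "please place the courier at the front gate, call 13812345678",
}


def demo(seed=1):
    """Obfuscate the sample order with a seeded generator (reproducible)."""
    return obfuscate_order(SAMPLE_ORDER, DEMO_KEY, random.Random(seed))


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field:18} {value}")
```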
Further, for operations by the attacker such as uploading, writing and modifying data, the electronic device executing the technical scheme of this embodiment may be specially configured to generate a honeypot area that records the content modified by the attacker's current attack.
For example, when an attacker needs to upload a malicious backdoor file, the electronic device executing the technical scheme of this embodiment may store the malicious backdoor file and instead upload a harmless simulated operation file to the real service system.
When the attacker sends an operation instruction to the malicious backdoor file, the electronic device executing the technical scheme of this embodiment can analyse the operation the backdoor file would execute and then send a harmless simulated instruction with the same function to the simulated operation file in the service system. The purpose is to obtain what the server would reflect and to simulate the effect on the service system faithfully, so that the attacker does not find out that he is in a honeypot, while the real service system suffers no adverse effect.
Further, the electronic device executing the technical scheme of this embodiment may also perform data fuzzy processing on the returned data.
For example, if the data modification would be reflected in the real service, say a malicious article is published, the electronic device executing the technical scheme of this embodiment may simulate the operation against the back-end real service system, which then also publishes an article. The electronic device can recognise the effect of this operation on the real service system, and when normal traffic browses the service system the electronic device intercepts the published malicious article: a normal visitor cannot see the article, but the attacker can.
Some time after the attack has ended, the electronic device executing the technical scheme of this embodiment can automatically clear the simulated operations from the real server.
According to one or more embodiments of the present disclosure, the electronic device executing the technical scheme of this embodiment may further record the relevant information of the attack in detail, including the attacker profile, each operation performed, the content returned by the real service system, the content returned by the honeypot system to the attacker, and the like. The electronic device can also display statistical data in charts of various styles.
On the basis of the previous embodiment, this embodiment provides several ways of proxying the access traffic corresponding to the intrusion behavior, and can provide a realistic honeypot environment, preventing the attacker from recognising the honeypot without affecting the real service system.
As an implementation of the methods shown in the figures above, the present application provides an embodiment of a security processing apparatus; fig. 3 shows a schematic structural diagram of the security processing apparatus provided in this embodiment. The apparatus embodiment corresponds to the method embodiments shown in fig. 1 and fig. 2, and the apparatus may be applied in various electronic devices. As shown in fig. 3, the security processing apparatus of this embodiment includes:
The traffic monitoring unit 310 is configured to monitor the access traffic of the service system in real time.
The intrusion determination unit 320 is configured to identify, from the access traffic, whether an intrusion behavior exists.
The intrusion response unit 330 is configured to, if an intrusion behavior is identified, proxy the access traffic corresponding to the intrusion behavior so that the intruder does not discover it.
According to one or more embodiments of the present disclosure, the intrusion response unit 330 is further configured to: intercept the access traffic corresponding to the intrusion behavior; simulate the intrusion behavior according to the access traffic, send a request to the service system and receive the response result returned by the service system; and generate a return result from the response result with which to respond to the intrusion behavior.
According to one or more embodiments of the present disclosure, the intrusion response unit 330 generating a return result from the response result includes: if the response result is the backend page of the service system, returning a login-password-error page in response to the intrusion behavior.
According to one or more embodiments of the present disclosure, the intrusion response unit 330 is further configured to, after returning the login-password-error page, count the user's subsequent intrusion behavior, and, if the counted number of attempts reaches a predetermined threshold and the login password is incorrect, return a login-success page in response to the intrusion behavior.
According to one or more embodiments of the present disclosure, the intrusion response unit 330 is further configured to, after returning the login-success page, obfuscate the logged-in content to avoid data leakage.
According to one or more embodiments of the present disclosure, the obfuscation includes replacement, encryption and/or coding.
According to one or more embodiments of the present disclosure, the intrusion response unit 330 is configured to, when proxying the access traffic corresponding to the intrusion behavior, operate on at least one of the following protocols:
HTTP, HTTPS, SSH, Telnet, the Oracle protocol, the Sqlserver protocol, the Mysql protocol, the Sybase protocol, the DB2 protocol, and others built on top of these.
The security processing apparatus provided by this embodiment can execute the security processing method provided by the method embodiments of the present disclosure, and has the corresponding functional modules and beneficial effects.
Referring now to FIG. 4, a block diagram of an electronic device 400 suitable for use in implementing embodiments of the present invention is shown. The terminal device in the embodiment of the present invention is, for example, a mobile device, a computer, or a vehicle-mounted device built in a floating car, or any combination thereof. In some embodiments, the mobile device may include, for example, a cell phone, a smart home device, a wearable device, a smart mobile device, a virtual reality device, and the like, or any combination thereof. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 4, the electronic device 400 may include a processing device (e.g., a central processing unit, a graphics processor, etc.) 401 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage device 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data necessary for the operation of the electronic device 400 are also stored. The processing device 401, the ROM 402 and the RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to the bus 404.
Generally, the following devices may be connected to the I/O interface 405: input devices 406 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; an output device 407 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 408 including, for example, tape, hard disk, etc.; and a communication device 409. The communication means 409 may allow the electronic device 400 to communicate wirelessly or by wire with other devices to exchange data. While fig. 4 illustrates an electronic device 400 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as a computer software program. For example, embodiments of the invention include a computer program product comprising a computer program embodied on a computer-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 409, or from the storage device 408, or from the ROM 402. The computer program performs the above-described functions defined in the methods of embodiments of the invention when executed by the processing apparatus 401.
It should be noted that the computer readable medium mentioned above can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In embodiments of the invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In yet another embodiment of the invention, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: monitor the access traffic of a service system in real time; identify whether an intrusion behavior exists according to the access traffic; and, if the intrusion behavior is identified, proxy the access traffic corresponding to the intrusion behavior so as to avoid discovery by the intruder.
Computer program code for carrying out operations for embodiments of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present invention may be implemented by software or hardware. In some cases the name of a unit does not constitute a limitation of the unit itself; for example, the first retrieving unit may also be described as a "unit for retrieving at least two internet protocol addresses".
The foregoing description is only a preferred embodiment of the invention and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure in the embodiments of the present invention is not limited to the specific combinations of the above-described features, but also encompasses other embodiments in which any combination of the above-described features or their equivalents is possible without departing from the spirit of the disclosure. For example, technical solutions formed by substituting the above features with features of similar function disclosed in the embodiments of the present invention (but not limited to these) are also encompassed.

Claims (10)

1. A secure processing method, comprising:
monitoring the access traffic of a service system in real time;
identifying whether an intrusion behavior exists according to the access traffic;
and if the intrusion behavior is identified, proxying the access traffic corresponding to the intrusion behavior so as to avoid discovery by the intruder.
2. The method of claim 1, wherein proxying access traffic corresponding to the intrusion behavior to avoid discovery by an intruder comprises:
intercepting access flow corresponding to the intrusion behavior;
simulating the intrusion behavior according to the access flow, sending a request to the service system, and receiving a response result returned by the service system;
and generating a return result according to the response result so as to respond to the intrusion behavior.
3. The method of claim 2, wherein generating a return result from the response result to respond to the intrusion behavior comprises:
and if the response result is the background page of the service system, returning a login password error page to respond to the intrusion behavior.
4. The method of claim 3, further comprising: after returning the login password error page in response to the intrusion behavior, counting the subsequent intrusion behaviors of the user, and, if the counted number reaches a predetermined threshold and the login password is incorrect, returning a login password success page in response to the intrusion behavior.
5. The method of claim 4, further comprising, after returning the login password success page, obfuscating the logged-in content to avoid data leakage.
6. The method of claim 5, wherein the obfuscating comprises performing substitution processing, performing encryption, and/or performing coding.
7. The method of claim 1, wherein the proxying the access traffic corresponding to the intrusion behavior is based on at least one of the following protocols:
HTTP protocol, HTTPS protocol, SSH protocol, Telnet protocol, Oracle protocol, SQL Server protocol, MySQL protocol, Sybase protocol, and DB2 protocol.
8. A secure processing apparatus, comprising:
the traffic monitoring unit is used for monitoring the access traffic of the service system in real time;
the intrusion determining unit is used for identifying whether an intrusion behavior exists according to the access flow;
and the intrusion response unit is used for proxying the access traffic corresponding to the intrusion behavior, if the intrusion behavior is identified, so as to avoid discovery by the intruder.
9. An electronic device, comprising:
one or more processors; and
a memory to store executable instructions that, when executed by the one or more processors, cause the electronic device to perform the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-7.
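The response logic of claims 1 to 6 (proxy the flagged traffic to the real service system, hide a successful login behind an error page, and after a threshold of attempts return a fake success page with obfuscated content), modelled as an added Python example that is not the patent's own implementation. The intrusion detector is assumed to run elsewhere and hand over flagged sessions; the request and response dict shapes, the `service_system` callable and the threshold value of 3 are assumptions made for illustration.

```python
import base64
import re
from collections import defaultdict

# Assumed shapes (not from the patent): the service system is a callable taking a
# request dict and returning {"kind": ..., "body": ...}; kind "background" means
# the system served its back-end page, i.e. the submitted credentials were accepted.
LOGIN_ERROR_PAGE = {"kind": "login_error", "body": "Incorrect username or password"}
DECOY_BODY = "no session data"  # constructed fallback when nothing was captured


class DeceptionProxy:
    """Proxies access traffic already flagged as intrusion behavior (claim 1)."""

    def __init__(self, threshold=3):  # threshold value is an assumption (claim 4)
        self.threshold = threshold
        self.attempts = defaultdict(int)  # intruder id -> count of proxied requests
        self.captured = {}                # intruder id -> real back-end content seen

    @staticmethod
    def obfuscate(text):
        """Claim 6: substitution (mask every digit) followed by coding (base64)."""
        masked = re.sub(r"\d", "X", text)
        return base64.b64encode(masked.encode()).decode()

    def handle(self, intruder, request, service_system):
        """Claims 2 to 5: replay the request, then decide what the intruder sees."""
        # Claim 2: simulate the intrusion against the real service system and
        # collect its response result.
        response = service_system(request)
        self.attempts[intruder] += 1
        if response["kind"] == "background":
            # Claim 3: the credentials actually worked; hide that behind an error
            # page and keep the real content for the obfuscated page later.
            self.captured[intruder] = response["body"]
            return dict(LOGIN_ERROR_PAGE)
        if response["kind"] == "login_error" and self.attempts[intruder] >= self.threshold:
            # Claims 4 and 5: threshold reached with a wrong password, so return a
            # fake success page whose content is obfuscated to avoid data leakage.
            body = self.captured.get(intruder, DECOY_BODY)
            return {"kind": "login_success", "body": self.obfuscate(body)}
        # Any other response result is returned to the intruder unchanged.
        return response
```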
CN202110969369.3A 2021-08-23 2021-08-23 Security processing method, device, electronic device, and storage medium Pending CN113691527A (en)


Publications (1)

Publication Number Publication Date
CN113691527A true CN113691527A (en) 2021-11-23

Family

ID=78581515



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination