CN113726790B - Network attack source identification and blocking method, system, device and medium - Google Patents

Info

Publication number: CN113726790B
Authority: CN (China)
Prior art keywords: attack source, attack, real, analysis, flow data
Legal status: Active
Application number: CN202111018656.2A
Other languages: Chinese (zh)
Other versions: CN113726790A (en)
Inventors: 何伟贤, 梁业裕, 宁建创, 谭彬, 陈式, 黄兆丰, 臧飞雪, 李伟渊, 邓旭, 潘宇华, 雷蕾
Current assignee: China Mobile Group Guangxi Co Ltd
Original assignee: China Mobile Group Guangxi Co Ltd
Application filed by China Mobile Group Guangxi Co Ltd; priority to CN202111018656.2A; published as CN113726790A, granted as CN113726790B.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT]
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a method, a system, a device and a medium for identifying and blocking a network attack source. The method comprises the following steps: receiving mirrored traffic data from the public network routing exit; decoding the traffic data layer by layer to obtain traffic data elements; performing security detection on the traffic data elements to obtain a detection result, and performing malicious file analysis on the traffic data elements to obtain an analysis result; performing big data analysis on the detection result, the analysis result and the traffic data elements using preset threat intelligence and basic data, and identifying the attack source, wherein the basic data comprise at least network basic information, service basic data and a white list; and blocking the identified real attack source. The invention solves the technical problems of the prior art that normal network access is sometimes judged to be the attack source causing a network security problem, while the real attack source cannot be blocked.

Description

Network attack source identification and blocking method, system, device and medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a method, a system, an apparatus, and a medium for identifying and blocking a network attack source.
Background
With the wide application of network technology, the problem of network security has gradually received attention. The common threat management solution is to deploy security devices and software provided by network security manufacturers, to detect attack alarms, vulnerabilities, viruses, Trojans and network attack conditions by traditional rule-based detection, to give early warning of network security threats, and to block attack sources by means of firewall policies.
However, different network security manufacturers have different monitoring and protection means for network security problems; they sometimes judge normal network access to be the attack source causing a network security problem, and cannot block the real attack source.
Disclosure of Invention
The main object of the invention is to provide a method, a system, a device and a medium for identifying and blocking a network attack source, so as to solve the technical problem of the prior art that normal network access is sometimes judged to be the attack source causing a network security problem while the real attack source cannot be blocked.
To achieve the above object, a first aspect of the present invention provides a method for identifying and blocking a network attack source, including: receiving mirrored traffic data from the public network routing exit; decoding the traffic data layer by layer to obtain traffic data elements; performing security detection on the traffic data elements to obtain a detection result, and performing malicious file analysis on the traffic data elements to obtain an analysis result; performing big data analysis on the detection result, the analysis result and the traffic data elements using preset threat intelligence and basic data, and identifying the attack source; and blocking the identified real attack source.
Identifying the attack source comprises: outputting an attack alarm; presenting real-time high-risk attack sources, long-term penetration attack sources and attack success events; analysing each attack success event to obtain the complete attack chain of that event; sending a black hole route to the Internet exit router according to the complete attack chain; and having the Internet exit router discard the packets replied to the real attack source, so that the real attack source is identified and blocked.
The method further comprises: when security detection is performed on the traffic data elements, storing the traffic data to a local hard disk.
Performing malicious file analysis on the traffic data elements to obtain an analysis result comprises: analysing and detecting files with a sandbox detection engine (dynamic virtual execution) to obtain the analysis result, and transmitting the detection result to a big data platform for big data analysis.
The big data analysis comprises: judging whether the detection result or the analysis result is in the white list, and if not, the traffic data element is a real attack source; and performing big data analysis of the attack source's scanning and probing, attack payloads and habitual operations after a successful attack according to the detection result or the analysis result, generating real attack source rules, and judging according to the real attack source rules whether the traffic data element is a real attack source.
The white list is generated by: analysing the service traffic load to determine the service characteristics of the service; and judging from the service characteristics whether the service is normal, and if so, adding the service to the white list used for big data analysis.
Blocking the real attack source comprises: matching the attack source against the real attack source rules and the white list to identify the attack source; when the attack source is identified as using obviously commercial or open-source scanning software to probe the network or vulnerabilities, blocking the attack source for a first duration; when the attack source is identified as attempting an exploit-type attack, blocking the attack source for a second duration; and when the attack source is identified as having successfully exploited a vulnerability, permanently blocking the IP of the attack source, blocking the attacked target IP at the same time, and unblocking the target IP after it has been vulnerability-scanned and remediated.
A second aspect of the present invention provides a system for identifying and blocking a network attack source, comprising: a traffic receiving module for receiving mirrored traffic data from the public network routing exit; a traffic decoding module for decoding the traffic data layer by layer to obtain traffic data elements; a traffic processing module for performing security detection on the traffic data elements to obtain a detection result, and performing malicious file analysis on the traffic data elements to obtain an analysis result; a result analysis module for performing big data analysis on the detection result, the analysis result and the traffic data elements using preset threat intelligence and basic data, and identifying the attack source, wherein the basic data comprise at least network basic information, service basic data and a white list; and a blocking module for blocking the identified real attack source.
A third aspect of the present invention provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the network attack source identification and blocking method according to any one of the above.
A fourth aspect of the present invention provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for identifying and blocking a network attack source according to any one of the above.
The method, system, device and medium for identifying and blocking a network attack source provided by the invention have the following beneficial effects: network security is monitored through the mirrored exit traffic of the router, which ensures the completeness of the monitored traffic and leaves no monitoring blind spot arising from the differing monitoring and protection means of different network security manufacturers; and after security detection and malicious file analysis of the traffic data elements, a judgment rule for the real attack source is formed during big data analysis, which lowers the false alarm rate of security monitoring and allows the real attack source to be blocked once it has been judged.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are necessary for the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention and that other drawings may be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for identifying and blocking a network attack source according to an embodiment of the present invention;
FIG. 2 is a flow chart of a big data analysis method of a network attack source identification and blocking method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for generating a white list of a method for identifying and blocking a network attack source according to an embodiment of the present invention;
FIG. 4 is a flowchart of identifying an attack source according to the method for identifying and blocking a network attack source according to an embodiment of the present invention;
FIG. 5 is a flow chart of a method for blocking a real attack source according to the method for identifying and blocking a network attack source of the embodiment of the present invention;
FIG. 6 is a system frame diagram of a network attack source identification and blocking system according to an embodiment of the present invention;
FIG. 7 is a block diagram of an electronic device according to an embodiment of the invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more comprehensible, the technical solutions in the embodiments of the present invention will be clearly described in conjunction with the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, a method for identifying and blocking a network attack source includes:
S101, receiving mirrored traffic data from the public network routing exit;
S102, decoding the traffic data layer by layer to obtain traffic data elements;
S103, performing security detection on the traffic data elements to obtain a detection result, and performing malicious file analysis on the traffic data elements to obtain an analysis result;
S104, performing big data analysis on the detection result, the analysis result and the traffic data elements using preset threat intelligence and basic data, and identifying the attack source, wherein the basic data comprise at least network basic information, service basic data and a white list;
S105, blocking the identified real attack source.
In this embodiment, before step S101 is executed, the exit traffic of the public network route is mirrored to produce the mirrored traffic data, so that the completeness of the monitored traffic is ensured.
Steps S101 and S102 act as the attack detection probe: the traffic data are collected and analysed, and decoded layer by layer.
Step S103 may be executed locally; a malicious file analysis system may be set up on a cloud platform to perform malicious file analysis on the traffic data elements, while security detection of the traffic data elements and intrusion alarming are performed by the security monitoring system that has been set up.
Step S104 may be executed locally or on a cloud platform on which a big data analysis platform is set up; the big data analysis platform processes and sorts the traffic metadata, and its big data analysis capability and various machine learning algorithms are used to form the real attack source identification and blocking method of this embodiment.
In step S105, a blocking module may be developed on the big data analysis platform and linked with the exit router, so that attack sources are blocked at the exit for all public network assets by sending BGP routes.
Therefore, the network attack source identification and blocking method provided by this embodiment can monitor network security through the mirrored exit traffic of the router, ensuring the completeness of the monitored traffic and leaving no monitoring blind spot arising from the differing monitoring and protection means of different network security manufacturers; and after security detection and malicious file analysis of the traffic data elements, a judgment rule for the real attack source is formed during big data analysis, which lowers the false alarm rate of security monitoring and allows the real attack source to be blocked once it has been judged.
In one embodiment, the method for identifying and blocking the network attack source further comprises:
S106, when security detection is performed on the traffic data elements, storing the traffic data to a local hard disk.
In this embodiment, the decoded traffic data, that is, the traffic data elements, are uploaded to the big data analysis platform for big data analysis, while the traffic data before decoding are stored on the local hard disk.
Referring to fig. 2, in one embodiment, the big data analysis of step S104 includes:
S1041, judging whether the detection result or the analysis result is in the white list, and if not, the traffic data element is a real attack source;
S1042, performing big data analysis of the attack source's scanning and probing, attack payloads and habitual operations after a successful attack according to the detection result or the analysis result, generating the real attack source rules, and judging according to the real attack source rules whether the traffic data element is a real attack source.
In this embodiment, a white list rule for alarms triggered by normal traffic is formed; this traffic alarm white list rule greatly reduces the false alarms generated by ordinary traffic access in operator-industry operations and yields a clear attack source judgment rule. By big data analysis of the attack source's scanning and probing, attack payloads, habitual operations after a successful attack and so on, a real attack source judgment rule is formed and the false alarm rate is greatly reduced; separate blocking rules are formed for scanning attack sources, attack sources attempting to exploit a vulnerability and attack sources that have successfully exploited a vulnerability, so that mistaken blocking is effectively reduced.
Referring to fig. 3, in an embodiment, the white list of step S1041 is generated by:
S1141, analysing the service traffic load to determine the service characteristics of the service;
S1241, judging from the service characteristics whether the service is normal, and if so, adding the service to the white list used for big data analysis.
In this embodiment, the service data flows of at least 15000 service hosts are captured and analysed to form a white list rule for alarms triggered by normal service traffic. Specifically: in the normal service traffic of some call-related businesses, some security monitoring devices report overflow vulnerabilities, yet the service traffic is a normal service request; the service characteristics are determined by analysing the service traffic load, and a rule is added to the big data analysis platform so that a white list is formed for that type of alarm, eliminating the false alarms for that type of service.
Big data analysis is then performed on the attack source's scanning and probing, attack payloads, habitual operations after a successful attack and so on, to form a real attack source judgment rule and a successful-attack attack source judgment rule, greatly reducing the false alarm rate. For example, an attacker with IP address 39.144.X.X first initiates vulnerability scanning against a number of IPs; during the scan the attacker finds a Struts2 deserialization vulnerability and tries to exploit it, attempting to run the ifconfig command, the intranet IP address corresponding to the destination IP being 172.16.0.6; a response is obtained, meaning the attacker has effectively attacked the target IP. The extracted rule for a real successful attack on the service is: the attack source shows scanning behaviour, then the attacker tries to exploit a vulnerability, then the attacker uses system commands (ipconfig to view the IP address of the acquired host, whoami to view the account information, etc.). The other feature rules formed by big data analysis include: scanning-type attack source rule features, namely identifiers of commercial or open-source scanners such as rsas, nmap, awvs, appscan, etc.; and exploit-attempt-type attack source rule features, namely arbitrary file download/read, Apache Struts2 remote command execution, Apache Shiro remote command execution, JBoss deserialization, ThinkPHP remote code execution, WebLogic deserialization, Tomcat console weak password, unauthorized access, common Webshells, and so on.
In this embodiment, the features of each attack source rule are specifically as follows:
SQL injection features: select, window, order, union, introduction, delete, update, count, drop, chr, mid, master, truncate, char, sitename, net user, xp_cmdshell, exec, execute, insert, create, table, from, grant, group_concat, information_schema, table_schema, etc., as well as some common SQL functions such as user(), @@version, utl_inaddr, get_host_name(), ctxsys, etc.
Arbitrary file download/read: a common payload contains a large number of path traversal sequences and related sensitive directories, for example ../, /etc/passwd, /etc/group, C:\boot.ini, etc., and an attacker may further use keywords such as web.xml, .class, etc. (for symbols such as ../, encoding operations such as URL encoding or double URL encoding may have been applied, which requires attention).
Apache Struts2 remote command execution vulnerability: common keywords are memberAccess, getRuntime, println, java.lang, OgnlContext, redirect: and symbols such as ${ (double quotes ", single quotes ', equals =, brackets (), etc., to which encoding operations such as URL encoding may have been applied, requiring attention). The interfaces of the general Struts2 framework end with.
Apache Shiro remote command execution: whether the Cookie field contains a rememberMe parameter, and whether the value of that parameter is abnormal (ultra-long encrypted content).
JBoss deserialization: common keywords are membrane, java.util, java.lang, and the payload contains a large amount of hexadecimal encoding (for double quotes ", single quotes ', equals =, brackets (), etc., encoding operations such as URL encoding may have been applied); attention is required to the paths /invoker/readonly and /invoker/JMXInvokerServlet;
ThinkPHP remote code execution vulnerability: common keywords, such as the common commands touch, whoami, nc, calc.exe, etc., and common PHP functions (phpinfo(), etc.); the directory structure of ThinkPHP is typically /index.php?s=;
WebLogic deserialization: the WebLogic payload is mostly unreadable bytes and is mainly judged by interface paths and related keywords, for example <soapenv:, java.lang, Runtime.getRuntime().exec, etc. (encoding is again to be noted).
Common Webshell:
1. common file name suffixes jsp, php, py, asp, etc.;
2. the web application renames the uploaded file a second time, for example by uuid or timestamp, so a long alphanumeric combination is a feature;
3. since the webshell must execute corresponding functions, such as running commands or connecting to databases, the file content contains function keywords of the relevant languages, such as run.
4. the webshell may have its own access control, so the content may contain keywords such as "user name", "password";
5. since the webshell is uploaded as a file, the value of the Content-Type of the upload packet is generally multipart/form-data;
6. some webshell names are common, such as webshell.jsp, jspy.jsp, etc.;
7. the access path of the webshell is typically the file upload directory, such as /upload, /image, etc.
WebLogic weak password: the WebLogic console path is typically /console/login/LoginForm.jsp; a request normally presents a user name and password, and a default password such as weblogic/weblogic will be present.
Tomcat console weak password: mainly console paths such as /manager/status, /manager/html, /host-manager/, etc.
Unauthorized access (Docker, Hadoop, Elasticsearch, Jenkins, etc.): keywords are mainly sensitive paths of the respective services, such as /message, /script, /_nodes, /_river, /v1.25/images/json, /master-status, /version, dfshealth.jsp, etc.
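The feature rules above can be applied to each request as keyword and identifier matching after URL decoding. The following Python is an added example written for this page, not code from the patent or its assignee. It implements the scanner identifier check, the exploit-attempt keyword rules named above, the ultra-long rememberMe cookie check (the 512-character threshold is an assumption) and the page's "system command with a response" success signal, over constructed request records; it decodes twice so that double URL-encoded payloads still match, as the page warns.

```python
import re
from urllib.parse import unquote

# Scanner identifiers listed on the page, matched against the User-Agent.
SCANNER_IDS = ("rsas", "nmap", "awvs", "appscan")

# Exploit-attempt keyword rules, one per vulnerability class listed on the page.
# Matched case-insensitively against the URL-decoded path and body.
EXPLOIT_RULES = {
    "struts2_ognl": re.compile(r"memberaccess|getruntime|ognlcontext|java\.lang", re.I),
    "arbitrary_file_read": re.compile(r"\.\./|/etc/passwd|/etc/group|boot\.ini", re.I),
    "jboss_deser": re.compile(r"/invoker/readonly|/invoker/jmxinvokerservlet", re.I),
    "thinkphp_rce": re.compile(r"/index\.php\?s=.*(phpinfo|touch|whoami|\bnc\b|calc\.exe)", re.I),
    "weblogic_deser": re.compile(r"<soapenv:|getruntime\(\)\.exec", re.I),
    "unauthorized_access": re.compile(
        r"/_nodes|/_river|/v1\.25/images/json|/master-status|dfshealth\.jsp", re.I),
    "console_weak_password": re.compile(
        r"/console/login/loginform\.jsp|/manager/html|/manager/status|/host-manager/", re.I),
}
# Post-exploitation commands named on the page (ifconfig/ipconfig, whoami, net user).
SYSTEM_COMMANDS = re.compile(r"\b(whoami|ifconfig|ipconfig|net\s+user)\b", re.I)
# Assumed threshold for the "ultra-long" Shiro rememberMe cookie check.
SHIRO_COOKIE_MAX = 512


def decode_twice(text):
    """URL-decode twice so single- and double-encoded payloads both match."""
    return unquote(unquote(text))


def classify_request(req):
    """Return (stage, matched_rules) for one request record.

    Stages: "none", "scan", "exploit_attempt", "exploit_success".  A system
    command counts as success only when the target answered it (req["response"]),
    which is the page's "response obtained" condition.
    """
    matched = []
    stage = "none"
    if any(sid in req.get("ua", "").lower() for sid in SCANNER_IDS):
        matched.append("scanner_identifier")
        stage = "scan"
    cookie = req.get("cookie", "")
    if "rememberme=" in cookie.lower() and len(cookie) > SHIRO_COOKIE_MAX:
        matched.append("shiro_rememberme")
        stage = "exploit_attempt"
    data = decode_twice(req.get("path", "") + " " + req.get("body", ""))
    for name, pattern in EXPLOIT_RULES.items():
        if pattern.search(data):
            matched.append(name)
            stage = "exploit_attempt"
    if SYSTEM_COMMANDS.search(data):
        matched.append("system_command")
        stage = "exploit_success" if req.get("response") else "exploit_attempt"
    return stage, matched


# Constructed request records for demonstration (not taken from the patent).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.10", "ua": "Mozilla/5.0 (compatible; Nmap Scripting Engine)",
     "path": "/", "body": "", "cookie": "", "response": ""},
    {"src": "198.51.100.11", "ua": "Mozilla/5.0", "path": "/login.action",
     "body": "redirect:%2524%257B%2523_memberAccess%257D", "cookie": "", "response": ""},
    {"src": "198.51.100.12", "ua": "curl/7.88", "path": "/index.php?s=/x&c=whoami",
     "body": "", "cookie": "", "response": "www-data"},
    {"src": "198.51.100.13", "ua": "Mozilla/5.0", "path": "/api/v1/balance",
     "body": "", "cookie": "", "response": "{\"ok\":true}"},
    {"src": "198.51.100.14", "ua": "Mozilla/5.0", "path": "/",
     "body": "", "cookie": "rememberMe=" + "A" * 600, "response": ""},
    {"src": "198.51.100.15", "ua": "Mozilla/5.0",
     "path": "/download?f=%252e%252e%252fetc%252fpasswd", "body": "", "cookie": "", "response": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src"], *classify_request(req))
```

The per-request labels produced here are the input the page's big data analysis consumes per source: a single label is an alarm, while the ordered sequence of labels per source IP is what the real attack source rule judges.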
Referring to fig. 4, in one embodiment, identifying the attack source in step S104 includes:
S1043, outputting an attack alarm; presenting real-time high-risk attack sources, long-term penetration attack sources and attack success events; analysing each attack success event to obtain the complete attack chain of that event; and sending a black hole route to the Internet exit router according to the complete attack chain;
S1044, having the Internet exit router discard the packets replied to the real attack source, so that the real attack source is identified and blocked.
All network attacks rely on a traffic channel. A one-click blocking module is linked with the network's main exit router: a BGP black hole route is sent to the exit router and the packets returned to the attack source are discarded, so that both the attack traffic passing through the main exit and the traffic of the attacked host can be blocked rapidly, and the handling covers the whole range; meanwhile the service white list, the global root domain white list and the like are automatically excluded from blocking, ensuring that the service network is not blocked by mistake.
Referring to fig. 5, in one embodiment, blocking the real attack source in step S105 includes:
S1051, matching the attack source against the real attack source rules and the white list to identify the attack source;
S1052, when the attack source is identified as using obviously commercial or open-source scanning software to probe the network or vulnerabilities, blocking the attack source for a first duration; when the attack source is identified as attempting an exploit-type attack, blocking the attack source for a second duration; and when the attack source is identified as having successfully exploited a vulnerability, permanently blocking the IP of the attack source, blocking the attacked target IP at the same time, and unblocking the target IP after it has been vulnerability-scanned and remediated.
In this embodiment, the first duration and the second duration may be set according to actual requirements; for example, the first duration may be 3 minutes, 5 minutes, 8 minutes, 10 minutes, etc., and the second duration may be 10 minutes, 15 minutes, 20 minutes, etc.
The attack source rules obtained in this embodiment are matched against the collected white list: when a scanning-type attack source uses obviously commercial or open-source scanning software to probe the network or vulnerabilities, the attack source may be blocked for 5 minutes; when the attack source attempts an exploit-type attack, it may be blocked for 10 minutes; and when the attack source is judged to have successfully exploited a vulnerability, its IP is permanently blocked and the destination IP is blocked at the same time, the destination IP being brought back online after it has completed vulnerability scanning and remediation, so that losses are kept to a minimum.
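The real attack source rule of step S1042 (scanning, then an exploit attempt, then a system command that draws a response) and the tiered blocking of step S1052 can be expressed as one correlation and decision routine. The following Python is an added example, not code from the patent or its assignee. It assumes that a stage label has already been attached to each alarm event, uses a source-IP/network white list as a simplification of the page's service and root-domain white lists, downgrades a success signal seen without the preceding chain to an exploit attempt flagged for review (a design choice of this example, not stated on the page), and formats the black hole announcement of step S1044 in an assumed ExaBGP-style syntax carrying the RFC 7999 BLACKHOLE community with a placeholder discard next-hop. All IP addresses and events are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Block durations of the embodiment: 5 min for scanning, 10 min for an exploit
# attempt, permanent (None) for a successful exploit.
BLOCK_SECONDS = {"scan": 5 * 60, "exploit_attempt": 10 * 60, "exploit_success": None}
STAGE_RANK = {"scan": 1, "exploit_attempt": 2, "exploit_success": 3}

# Constructed white list of source networks whose traffic is known to trigger
# false alarms; a simplification of the page's service / root-domain white lists.
WHITELIST = [ip_network("203.0.113.0/24")]


def is_whitelisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def correlate(events):
    """Group alarm events by source IP, collecting the stages seen and targets hit."""
    per_src = defaultdict(lambda: {"stages": set(), "targets": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_src[ev["src"]]["stages"].add(ev["stage"])
        per_src[ev["src"]]["targets"].add(ev["dst"])
    return per_src


def judge(stages):
    """Apply the real attack source rule.  Success is asserted only when the whole
    chain (scan, exploit attempt, answered command) was observed; otherwise the
    source is treated as an exploit attempt and flagged for analyst review."""
    if not stages:
        return "none", False
    top = max(stages, key=STAGE_RANK.get)
    if top == "exploit_success" and not {"scan", "exploit_attempt"} <= stages:
        return "exploit_attempt", True
    return top, False


def decide(src, rec):
    """Turn one source record into the blocking actions of step S1052."""
    verdict, needs_review = judge(rec["stages"])
    whitelisted = is_whitelisted(src)
    result = {"verdict": verdict, "needs_review": needs_review,
              "whitelisted": whitelisted, "actions": []}
    if verdict == "none" or whitelisted:
        return result
    result["actions"].append(
        {"ip": src, "seconds": BLOCK_SECONDS[verdict], "release_after_remediation": False})
    if verdict == "exploit_success":
        # The attacked target is blocked too and released only after scan and repair.
        for dst in sorted(rec["targets"]):
            result["actions"].append(
                {"ip": dst, "seconds": None, "release_after_remediation": True})
    return result


def plan(events):
    return {src: decide(src, rec) for src, rec in correlate(events).items()}


def rtbh_announcement(ip, discard_next_hop="192.0.2.1"):
    """Black hole route for the exit router (step S1044) in an assumed ExaBGP-style
    syntax; 65535:666 is the RFC 7999 BLACKHOLE community and the next-hop is a
    placeholder for the router's configured discard address."""
    return f"announce route {ip}/32 next-hop {discard_next_hop} community [65535:666]"


# Constructed alarm events: ts (seconds), src, dst, stage label from detection.
SAMPLE_EVENTS = [
    {"ts": 0, "src": "198.51.100.10", "dst": "192.0.2.80", "stage": "scan"},
    {"ts": 60, "src": "198.51.100.10", "dst": "192.0.2.80", "stage": "exploit_attempt"},
    {"ts": 120, "src": "198.51.100.10", "dst": "192.0.2.80", "stage": "exploit_success"},
    {"ts": 10, "src": "198.51.100.11", "dst": "192.0.2.81", "stage": "scan"},
    {"ts": 20, "src": "198.51.100.12", "dst": "192.0.2.82", "stage": "exploit_attempt"},
    {"ts": 30, "src": "203.0.113.5", "dst": "192.0.2.83", "stage": "exploit_attempt"},
    {"ts": 40, "src": "198.51.100.13", "dst": "192.0.2.84", "stage": "exploit_success"},
]

if __name__ == "__main__":
    for src, res in plan(SAMPLE_EVENTS).items():
        print(src, res["verdict"], res["actions"])
        for action in res["actions"]:
            print("  ", rtbh_announcement(action["ip"]))
```

Requiring the full chain before a permanent block is what keeps the tiered scheme from turning a single noisy alarm into a permanent BGP black hole; the white-list check runs before any action so that the page's "not blocked by mistake" guarantee holds regardless of verdict.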
Referring to fig. 6, in one embodiment, the present application further provides a system for identifying and blocking a network attack source, including: the device comprises a flow receiving module 1, a flow decoding module 2, a flow processing module 3, a result analysis module 4 and a plugging module 5; the flow receiving module 1 is used for receiving the public network routing exit mirror image flow data; the flow decoding module 2 is used for decoding the flow data layer by layer to obtain flow data elements; the flow processing module 3 is used for carrying out safety detection on the flow data elements to obtain detection results, and carrying out malicious file analysis on the flow data elements to obtain analysis results; the result analysis module 4 is used for carrying out big data analysis on the detection result, the analysis result and the flow data element by utilizing preset threat information and basic data information, and identifying an attack source, wherein the basic data at least comprises network basic information, service basic data and a white list; the plugging module 5 is used for plugging the identified real attack source.
The network attack source identification and blocking system provided by the embodiment can monitor network security through the output flow of the mirror image router, ensure the integrity of the monitored flow and avoid leaving monitoring dead angles due to different monitoring and protection means of different network security manufacturers; meanwhile, after security detection and malicious file analysis are carried out on the streaming data element, a judging rule of a real attack source is formed when big data analysis is carried out, so that the false alarm rate of security monitoring is reduced, and the real attack source can be plugged after the real attack source is judged.
In one embodiment, the result analysis module 4 comprises: an attack success event analysis unit and a data packet discarding unit; the attack success event analysis unit is used for outputting an attack alarm, presenting a real-time high-risk attack source, a long-term penetration attack source and an attack success event, analyzing the attack success event, obtaining a completed supply chain of the attack success event, and sending a black hole route to the Internet exit router according to the completed supply chain; the data packet discarding unit is used for discarding the data packet returned to the real attack source by the Internet exit router so as to realize the identification and the blocking of the real attack source.
In one embodiment, the network attack source identification and blocking system further comprises: and the local storage module is used for storing the flow data to the local hard disk when the flow data element is detected safely.
In one embodiment, the flow processing module 3 comprises: the sandbox detection unit and the transmission unit; the sandbox detection unit is used for analyzing and detecting the file by using the sandbox detection engine to obtain an analysis result; the transmission unit is used for transmitting the detection result to the big data platform through dynamic virtual execution so as to analyze big data.
In one embodiment, the result analysis module 4 further comprises: a white list determining unit and a real attack source rule generating unit; the white list determining unit is used for judging whether the detection result or the analysis result is in the white list, if not, the flow data element is a real attack source; the real attack source rule generating unit is used for carrying out scanning detection, attack effective load and habit operation after successful attack on the attack source according to the detection result or the analysis result, generating a real attack source rule, and judging whether the flow data element is the real attack source according to the real attack source rule.
In one embodiment, the white list determining unit comprises a service traffic payload analysis subunit and a white list setting subunit. The service traffic payload analysis subunit analyses the payload of the service traffic to determine the characteristics of the service; the white list setting subunit judges from those characteristics whether the service is normal and, if so, places the service on the white list used by the big data analysis.
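The service profiling just described, as an added illustration written for this page (it is not the patent's implementation). It assumes flow records of the form (src_ip, dst_ip, dst_port, first payload bytes); the three protocol fingerprints, the thresholds and the sample flows are illustrative choices, and the sample traffic is constructed inline.

```python
"""Service white list from mirrored traffic (added example, not the patent's code).

Assumed inputs: flow records as (src_ip, dst_ip, dst_port, first_payload_bytes).
The protocol fingerprints, the thresholds and the sample flows are illustrative
choices made for this example.
"""
from collections import defaultdict


def fingerprint(payload: bytes) -> str:
    """Classify a service by the first bytes a client sends to it."""
    # TLS record: content type 0x16 (handshake), major version 3
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


def profile_services(flows):
    """Aggregate per (dst_ip, dst_port): protocol histogram, distinct clients, flow count."""
    profiles = defaultdict(lambda: {"protocols": defaultdict(int), "clients": set(), "flows": 0})
    for src_ip, dst_ip, dst_port, payload in flows:
        p = profiles[(dst_ip, dst_port)]
        p["protocols"][fingerprint(payload)] += 1
        p["clients"].add(src_ip)
        p["flows"] += 1
    return profiles


def service_is_normal(profile, min_clients=3, min_consistency=0.9):
    """A service counts as normal when one recognised protocol dominates its
    traffic and several distinct clients use it. A listener seen from a single
    client, or one that speaks no recognisable protocol, does not qualify:
    that is the shape of an attacker's reverse shell or C2 port."""
    proto, count = max(profile["protocols"].items(), key=lambda kv: kv[1])
    if proto == "unknown":
        return False, proto
    consistent = count / profile["flows"] >= min_consistency
    popular = len(profile["clients"]) >= min_clients
    return consistent and popular, proto


def build_whitelist(flows, **thresholds):
    """Return {(dst_ip, dst_port): protocol} for the services judged normal."""
    whitelist = {}
    for key, profile in profile_services(flows).items():
        ok, proto = service_is_normal(profile, **thresholds)
        if ok:
            whitelist[key] = proto
    return whitelist


# Constructed sample: a web server on 80/443, a single-client listener on 8080
# and a port on which nothing recognisable is spoken (4444).
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
SAMPLE_FLOWS = [
    ("198.51.100.10", "10.0.0.5", 443, TLS_HELLO),
    ("198.51.100.11", "10.0.0.5", 443, TLS_HELLO),
    ("198.51.100.12", "10.0.0.5", 443, TLS_HELLO),
    ("198.51.100.13", "10.0.0.5", 443, TLS_HELLO),
    ("198.51.100.10", "10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),
    ("198.51.100.11", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("198.51.100.14", "10.0.0.5", 80, b"POST /login HTTP/1.1\r\n"),
    ("203.0.113.7", "10.0.0.8", 8080, b"GET /shell HTTP/1.1\r\n"),
    ("203.0.113.7", "10.0.0.8", 8080, b"GET /shell HTTP/1.1\r\n"),
    ("203.0.113.7", "10.0.0.9", 4444, b"\x00\x01\x02\x03"),
    ("203.0.113.8", "10.0.0.9", 4444, b"\x00\x01\x02\x03"),
    ("203.0.113.9", "10.0.0.9", 4444, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for service, proto in sorted(build_whitelist(SAMPLE_FLOWS).items()):
        print(service, proto)
```

The thresholds are deliberately conservative: a port that is only ever contacted by one client is not promoted to the white list even when it speaks valid HTTP, because an attacker-deployed web shell looks exactly like that from the mirror port.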
In one embodiment, the blocking module 5 comprises a white list matching unit and a blocking unit. The white list matching unit matches the attack source against the real attack source rule and the white list in order to identify it. The blocking unit applies a tiered response: when the attack source is identified as probing the network or its vulnerabilities with well-known commercial or open-source scanning software, the attack source is blocked for a first duration; when the attack source is identified as attempting an exploitation-type attack, it is blocked for a second duration; when the attack source is identified as having successfully exploited a vulnerability, its IP is blocked permanently, the attacked target IP is blocked at the same time, and the target IP is released only after the vulnerability on it has been cleaned up and repaired.
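The tiered blocking policy above, together with the black hole route handed to the Internet exit router described for the result analysis module, as an added example written for this page (not the patent's code). It assumes that the upstream analysis has already labelled each event with a stage ("scan", "exploit_attempt" or "exploit_success"), that FIRST_DURATION and SECOND_DURATION are placeholder values, and that the black hole route is rendered in a Cisco-style syntax (host route to Null0 with an illustrative tag) as one common remote-triggered black hole convention.

```python
"""Tiered blocking of identified attack sources (added example, not the patent's code).

Assumptions made for this example: each event from the analysis stage is a dict
with 'src', 'dst' and a 'stage' of 'scan', 'exploit_attempt' or 'exploit_success';
FIRST_DURATION and SECOND_DURATION are placeholders; the black hole route uses a
Cisco-style static route to Null0 whose tag (666 here) is illustrative.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

FIRST_DURATION = 3600      # seconds, scanning / probing
SECOND_DURATION = 86400    # seconds, exploitation attempt
PERMANENT = None           # never expires


@dataclass
class Decision:
    source: str
    duration: Optional[int]          # seconds; None means permanent; 0 means no block
    reason: str
    quarantined_target: Optional[str] = None
    routes: List[str] = field(default_factory=list)


def longer(a, b):
    """Pick the longer of two block durations, treating None (permanent) as infinite."""
    if a is None or b is None:
        return None
    return max(a, b)


def blackhole_route(ip):
    """Static host route to Null0; the tag lets the edge router's route-map pick it
    up and redistribute it into BGP with a black hole community."""
    return f"ip route {ip} 255.255.255.255 Null0 tag 666"


class BlockingModule:
    TIERS = {"scan": FIRST_DURATION,
             "exploit_attempt": SECOND_DURATION,
             "exploit_success": PERMANENT}

    def __init__(self, whitelist):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blocks = {}         # attacker ip -> duration (None = permanent)
        self.quarantine = set()  # target ips sealed until remediation is confirmed

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def decide(self, event):
        src, dst, stage = event["src"], event["dst"], event["stage"]
        if self.is_whitelisted(src):
            return Decision(src, 0, "white list match, not blocked")
        if stage not in self.TIERS:
            raise ValueError(f"unknown stage {stage!r}")
        # Escalate only: a later, lower-severity event never shortens an existing block.
        duration = longer(self.blocks.get(src, 0), self.TIERS[stage])
        self.blocks[src] = duration
        decision = Decision(src, duration, stage, routes=[blackhole_route(src)])
        if stage == "exploit_success":
            # Seal the compromised host as well, so it cannot serve as a pivot
            # before the vulnerability is cleaned up.
            self.quarantine.add(dst)
            decision.quarantined_target = dst
            decision.routes.append(blackhole_route(dst))
        return decision

    def release_target(self, target, remediated):
        """Unseal a quarantined target only once remediation is confirmed."""
        if not remediated or target not in self.quarantine:
            return False
        self.quarantine.discard(target)
        return True


if __name__ == "__main__":
    module = BlockingModule(["10.0.0.0/8"])
    for stage in ("scan", "exploit_attempt", "exploit_success"):
        print(module.decide({"src": "203.0.113.7", "dst": "10.0.0.5", "stage": stage}))
```

Two checks a practitioner would want are built in: a block is only ever escalated, never shortened by a later low-severity event from the same source, and the attacked target is released only on an explicit remediation confirmation rather than on a timer. Because the source address comes from mirrored traffic, a source behind a shared NAT egress will take every host behind it offline when blocked; that is a reason to keep the first two tiers finite and to keep the white list current.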
Referring to fig. 7, an electronic device according to an embodiment of the present application comprises a memory 601, a processor 602, and a computer program stored in the memory 601 and executable on the processor 602; when the processor 602 executes the computer program, the network attack source identification and blocking method described above is implemented.
Further, the electronic device further includes: at least one input device 603 and at least one output device 604.
The memory 601, the processor 602, the input device 603, and the output device 604 are connected via a bus 605.
The input device 603 may be a camera, a touch panel, a physical key, a mouse, or the like. The output device 604 may be, in particular, a display screen.
The memory 601 may be high-speed random access memory (RAM) or non-volatile memory such as disk storage. The memory 601 stores a set of executable program codes, and the processor 602 is coupled to the memory 601.
Further, the embodiments of the present application also provide a computer readable storage medium, which may be provided in the electronic device in the foregoing embodiments, and the computer readable storage medium may be the memory 601 in the foregoing embodiments. The computer readable storage medium has stored thereon a computer program which, when executed by the processor 602, implements the network attack source identification and blocking method described in the foregoing embodiments.
Further, the computer-readable medium may be any medium capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a RAM, a magnetic disk, or an optical disk.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in practice; for example, several modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Likewise, the couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or modules, and may be electrical, mechanical or of other forms.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules: they may be located in one place or distributed over a plurality of network nodes. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in each embodiment of the present invention may be integrated into one processing module, each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or as software functional modules.
The integrated modules, if implemented as software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. On that understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, or the whole or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as series of combined actions, but those skilled in the art will understand that the present invention is not limited by the order of actions described, as some steps may, in accordance with the present invention, be performed in another order or simultaneously. Those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily all required by the present invention.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of the other embodiments.
The foregoing describes the method, system, device and medium for identifying and blocking a network attack source provided by the present invention. Since the specific embodiments and the scope of application will vary with the concepts of the embodiments, the contents of this description should not be construed as limiting the invention.

Claims (9)

1. A network attack source identification and blocking method, characterised by comprising the following steps:
receiving mirrored traffic data from the public network routing exit;
decoding the flow data layer by layer to obtain flow data elements;
performing security detection on the flow data elements to obtain a detection result, and performing malicious file analysis on the flow data elements to obtain an analysis result;
performing big data analysis on the detection result, the analysis result and the flow data elements using preset threat intelligence and basic data information, and identifying an attack source, wherein the basic data comprises at least network basic information, service basic data and a white list;
blocking the identified real attack source;
wherein the big data analysis comprises:
judging whether the detection result or the analysis result is in the white list; if not, the flow data element is from a real attack source;
and examining, according to the detection result or the analysis result, the attack source's scanning and probing, its attack payloads and its habitual post-compromise operations, generating a real attack source rule, and judging according to the real attack source rule whether the flow data element is from a real attack source.
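The "decoding the flow data layer by layer to obtain flow data elements" step of claim 1, as an added example written for this page (it is not the patent's decoder). It assumes the mirror port delivers plain Ethernet II frames carrying IPv4 over TCP or UDP; VLAN-tagged frames, IPv6, IP fragments and other transports are rejected rather than guessed at, and the sample frame is constructed inline.

```python
"""Layer-by-layer decoding of a mirrored frame into flow data elements.

Added example for this page, not the patent's code. Assumes Ethernet II frames
carrying IPv4 with TCP or UDP; everything else is rejected explicitly. The sample
frame is constructed inline with checksums left at zero.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")     # fixed 20-byte part of the IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")         # fixed 20-byte part of the TCP header
UDP_HDR = struct.Struct("!HHHH")
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def decode_ethernet(frame):
    if len(frame) < ETH_HDR.size:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    return {"dst_mac": _mac(dst), "src_mac": _mac(src)}, frame[ETH_HDR.size:]


def decode_ipv4(data):
    if len(data) < IPV4_HDR.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(data)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("malformed IPv4 header")
    if flags_frag & 0x3FFF:          # MF bit or non-zero offset: needs reassembly first
        raise ValueError("IP fragment, reassemble before decoding")
    # Trust total_len rather than the frame length: short frames are padded on the wire.
    return {"src_ip": _ip(src), "dst_ip": _ip(dst), "ttl": ttl, "proto": proto}, data[ihl:total_len]


def decode_tcp(segment):
    if len(segment) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urg = TCP_HDR.unpack_from(segment)
    doff = (off_res >> 4) * 4
    if doff < 20 or len(segment) < doff:
        raise ValueError("malformed TCP header")
    names = {n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)}
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "tcp_flags": names}, segment[doff:]


def decode_udp(datagram):
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = UDP_HDR.unpack_from(datagram)
    if length < UDP_HDR.size or length > len(datagram):
        raise ValueError("malformed UDP length")
    return {"src_port": sport, "dst_port": dport}, datagram[UDP_HDR.size:length]


def decode_frame(frame):
    """Peel the layers in order and merge each layer's fields into one element dict."""
    elements, rest = decode_ethernet(frame)
    ip, rest = decode_ipv4(rest)
    elements.update(ip)
    if ip["proto"] == 6:
        l4, payload = decode_tcp(rest)
    elif ip["proto"] == 17:
        l4, payload = decode_udp(rest)
    else:
        raise ValueError(f"unsupported IP protocol {ip['proto']}")
    elements.update(l4)
    elements["payload"] = payload
    return elements


def build_sample_frame():
    """Constructed HTTP request from a public address to an internal host."""
    payload = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = TCP_HDR.pack(40512, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)   # data offset 5, PSH|ACK
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                       bytes([203, 0, 113, 7]), bytes([10, 0, 0, 5]))    # DF set, not a fragment
    eth = ETH_HDR.pack(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    print(decode_frame(build_sample_frame()))
```

Each layer validates its own length fields before handing the remainder down, and the IP total length rather than the captured frame length bounds the payload, so trailing Ethernet padding never leaks into the flow data element that the later detection stages inspect.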
2. The network attack source identification and blocking method according to claim 1, wherein
identifying the attack source comprises:
outputting an attack alarm; presenting real-time high-risk attack sources, long-term penetration attack sources and successful attack events; analysing a successful attack event to obtain its complete attack chain; and sending a black hole route to the Internet exit router according to that chain;
and discarding the packets that the Internet exit router replies to the real attack source, so as to identify and block the real attack source.
3. The network attack source identification and blocking method according to claim 1, wherein
the method further comprises:
storing the flow data to a local hard disk when security detection finds the flow data element to be benign.
4. The network attack source identification and blocking method according to claim 1, wherein
performing malicious file analysis on the flow data elements to obtain the analysis result comprises:
analysing and detecting the file by dynamic virtual execution in a sandbox detection engine to obtain the analysis result, and transmitting the detection result to the big data platform for big data analysis.
5. The network attack source identification and blocking method according to claim 1, wherein
the white list is generated by:
analysing the payload of the service traffic to determine the characteristics of the service;
and judging from those characteristics whether the service is normal and, if so, placing the service on the white list used by the big data analysis.
6. The network attack source identification and blocking method according to claim 1, wherein
blocking the real attack source comprises:
matching the attack source against the real attack source rule and the white list to identify the attack source;
and, when the attack source is identified as probing the network or its vulnerabilities with well-known commercial or open-source scanning software, blocking the attack source for a first duration; when the attack source is identified as attempting an exploitation-type attack, blocking the attack source for a second duration; and when the attack source is identified as having successfully exploited a vulnerability, permanently blocking the IP of the attack source, blocking the attacked target IP at the same time, and releasing the target IP only after the vulnerability on it has been cleaned up and repaired.
7. A network attack source identification and blocking system, comprising:
a flow receiving module for receiving mirrored traffic data from the public network routing exit;
a flow decoding module for decoding the flow data layer by layer to obtain flow data elements;
a flow processing module for performing security detection on the flow data elements to obtain a detection result, and performing malicious file analysis on the flow data elements to obtain an analysis result;
a result analysis module for performing big data analysis on the detection result, the analysis result and the flow data elements using preset threat intelligence and basic data information;
and a blocking module for blocking the identified real attack source;
wherein the result analysis module comprises a white list determining unit and a real attack source rule generating unit; the white list determining unit judges whether the detection result or the analysis result is in the white list and, if not, treats the flow data element as coming from a real attack source; and the real attack source rule generating unit examines, according to the detection result or the analysis result, the attack source's scanning and probing, its attack payloads and its habitual post-compromise operations, generates a real attack source rule, and judges according to the real attack source rule whether the flow data element is from a real attack source.
8. An electronic device, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterised in that the processor, when executing the computer program, implements the network attack source identification and blocking method according to any of claims 1 to 6.
9. A computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the network attack source identification and blocking method according to any of claims 1 to 6.
CN202111018656.2A 2021-09-01 2021-09-01 Network attack source identification and blocking method, system, device and medium Active CN113726790B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111018656.2A CN113726790B (en) 2021-09-01 2021-09-01 Network attack source identification and blocking method, system, device and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111018656.2A CN113726790B (en) 2021-09-01 2021-09-01 Network attack source identification and blocking method, system, device and medium

Publications (2)

Publication Number Publication Date
CN113726790A CN113726790A (en) 2021-11-30
CN113726790B true CN113726790B (en) 2023-06-16

Family

ID=78680332

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111018656.2A Active CN113726790B (en) 2021-09-01 2021-09-01 Network attack source identification and blocking method, system, device and medium

Country Status (1)

Country Link
CN (1) CN113726790B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113965419B (en) * 2021-12-22 2022-07-08 北京微步在线科技有限公司 Method and device for judging attack success through reverse connection
CN115021984B (en) * 2022-05-23 2024-02-13 绿盟科技集团股份有限公司 Network security detection method and device, electronic equipment and storage medium
CN117544429B (en) * 2024-01-10 2024-03-26 腾讯科技(深圳)有限公司 Attack protection method, apparatus, electronic device and computer readable storage medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN110149350A (en) * 2019-06-24 2019-08-20 国网安徽省电力有限公司信息通信分公司 A kind of associated assault analysis method of alarm log and device
CN110336784A (en) * 2019-05-22 2019-10-15 北京瀚海思创科技有限公司 Network attack identification prediction system, method and storage medium based on big data
CN110636085A (en) * 2019-11-12 2019-12-31 中国移动通信集团广西有限公司 Attack detection method and device based on flow and computer readable storage medium
CN112134877A (en) * 2020-09-22 2020-12-25 北京华赛在线科技有限公司 Network threat detection method, device, equipment and storage medium

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10693892B2 (en) * 2017-12-11 2020-06-23 International Business Machines Corporation Network attack tainting and tracking

Also Published As

Publication number Publication date
CN113726790A (en) 2021-11-30

Similar Documents

Publication Publication Date Title
CN113726790B (en) Network attack source identification and blocking method, system, device and medium
US10447730B2 (en) Detection of SQL injection attacks
US10855700B1 (en) Post-intrusion detection of cyber-attacks during lateral movement within networks
US8572750B2 (en) Web application exploit mitigation in an information technology environment
Grier et al. Secure web browsing with the OP web browser
RU2495486C1 (en) Method of analysing and detecting malicious intermediate nodes in network
KR101689298B1 (en) Automated verification method of security event and automated verification apparatus of security event
Caswell et al. Snort intrusion detection and prevention toolkit
US7720965B2 (en) Client health validation using historical data
WO2020210538A1 (en) Systems and methods for detecting injection exploits
US20170034210A1 (en) Client side human user indicator
US20170171244A1 (en) Database deception in directory services
US20130031635A1 (en) System, Method and Computer Readable Medium for Evaluating a Security Characteristic
KR100732689B1 (en) Web Security Method and apparatus therefor
US11283820B2 (en) Context profiling for malware detection
US9336396B2 (en) Method and system for generating an enforceable security policy based on application sitemap
US11949694B2 (en) Context for malware forensics and detection
RU2762528C1 (en) Method for processing information security events prior to transmission for analysis
TWI470468B (en) System and method for detecting web malicious programs and behaviors
Patil Request dependency integrity: validating web requests using dependencies in the browser environment
Priyadarshini et al. A cross platform intrusion detection system using inter server communication technique
Ezeife et al. SensorWebIDS: a web mining intrusion detection system
US11632393B2 (en) Detecting and mitigating malware by evaluating HTTP errors
US10819730B2 (en) Automatic user session profiling system for detecting malicious intent
Jacob Automatic XSS detection and Snort signatures/ACLs generation by the means of a cloud-based honeypot system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant