CN113923021A - Sandbox-based encrypted traffic processing method, system, device and medium

Info

Publication number: CN113923021A
Authority: CN (China)
Prior art keywords: encrypted traffic, suspicious, encrypted, traffic, sandbox
Legal status: Granted (the status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN202111175660.XA
Other languages: Chinese (zh)
Other versions: CN113923021B (en)
Inventors: 陆勰, 徐雷, 张曼君, 王姗姗, 谢泽铖
Current assignee: China United Network Communications Group Co Ltd (the assignee listing may be inaccurate)
Original assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd, with priority to CN202111175660.XA
Published as CN113923021A; application granted and published as CN113923021B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a sandbox-based encrypted traffic processing method, system, electronic device and computer-readable storage medium, to solve the technical problems of high identification pressure and poor security with respect to encrypted malicious traffic. The method includes: identifying the encrypted traffic processed in the sandbox according to a preset identification rule, and classifying it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; passing the normal encrypted traffic; blocking the malicious encrypted traffic; and entering the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, assigning it a differentiated response time according to the sensitivity of the server it is about to access, and re-confirming the suspicious encrypted traffic within that response time. The technical scheme of the disclosure achieves rapid detection of and response to attack traffic within encrypted traffic, and improves the service capability and security of the server while splitting the traffic.

Description

Sandbox-based encrypted traffic processing method, system, device and medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a sandbox-based encrypted traffic processing method, a sandbox-based encrypted traffic processing system, an electronic device, and a computer-readable storage medium.
Background
In recent years, traffic encryption has increasingly become a bellwether of Internet development. With the current frequent appearance of scenarios such as remote working from home, remote teaching and remote conferencing, demand for traffic encryption has grown. Because of the complexity of the Internet environment, however, encryption alone cannot guarantee the security and reliability of information. More importantly, the explosive growth of encrypted traffic has spurred attackers to carry out malicious attacks within encrypted traffic, producing more destructive behaviour: attackers use encryption to hide malicious viruses, worms, trojans and the like, and exploit the weaknesses of existing encrypted-traffic identification means and of protective measures such as firewalls and intrusion detection devices to carry out ever more rampant malicious behaviour. Timely and rapid identification and analysis of encrypted malicious traffic is therefore of great significance for improving network security and resilience and for cleaning up cyberspace.
Decrypting encrypted traffic is a complicated problem, and decryption runs counter to the original purpose of encryption. Since deep packet inspection (DPI), the existing traffic detection technology, cannot inspect encrypted traffic, most existing technical means instead build a typical feature rule base of malicious traffic for matching, or apply big-data analysis means such as ensemble learning. Although the prior art has some effect on the identification and analysis of encrypted malicious traffic, the following problems remain. First, the server directly faced by the client responds according to the flow and the request as soon as it receives a client request; that is, the server is required to respond regardless of whether the encrypted traffic is malicious in the first place, which undoubtedly increases the server's workload and reduces its security. Second, no fine-grained evaluation of the importance of the server is carried out, so no correspondingly differentiated response can be adopted. In addition, current work is characterised by single experimental or test data sets that are small in volume and uncomplicated in structure, so detection accuracy varies widely.
Disclosure of Invention
In order to at least solve the technical problems of the prior art, namely high identification pressure for encrypted malicious traffic, poor security and inaccurate detection, the disclosure provides a sandbox-based encrypted traffic processing method, a sandbox-based encrypted traffic processing system, an electronic device and a computer-readable storage medium, which can achieve rapid detection of and response to attack traffic within encrypted traffic, improve the service capability of the server while splitting the traffic, and reduce the risk of the server being attacked.
In a first aspect, the present disclosure provides a sandbox-based encrypted traffic processing method, where the method includes:
identifying the encrypted traffic processed in the sandbox according to a preset identification rule, and classifying it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
passing the normal encrypted traffic; blocking the malicious encrypted traffic; and entering the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is about to access, and re-confirming the suspicious encrypted traffic within that response time.
Further, the method further comprises:
if, at the end of the response time, it still cannot be confirmed whether the suspicious encrypted traffic is normal encrypted traffic, tagging the source IP address from which the suspicious encrypted traffic originated, the tag content including the source IP address;
and entering the tag content, as base data for traceback and localisation, into an initial traceback situation map based on suspicious IP addresses, a complete suspicious-IP traceback situation map being formed once a sufficient number of suspicious IP addresses have been entered.
Further, the method further comprises:
and if the suspicious encrypted traffic still cannot be confirmed to be normal encrypted traffic when the response time expires, identifying the suspicious encrypted traffic manually.
Further, the setting of a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is about to access includes:
dividing the sensitivity of the server into a plurality of sensitivity levels from low to high, and synchronising the sensitivity levels to the sandbox;
and setting a corresponding differentiated response time for suspicious encrypted traffic that needs to access the server according to the server's sensitivity level, where the higher the server's sensitivity level, the longer the corresponding response time, and every differentiated response time is longer than the normal response time.
Further, the identification of the encrypted traffic processed in the sandbox according to the preset identification rule includes:
and identifying the encrypted traffic processed in the sandbox through the cooperation of a preset malicious feature library, certificate features and ensemble learning.
Further, the method further comprises:
and if the malicious encrypted traffic is of a new type, extracting the features of the new malicious encrypted traffic and updating them into the malicious feature library.
Further, the confirming the suspicious encrypted traffic again includes:
and comprehensively analysing and adjudicating the suspicious encrypted traffic by combining manual work with hybrid features, ciphertext retrieval and multi-dimensional feature identification and analysis, so as to determine whether the suspicious encrypted traffic is normal encrypted traffic.
In a second aspect, the present disclosure provides a sandbox-based encrypted traffic processing system, comprising a server and a sandbox, the sandbox comprising:
an identification and judgment module configured to identify the encrypted traffic processed in the sandbox through a preset identification rule and classify it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; and
a handling module configured to pass normal encrypted traffic; block malicious encrypted traffic; and enter suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, set a corresponding differentiated response time for it according to the sensitivity of the server it is about to access, and re-confirm it within that response time.
In a third aspect, the present disclosure provides an electronic device, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the sandbox-based encrypted traffic processing method according to any one of the first aspects.
In a fourth aspect, the present disclosure provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the sandbox-based encrypted traffic processing method of any one of the above-described first aspects.
Beneficial effects:
The sandbox-based encrypted traffic processing method, the sandbox-based encrypted traffic processing system, the electronic device and the computer-readable storage medium provided by the present disclosure identify the encrypted traffic processed in the sandbox by a preset identification rule and classify it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; pass the normal encrypted traffic; block the malicious encrypted traffic; and enter the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, set a corresponding differentiated response time for it according to the sensitivity of the server it is about to access, and re-confirm it within that response time. With this technical scheme the sandbox forms a security protection barrier for the server: encrypted malicious traffic is identified effectively and blocked in time before an abnormal event or attack occurs, and the security capability of the server is improved.
Drawings
Fig. 1 is a schematic flowchart of a sandbox-based encrypted traffic processing method according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of the identification and judgment of encrypted traffic in the sandbox according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of the handling of each kind of encrypted traffic in the sandbox after identification, according to an embodiment of the present disclosure;
fig. 4 is an architecture diagram of a sandbox-based encrypted traffic processing system according to a second embodiment of the present disclosure;
fig. 5 is an architecture diagram of an electronic device according to a third embodiment of the disclosure.
Detailed Description
In order to make the technical solutions of the present disclosure better understood by those skilled in the art, the present disclosure is further described in detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention and are not limiting of the invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In which the terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in the disclosed embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the following description, suffixes such as "module", "component" or "unit" used to denote elements are used only for convenience of explanation and have no specific meaning in themselves; thus "module", "component" and "unit" may be used interchangeably.
With the continuous development of 5G networks, the Internet of Things, the industrial Internet and the like, the traffic carried by operators' pipes keeps growing, and encrypted traffic in particular has become the mainstream form of traffic; malicious code, viruses, worms and the like are being spread under cover of encryption. The identification and analysis of encrypted malicious traffic still faces the following problems. First, from client to server, whether the traffic features are based on the five-tuple or the seven-tuple, the client directly faces the server; the server receives the client's request and responds according to the flow and the request, so it must respond regardless of whether the encrypted traffic is malicious in the first place, which raises the server's workload and lowers its security. Second, no fine-grained evaluation of the importance of servers is carried out: from the client's point of view all servers are at the same level and respond within the same time, which undoubtedly gives an attacker an opening, and there is moreover no continuous tracking means for tracing malicious or suspicious traffic. Finally, current research is characterised by single experimental or test data sets that are small in volume and insufficiently complex in structure; that is, the research methods are to some extent inapplicable or of little effect in an operator's large-scale network environment, and detection accuracy varies widely.
The following describes the technical solutions of the present disclosure and how to solve the above problems in detail with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 1 is a schematic flowchart of a sandbox-based encrypted traffic processing method according to an embodiment of the present disclosure. As shown in fig. 1, the method includes:
step S101: identifying the encrypted traffic processed in the sandbox according to a preset identification rule, and classifying it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
step S102: passing the normal encrypted traffic; blocking the malicious encrypted traffic; and entering the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting a corresponding differentiated response time for it according to the sensitivity of the server it is about to access, and re-confirming it within that response time.
A sandbox is an isolated environment provided for running programs, and may be provided over the Internet. The sandbox is deployed in front of the server; it may be deployed stand-alone or, depending on the actual network environment, in a distributed manner, and is used to handle and respond to the traffic that accesses the server. The encrypted traffic is delivered into the sandbox, where it is identified and judged by integrating the current means of judging encrypted traffic, including identification and analysis based on a malicious feature library, certificate features, ensemble learning and the like, and is comprehensively analysed and adjudicated. Among common encrypted traffic, the mainstream encryption protocols include IPsec (Internet Protocol Security), SSL (Secure Sockets Layer)/TLS (Transport Layer Security), SSH (Secure Shell) and the like. Taking TLS as an example, a TLS connection consists mainly of two phases, the handshake and the connection proper. The handshake is in plaintext and carries information such as the random values, the cipher suites and the protocol version, which gives encrypted-traffic identification a good opportunity; during this phase identification can be performed through principal features such as the validity of the certificate and the trustworthiness of the certificate chain. (A practical caveat: this holds for TLS 1.2 and earlier. In TLS 1.3 the Certificate message and every handshake message after the ServerHello are encrypted, so a passive sandbox sees mainly the ClientHello, including the server name indication, the cipher-suite list and the supported versions, and the ServerHello; certificate-based features then require either a TLS 1.2 connection or an interception point that holds the keys.)
Therefore, the technical means by which the sandbox detects encrypted traffic in this embodiment includes identifying and analysing the encrypted traffic on the basis of a plurality of features such as the certificate, the Domain Name System (DNS) name, the cipher suite and the version; at the same time, the preset identification rule for encrypted traffic may further include a malicious feature library, machine learning (for example clustering), deep learning (for example neural networks) and the like. Analysis of the encrypted traffic needs to be carried out cooperatively by a plurality of such means, after which the analysis result is output in one of three classes, namely normal encrypted traffic, malicious encrypted traffic and suspicious encrypted traffic; the flow is shown in fig. 2.
After the encrypted traffic has been identified and distinguished as normal, malicious or suspicious encrypted traffic, each case is handled accordingly. Malicious encrypted traffic is blocked directly, preventing it from reaching the server and causing further harm. Normal and suspicious encrypted traffic enter the next stage: normal encrypted traffic is passed directly, output from the sandbox to the server, and subsequent operations continue along the normal flow; traffic whose identification result is suspicious is entered into the suspicious encrypted traffic database (a database of traffic awaiting further analysis) for temporary storage, and a differentiated response time is set according to the sensitivity of the server to be accessed. That is, the suspicious encrypted traffic can be partitioned by the sensitivity level of the server it is about to access, and the more sensitive the server, the longer the response time set, so that the suspicious encrypted traffic can be further confirmed during that longer differentiated response time. Partitioning the suspicious encrypted traffic in this way on the one hand relieves the access pressure on the server and on the other hand prevents the malicious traffic within the suspicious traffic from attacking directly, lengthening the time to attack while also buying time for further analysis and identification of the malicious traffic within the suspicious encrypted traffic.
On the one hand, the sandbox forms a security protection barrier for the server, which effectively protects the server and improves its working efficiency; on the other hand, blocking of malicious traffic and delayed response to suspicious traffic are achieved through the degree of feature match of malicious or suspicious traffic together with key technical means such as machine learning; finally, server sensitivity grading yields a corresponding grading of suspicious-traffic response times, which buys time for further identification of malicious encrypted traffic and better safeguards the server.
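As an added example, not part of the patent text: a minimal parser for the plaintext ClientHello showing exactly which handshake fields a passive sandbox can read without any key material. The record it parses is constructed inline by a small builder (the server name, cipher-suite list and version list are assumed values, and the 32-byte random is a fixed filler), and the parser handles only the two extensions the identification rules above rely on, server_name (the DNS feature) and supported_versions.

```python
import struct


def _u16(n: int) -> bytes:
    return n.to_bytes(2, "big")


def build_client_hello(server_name: str, cipher_suites: list, versions: list) -> bytes:
    """Constructed sample input (not a capture): a TLS record carrying a ClientHello
    with a server_name extension and a supported_versions extension."""
    sni_entry = b"\x00" + _u16(len(server_name)) + server_name.encode("ascii")
    sni_ext = _u16(0x0000) + _u16(len(sni_entry) + 2) + _u16(len(sni_entry)) + sni_entry
    vers = b"".join(_u16(v) for v in versions)
    sv_ext = _u16(0x002B) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    suites = b"".join(_u16(c) for c in cipher_suites)
    body = (_u16(0x0303) + b"\x11" * 32          # legacy_version, 32-byte random (fixed filler)
            + b"\x00"                             # empty legacy_session_id
            + _u16(len(suites)) + suites
            + b"\x01\x00"                         # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16" + _u16(0x0301) + _u16(len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the plaintext ClientHello fields a passive sandbox can read without keys."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    client_random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                                   # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                   # skip compression_methods
    features = {"legacy_version": legacy_version, "random": client_random.hex(),
                "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos + 2 > len(body):                                # no extensions block at all
        features["offers_tls13"] = False
        return features
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(data) >= 5:             # server_name (RFC 6066)
            name_len = struct.unpack("!H", data[3:5])[0]
            features["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == 0x002B and data:                     # supported_versions (RFC 8446)
            n = min(data[0], len(data) - 1)
            features["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                              for i in range(0, n - n % 2, 2)]
    # In TLS 1.3 the Certificate message is encrypted, so certificate-based features are
    # only readable from the plaintext handshake when 1.2 or lower is actually negotiated.
    features["offers_tls13"] = 0x0304 in features["supported_versions"]
    return features
```

In a deployment the record would be the first TLS record of the client-to-server stream; when the ServerHello then selects TLS 1.2 or lower, the server's Certificate message can be parsed from its flight in the same way, which is where the certificate validity and chain features come from. When TLS 1.3 is selected, only the ClientHello and ServerHello fields above are available to the sandbox.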
Further, the method further comprises:
if, at the end of the response time, it still cannot be confirmed whether the suspicious encrypted traffic is normal encrypted traffic, tagging the source IP address from which the suspicious encrypted traffic originated, the tag content including the source IP address;
and entering the tag content, as base data for traceback and localisation, into an initial traceback situation map based on suspicious IP addresses, a complete suspicious-IP traceback situation map being formed once a sufficient number of suspicious IP addresses have been entered.
If, at the end of the response time, the suspicious encrypted traffic has not been identified or needs further observation and tracking, it must be tagged, that is, the source IP address from which it came is tagged, which is of great significance for subsequent traceback and localisation. The tagging policy is "source IP + number", where the number can be user-defined; for example, the sensitivity level and the number of the server accessed by the IP can be encoded as source 192.168.3.21+<H, 1>, indicating that this IP address accessed a server of high sensitivity numbered 1. The output tag is entered, as a base data source, into a traceback situation map based on suspicious IP addresses, providing a solid data foundation for subsequent traceback and localisation based on suspicious IP addresses and helping to form a complete traceback chain. Finally, a complete suspicious-IP traceback situation map is formed from a large number of IPs, which includes building a database of malicious attack paths and forming a suspicious-IP tracking trajectory map, so that subsequent tracking can be carried out by big-data means. This is particularly relevant to advanced persistent threats (APT), which require continuous tracking so that early signs are found and early warning and handling are carried out, and it is of great significance for targeted improvement of network security capability and for building a network security defence line.
Further, the method further comprises:
and if the suspicious encrypted traffic still cannot be confirmed to be normal encrypted traffic when the response time expires, identifying the suspicious encrypted traffic manually.
If the suspicious encrypted traffic still cannot be confirmed when the corresponding differentiated response time has expired, it can be finally determined by manual identification; this final manual processing can strengthen identification by committing more manpower.
Further, the setting of a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is about to access includes:
dividing the sensitivity of the server into a plurality of sensitivity levels from low to high, and synchronising the sensitivity levels to the sandbox;
and setting a corresponding differentiated response time for suspicious encrypted traffic that needs to access the server according to the server's sensitivity level, where the higher the server's sensitivity level, the longer the corresponding response time, and every differentiated response time is longer than the normal response time.
The sensitivity of the servers is divided into a plurality of sensitivity levels from low to high, establishing linkage between the sandbox and the servers; the servers' sensitivity level division must be synchronised to the sandbox. The server levels can be defined according to the actual situation of the network, for example as three levels H, M and L from high to low. If a server belongs to the more sensitive level H, requests to it must be answered with more care, and the corresponding response time must be lengthened compared with a normal request: if the normal response time is S seconds, the request response time for H-level access becomes S + T, where the value of T can be chosen according to the network environment, for example 10 seconds. Correspondingly, the request response time for M-level access is S + Q (where Q is less than T), for example Q = 5 seconds, and the request response time for L-level access is S + R (with R less than Q, that is, R < Q < T). Fixing the response times in this way further sorts the suspicious encrypted traffic, following the principle "what is not trusted is not passed; what is not trusted is verified further".
Further, the identification of the encrypted traffic processed in the sandbox according to the preset identification rule includes:
and identifying the encrypted traffic processed in the sandbox through the cooperation of a preset malicious feature library, certificate features and ensemble learning.
Malicious encrypted traffic is identified better through a cooperative mode combining multiple methods; most malicious encrypted traffic can be dealt with at initial identification, reducing the subsequent processing work.
Further, the method further comprises:
and if the malicious encrypted traffic is of a new type, extracting the features of the new malicious encrypted traffic and updating them into the malicious feature library.
After malicious encrypted traffic has been identified, if it is found that the corresponding malicious feature library holds no record of its features, the features of the new malicious traffic are extracted and the malicious feature library is updated, so that such malicious encrypted traffic can be identified more easily and quickly in future.
Further, the confirming the suspicious encrypted traffic again includes:
and comprehensively analysing and adjudicating the suspicious encrypted traffic by combining manual work with hybrid features, ciphertext retrieval and multi-dimensional feature identification and analysis, so as to determine whether the suspicious encrypted traffic is normal encrypted traffic.
Suspicious encrypted traffic that could not be confirmed in the initial identification must be verified in a stricter way: the verification combines manual work, hybrid features, new techniques and other identification and analysis methods, not limited to ciphertext retrieval and multi-dimensional features, into a comprehensive adjudication, spending more human and material resources to identify the suspicious encrypted traffic and prevent the server from being attacked by malicious traffic.
In one embodiment of the present disclosure, the handling of each kind of encrypted traffic in the sandbox after identification is as shown in fig. 3. Normal encrypted traffic is input directly to the server. Suspicious encrypted traffic is entered into the suspicious encrypted traffic database, and different response times are set according to the sensitivity level of the server the traffic is about to access: for a server of sensitivity level H the request response time is S + T, for level M it is S + Q, and for level L it is S + R. Within the response time, the traffic is analysed by manual work combined with hybrid features, ciphertext retrieval and multi-dimensional feature identification. If the suspicious encrypted traffic is determined to be normal encrypted traffic, it is input to the server. If it cannot be determined, it is identified manually, its suspicious IP address is tagged, and the tag is entered into the suspicious-IP traceback situation map, providing basic support for forming a suspicious-IP attack-path traceback map and enabling subsequent tracking of malicious traffic by big-data means. At the same time, suspicious encrypted traffic that still cannot be identified but is important may be marked and input to the server, where it is watched closely.
The embodiments of the disclosure draw on the data resources of a basic telecom operator, which satisfy the diversity of data in complex environments. On the one hand, the sandbox forms a security protection barrier for the server, effectively protecting it and improving its working efficiency; on the other hand, blocking of malicious traffic and delayed response to suspicious traffic are achieved through the degree of feature match of malicious or suspicious traffic combined with key technical means such as machine learning; finally, server sensitivity grading yields a corresponding grading of suspicious-traffic response times, and the output result serves as a data source that provides basic support for forming an attack-path traceback map based on suspicious IP addresses. Through this technical scheme, network security resilience can be strengthened, the network's own defensive capability improved, safe and reliable service guarantees provided to customers through a smarter and more secure network, and the value of the security capability maximised.
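The dispatch of this embodiment, together with the differentiated response times S + T / S + Q / S + R described for the H, M and L sensitivity levels above and the tagging policy "source IP + <level, server number>", as an added example that is not the patent's own code: a small Python sandbox policy engine that classifies a flow by a preset rule, passes or blocks it, or holds it with a deadline set by the sensitivity of the server it is about to access, re-confirms it within that deadline, learns the features of newly confirmed malicious traffic into the feature library, and on timeout tags the source IP into the traceback map and escalates to manual review. The timing constants (S = 2, T = 10, Q = 5, R = 2), the feature keys (sni, cert_sha256, cert_valid, chain_trusted, weak_suite), the server numbers and the sample flows are all assumed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Verdict(Enum):
    NORMAL = "normal"
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"


# Assumed timing in seconds: normal response time S, plus the extra delay T > Q > R
# that the sandbox adds for servers of sensitivity H, M and L respectively.
NORMAL_RESPONSE_S = 2
EXTRA_DELAY = {"H": 10, "M": 5, "L": 2}


@dataclass
class Flow:
    flow_id: str
    src_ip: str
    dst_server: str   # server number, used in the tag "source IP+<level, server number>"
    features: dict    # plaintext handshake features from the identification stage (assumed keys)


@dataclass
class Sandbox:
    server_levels: dict       # server number -> "H" / "M" / "L", synchronised from the servers
    malicious_library: set    # preset malicious feature library (assumed: SNI names, cert hashes)
    quarantine: dict = field(default_factory=dict)   # suspicious encrypted traffic database
    trace_map: dict = field(default_factory=dict)    # suspicious-IP traceback situation map

    def identify(self, flow: Flow) -> Verdict:
        """Preset identification rule: library hit -> malicious; valid certificate on a
        trusted chain and no weak cipher suite -> normal; anything else -> suspicious."""
        f = flow.features
        if f.get("sni") in self.malicious_library or f.get("cert_sha256") in self.malicious_library:
            return Verdict.MALICIOUS
        if f.get("cert_valid") and f.get("chain_trusted") and not f.get("weak_suite"):
            return Verdict.NORMAL
        return Verdict.SUSPICIOUS

    def response_deadline(self, server: str, now: float) -> float:
        """Differentiated response time: S + T, S + Q or S + R by server sensitivity."""
        return now + NORMAL_RESPONSE_S + EXTRA_DELAY[self.server_levels[server]]

    def handle(self, flow: Flow, now: float) -> str:
        """First pass: pass normal traffic, block malicious traffic, hold suspicious traffic."""
        verdict = self.identify(flow)
        if verdict is Verdict.MALICIOUS:
            return "block"
        if verdict is Verdict.NORMAL:
            return "pass"
        self.quarantine[flow.flow_id] = (flow, self.response_deadline(flow.dst_server, now))
        return "hold"

    def reconfirm(self, flow_id: str, result: Optional[bool], now: float) -> str:
        """Second pass within the response time. `result` is the outcome of the deeper
        analysis: True = normal, False = malicious, None = still undetermined."""
        flow, deadline = self.quarantine[flow_id]
        if result is True:
            del self.quarantine[flow_id]
            return "pass"
        if result is False:
            # Newly confirmed malicious traffic: extract its features into the library.
            self.malicious_library.update(
                v for v in (flow.features.get("sni"), flow.features.get("cert_sha256")) if v)
            del self.quarantine[flow_id]
            return "block"
        if now < deadline:
            return "hold"   # response time not yet exhausted, keep analysing
        # Response time exhausted with no decision: tag the source IP with the level and
        # number of the server it accessed, feed the traceback map, escalate to manual review.
        level = self.server_levels[flow.dst_server]
        self.trace_map.setdefault(flow.src_ip, []).append(f"{flow.src_ip}+<{level}, {flow.dst_server}>")
        del self.quarantine[flow_id]
        return "manual"


def demo() -> dict:
    """Run three constructed flows through the sandbox and collect the decisions."""
    sb = Sandbox(server_levels={"1": "H", "2": "M", "3": "L"},
                 malicious_library={"c2.bad.example"})
    normal = Flow("f1", "10.0.0.5", "2", {"sni": "www.example.com", "cert_valid": True,
                                          "chain_trusted": True, "weak_suite": False})
    bad = Flow("f2", "10.0.0.6", "3", {"sni": "c2.bad.example"})
    odd = Flow("f3", "192.168.3.21", "1", {"sni": None, "cert_valid": False})
    out = {"f1": sb.handle(normal, now=0), "f2": sb.handle(bad, now=0), "f3": sb.handle(odd, now=0)}
    out["f3_deadline"] = sb.quarantine["f3"][1]          # H-level server: 0 + S + T = 12
    out["f3_early"] = sb.reconfirm("f3", None, now=5)    # still inside the response time
    out["f3_final"] = sb.reconfirm("f3", None, now=12)   # timed out: tag + manual review
    out["trace_map"] = dict(sb.trace_map)
    return out
```

The engine deliberately keeps the response-time deadline with the quarantined flow rather than in the identification rule, so the same rule can serve servers of every sensitivity level; only the deadline changes. A tag such as 192.168.3.21+<H, 1> is appended per timeout, so repeated timeouts from one source IP accumulate into the list that a traceback map would later aggregate.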
Fig. 4 shows a sandbox-based encrypted traffic processing system according to a second embodiment of the present disclosure, which includes a server 2 and a sandbox 1, where the sandbox 1 includes:
an identification and judgment module 11, configured to identify the encrypted traffic according to a preset identification rule and divide it into normal encrypted traffic, malicious encrypted traffic and suspicious encrypted traffic;
a handling module 12, configured to block malicious encrypted traffic and release normal encrypted traffic;
the handling module 12 is further configured to place the suspicious encrypted traffic in a suspicious encrypted traffic database for temporary storage, to set a differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is trying to access, and to confirm the suspicious encrypted traffic again within that differentiated response time.
The sandbox 1 is deployed in front of the server 2 and is used to process the encrypted traffic.
Further, the sandbox 1 also comprises an input module 13;
the handling module 12 is further configured so that, if it is still impossible to confirm whether the suspicious encrypted traffic is normal encrypted traffic when the response time has expired, the source IP address from which the suspicious encrypted traffic originates is identified, and the identification content includes that source IP address;
the input module 13 is configured to input the identification content, as basic data for tracing and positioning, into an initial tracing situation map based on suspicious IP addresses, and to form a complete tracing situation map based on suspicious IP addresses once a certain number of suspicious IP addresses have been input.
Further, the handling module 12 is further configured to, after the sensitivity of the server has been divided into a plurality of sensitivity levels from low to high and those levels have been synchronized to the sandbox, set a corresponding differentiated response time for suspicious encrypted traffic that is to access the server according to the server's sensitivity level, where the higher the sensitivity level of the server, the longer the corresponding response time, and all differentiated response times are greater than the normal response time.
Further, the identification and judgment module 11 is specifically configured to recognize the encrypted traffic processed in the sandbox through the cooperation of a preset malicious feature library, certificate features and ensemble learning.
Further, the handling module 12 is further configured to extract the features of the malicious encrypted traffic if it is a novel kind of malicious encrypted traffic, and to update those features into the malicious feature library.
Further, confirming the suspicious encrypted traffic again in the handling module 12 includes:
comprehensively studying and judging the suspicious encrypted traffic by combining manual work with mixed features, ciphertext retrieval and multi-dimensional feature identification and analysis, and determining whether the suspicious encrypted traffic is normal encrypted traffic.
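The following is an added example, not code from the patent, that models the sandbox pipeline described in the method and system embodiments above: primary identification from a feature library, a certificate feature and an ML score, release/block/quarantine dispatch, a response deadline of base time S plus a per-sensitivity delay (T for H, Q for M, R for L), and identification of the source IP into a tracing map when the deadline expires undetermined. The feature names, score thresholds, delay values and the rule that a flow re-confirmed as not normal is blocked are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Verdict(Enum):
    NORMAL = "normal"
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"

# Response time = base S plus a per-sensitivity delay (T > Q > R); seconds, constructed values.
BASE_RESPONSE_S = 1.0
SENSITIVITY_DELAY = {"H": 30.0, "M": 10.0, "L": 3.0}   # T, Q, R

@dataclass(frozen=True)
class Flow:
    src_ip: str
    server: str            # server the flow wants to reach
    cert_feature: str      # stands in for the certificate feature
    mixed_feature: str     # stands in for a multidimensional / mixed feature
    ml_score: float        # ensemble-learning malicious probability, 0..1 (hypothetical)

@dataclass
class Sandbox:
    server_sensitivity: dict                         # server -> "H"/"M"/"L", synced from the servers
    malicious_features: set = field(default_factory=set)
    quarantine: dict = field(default_factory=dict)   # suspicious flow -> response deadline
    tracing_map: list = field(default_factory=list)  # identified suspicious source IPs
    released: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

    def identify(self, flow: Flow) -> Verdict:
        """Primary identification: feature library, certificate feature and ML score together."""
        if {flow.cert_feature, flow.mixed_feature} & self.malicious_features:
            return Verdict.MALICIOUS
        if flow.ml_score >= 0.9:                     # novel malicious traffic: learn its feature
            self.malicious_features.add(flow.mixed_feature)
            return Verdict.MALICIOUS
        return Verdict.NORMAL if flow.ml_score <= 0.2 else Verdict.SUSPICIOUS

    def handle(self, flow: Flow, now: float) -> Verdict:
        """Release normal, block malicious, quarantine suspicious with a sensitivity-based deadline."""
        verdict = self.identify(flow)
        if verdict is Verdict.NORMAL:
            self.released.append(flow)
        elif verdict is Verdict.MALICIOUS:
            self.blocked.append(flow)
        else:
            level = self.server_sensitivity.get(flow.server, "H")   # unknown server: most sensitive
            self.quarantine[flow] = now + BASE_RESPONSE_S + SENSITIVITY_DELAY[level]
        return verdict

    def reconfirm(self, flow: Flow, now: float, is_normal) -> str:
        """Secondary analysis result for a quarantined flow; is_normal is True, False or None."""
        deadline = self.quarantine.pop(flow)
        if is_normal is True:
            self.released.append(flow)
            return "released"
        if is_normal is False:                       # assumption: confirmed not normal is blocked
            self.blocked.append(flow)
            return "blocked"
        if now >= deadline:                          # response time expired, still undetermined
            self.tracing_map.append({"src_ip": flow.src_ip, "server": flow.server, "at": now})
            self.released.append(flow)               # marked, forwarded for close attention
            return "marked"
        self.quarantine[flow] = deadline             # still within the response time
        return "pending"
```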
The sandbox-based encrypted traffic processing system of this embodiment is used to implement the sandbox-based encrypted traffic processing method of the first embodiment, so its description is kept brief; for details, refer to the related description of the first embodiment, which is not repeated here.
Furthermore, as shown in fig. 5, a third embodiment of the present disclosure further provides an electronic device, which includes a memory 10 and a processor 20, where the memory 10 stores a computer program, and when the processor 20 runs the computer program stored in the memory 10, the processor 20 executes the above-mentioned various possible sandbox-based encrypted traffic processing methods.
The memory 10 is connected to the processor 20, the memory 10 may be a flash memory, a read-only memory or other memories, and the processor 20 may be a central processing unit or a single chip microcomputer.
Furthermore, the disclosed embodiments also provide a computer-readable storage medium, on which a computer program is stored, the computer program being executed by a processor to perform the above-mentioned various possible methods.
The computer-readable storage media include volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash Memory or other Memory technology, CD-ROM (Compact disk Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present disclosure, and that the present disclosure is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the disclosure, and these are to be considered as the scope of the disclosure.

Claims (10)

1. A sandbox-based encrypted traffic processing method, comprising:
identifying the encrypted traffic processed in the sandbox according to a preset identification rule, and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
releasing the normal encrypted traffic; blocking the malicious encrypted traffic; and inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is to access, and confirming the suspicious encrypted traffic again within that response time.
2. The method of claim 1, further comprising:
if it cannot be confirmed whether the suspicious encrypted traffic is normal encrypted traffic by the end of the response time, identifying the source IP address from which the suspicious encrypted traffic originates, wherein the identification content comprises the source IP address;
and inputting the identification content, as basic data for tracing and positioning, into an initial tracing situation map based on suspicious IP addresses, and forming a complete tracing situation map based on suspicious IP addresses by inputting a certain number of suspicious IP addresses.
3. The method of claim 1, further comprising:
if it cannot be confirmed that the suspicious encrypted traffic is normal encrypted traffic when the response time has expired, manually identifying the suspicious encrypted traffic.
4. The method according to claim 1 or 2, wherein setting the corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is to access comprises:
dividing the sensitivity of the server into a plurality of sensitivity levels from low to high, and synchronizing the sensitivity levels to the sandbox;
and setting a corresponding differentiated response time for suspicious encrypted traffic that needs to access the server according to the sensitivity level of the server, wherein the higher the sensitivity level of the server, the longer the corresponding response time, and all differentiated response times are greater than the normal response time.
5. The method of claim 1, wherein identifying encrypted traffic processed in the sandbox according to a predetermined identification rule comprises:
recognizing the encrypted traffic processed in the sandbox through the cooperation of a preset malicious feature library, certificate features and ensemble learning.
6. The method of claim 5, further comprising:
if the malicious encrypted traffic is a novel kind of malicious encrypted traffic, extracting the features of the novel malicious encrypted traffic and updating those features into the malicious feature library.
7. The method of claim 1, wherein said reconfirming of the suspicious encrypted traffic comprises:
comprehensively studying and judging the suspicious encrypted traffic by combining manual work with mixed features, ciphertext retrieval and multi-dimensional feature identification and analysis, and determining whether the suspicious encrypted traffic is normal encrypted traffic.
8. A sandbox based encrypted traffic processing system comprising a server and a sandbox, said sandbox comprising:
an identification and judgment module, configured to identify the encrypted traffic processed in the sandbox according to a preset identification rule and identify the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; and
a handling module, configured to release normal encrypted traffic; block malicious encrypted traffic; and input the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, set a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server it is to access, and confirm the suspicious encrypted traffic again within that response time.
9. An electronic device comprising a memory having a computer program stored therein and a processor, wherein the processor, when executing the computer program stored in the memory, performs the sandbox-based encrypted traffic processing method of any one of claims 1-7.
10. A computer-readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the sandbox-based encrypted traffic processing method according to any one of claims 1-7.
CN202111175660.XA 2021-10-09 2021-10-09 Sandbox-based encrypted traffic processing method, system, equipment and medium Active CN113923021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111175660.XA CN113923021B (en) 2021-10-09 2021-10-09 Sandbox-based encrypted traffic processing method, system, equipment and medium


Publications (2)

Publication Number Publication Date
CN113923021A true CN113923021A (en) 2022-01-11
CN113923021B CN113923021B (en) 2023-09-22

Family

ID=79238681




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant