CN113923021B - Sandbox-based encrypted traffic processing method, system, equipment and medium - Google Patents

Info

Publication number: CN113923021B
Authority: CN (China)
Prior art keywords: encrypted traffic, suspicious, traffic, sandbox, encrypted
Legal status: Active
Application number: CN202111175660.XA
Other languages: Chinese (zh)
Other versions: CN113923021A (en)
Inventors: 陆勰, 徐雷, 张曼君, 王姗姗, 谢泽铖
Current assignee: China United Network Communications Group Co Ltd
Original assignee: China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202111175660.XA
Publication of CN113923021A
Application granted
Publication of CN113923021B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The disclosure provides a sandbox-based encrypted traffic processing method, a sandbox-based encrypted traffic processing system, electronic equipment and a computer-readable storage medium, in order to solve the technical problems of high identification pressure and poor security for encrypted malicious traffic. The method comprises the following steps: identifying the encrypted traffic processed in the sandbox by a preset identification rule, and classifying it as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; releasing the normal encrypted traffic; blocking the malicious encrypted traffic; inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, giving the suspicious encrypted traffic a differentiated response time according to the sensitivity of the server it intends to access, and confirming the suspicious encrypted traffic again within that response time. With this technical scheme, attack traffic within the encrypted traffic is rapidly detected and responded to, and the service capacity and security of the server are improved while data is distributed.

Description

Sandbox-based encrypted traffic processing method, system, equipment and medium
Technical Field
The disclosure relates to the technical field of network security, in particular to a sandbox-based encrypted traffic processing method, a sandbox-based encrypted traffic processing system, electronic equipment and a computer-readable storage medium.
Background
In recent years, traffic encryption has increasingly become a weather vane of internet development. The frequent appearance of scenarios such as remote home office, remote teaching and remote conferencing has further increased the demand for traffic encryption. Because of the complexity of the internet environment, however, encryption by itself cannot guarantee the security and reliability of information. More importantly, the explosion of encrypted traffic has led attackers to use encrypted traffic to carry out malicious attacks with more destructive behaviour: attackers use encryption to hide malicious viruses, worms, trojans and the like, and exploit the weaknesses of existing encrypted traffic identification means and of protective measures such as firewalls and intrusion detection equipment to carry out more aggressive malicious behaviour. Timely and rapid identification and analysis of encrypted traffic is therefore of great significance for improving network security resilience and purifying cyberspace.
Since decrypting encrypted traffic is a complex problem and violates the original purpose of encryption, and since the conventional traffic detection technology DPI (Deep Packet Inspection) cannot detect encrypted traffic, conventional technical means mostly approach the problem by matching against a feature rule library of typical features possessed by malicious traffic, and by big-data analysis means such as ensemble learning. Although the prior art has a certain effect on the identification and analysis of encrypted malicious traffic, the following problems remain: first, the server side directly faces the client side and responds according to the flow and the request after receiving the client's request, that is, the server must respond to the request whether or not the encrypted traffic is malicious, which undoubtedly increases the working pressure on the server side and weakens its security; secondly, no fine-grained evaluation is carried out on the importance of the server, so corresponding response means cannot be adopted; in addition, the prior art is mainly characterised by single experimental or test data sets, small data volumes and insufficiently complex structure, so that detection accuracy varies considerably.
Disclosure of Invention
In order to at least solve the technical problems of high identification pressure, poor security and inaccurate detection of encrypted malicious traffic in the prior art, the disclosure provides a sandbox-based encrypted traffic processing method, a sandbox-based encrypted traffic processing system, electronic equipment and a computer-readable storage medium, which can realize rapid detection of and response to attack traffic within encrypted traffic, improve the service capacity of the server while realizing data distribution, and reduce the risk of the server being attacked.
In a first aspect, the present disclosure provides a sandbox-based encrypted traffic processing method, the method comprising:
identifying the encrypted traffic processed in the sandbox by a preset identification rule, and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
releasing the normal encrypted traffic; blocking malicious encrypted traffic; and inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of a server to be accessed by the suspicious encrypted traffic, and confirming the suspicious encrypted traffic again within the response time.
Further, the method further comprises:
if the suspicious encrypted traffic cannot be confirmed when the response time has elapsed, marking the source IP address of the suspicious encrypted traffic, wherein the marking content comprises the source IP address;
and inputting the identification content as basic data of tracing positioning into an initial tracing situation map based on suspicious IP addresses, and forming a complete tracing situation map based on the suspicious IP addresses by inputting a certain number of suspicious IP addresses.
Further, the method further comprises:
and if the suspicious encrypted traffic cannot be confirmed at the end of the response time counting, manually identifying the suspicious encrypted traffic.
Further, setting the corresponding differentiated response time according to the sensitivity of the server to be accessed by the suspicious encrypted traffic includes:
dividing the sensitivity level of the server into a plurality of sensitivity levels from low to high, and synchronizing the sensitivity levels to a sandbox;
setting corresponding differentiated response time for suspicious encrypted traffic to access the server according to the sensitivity level of the server, wherein the higher the sensitivity level of the server is, the longer the corresponding response time is, and the response time of all the differences is larger than the normal response time.
Further, the method for identifying the encrypted traffic processed in the sandbox through the preset identification rule comprises the following steps:
and identifying the encrypted traffic processed in the sandbox through cooperation of a preset malicious feature library, certificate features and ensemble learning.
Further, the method further comprises:
and if the malicious encrypted traffic is novel malicious encrypted traffic, extracting the characteristics of the malicious encrypted traffic and updating the characteristics to a malicious characteristic library.
Further, the reconfirming the suspicious encrypted traffic includes:
and comprehensively judging the suspicious encrypted traffic by combining manual work with the identification analysis of the mixed characteristics, the ciphertext retrieval and the multidimensional characteristics, and confirming whether the suspicious encrypted traffic is normal encrypted traffic.
In a second aspect, the present disclosure provides a sandbox-based encrypted traffic processing system, comprising a server and a sandbox, the sandbox comprising:
the identification judging module is used for identifying the encrypted traffic processed in the sandbox through a preset identification rule and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; the method comprises the steps of,
a disposal module arranged to pass through normal encrypted traffic; blocking malicious encrypted traffic; and inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of a server to be accessed by the suspicious encrypted traffic, and confirming the suspicious encrypted traffic again within the response time.
In a third aspect, the present disclosure provides an electronic device comprising a memory and a processor, the memory having a computer program stored therein, the processor performing the sandbox-based encrypted traffic processing method according to any one of the first aspects when the processor runs the computer program stored in the memory.
In a fourth aspect, the present disclosure provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the sandbox-based encrypted traffic processing method of any of the first aspects above.
The beneficial effects are that:
the sandbox-based encrypted traffic processing method, the sandbox-based encrypted traffic processing system, the electronic equipment and the computer readable storage medium provided by the disclosure identify encrypted traffic processed in the sandbox through a preset identification rule, and identify the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; releasing the normal encrypted traffic; blocking malicious encrypted traffic; and inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of a server to be accessed by the suspicious encrypted traffic, and confirming the suspicious encrypted traffic again within the response time. According to the technical scheme, the security protection barrier of the server is formed through the sandbox, encrypted malicious traffic is effectively identified before an abnormal event or an attack event occurs, blocking is timely carried out, the security capability of the server is improved, and the technical scheme can be combined with the existing network basic condition of an operator, so that the rapid detection and response of the attack traffic in the encrypted traffic can be realized under the condition that the data diversity and complexity are met, the service capability of the server is improved while the data distribution is realized, and the risk of the server being attacked is reduced.
Drawings
Fig. 1 is a schematic flow chart of a sandbox-based encrypted traffic processing method according to a first embodiment of the disclosure;
fig. 2 is a schematic flow chart of identifying and judging encrypted traffic in a sandbox according to a first embodiment of the disclosure;
FIG. 3 is a schematic flow chart of processing various encrypted traffic in a sandbox after identifying the encrypted traffic according to the first embodiment of the present disclosure;
fig. 4 is a block diagram of an encrypted traffic processing system based on a sandbox according to a second embodiment of the present disclosure;
fig. 5 is a schematic diagram of an electronic device according to a third embodiment of the disclosure.
Detailed Description
In order that those skilled in the art will better understand the technical solutions of the present disclosure, the present disclosure will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention, and are not limiting of the invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order; moreover, embodiments of the present disclosure and features of embodiments may be arbitrarily combined with each other without conflict.
Wherein the terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in this disclosure and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the following description, suffixes such as "module", "component", or "unit" for representing elements are used only for facilitating the description of the present disclosure, and are not of specific significance per se. Thus, "module," "component," or "unit" may be used in combination.
With the continuous development of 5G networks, the internet of things, the industrial internet and so on, the traffic carried by operator pipelines keeps growing, and encrypted traffic in particular has become the mainstream form of traffic. The transmission of malicious code, viruses, worms and the like by means of encryption has been disclosed, but the following problems still exist in the identification and analysis of encrypted malicious traffic. First, from client to server, the client directly faces the server based on five-tuple or seven-tuple flow characteristics; the server responds according to the flow and the request after receiving the client's request, and must respond whether or not the encrypted traffic is malicious, which increases the working pressure on the server and weakens its security. Secondly, no fine-grained evaluation is performed on the importance of the servers: from the client's point of view all servers are at the same level and respond to the client under the same time requirement, which clearly gives an attacker a favourable opportunity; in addition, no means of continuous tracking is provided for tracing malicious or suspicious traffic. Finally, current research is mainly characterised by single experimental or test data sets, small data volumes and insufficiently complex structure, that is, the research means are to some extent inapplicable or of very little effect in the environment of a large operator network, and detection accuracy varies considerably.
The following describes the technical solutions of the present disclosure and how the technical solutions of the present disclosure solve the above-mentioned problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.
Fig. 1 is a flow chart of a sandbox-based encrypted traffic processing method according to a first embodiment of the disclosure, as shown in fig. 1, where the method includes:
step S101: identifying the encrypted traffic processed in the sandbox by a preset identification rule, and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
step S102: releasing the normal encrypted traffic; blocking malicious encrypted traffic; and inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of a server to be accessed by the suspicious encrypted traffic, and confirming the suspicious encrypted traffic again within the response time.
A sandbox is an isolated environment that a network may provide for running programs. The sandboxes are deployed in front of the server; they can be deployed independently and distributed according to the actual network environment, and are used to implement handling responses to the traffic accessing the server. The sandbox and the server can be connected in a heartbeat mode, so that the server is informed in advance of the sandbox's handling situation and can prepare a handling strategy ahead of time. The encrypted traffic is passed into the sandbox, where it is comprehensively studied and judged by integrating the current means of encrypted traffic identification and judgment, including identification and analysis based on malicious feature libraries, certificate features, ensemble learning and the like. In conventional encrypted traffic, the main encryption protocols are IPsec (Internet Protocol Security), SSL (Secure Sockets Layer)/TLS (Transport Layer Security) and SSH (Secure Shell). A TLS connection mainly comprises two steps, handshake and connection; the handshake phase is in cleartext and includes information such as random numbers, the cipher suite and the protocol version, which provides a good opportunity for encrypted traffic identification, and in this process the traffic can be identified by main features such as the validity of the certificate and the reliability of the certificate chain.
Therefore, the technical means for detecting encrypted traffic in the sandbox of this embodiment includes identifying and analysing the encrypted traffic based on numerous features such as certificates, DNS (Domain Name System), cipher suites and versions; meanwhile, the preset identification rules used to identify the encrypted traffic may also include malicious feature libraries, machine learning (for example based on clustering) and deep learning (for example based on neural networks). Multiple means are required to cooperatively implement the analysis of the encrypted traffic, after which the analysis result is output, divided into three classes: normal encrypted traffic, malicious encrypted traffic and suspicious encrypted traffic. The flow is shown in fig. 2.
After the encrypted traffic has been identified and divided into normal, malicious or suspicious encrypted traffic, each case is handled accordingly. Malicious encrypted traffic is blocked directly, so that it does not reach the server side and cause further harm. Normal encrypted traffic and suspicious encrypted traffic enter the next stage: normal encrypted traffic is released directly, output from the sandbox to the server side, and subsequent operation continues according to the normal flow; traffic identified as suspicious is input into the suspicious encrypted traffic database (a database of traffic awaiting further analysis) for temporary storage, a differentiated response time is set according to the sensitivity of the server the suspicious encrypted traffic intends to access (the more sensitive the server, the longer the response time set for its sensitivity level), and the suspicious encrypted traffic is further confirmed within that longer differentiated response time.
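The identification stage described above (a malicious feature library, certificate features and ensemble-style voting over cleartext handshake fields, with a three-way verdict) can be sketched as follows. This is an added illustration, not code from the patent or its assignee: the handshake fields, the weak cipher suite markers, the deprecated version set, the three detectors and the voting threshold are all assumptions chosen for the example, and the library update on a novel malicious verdict stands in for the feature extraction the disclosure mentions later.

```python
"""Sandbox identification stage (constructed example): classify a cleartext TLS
handshake summary as normal / malicious / suspicious using a malicious feature
library, certificate checks and a simple ensemble vote."""
from dataclasses import dataclass, field
from typing import Callable, List, Set

NORMAL, MALICIOUS, SUSPICIOUS = "normal", "malicious", "suspicious"

# Assumed lists: cipher suite name fragments and protocol versions treated as weak.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "EXPORT", "DES", "MD5")
DEPRECATED_VERSIONS = {"SSL3.0", "TLS1.0", "TLS1.1"}


@dataclass
class HandshakeFeatures:
    """Handshake fields the sandbox can read without decrypting the session."""
    src_ip: str
    sni: str                 # server name requested by the client
    tls_version: str         # negotiated protocol version, e.g. "TLS1.2"
    cipher_suite: str        # negotiated cipher suite name
    cert_subject: str        # subject of the server certificate
    cert_valid: bool         # signature verifies and validity period covers now
    chain_trusted: bool      # chain anchors at a trusted root
    cert_age_days: int       # days since the certificate's notBefore


@dataclass
class MaliciousFeatureLibrary:
    """Known-bad indicators; extended when novel malicious traffic is found."""
    sni: Set[str] = field(default_factory=set)
    cert_subjects: Set[str] = field(default_factory=set)

    def matches(self, f: HandshakeFeatures) -> bool:
        return f.sni in self.sni or f.cert_subject in self.cert_subjects

    def learn(self, f: HandshakeFeatures) -> None:
        """Extract the features of novel malicious traffic into the library."""
        self.sni.add(f.sni)
        self.cert_subjects.add(f.cert_subject)


def certificate_detector(f: HandshakeFeatures) -> bool:
    """Votes 'bad' when the certificate or its chain does not check out."""
    return (not f.cert_valid) or (not f.chain_trusted)


def protocol_detector(f: HandshakeFeatures) -> bool:
    """Votes 'bad' on deprecated protocol versions or weak cipher suites."""
    weak = any(m in f.cipher_suite.upper() for m in WEAK_CIPHER_MARKERS)
    return f.tls_version in DEPRECATED_VERSIONS or weak


def freshness_detector(f: HandshakeFeatures) -> bool:
    """Votes 'bad' on a very young, untrusted certificate (stand-in for a learned model)."""
    return f.cert_age_days < 3 and not f.chain_trusted


DETECTORS: List[Callable[[HandshakeFeatures], bool]] = [
    certificate_detector, protocol_detector, freshness_detector,
]


def identify(f: HandshakeFeatures, library: MaliciousFeatureLibrary) -> str:
    """Three-way verdict: library hit or at least two detector votes -> malicious,
    no votes -> normal, exactly one vote -> suspicious (held for reconfirmation)."""
    if library.matches(f):
        return MALICIOUS
    votes = sum(1 for detector in DETECTORS if detector(f))
    if votes == 0:
        return NORMAL
    if votes >= 2:
        library.learn(f)  # novel malicious traffic: update the malicious feature library
        return MALICIOUS
    return SUSPICIOUS


if __name__ == "__main__":
    lib = MaliciousFeatureLibrary(sni={"known-bad.example"})  # constructed indicator
    samples = [  # constructed handshake summaries
        HandshakeFeatures("10.0.0.5", "shop.example", "TLS1.3", "TLS_AES_128_GCM_SHA256",
                          "CN=shop.example", True, True, 200),
        HandshakeFeatures("10.0.0.7", "new.example", "TLS1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                          "CN=new.example", True, False, 30),
        HandshakeFeatures("10.0.0.8", "c2.example", "TLS1.0", "RC4-MD5",
                          "CN=c2.example", False, False, 1),
    ]
    for sample in samples:
        print(sample.sni, "->", identify(sample, lib))
```

The single-vote band is what makes the scheme three-way rather than binary: one weak signal is not enough to block, but it is enough to divert the flow into the suspicious database where the differentiated response time applies.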
According to the embodiment of the disclosure, on the one hand, a security protection barrier for the server is formed through the sandbox, which effectively protects the security of the server and improves its working efficiency; on the other hand, malicious traffic is blocked through the degree of feature matching of malicious or suspicious traffic together with key technical means such as machine learning, suspicious traffic receives a delayed response, and finally a corresponding division of suspicious traffic response time classes is formed from the division of server sensitivity levels, so that time is gained for further identifying malicious encrypted traffic and the security of the server is better guaranteed.
Further, the method further comprises:
if the suspicious encrypted traffic cannot be confirmed when the response time has elapsed, marking the source IP address of the suspicious encrypted traffic, wherein the marking content comprises the source IP address;
and inputting the identification content as basic data of tracing positioning into an initial tracing situation map based on suspicious IP addresses, and forming a complete tracing situation map based on the suspicious IP addresses by inputting a certain number of suspicious IP addresses.
If, after the response time has elapsed, the suspicious encrypted traffic is still not identified or needs further observation and tracking, it needs to be marked, that is, the source IP address of the access is marked; the suspicious IP address is of great significance for subsequent tracing and positioning. The marking strategy consists of the source IP plus a number, where the number can be customised, for example as the sensitivity level of the server and the number of the server that the IP accessed: a mark such as "source 192.168.3.21+<H,1>" indicates that this IP address accessed a server of higher sensitivity. The output marking result can be input as a basic data source into a tracing situation map based on suspicious IP addresses, providing a strong data basis for subsequent tracing and positioning based on suspicious IP addresses and facilitating the formation of a complete tracing chain. A complete tracing situation map based on suspicious IP addresses is finally formed through a large number of suspicious IP addresses, forming a database of traced attack paths; subsequent tracing is then carried out with big-data means, which is of great importance for continuous tracking, early warning and the positioning of network security.
Further, the method further comprises:
and if the suspicious encrypted traffic cannot be confirmed at the end of the response time counting, manually identifying the suspicious encrypted traffic.
If the suspicious encrypted traffic cannot be confirmed after the corresponding differentiated response time has elapsed, it can finally be determined by manual identification; this final manual processing can increase the identification strength by investing more manpower. In another implementation of this embodiment, suspicious encrypted traffic that cannot be identified can be blocked, or can be input directly to the server after being marked, where the suspicious encrypted traffic is responded to under monitoring.
Further, setting the corresponding differentiated response time according to the sensitivity of the server to be accessed by the suspicious encrypted traffic includes:
dividing the sensitivity level of the server into a plurality of sensitivity levels from low to high, and synchronizing the sensitivity levels to a sandbox;
setting corresponding differentiated response time for suspicious encrypted traffic to access the server according to the sensitivity level of the server, wherein the higher the sensitivity level of the server is, the longer the corresponding response time is, and the response time of all the differences is larger than the normal response time.
The sensitivity level of the server is divided into a plurality of levels from low to high, and linkage is formed between the sandbox and the server: the server's sensitivity level needs to be synchronised to the sandbox. The sensitivity level can be defined according to the actual condition of the network, for example as three levels H, M and L. If a server belongs to the higher-sensitivity level H, the response time for requests to it needs to be carefully prolonged compared with a normal request: if the normal response time is S seconds, the response time for a request accessing an H-level server becomes S+T, where the value of T can be chosen according to the server's network environment, for example 10 seconds; the response time for a request to an M-level server is S+Q (where Q is smaller than T, for example 5 seconds); and the response time for a request to an L-level server is S+R (where R is smaller than Q, that is, R < Q < T). Determining the response time in this way further combs through the suspicious encrypted traffic, following the principle of no release without trust and no release without verification.
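The disposition of suspicious traffic set out above (temporary storage, a response window of S+T, S+Q or S+R by server sensitivity, reconfirmation inside the window, and the "source IP+<level, number>" mark fed to the tracing situation map when the window closes unconfirmed) can be put together as a small state machine. This is an added example, not the patent's code: S=2 seconds and R=2 seconds are assumed (the text gives only T=10, Q=5 and R < Q < T), time is passed in explicitly so the windows can be checked offline, and the flow identifiers, IP addresses and server numbers are constructed.

```python
"""Sandbox disposition stage for suspicious encrypted traffic (constructed example):
temporary storage, differentiated response time by server sensitivity, reconfirmation
within the window, and source-IP marking when the window expires unconfirmed."""
from dataclasses import dataclass, field
from typing import Dict, List

NORMAL_RESPONSE_S = 2.0                          # S: assumed normal response time (seconds)
EXTRA_DELAY_S = {"H": 10.0, "M": 5.0, "L": 2.0}  # T=10 and Q=5 from the text; R=2 assumed, R < Q < T


def differentiated_response_time(level: str, s: float = NORMAL_RESPONSE_S) -> float:
    """S+T for an H-level server, S+Q for M, S+R for L; every window exceeds S."""
    return s + EXTRA_DELAY_S[level]


@dataclass
class ServerProfile:
    number: int   # server number used in the mark
    level: str    # sensitivity level synchronised from the server to the sandbox


@dataclass
class SuspiciousEntry:
    src_ip: str
    server: ServerProfile
    deadline: float   # absolute time by which the flow must be reconfirmed


def mark_source(src_ip: str, server: ServerProfile) -> str:
    """Mark in the form 'source IP + <sensitivity level, server number>'."""
    return f"{src_ip}+<{server.level},{server.number}>"


@dataclass
class SuspiciousTrafficDB:
    """Temporary store plus the outcomes: released, blocked, or marked for tracing."""
    pending: Dict[str, SuspiciousEntry] = field(default_factory=dict)
    released: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)
    manual_queue: List[str] = field(default_factory=list)   # unconfirmed flows handed to analysts
    situation_map: List[str] = field(default_factory=list)  # marks feeding the tracing situation map

    def admit(self, flow_id: str, src_ip: str, server: ServerProfile, now: float) -> float:
        """Store a suspicious flow and return its response deadline."""
        deadline = now + differentiated_response_time(server.level)
        self.pending[flow_id] = SuspiciousEntry(src_ip, server, deadline)
        return deadline

    def reconfirm(self, flow_id: str, verdict: str, now: float) -> str:
        """Apply a second-stage verdict ('normal' or 'malicious') inside the window."""
        entry = self.pending.get(flow_id)
        if entry is None:
            return "unknown"
        if now > entry.deadline:
            self.expire(now)          # window already closed: handle as unconfirmed
            return "expired"
        del self.pending[flow_id]
        if verdict == "normal":
            self.released.append(flow_id)
            return "released"
        self.blocked.append(flow_id)
        return "blocked"

    def expire(self, now: float) -> List[str]:
        """Mark every flow whose window closed without a verdict; hand it to manual review."""
        marks: List[str] = []
        for flow_id, entry in list(self.pending.items()):
            if now > entry.deadline:
                mark = mark_source(entry.src_ip, entry.server)
                marks.append(mark)
                self.situation_map.append(mark)
                self.manual_queue.append(flow_id)
                del self.pending[flow_id]
        return marks


if __name__ == "__main__":
    db = SuspiciousTrafficDB()
    h_server = ServerProfile(number=1, level="H")          # constructed server profile
    print("H window:", db.admit("flow-1", "192.168.3.21", h_server, now=0.0))
    print("reconfirm:", db.reconfirm("flow-1", "normal", now=5.0))
    db.admit("flow-2", "192.168.3.21", h_server, now=0.0)
    print("expired marks:", db.expire(now=13.0))
```

Because the window length is derived from the server's level rather than from the client's request, a flow aimed at an H-level server is held longer than one aimed at an L-level server even when both look equally suspicious at the first stage; the marks accumulate in the situation map regardless of the later manual outcome.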
Further, the method for identifying the encrypted traffic processed in the sandbox through the preset identification rule comprises the following steps:
and identifying the encrypted traffic processed in the sandbox through cooperation of a preset malicious feature library, certificate features and ensemble learning.
The malicious encrypted traffic can be better identified through a cooperative mode combining a plurality of modes, so that most of the malicious encrypted traffic can be dealt with during primary identification, and subsequent further processing tasks are reduced.
Further, the method further comprises:
and if the malicious encrypted traffic is novel malicious encrypted traffic, extracting the characteristics of the malicious encrypted traffic and updating the characteristics to a malicious characteristic library.
After the malicious encrypted traffic has been identified, if no backup of its features is found in the corresponding malicious feature library, the features of this novel malicious traffic are further extracted and the malicious feature library is updated, so that the same malicious encrypted traffic can subsequently be identified more conveniently and rapidly.
Further, the reconfirming the suspicious encrypted traffic includes:
and comprehensively judging the suspicious encrypted traffic by combining manual work with the identification analysis of the mixed characteristics, the ciphertext retrieval and the multidimensional characteristics, and confirming whether the suspicious encrypted traffic is normal encrypted traffic.
Suspicious encrypted traffic that cannot be confirmed during the primary identification needs to be verified by a stricter identification mode: comprehensive research and judgment combining comprehensive manual work with identification and analysis modes such as mixed features and new technologies, including ciphertext retrieval and multidimensional features. By spending more manpower and material resources, the identification of the suspicious encrypted traffic can be achieved and the server prevented from being attacked by malicious traffic.
In one embodiment of the disclosure, after the encrypted traffic has been identified, the processing modes of the various kinds of encrypted traffic in the sandbox are as shown in fig. 3: normal encrypted traffic is input directly to the server; suspicious encrypted traffic is input into the suspicious encrypted traffic library, and different response times are set according to the sensitivity level of the server it accesses, namely S+T when the server's sensitivity level is H, S+Q when it is M and S+R when it is L; within the response time, research and analysis are carried out by manual work together with mixed features, ciphertext retrieval and multidimensional feature identification; if the suspicious encrypted traffic is determined to be normal encrypted traffic it is input to the server, and if it cannot be determined it is identified manually; the identification results are input into the tracing situation map based on suspicious IP addresses, providing basic support for forming an attack tracing map based on suspicious IP addresses and for the subsequent identification and comparison of suspicious traffic against important services.
According to the embodiment of the disclosure, the basic telecom operator's own data resources are combined and the diversity of data in a complex environment is accommodated. On the one hand, the sandbox forms a security protection barrier for the server, which effectively protects the server and improves its working efficiency. On the other hand, malicious traffic is blocked according to the feature matching degree of malicious or suspicious traffic together with key technical means such as machine learning, suspicious traffic receives a delayed response, and finally the server sensitivity classes yield a corresponding classification of suspicious traffic response times; the output result serves as a data source and provides basic support for forming an attack path tracing graph based on suspicious IP addresses. Through the technical scheme of the disclosure, network security resilience can be strengthened, the operator's own security defence capability is improved, a safe and reliable service guarantee can be provided to customers through a more intelligent and secure network, and the value of the security capability is maximised.
Fig. 4 is a sandbox-based encrypted traffic processing system according to a second embodiment of the present disclosure, including a server 2 and a sandbox 1, where the sandbox 1 includes:
the identifying and judging module 11 is configured to identify the encrypted traffic by a preset identifying rule, and divide the encrypted traffic into a normal encrypted traffic, a malicious encrypted traffic and a suspicious encrypted traffic;
a handling module 12 arranged to block malicious encrypted traffic and pass normal encrypted traffic;
the handling module 12 is further arranged to input and temporarily store suspicious encrypted traffic into a suspicious encrypted traffic database, and then to give a differentiated response time for the suspicious encrypted traffic in combination with the sensitivity of the server to be accessed by the suspicious encrypted traffic, and to further confirm the suspicious encrypted traffic within the differentiated response time.
The sandbox 1 is disposed at the front end of the server 2 and is used for processing the encrypted traffic.
Further, the sandbox 1 further comprises an input module 13;
the handling module 12 is further configured to identify a source IP address accessed by the suspicious encrypted traffic if it is still not possible to confirm whether the suspicious encrypted traffic is normal encrypted traffic at the end of the response time timing, the identifying content including the source IP address;
the input module 13 is configured to input the identification content as basic data of tracing positioning into an initial tracing situation map based on suspicious IP addresses, and form a complete tracing situation map based on suspicious IP addresses by inputting a certain number of suspicious IP addresses.
Further, the handling module 12 is further configured to set a corresponding differentiated response time according to the sensitivity level of the server after dividing the sensitivity level of the server into a plurality of sensitivity levels from low to high and synchronizing the sensitivity levels to the sandbox, where the higher the sensitivity level of the server is, the longer the corresponding response time is, and all the differentiated response times are greater than the normal response time.
Further, the identification and judgment module 11 is specifically configured to identify the encrypted traffic handled in the sandbox through cooperation of a preset malicious feature library, certificate features and ensemble learning.
Further, the handling module 12 is further configured to extract the characteristics of the malicious encrypted traffic and update the characteristics to a malicious feature library if the malicious encrypted traffic is a new malicious encrypted traffic.
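The identification stage described for module 11 (malicious feature library plus certificate features plus ensemble learning, with novel malicious traffic feeding its features back into the library) as an added Python example; this is not the patent's own code. The three weak learners, the thresholds 0.67/0.34, the fingerprint strings, the library entry and the sample flows are all constructed assumptions chosen to exercise each of the three verdicts.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    NORMAL = "normal"
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"


@dataclass
class TlsFlow:
    src_ip: str
    sni: str              # server name from the client hello ("" if absent)
    fingerprint: str      # hash of the client-hello parameters (constructed values)
    cert_issuer: str
    cert_subject: str
    cert_days_valid: int
    bytes_out: int        # client -> server
    bytes_in: int         # server -> client


# Malicious feature library: client-hello fingerprints already known to be bad
# (constructed sample entry, not a real indicator).
malicious_feature_library = {"a3b1c5d7": "constructed-family-A"}


def cert_learner(f: TlsFlow) -> float:
    """Certificate features: self-signed and short-lived certificates score high."""
    self_signed = f.cert_issuer == f.cert_subject
    short_lived = f.cert_days_valid < 30
    return (self_signed + short_lived) / 2


def sni_learner(f: TlsFlow) -> float:
    """An absent SNI or an IP-literal SNI is atypical for ordinary client traffic."""
    if not f.sni:
        return 1.0
    return 1.0 if f.sni.replace(".", "").isdigit() else 0.0


def shape_learner(f: TlsFlow) -> float:
    """Traffic shape: far more upload than download is unusual for a client."""
    if f.bytes_in == 0:
        return 1.0
    return 1.0 if f.bytes_out / f.bytes_in > 3 else 0.0


LEARNERS = (cert_learner, sni_learner, shape_learner)


def ensemble_score(f: TlsFlow) -> float:
    """Averaging ensemble of the weak learners; 0.0 = benign, 1.0 = all agree malicious."""
    return sum(learner(f) for learner in LEARNERS) / len(LEARNERS)


def identify(f: TlsFlow, library: dict, high: float = 0.67, low: float = 0.34) -> Verdict:
    """Feature-library hit -> malicious. Otherwise the ensemble score decides:
    >= high malicious (novel, so its fingerprint is extracted into the library),
    >= low suspicious, else normal."""
    if f.fingerprint in library:
        return Verdict.MALICIOUS
    score = ensemble_score(f)
    if score >= high:
        library[f.fingerprint] = "novel-ensemble-%.2f" % score   # feature extraction + library update
        return Verdict.MALICIOUS
    if score >= low:
        return Verdict.SUSPICIOUS
    return Verdict.NORMAL


# Constructed sample flows (documentation addresses, invented fingerprints).
KNOWN_BAD = TlsFlow("203.0.113.10", "example.com", "a3b1c5d7", "Example CA", "example.com", 90, 1000, 50000)
NOVEL = TlsFlow("203.0.113.11", "", "ff00ee11", "CN=self", "CN=self", 7, 40000, 500)
SUSPECT = TlsFlow("198.51.100.5", "198.51.100.99", "12345678", "CN=self", "CN=self", 365, 1000, 20000)
BENIGN = TlsFlow("192.0.2.8", "www.example.org", "9abcdef0", "Example CA", "www.example.org", 365, 2000, 60000)


def run_demo() -> dict:
    """Classify the samples in order on a private copy of the library."""
    lib = dict(malicious_feature_library)
    results = {f.src_ip: identify(f, lib).value for f in (KNOWN_BAD, NOVEL, SUSPECT, BENIGN)}
    # A later flow reusing NOVEL's fingerprint is now caught by the library alone.
    repeat = TlsFlow("192.0.2.9", "www.example.org", "ff00ee11", "Example CA", "www.example.org", 365, 2000, 60000)
    results["repeat"] = identify(repeat, lib).value
    return results


if __name__ == "__main__":
    for src, verdict in run_demo().items():
        print(src, "->", verdict)
```

The library check runs before the ensemble so that a known fingerprint is blocked regardless of how benign the rest of the flow looks, and only ensemble verdicts above the high threshold are written back, which keeps merely suspicious flows from polluting the feature library.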
Further, the re-confirmation of the suspicious encrypted traffic by the handling module 12 includes:
comprehensively judging the suspicious encrypted traffic by combining manual work with the identification analysis of the mixed characteristics, the ciphertext retrieval and the multidimensional characteristics, and confirming whether the suspicious encrypted traffic is normal encrypted traffic.
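The handling flow of fig. 3 and of module 12 (release normal traffic, block malicious traffic, hold suspicious traffic in the temporary database for a sensitivity-dependent response time, re-confirm it with the stricter check, and record still-unconfirmed source IPs in the tracing situation map) as an added Python example; this is not the patent's own code. The patent gives only the symbolic delays s+t, s+q and s+r, so the numeric delays, the server names, the IP addresses and the stand-in stricter check are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    NORMAL = "normal"
    MALICIOUS = "malicious"
    SUSPICIOUS = "suspicious"


# The page names the delays symbolically (H: s+t, M: s+q, L: s+r) and gives
# no numbers. These are assumed values in seconds, chosen so that every
# delayed response exceeds the normal response time s and H waits longest.
NORMAL_RESPONSE_S = 0.2                          # s
EXTRA_DELAY_S = {"H": 5.0, "M": 2.0, "L": 1.0}   # t, q, r


def response_time(sensitivity: str) -> float:
    """Differentiated response time for a request to a server of this level."""
    return NORMAL_RESPONSE_S + EXTRA_DELAY_S[sensitivity]


@dataclass
class Flow:
    src_ip: str
    dst_server: str
    verdict: Verdict          # outcome of the primary identification


@dataclass
class Sandbox:
    server_sensitivity: dict                            # server -> "H"/"M"/"L", synced from the servers
    suspicious_db: list = field(default_factory=list)   # (flow, deadline): temporary store
    tracing_map: dict = field(default_factory=dict)     # src IP -> unconfirmed sightings
    released: list = field(default_factory=list)
    blocked: list = field(default_factory=list)

    def handle(self, flow: Flow, now: float) -> str:
        """Release normal, block malicious, hold suspicious until its deadline."""
        if flow.verdict is Verdict.NORMAL:
            self.released.append(flow)
            return "released"
        if flow.verdict is Verdict.MALICIOUS:
            self.blocked.append(flow)
            return "blocked"
        level = self.server_sensitivity[flow.dst_server]
        self.suspicious_db.append((flow, now + response_time(level)))
        return "held:" + level

    def reverify_expired(self, now: float,
                         reverify: Callable[[Flow], Optional[Verdict]]) -> list:
        """Apply the stricter check to every held flow whose response time has
        elapsed. `reverify` returns NORMAL or MALICIOUS, or None when the flow
        still cannot be confirmed; unconfirmed source IPs go to the tracing map."""
        outcomes, pending = [], []
        for flow, deadline in self.suspicious_db:
            if now < deadline:
                pending.append((flow, deadline))
                continue
            result = reverify(flow)
            if result is Verdict.NORMAL:
                self.released.append(flow)
                outcomes.append("released")
            elif result is Verdict.MALICIOUS:
                self.blocked.append(flow)
                outcomes.append("blocked")
            else:
                self.tracing_map[flow.src_ip] = self.tracing_map.get(flow.src_ip, 0) + 1
                outcomes.append("traced")
        self.suspicious_db = pending
        return outcomes


def run_demo() -> Sandbox:
    """Constructed scenario: three servers of different sensitivity, four flows."""
    sb = Sandbox({"db": "H", "web": "M", "cdn": "L"})
    flows = [
        Flow("192.0.2.8", "web", Verdict.NORMAL),
        Flow("203.0.113.5", "db", Verdict.MALICIOUS),
        Flow("203.0.113.7", "db", Verdict.SUSPICIOUS),    # H: held 5.2 s
        Flow("198.51.100.4", "cdn", Verdict.SUSPICIOUS),  # L: held 1.2 s
    ]
    for f in flows:
        sb.handle(f, now=0.0)

    # Constructed stand-in for the stricter (manual + mixed-feature) check:
    # it can only confirm the cdn flow as normal.
    def stricter(flow: Flow) -> Optional[Verdict]:
        return Verdict.NORMAL if flow.src_ip == "198.51.100.4" else None

    sb.reverify_expired(now=1.5, reverify=stricter)   # L window elapsed, H still open
    sb.reverify_expired(now=6.0, reverify=stricter)   # H window elapsed: unconfirmed -> traced
    return sb


if __name__ == "__main__":
    demo = run_demo()
    print("released:", [f.src_ip for f in demo.released])
    print("blocked:", [f.src_ip for f in demo.blocked])
    print("tracing map:", demo.tracing_map)
```

The clock is passed in explicitly rather than read from `time.time()` so the deadlines can be checked deterministically; in a deployment the same two methods would be driven by the real clock, with the tracing map persisted so that repeated sightings of one source IP accumulate across runs.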
The sandbox-based encrypted traffic processing system of the embodiment of the present disclosure is used for implementing the sandbox-based encrypted traffic processing method of the first embodiment of the method, so that the description is simpler, and specific reference may be made to the related description of the first embodiment of the method, which is not repeated here.
In addition, as shown in fig. 5, a third embodiment of the present disclosure further provides an electronic device, including a memory 10 and a processor 20, where the memory 10 stores a computer program, and when the processor 20 runs the computer program stored in the memory 10, the processor 20 executes any of the sandbox-based encrypted traffic processing methods described above.
The memory 10 is connected to the processor 20, the memory 10 may be a flash memory, a read-only memory, or other memories, and the processor 20 may be a central processing unit or a single chip microcomputer.
Furthermore, embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a computer program that is executed by a processor to perform the various possible methods described above.
Computer-readable storage media include volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
It is to be understood that the above embodiments are merely exemplary embodiments employed to illustrate the principles of the present disclosure, however, the present disclosure is not limited thereto. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the disclosure, and are also considered to be within the scope of the disclosure.

Claims (9)

1. A sandbox-based encrypted traffic processing method, the method comprising:
identifying the encrypted traffic processed in the sandbox by a preset identification rule, and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic;
releasing the normal encrypted traffic; blocking malicious encrypted traffic; for suspicious encrypted traffic, inputting the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, setting corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of a server to be accessed by the suspicious encrypted traffic, and confirming the suspicious encrypted traffic again within the response time;
the setting of the corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server to be accessed comprises the following steps:
dividing the sensitivity level of the server into a plurality of sensitivity levels from low to high, and synchronizing the sensitivity levels to the sandbox;
setting a corresponding differentiated response time for the suspicious encrypted traffic accessing the server according to the sensitivity level of the server, wherein the higher the sensitivity level of the server is, the longer the corresponding response time is, and all the differentiated response times are longer than the normal response time.
2. The method according to claim 1, wherein the method further comprises:
if the suspicious encrypted traffic cannot be confirmed at the end of the response time timing, identifying a source IP address accessed by the suspicious encrypted traffic, wherein the identification content comprises the source IP address;
inputting the identification content as basic data of tracing positioning into an initial tracing situation map based on suspicious IP addresses, and forming a complete tracing situation map based on the suspicious IP addresses by inputting a certain number of suspicious IP addresses.
3. The method according to claim 1, wherein the method further comprises:
if the suspicious encrypted traffic cannot be confirmed at the end of the response time timing, manually identifying the suspicious encrypted traffic.
4. The method of claim 1, wherein identifying encrypted traffic handled within the sandbox by a preset identification rule comprises:
identifying the encrypted traffic processed in the sandbox through cooperation of a preset malicious feature library, certificate features and ensemble learning.
5. The method according to claim 4, wherein the method further comprises:
if the malicious encrypted traffic is novel malicious encrypted traffic, extracting the characteristics of the malicious encrypted traffic and updating the characteristics to the malicious feature library.
6. The method of claim 1, wherein said confirming the suspicious encrypted traffic again comprises:
comprehensively judging the suspicious encrypted traffic by combining manual work with the identification analysis of the mixed characteristics, the ciphertext retrieval and the multidimensional characteristics, and confirming whether the suspicious encrypted traffic is normal encrypted traffic.
7. A sandbox-based encrypted traffic processing system, comprising a server and a sandbox, the sandbox comprising:
the identification judging module is used for identifying the encrypted traffic processed in the sandbox through a preset identification rule and identifying the encrypted traffic as normal encrypted traffic, malicious encrypted traffic or suspicious encrypted traffic; and
a handling module arranged to release normal encrypted traffic; to block malicious encrypted traffic; and to input the suspicious encrypted traffic into a suspicious encrypted traffic database for temporary storage, set a corresponding differentiated response time for the suspicious encrypted traffic according to the sensitivity of the server to be accessed by the suspicious encrypted traffic, and confirm the suspicious encrypted traffic again within the response time.
8. An electronic device comprising a memory and a processor, the memory having a computer program stored therein, wherein when the processor runs the computer program stored in the memory, the processor performs the sandbox-based encrypted traffic processing method of any of claims 1 to 6.
9. A computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a sandbox-based encrypted traffic processing method according to any of claims 1 to 6.
CN202111175660.XA 2021-10-09 2021-10-09 Sandbox-based encrypted traffic processing method, system, equipment and medium Active CN113923021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111175660.XA CN113923021B (en) 2021-10-09 2021-10-09 Sandbox-based encrypted traffic processing method, system, equipment and medium

Publications (2)

Publication Number Publication Date
CN113923021A CN113923021A (en) 2022-01-11
CN113923021B true CN113923021B (en) 2023-09-22

Family

ID=79238681

Country Status (1)

Country Link
CN (1) CN113923021B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114465823B (en) * 2022-04-08 2022-08-19 杭州海康威视数字技术股份有限公司 Industrial Internet terminal encrypted flow data security detection method, device and equipment

Citations (7)

Publication number Priority date Publication date Assignee Title
CN106850549A (en) * 2016-12-16 2017-06-13 北京江南博仁科技有限公司 Distributed cryptographic service gateway and implementation method
CN111010409A (en) * 2020-01-07 2020-04-14 南京林业大学 Encryption attack network flow detection method
CN111277598A (en) * 2020-01-21 2020-06-12 北京天琴合创技术有限公司 Traffic-based application attack identification method and system
CN111641620A (en) * 2020-05-21 2020-09-08 黄筱俊 Novel cloud honeypot method and framework for detecting evolution DDoS attack
CN112311814A (en) * 2020-12-23 2021-02-02 中国航空油料集团有限公司 Malicious encrypted traffic identification method and system based on deep learning and electronic equipment
CN113014549A (en) * 2021-02-01 2021-06-22 北京邮电大学 HTTP-based malicious traffic classification method and related equipment
CN113469366A (en) * 2020-03-31 2021-10-01 北京观成科技有限公司 Encrypted flow identification method, device and equipment

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9992217B2 (en) * 2015-12-31 2018-06-05 The University Of North Carolina At Chapel Hill Methods, systems, and computer readable media for detecting malicious network traffic
KR102348078B1 (en) * 2018-01-12 2022-01-10 삼성전자주식회사 User terminal device, electronic device, system comprising the same and control method thereof

Non-Patent Citations (1)

Title
基于LSTM循环神经网络的恶意加密流量检测 (Malicious encrypted traffic detection based on an LSTM recurrent neural network); 邹源; 张甲; 江滨; 计算机应用与软件 (Computer Applications and Software), Issue 02; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant