CN114124558A - Operation response method and device, electronic equipment and computer readable storage medium - Google Patents

Operation response method and device, electronic equipment and computer readable storage medium

Info

Publication number
CN114124558A
Authority
CN
China
Prior art keywords
port
operation request
host machine
host
sandbox
Prior art date
Legal status
Granted
Application number
CN202111443278.2A
Other languages
Chinese (zh)
Other versions
CN114124558B (en)
Inventor
杨超
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202111443278.2A
Publication of CN114124558A
Application granted
Publication of CN114124558B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The application provides an operation response method and device, an electronic device, and a computer-readable storage medium. The method comprises: receiving, through a first port in a preset sandbox in a host, an operation request from a user terminal to the host, the first port being a port associated in advance with the type of the operation request; filtering and authenticating the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox; and, after the operation request has passed the filtering and authentication of the preset sandbox, receiving it through a second port in the host corresponding to the first port and responding to it through the host. The second port, on which the host actually receives the request, is therefore never exposed, which improves the security of the operation response. In addition, because the preset sandbox is integrated into the host, response efficiency is improved.

Description

Operation response method and device, electronic equipment and computer readable storage medium
Technical Field
The present application relates to the technical field of computer information security, and in particular, to an operation response method, an operation response device, an electronic device, and a computer-readable storage medium.
Background
With the development of virtualization and cloud computing technology, avoiding and repairing vulnerabilities in hosts and servers has received increasing attention from customers. In general, some minor host vulnerabilities can be fixed or mitigated by patching or by changing system parameters, but many kernel vulnerabilities require an upgrade of the kernel version. In most cases that is not permitted, because a kernel upgrade is time-consuming and labour-intensive, disrupts running services, and can affect existing business data. At present, honeypot systems are deployed to protect hosts, but a honeypot must be deployed in its own virtual machine, and interaction between the honeypot system and the host generally introduces latency, which reduces the efficiency of operation responses.
Disclosure of Invention
An object of the embodiments of the present application is to provide an operation response method and device, an electronic device, and a computer-readable storage medium that improve the security of operation responses and mitigate low response efficiency.
In order to achieve the above object, embodiments of the present application are implemented as follows:
in a first aspect, an embodiment of the present application provides an operation response method, where the method includes: receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance; filtering and authenticating the operation request through a first packet filtering firewall and a first authentication strategy in the preset sandbox; and after the operation request is subjected to filtering authentication of the preset sandbox, receiving the operation request through a second port corresponding to the first port in the host machine, and responding to the operation request through the host machine.
In the above embodiment, the preset sandbox in the host performs filtering authentication on the operation request to the host, and the operation request is input into the host through the second port of the host after the filtering authentication is completed. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
With reference to the first aspect, in a possible implementation manner, before receiving, through a first port in a preset sandbox in a host, an operation request of a user terminal to the host, the method further includes: and filtering and authenticating the operation request through a second packet filtering firewall and a second authentication strategy in the host machine.
With reference to the first aspect, in a possible implementation, before receiving the operation request through the second port corresponding to the first port in the host, the method further includes: checking the operation request against a virus scanning database in the preset sandbox. Receiving the operation request through the second port then comprises: receiving the operation request through the second port corresponding to the first port in the host only when the check passes.
With reference to the first aspect, in a possible implementation, before receiving, through the first port in the preset sandbox in the host, the operation request from the user terminal to the host, the method includes:
mapping the second port in the host that corresponds to the type of the request to the first port; creating, based on a preset container engine, a sandbox image corresponding to the host within the host to serve as the preset sandbox, the preset sandbox comprising the services corresponding to the first port, the services including an SSH service; and establishing a connection between the preset sandbox and the response system of the host so that the host redirects received operation requests into the preset sandbox.
With reference to the first aspect, in one possible implementation, the method further includes: and shielding the second port of the host machine.
With reference to the first aspect, in one possible implementation, the method further includes: and configuring management authority aiming at the host machine for the preset sandbox, wherein the management authority comprises an IP address range allowing access.
With reference to the first aspect, in one possible implementation, the method further includes: and deleting a command for acquiring the specified information of the system of the host in the preset sandbox.
In a second aspect, the present application also provides an operation response apparatus, the apparatus comprising:
a first receiving unit, configured to receive, through a first port in a preset sandbox in a host, an operation request from a user terminal to the host, the first port being a port associated in advance with the type of the operation request;
a filtering authentication unit, configured to filter and authenticate the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox; and
a second receiving unit, configured to receive the operation request through a second port in the host corresponding to the first port after the operation request has passed the filtering and authentication of the preset sandbox, and to respond to the operation request through the host.
In a third aspect, the present application further provides an electronic device, which includes a processor and a memory coupled to each other, wherein the memory stores a computer program, and when the computer program is executed by the processor, the electronic device is caused to perform the method described above.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the method described above.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 2 is a schematic flowchart of an operation response method according to an embodiment of the present application.
Fig. 3 is a schematic diagram of a path of a response request in an electronic device according to an embodiment of the present application.
Fig. 4 is a block diagram of an operation response device according to an embodiment of the present application.
Reference numerals: 10, electronic device; 11, processing module; 12, storage module; 13, communication module; 200, operation response apparatus; 210, first receiving unit; 220, filtering authentication unit; 230, second receiving unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish one description from another, and are not intended to indicate or imply relative importance. The embodiments described below and the features of the embodiments can be combined with each other without conflict.
Referring to fig. 1, the present application provides an electronic device 10 that can improve the security with which the electronic device 10 responds to operation requests and reduce the likelihood of the electronic device 10 being compromised.
The electronic device 10 may include a processing module 11 and a memory module 12. The memory module 12 stores therein a computer program which, when executed by the processing module 11, enables the electronic device 10 to perform the steps of the operation response method described below. It should be noted that the electronic device 10 may also include other modules, for example, the electronic device 10 may also include a communication module 13 for establishing communication with other devices.
In the present embodiment, the electronic device 10 may be, but is not limited to, a host device, a server, a virtual host, and the like. The virtual host is a host deployed in a cloud server, and is well known to those skilled in the art.
Referring to fig. 2, the present application further provides an operation responding method, which can be applied to the electronic device 10, and each step of the method is executed or implemented by the electronic device 10. The electronic device 10 is a host in the following method, and the method may include the following steps:
step S110, receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
step S120, filtering and authenticating the operation request through a first packet filtering firewall and a first authentication strategy in the preset sandbox;
step S130, after the operation request is subjected to the filtering authentication of the preset sandbox, the operation request is received through a second port corresponding to the first port in the host machine, and the operation request is responded through the host machine.
In the above embodiment, the preset sandbox in the host performs filtering authentication on the operation request to the host, and the operation request is input into the host through the second port of the host after the filtering authentication is completed. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
The individual steps in the process are explained in detail below, as follows:
prior to step S110, the method may further comprise the step of creating and configuring a preset sandbox on the host. For example, prior to step S110, the method may comprise:
step S101, mapping the second port corresponding to the type of the request in the host machine to be the first port;
step S102, based on a preset container engine, creating a sandbox image corresponding to the host machine in the host machine to serve as the preset sandbox, wherein the preset sandbox comprises services corresponding to the first port, and the services comprise SSH services;
step S103, establishing a connection between the preset sandbox and the response system of the host, so that the host redirects received operation requests into the preset sandbox.
In step S101, the type of the request can be flexibly determined according to actual situations. For example, the type includes a management type, a service type. In addition, the management type and the service type may be subdivided according to a specific management type and a specific service type, and are not specifically limited herein.
In a host, the first port may be understood as the "port" the host presents to external devices, on which the host appears to receive requests. The second port is the port on which the host actually receives the request; it is the port to which the first port is mapped.
For example, the management port of the host's SSH (Secure Shell) service, port 22, is changed to port 22222. That is, where the host originally received management requests on port 22, it now actually receives them on port 22222, while external devices still see port 22 as the port that accepts management requests. Port 22222 is thus the second port, the one on which the host actually receives management requests, and port 22 serves as the host's external management port, the first port. Port 22222 is the mapping port of port 22, and an association (mapping relationship) exists between the two. When an external device sends a management request to the host, the port it perceives is 22; it has no knowledge of port 22222.
As another example, the host's service port may be changed in the same way: where the host originally received service requests on port 80, it now actually receives them on port 888, while external devices still see port 80 as the port that accepts service requests. When an external device sends a service request to the host, the port it perceives is 80; it has no knowledge of port 888.
In this embodiment the port numbers of the first and second ports differ, and the first port can be chosen flexibly according to the actual situation of the second port; no specific limitation is made here. Once the port mapping or port change on the host is complete, the affected service is restarted so that the new port configuration takes effect; for example, the SSH service is restarted so that the modified port takes effect. At this point the SSH service port has become 22222, and SSH sessions that were already established are not affected, because sshd applies the new listening port only to new connections. New connections must specify the port parameter that matches the mapping. A practitioner should keep the existing session open until a login on the new port has been verified, so that a configuration mistake does not lock the administrator out.
In step S102, the preset container engine may flexibly determine according to actual situations. For example, the preset container engine may be Docker. Docker is an open source application container engine, and developers can pack Docker applications and dependency packages into a portable image and then distribute the image in a host machine based on a Linux or Windows operating system.
For example, a developer may take a minimal hardened image of the host (or another image) and use Docker to build an externally facing sandbox image containing the SSH service. The sandbox image may also contain the services behind other service ports; the content of those services is not specifically limited here. The sandbox image so created serves as the preset sandbox.
In addition, in the sandbox, the service corresponding to the first port can be flexibly determined according to the actual situation, so that the response flow of the response system in the host machine to the operation request can be simulated in the sandbox. If the operation request threatens or attacks the response system, at this time, after the sandbox receives the operation request, the service in the sandbox may simulate responding to the request and expose the threat or attack behavior of responding to the request in the sandbox without threatening the actual response system in the host.
In step S103, the response system of the host is a system for responding to the operation request, and may be flexibly set according to the actual situation, which is not specifically limited herein. For example, the response system stores corresponding network resources, and the user can upload, download or query specific network resources to the response system by using the user terminal and by means of a request initiated by the user terminal.
In this embodiment, the preset sandbox is connected to the response system so that the host can redirect received operation requests into the preset sandbox. After the filtering and authentication of an operation request is completed in the preset sandbox, the request can be passed on to the response system, which then performs the response operation.
In this embodiment, through the above steps S101 to S103, a corresponding sandbox may be created on the host as a preset sandbox. After the host computer is deployed with the preset sandbox, the preset sandbox can be used for carrying out security detection on the operation request received by the host computer so as to improve the security of operation response.
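The following is an added example and not code from the patent: a script that generates the three artefacts that steps S101 to S103 describe for the SSH management port, namely the sshd drop-in that moves the host's real port to 22222 (second port), the Dockerfile for a sandbox whose sshd is published on port 22 (first port) with its own sandbox-only account, and the docker run command that connects the two. It assumes a Debian-based host whose openssh-server includes /etc/ssh/sshd_config.d/*.conf, Docker as the container engine, and the default docker0 bridge on which containers reach the host as 172.17.0.1; the account and image names (hostadmin, sandboxadmin, op-sandbox) are placeholders.

```shell
#!/bin/sh
# Added example (not the patent's code): generate the host sshd drop-in, the
# sandbox Dockerfile and the run command for steps S101-S103.
# Assumptions: Debian-based host with sshd_config.d support, Docker, default
# docker0 bridge (host = 172.17.0.1 from inside a container). All account and
# image names are placeholders.
set -eu

FIRST_PORT=22           # port the outside sees: the sandbox's published port
SECOND_PORT=22222       # port on which the host's own sshd really listens
BRIDGE_GW=172.17.0.1    # host address as seen from inside the sandbox (assumption)

# Step S101: move the host's real management port. A drop-in leaves the
# distribution's sshd_config untouched; the Include at its top makes this the
# first Port directive, so the host stops listening on 22 after a restart.
gen_host_sshd_dropin() {
  cat <<EOF
# /etc/ssh/sshd_config.d/10-second-port.conf (generated)
Port $SECOND_PORT
# second authentication policy: only accounts recorded here may log in
AllowUsers hostadmin
PermitRootLogin no
EOF
}

# Step S102: a sandbox image carrying only the service behind the first port.
# The sandbox account is distinct from any host account (first authentication
# policy); openssh-client is included so the operator can hop to the host.
gen_sandbox_dockerfile() {
  cat <<EOF
FROM debian:bookworm-slim
RUN apt-get update \\
 && apt-get install -y --no-install-recommends openssh-server openssh-client \\
 && rm -rf /var/lib/apt/lists/* \\
 && mkdir -p /run/sshd \\
 && useradd -m -s /bin/bash sandboxadmin \\
 && echo 'sandboxadmin:CHANGE_ME' | chpasswd
# first authentication policy: sandbox-only account, no tunnelling through the sandbox
RUN printf 'Port 22\\nAllowUsers sandboxadmin\\nPermitRootLogin no\\nAllowTcpForwarding no\\nX11Forwarding no\\n' \\
    > /etc/ssh/sshd_config.d/10-sandbox.conf
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D", "-e"]
EOF
}

# Step S103: publish the sandbox on the first port. Requests reach the host
# only from inside the sandbox, over the bridge, on the second port.
gen_sandbox_run_cmd() {
  printf 'docker build -t op-sandbox .\n'
  printf 'docker run -d --name op-sandbox --restart unless-stopped -p %s:22 --pids-limit 256 --memory 256m op-sandbox\n' "$FIRST_PORT"
}

# Operator flow once deployed: two logins, two credential sets.
admin_flow() {
  printf 'ssh -p %s sandboxadmin@HOST\n' "$FIRST_PORT"
  printf 'ssh -p %s hostadmin@%s\n' "$SECOND_PORT" "$BRIDGE_GW"
}

# Write everything into DIR for review before applying. Restart sshd first
# (existing sessions survive), verify a login on the second port, then run
# run.sh; docker cannot publish port 22 while the host's sshd still holds it.
write_bundle() {
  gen_host_sshd_dropin   > "$1/10-second-port.conf"
  gen_sandbox_dockerfile > "$1/Dockerfile"
  gen_sandbox_run_cmd    > "$1/run.sh"
  admin_flow             > "$1/admin-flow.txt"
}

# Usage: ./deploy-sandbox.sh OUTDIR
if [ "${1:-}" != "" ]; then
  mkdir -p "$1" && write_bundle "$1" && printf 'wrote bundle to %s\n' "$1"
fi
```

The order of activation matters: the host's sshd must be restarted on 22222 and a login on that port confirmed before the container is started, because docker cannot bind port 22 while the host's sshd still listens on it. The two AllowUsers lines are what make the first and second authentication policies different credential sets.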
As an alternative embodiment, the method may further include other configuration operations during deployment of the sandbox. For example, before step S110, the method may further include:
shielding the second port of the host.
In this embodiment, the first packet filtering firewall in the preset sandbox may be used to shield the second port of the host. The second port to be shielded, and the first packet filtering firewall itself, can be set according to actual conditions; for example, the first packet filtering firewall may be iptables.
In this embodiment, iptables can be understood as a client-side agent: the user applies security settings to the corresponding netfilter through iptables. Netfilter is the firewall framework and resides in kernel space; iptables is a command-line tool in user space that operates on that framework. Configuring this framework for the preset sandbox in advance enables security detection of the requested data.
For example, the preset sandbox may shield the host's actual SSH port (e.g. port 22222) through iptables, so that the host's actual SSH port is not exposed, which is beneficial to the network security of the host. Note that netfilter rules belong to a network namespace: a rule that shields the host's port 22222 must be loaded in the host's network namespace, whether by the host itself or by a sandbox container that is given host networking and CAP_NET_ADMIN; rules loaded only in the container's own namespace affect only the container's traffic.
As an optional implementation, before step S110 the method may further include: configuring management authority for the host on the preset sandbox, the management authority including an IP address range that is allowed access.
The management authority and the permitted IP address range can be set flexibly according to the actual situation. For example, the management authority may also permit the response system inside the host to be operated through the preset sandbox, to facilitate management of the host: the preset sandbox is permitted to establish an SSH connection to the response system through the host's actual management port (the SSH second port), so that an administrator can manage the host from the preset sandbox, which is convenient for management and maintenance.
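The following is an added example and not code from the patent: an iptables ruleset that shields the host's second port and encodes the "IP address range allowing access" of the management authority, shown beside the weak variant in which the port was only renumbered, together with a check that tells the two apart before anything is loaded. It assumes Docker's default docker0 bridge (172.17.0.0/16), so the sandbox's SSH hop to the host arrives on docker0, and that the rules are loaded in the host's network namespace with iptables-restore --noflush so Docker's own chains survive; the admin CIDR is a parameter.

```shell
#!/bin/sh
# Added example (not the patent's code): shield the second port with iptables
# and restrict it to the sandbox bridge plus an admin IP range.
# Assumptions: default docker0 bridge 172.17.0.0/16; rules are loaded in the
# host's network namespace with iptables-restore --noflush.
set -eu

SECOND_PORT=22222
SANDBOX_NET=172.17.0.0/16   # assumption: default docker0 bridge

# Weak: port 22 was renumbered to 22222 and nothing else. A port scan still
# finds it open from anywhere, so the "second port" is not hidden at all.
gen_rules_weak() {
  cat <<EOF
*filter
-A INPUT -p tcp --dport $SECOND_PORT -j ACCEPT
COMMIT
EOF
}

# Hardened: $1 is the admin CIDR from the sandbox's management authority.
# Order matters: both ACCEPTs must precede the terminal DROP. DROP rather than
# REJECT, so a scanner sees the port as filtered instead of closed.
gen_rules_hardened() {
  cat <<EOF
*filter
# second port: only the sandbox (via the bridge) and the admin range may reach it
-A INPUT -i docker0 -s $SANDBOX_NET -p tcp --dport $SECOND_PORT -j ACCEPT
-A INPUT -s $1 -p tcp --dport $SECOND_PORT -j ACCEPT
-A INPUT -p tcp --dport $SECOND_PORT -j DROP
COMMIT
EOF
}

# rules_ok reads a ruleset on stdin and succeeds only if the second port ends
# in a DROP and every ACCEPT for it carries a source restriction (-s).
rules_ok() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q -- "--dport $SECOND_PORT -j DROP" || return 1
  if printf '%s\n' "$rules" | grep -- "--dport $SECOND_PORT -j ACCEPT" | grep -qv -- ' -s '; then
    return 1   # an unrestricted ACCEPT exposes the port to every source
  fi
  return 0
}

# apply_rules FILE loads the ruleset without flushing Docker's chains. Loading
# the same file twice appends duplicate rules, so remove the old ones first.
apply_rules() {
  rules_ok < "$1" || { echo "refusing to load: second port not shielded" >&2; return 1; }
  iptables-restore --noflush < "$1"
}

# Usage: ./shield-second-port.sh ADMIN_CIDR > rules.v4 ; then apply_rules rules.v4
if [ "${1:-}" != "" ]; then
  gen_rules_hardened "$1"
fi
```

Traffic to the sandbox's published port 22 is not affected by these INPUT rules, because Docker delivers published ports through DNAT and the FORWARD chain rather than INPUT. The check from outside is a scan of both ports, for example nmap -Pn -p 22,22222 HOST: 22 should report open (the sandbox's sshd) and 22222 filtered.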
As an optional implementation, before step S110 the method may further include: deleting, in the preset sandbox, commands that acquire specified information about the host's system.
Understandably, the preset sandbox contains commands that can obtain specified information about the host's system. This specified information is sensitive information of the host and can be determined flexibly according to actual conditions. For example, such commands can report the kernel version and basic system information, which readily leaks system details and affects the security of the host. By deleting such commands, this embodiment further hides the path by which a host vulnerability could be identified, improving the security of the host. A practitioner should treat this as removing convenience for an attacker rather than as a hard boundary: a container shares the host's kernel, so removing the uname binary does not remove /proc/version or the uname system call, and anyone who obtains code execution in the sandbox can still read the kernel version by other means.
As an optional implementation, before step S110 the host may itself filter and authenticate the operation request using its own packet filtering firewall and authentication policy. For example, the method may further include:
filtering and authenticating the operation request through a second packet filtering firewall and a second authentication policy in the host.
In this embodiment, the second packet filtering firewall may be the host's own iptables. Its function is similar to that of the first packet filtering firewall, and the two-layer filtering improves the reliability of filtering and the security of the operation.
The second authentication policy can be set flexibly according to actual conditions; it may be a policy for authenticating the user name and password used to log in to the host's response system. For example, the second authentication policy is a policy in which users that have passed security verification, together with their login passwords, are recorded in advance. When a user logs in to the response system or performs a service operation, the user must enter a user name and login password; authentication passes only when the password presented matches the login password recorded for that user in the second authentication policy, and fails otherwise. In practice the policy should record salted password hashes rather than the passwords themselves and compare on the hashes, so that a leak of the policy data does not directly leak credentials.
In step S110, an operation request initiated by an external device (e.g. a user terminal) to the host is received on a first port, the port the host presents externally. In general the operation request must then be delivered to the host's response system through a second port inside the host so that the response system can respond to it. The second port is internal to the host and is not exposed; that is, the external device can learn the first port but cannot learn the second port.
In this embodiment, the number of the first ports of the host may be multiple, each first port is associated with a corresponding type of the operation request, and different types of the operation requests may correspond to different first ports.
Illustratively, a port "22" in the host corresponds to a management port of the SSH service, associated with the operation request of the management class, for receiving the operation request of the management class. The port "80" in the host is a service port, is associated with the operation request of the service class, and is used for receiving the operation request of the service class.
In step S120, the first packet filtering firewall may be the iptables, and may filter the operation request. For example, the preset sandbox may utilize iptables to perform security detection on the operation request, so as to determine whether the operation request has a security risk or an attack behavior. And if the operation request has potential safety hazard or has attack behavior, directly intercepting the operation request to stop responding to the operation request. If the operation request is safe, the operation request can be authenticated through the first authentication policy.
The manner of security detection is well known to those skilled in the art. The manner in which the operation request is authenticated using the first authentication policy is similar to the manner in which it is authenticated using the second authentication policy described above. The difference is that the first authentication policy authenticates the user and login password for entering the preset sandbox, whereas the second authentication policy authenticates the user and login password for logging in to the response system of the host. The operation request may carry a user account and a login password; alternatively, when the operation request is received, a login interface is displayed on the user terminal and the user then enters the user account and login password. The user and login password for logging in to the preset sandbox are different from the user and login password for logging in to the host machine.
When the preset sandbox completes authentication of the operation request using the first authentication policy, which indicates that the operation request is a secure request, the process may proceed to step S130. If the authentication does not complete, that is, the authentication is not passed, the operation request is unsafe and needs to be intercepted.
In step S130, after the operation request is authenticated by filtering of the preset sandbox, that is, the operation request is safe, at this time, the operation request may be input to the response system in the host through the second port in the host, so that the response system responds to the operation request. The manner of responding to the operation request may be flexibly determined according to actual situations, and is not specifically limited herein.
Between step S120 and step S130, the method may further include:
detecting the operation request through a virus searching and killing database in the preset sandbox.
Understandably, the features of various known network viruses can be recorded in the virus searching and killing database and compared with the features of the operation request. If a feature recorded in the virus killing database is present in the operation request, the operation request is a threat or attack and needs to be intercepted. If no feature in the virus killing database corresponds to the operation request, the operation request is safe and does not need to be intercepted, and the process may then proceed to step S130.
After the host is configured with the preset sandbox, the response path of the operation request may be as shown in fig. 3, where the port shown in fig. 3 is an exemplary port, and the port may be flexibly set according to an actual situation, and is not limited to the mapping relationship shown in fig. 3.
For example, referring to fig. 3, it is assumed that the actual management port of the electronic device 10 is 22222, and the port exposed to the external device is 22. After the host is configured with the preset sandbox based on Docker, if the host receives an operation request that is a management request, the operation request first needs to be filtered and detected by the second iptables carried by the host. If the operation request is safe, the user and password of the operation request are authenticated. If the authentication succeeds, the request jumps to the sandbox, and the virtualization system formed by the sandbox performs a simulated response and virus killing on the operation request. For example, the operation request is filtered and detected again by the first iptables in the sandbox, and virus checking and killing are performed on it by antivirus software pre-installed in the sandbox. If the operation request is determined to still be safe, the user and password corresponding to the operation request for logging in to the sandbox are authenticated, and after the operation request passes this second authentication, it is sent to the actual system of the host machine through the management port 22222 to be responded to. In this way, security reinforcement of the host machine is achieved and the security of the host machine's response operations is improved.
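The following is an added example, written for this page and not code from the patent or its applicant, that models the layered path of fig. 3 as a small Python program: a request is mapped from its type to the exposed first port, passes the host's packet filter and second authentication policy, then the sandbox's packet filter, virus database and first authentication policy, and only then reaches the second port. The port numbers 22, 80 and 22222 come from the description; the service-path second port 8080, the network ranges, the credentials and the virus signature are constructed assumptions.

```python
"""Added example: a model of the layered request path of fig. 3.

Every value below is constructed for illustration except the port numbers
22, 80 and 22222, which are the ones the description uses.
"""
import hmac
import ipaddress
from dataclasses import dataclass

# Request type -> first (exposed) port, as associated in advance.
FIRST_PORT_BY_TYPE = {"management": 22, "service": 80}
# First port -> second (internal, not exposed) port. 22 -> 22222 is from the
# description; 80 -> 8080 is a constructed placeholder for the service path.
SECOND_PORT_BY_FIRST = {22: 22222, 80: 8080}


@dataclass
class OperationRequest:
    src_ip: str
    kind: str                 # "management" or "service"
    host_user: str            # credentials checked by the host (second policy)
    host_password: str
    sandbox_user: str         # separate credentials checked in the sandbox (first policy)
    sandbox_password: str
    payload: bytes


@dataclass
class Stage:
    """One filtering/authentication stage: packet filter plus authentication policy."""
    name: str
    allowed_nets: tuple       # packet filter: source networks permitted on the first port
    credentials: dict         # authentication policy: user -> login password
    signature_db: tuple = ()  # virus features looked for in the payload (sandbox only)


def packet_filter_passes(allowed_nets, src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)


def authenticate(credentials, user, password):
    expected = credentials.get(user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong password cannot be told apart by timing.
    return hmac.compare_digest(expected.encode(), password.encode())


def matched_signature(signature_db, payload):
    return next((sig for sig in signature_db if sig in payload), None)


def run_stage(stage, req, user, password):
    """Apply one stage's packet filter, virus database and authentication policy.
    Returns None when the request passes, otherwise the reason it was intercepted."""
    if not packet_filter_passes(stage.allowed_nets, req.src_ip):
        return f"{stage.name}: packet filter dropped source {req.src_ip}"
    sig = matched_signature(stage.signature_db, req.payload)
    if sig is not None:
        return f"{stage.name}: virus database matched {sig!r}"
    if not authenticate(stage.credentials, user, password):
        return f"{stage.name}: authentication failed for user {user!r}"
    return None


def respond(req, host_stage, sandbox_stage):
    """Walk the request through the host stage, then the sandbox stage, then on to
    the second port. Returns (second_port_or_None, reason)."""
    first_port = FIRST_PORT_BY_TYPE.get(req.kind)
    if first_port is None:
        return None, f"no first port is associated with request type {req.kind!r}"
    reason = run_stage(host_stage, req, req.host_user, req.host_password)
    if reason:
        return None, reason
    reason = run_stage(sandbox_stage, req, req.sandbox_user, req.sandbox_password)
    if reason:
        return None, reason
    second_port = SECOND_PORT_BY_FIRST[first_port]
    return second_port, f"forwarded to the response system on port {second_port}"


# Constructed policies. Host and sandbox credentials are deliberately different,
# as the description requires.
HOST_STAGE = Stage("host", ("10.0.0.0/8",), {"admin": "host-secret"})
SANDBOX_STAGE = Stage("sandbox", ("10.0.0.0/8",), {"sbx-admin": "sandbox-secret"},
                      signature_db=(b"EVIL-PATTERN",))


def demo():
    """A well-formed management request from a permitted source reaches port 22222."""
    good = OperationRequest("10.1.2.3", "management", "admin", "host-secret",
                            "sbx-admin", "sandbox-secret", b"ls -l /var/log")
    return respond(good, HOST_STAGE, SANDBOX_STAGE)


if __name__ == "__main__":
    print(demo())
```

The stage order inside `run_stage` follows the description: the packet filter runs first, the virus database is consulted next (only the sandbox stage has one), and the credentials are checked last, so a request never reaches a password check if the filter or the signature scan already rejected it.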
Based on this design, the characteristics of the Docker sandbox are used to provide a new layer of protection for the user's host, which greatly improves the security of the host and effectively prevents attacks that exploit vulnerabilities. In addition, without additional kernel upgrades or patching, vulnerabilities of the underlying system can be effectively avoided; the implementation is convenient and fast, the applicability is strong, and the operation and maintenance cost is low.
Referring to fig. 4, an operation response device 200 is further provided in the embodiment of the present application, which can be applied to the electronic device 10 for executing the steps of the method. The operation response device 200 includes at least one software function module which can be stored in the form of software or Firmware (Firmware) in the storage module 12 or solidified in an Operating System (OS) of the electronic device 10. The processing module 11 is used for executing executable modules stored in the storage module 12, such as software functional modules and computer programs included in the operation response device 200.
In this embodiment, the operation response device 200 may include a first receiving unit 210, a filtering authentication unit 220, and a second receiving unit 220, and each unit may have the following functions:
a first receiving unit 210, configured to receive an operation request from a user terminal to a host through a first port in a preset sandbox in the host, where the first port is a port that is associated with a type of the operation request in advance;
a filtering authentication unit 220 (or referred to as a first filtering authentication unit) configured to filter and authenticate the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
a second receiving unit 220, configured to receive the operation request through a second port of the host corresponding to the first port after the operation request is subjected to filtering authentication of the preset sandbox, and respond to the operation request through the host.
Optionally, the operation response device 200 may further include a second filtering authentication unit. Before the first receiving unit 210 receives an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the second filtering authentication unit is configured to filter and authenticate the operation request through a second packet filtering firewall and a second authentication policy in the host.
Optionally, the operation response device 200 may further include a virus killing unit. Before the first receiving unit 210 receives an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the virus searching and killing unit is configured to detect the operation request through a virus searching and killing database in the preset sandbox.
Optionally, the operation response device 200 may further include a port mapping unit, a creating unit, and a connection establishing unit. Before the first receiving unit 210 receives an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the port mapping unit is configured to map the second port corresponding to the type of the request in the host as the first port; the creating unit is used for creating a sandbox image corresponding to the host machine in the host machine as the preset sandbox based on a preset container engine, wherein the preset sandbox comprises services corresponding to the first port, and the services comprise SSH services; the connection establishing unit is used for establishing the connection between the preset sandbox and a response system of the host machine, so that the host machine can jump the received operation request into the preset sandbox.
Optionally, the operation response device 200 may further include a port shielding unit for shielding the second port of the host.
Optionally, the operation responding apparatus 200 may further include a permission configuring unit, configured to configure, for the preset sandbox, management permission for the host, where the management permission includes an IP address range allowed to be accessed.
Optionally, the operation response device 200 may further include a deleting unit configured to delete, in the preset sandbox, a command for acquiring the specified information of the system of the host.
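The host-side preparation carried out by the port mapping, port shielding, permission configuring and deleting units above (claims 4 to 7) can be expressed as a checkable exposure policy. The following is an added example written for this page, not code from the patent: the second port is reachable only from the sandbox, the exposed first port is open only to the permitted management range, and the rule list is both evaluated with first-match semantics and rendered as the equivalent iptables INPUT rules (rendered as text, not executed). The ports 22 and 22222 come from the description; the sandbox address, the management network and the names of the removed commands are constructed assumptions.

```python
"""Added example: host-side exposure policy for claims 4 to 7 (constructed values
except for ports 22 and 22222, which the description uses)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    dport: int             # destination TCP port
    src: Optional[str]     # source network, or None for any source
    action: str            # "ACCEPT" or "DROP"


@dataclass(frozen=True)
class HostSetup:
    first_port: int              # exposed port that the second port is mapped to
    second_port: int             # the host's real port, to be shielded
    sandbox_ip: str              # address of the sandbox container (constructed)
    allowed_mgmt_nets: tuple     # IP range granted management permission (constructed)
    removed_commands: frozenset  # commands deleted from the sandbox image (constructed)


def build_rules(setup):
    """Shielding of the second port (claim 5) and the management IP range (claim 6)
    as a first-match rule list."""
    rules = [
        # Only the sandbox may reach the second port; every other source is dropped.
        Rule(setup.second_port, f"{setup.sandbox_ip}/32", "ACCEPT"),
        Rule(setup.second_port, None, "DROP"),
    ]
    # The exposed first port is open only to the permitted management range.
    rules += [Rule(setup.first_port, net, "ACCEPT") for net in setup.allowed_mgmt_nets]
    rules.append(Rule(setup.first_port, None, "DROP"))
    return rules


def evaluate(rules, src_ip, dst_port, default="DROP"):
    """First-match evaluation, the way a packet filter chain is consulted.
    Ports with no rule at all fall through to the default."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.dport != dst_port:
            continue
        if r.src is not None and ip not in ipaddress.ip_network(r.src):
            continue
        return r.action
    return default


def render_iptables(rules):
    """Text of the equivalent iptables INPUT rules (rendered only, never executed here)."""
    lines = []
    for r in rules:
        src = f" -s {r.src}" if r.src else ""
        lines.append(f"iptables -A INPUT -p tcp --dport {r.dport}{src} -j {r.action}")
    return lines


def command_available(setup, command):
    """Claim 7: commands that reveal host system details are removed from the sandbox image,
    so a request for one of them cannot be satisfied inside the sandbox."""
    return command not in setup.removed_commands


# Constructed setup: sandbox on the Docker bridge, management allowed from 10/8,
# and three example information-gathering commands removed from the image.
SETUP = HostSetup(first_port=22, second_port=22222, sandbox_ip="172.17.0.2",
                  allowed_mgmt_nets=("10.0.0.0/8",),
                  removed_commands=frozenset({"uname", "dmidecode", "lscpu"}))
RULES = build_rules(SETUP)


if __name__ == "__main__":
    for line in render_iptables(RULES):
        print(line)
    print(evaluate(RULES, "10.1.2.3", 22222))   # external source cannot reach the shielded port
    print(evaluate(RULES, "172.17.0.2", 22222))  # the sandbox can
```

Keeping the rule list as data and deriving both the evaluation and the rendered commands from it means the reachability a practitioner tests in `evaluate` is the same policy that would be loaded into the host's packet filter, which avoids the two drifting apart.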
In this embodiment, the processing module 11 may be an integrated circuit chip having signal processing capability. The processing module 11 may be a general-purpose processor. For example, the processor may be a Central Processing Unit (CPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in the embodiments of the present Application.
The storage module 12 may be, but is not limited to, a random access memory, a read only memory, a programmable read only memory, an erasable programmable read only memory, an electrically erasable programmable read only memory, and the like. In this embodiment, the storage module 12 may be used to store packet filtering firewalls, authentication policies, and the like. Of course, the storage module 12 may also be used to store a program, and the processing module 11 executes the program after receiving the execution instruction.
The communication module 13 is used for establishing a communication connection between the electronic device 10 and another device (e.g., a user terminal) through a network, and transceiving data through the network.
It is understood that the configuration shown in fig. 1 is only a schematic configuration of the electronic device 10, and that the electronic device 10 may further include more components than those shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
It should be noted that, as will be clear to those skilled in the art, for convenience and brevity of description, the specific working process of the electronic device 10 described above may refer to the corresponding process of each step in the foregoing method, and will not be described in too much detail herein.
The embodiment of the application also provides a computer readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to execute the operation response method as described in the above embodiments.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can be implemented by hardware, or by software plus a necessary general hardware platform, and based on such understanding, the technical solution of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments of the present application.
In summary, in the present solution, the preset sandbox in the host performs filtering authentication on the operation request to the host, and only after the filtering authentication is completed, the operation request is input into the host through the second port of the host, so that the second port of the host, which actually receives the operation request, is not exposed, and the security of the operation response can be improved. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other ways. The apparatus, system, and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. An operation response method, the method comprising:
receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
filtering and authenticating the operation request through a first packet filtering firewall and a first authentication strategy in the preset sandbox;
and after the operation request is subjected to filtering authentication of the preset sandbox, receiving the operation request through a second port corresponding to the first port in the host machine, and responding to the operation request through the host machine.
2. The method of claim 1, before receiving an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the method further comprising:
and filtering and authenticating the operation request through a second packet filtering firewall and a second authentication strategy in the host machine.
3. The method of claim 1, wherein prior to receiving the operation request through a second port in the host corresponding to the first port, the method further comprises:
detecting the operation request through a virus killing database in the preset sandbox, wherein receiving the operation request through the second port corresponding to the first port in the host machine comprises:
when the operation request passes the detection, receiving the operation request through the second port corresponding to the first port in the host machine.
4. The method according to claim 1, before receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, the method comprises:
mapping the second port corresponding to the type of the request in the host machine to be the first port;
based on a preset container engine, creating a sandbox image corresponding to the host machine in the host machine to serve as the preset sandbox, wherein the preset sandbox comprises services corresponding to the first port, and the services comprise SSH services;
and establishing a connection between the preset sandbox and a response system of the host machine, so that the host machine jumps the received operation request into the preset sandbox.
5. The method of claim 4, further comprising:
and shielding the second port of the host machine.
6. The method of claim 4, further comprising:
and configuring management authority aiming at the host machine for the preset sandbox, wherein the management authority comprises an IP address range allowing access.
7. The method of claim 4, further comprising:
and deleting a command for acquiring the specified information of the system of the host in the preset sandbox.
8. An operation response device, characterized in that the device comprises:
the device comprises a first receiving unit, a second receiving unit and a control unit, wherein the first receiving unit is used for receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, and the first port is a port which is associated with the type of the operation request in advance;
the filtering authentication unit is used for filtering and authenticating the operation request through a first packet filtering firewall and a first authentication strategy in the preset sandbox;
and the second receiving unit is used for receiving the operation request through a second port corresponding to the first port in the host machine after the operation request is subjected to filtering authentication of the preset sandbox, and responding to the operation request through the host machine.
9. An electronic device, characterized in that the electronic device comprises a processor and a memory coupled to each other, the memory storing a computer program which, when executed by the processor, causes the electronic device to perform the method according to any of claims 1-7.
10. A computer-readable storage medium, in which a computer program is stored which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
CN202111443278.2A 2021-11-30 2021-11-30 Operation response method, device, electronic equipment and computer readable storage medium Active CN114124558B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111443278.2A CN114124558B (en) 2021-11-30 2021-11-30 Operation response method, device, electronic equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111443278.2A CN114124558B (en) 2021-11-30 2021-11-30 Operation response method, device, electronic equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN114124558A true CN114124558A (en) 2022-03-01
CN114124558B CN114124558B (en) 2024-02-06

Family

ID=80368830

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111443278.2A Active CN114124558B (en) 2021-11-30 2021-11-30 Operation response method, device, electronic equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN114124558B (en)

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101075188A (en) * 2006-05-17 2007-11-21 联想(北京)有限公司 Safety inputting method based on virtual machine
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
CN103810429A (en) * 2014-02-28 2014-05-21 成都长天信息技术有限公司 Computer virus searching and killing method based on desktop cloud virtualization technology
CN105653938A (en) * 2015-12-31 2016-06-08 中国电子科技网络信息安全有限公司 Sandbox protection system and method for virtual machine
WO2017031954A1 (en) * 2015-08-25 2017-03-02 华为技术有限公司 Data communication method, user equipment, and server
CN106845213A (en) * 2016-12-26 2017-06-13 沈阳通用软件有限公司 A kind of application security system based on Sandboxing
CN107122224A (en) * 2016-02-25 2017-09-01 中兴通讯股份有限公司 A kind of data transmission method, virtual machine and host
CN107395650A (en) * 2017-09-07 2017-11-24 杭州安恒信息技术有限公司 Even method and device is returned based on sandbox detection file identification wooden horse
CN107609396A (en) * 2017-09-22 2018-01-19 杭州安恒信息技术有限公司 A kind of escape detection method based on sandbox virtual machine
CN107682333A (en) * 2017-09-30 2018-02-09 北京奇虎科技有限公司 Virtualization safety defense system and method based on cloud computing environment
CN107992743A (en) * 2017-12-04 2018-05-04 山东渔翁信息技术股份有限公司 A kind of identity authentication method based on sandbox, device, equipment and storage medium
CN109165506A (en) * 2018-07-05 2019-01-08 河南中烟工业有限责任公司 A kind of method of industry control fault-tolerant server online checking and killing virus and antivirus protection
CN110022294A (en) * 2019-02-27 2019-07-16 广州虎牙信息科技有限公司 A kind of proxy server, Docker system and its right management method, storage medium
CN110516437A (en) * 2019-08-27 2019-11-29 中国信息安全测评中心 Security sweep method and device based on virtualized environment
CN111274570A (en) * 2019-06-25 2020-06-12 宁波奥克斯电气股份有限公司 Encryption authentication method and device, server, readable storage medium and air conditioner
CN112866244A (en) * 2021-01-15 2021-05-28 中国电子科技集团公司第十五研究所 Network flow sandbox detection method based on virtual network environment
US20210200859A1 (en) * 2019-12-31 2021-07-01 Fortinet, Inc. Malware detection by a sandbox service by utilizing contextual information

Also Published As

Publication number Publication date
CN114124558B (en) 2024-02-06

Similar Documents

Publication Publication Date Title
KR102301721B1 (en) Dual memory introspection to protect multiple network endpoints
US11625489B2 (en) Techniques for securing execution environments by quarantining software containers
US10242186B2 (en) System and method for detecting malicious code in address space of a process
US9251343B1 (en) Detecting bootkits resident on compromised computers
US8954897B2 (en) Protecting a virtual guest machine from attacks by an infected host
Angel et al. Defending against malicious peripherals with Cinch
US8281363B1 (en) Methods and systems for enforcing network access control in a virtual environment
US10216931B2 (en) Detecting an attempt to exploit a memory allocation vulnerability
WO2017160765A1 (en) System and method for process hollowing detection
US11438349B2 (en) Systems and methods for protecting devices from malware
US10505975B2 (en) Automatic repair of corrupt files for a detonation engine
WO2009094371A1 (en) Trusted secure desktop
CN110119619B (en) System and method for creating anti-virus records
US9584550B2 (en) Exploit detection based on heap spray detection
RU2460133C1 (en) System and method of protecting computer applications
CN114124558B (en) Operation response method, device, electronic equipment and computer readable storage medium
Nazar et al. Rooting Android–Extending the ADB by an auto-connecting WiFi-accessible service
Ramachandran et al. Rapid and proactive approach on exploration of vulnerabilities in cloud based operating systems
CN116961977A (en) Security detection method, apparatus, device and computer program product
Awade et al. WallDroid: Firewalls for the Android OS
Xu Security enhancement of secure USB debugging in Android system
Yadav et al. Attack Vector Analysis with a New Benchmark

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant