CN114221775A - Early warning method and device for dangerous port, cloud server and storage medium - Google Patents


Info

Publication number: CN114221775A
Authority: CN (China)
Prior art keywords: port, dangerous, target, information, detection model
Legal status: Pending (the legal status is an assumption made by Google Patents and is not a legal conclusion)
Application number: CN202010987633.1A
Other languages: Chinese (zh)
Inventor: 宋灏志
Current assignee: Beijing Kingsoft Cloud Network Technology Co Ltd (assignee listings may be inaccurate; Google has performed no legal analysis)
Original assignee: Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202010987633.1A
Publication of CN114221775A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

Embodiments of the invention provide an early warning method and device for a dangerous port, a cloud server and a storage medium. The method is applied to a cloud server and comprises the following steps: detecting a target port to obtain port information of the target port, wherein the target port comprises an intranet port and/or an extranet port; determining, according to the port information, whether a dangerous port exists among the target ports; and if so, sending a defense instruction to the deployed defense system so that the defense system starts its defense function. On the one hand, the cloud server can eliminate the potential safety hazard posed by the dangerous port before an attacker intrudes; on the other hand, because the defense function is already started as soon as a dangerous port exists, the response time of the defense system when an intrusion does occur is shortened, so that defense can begin before the attacker succeeds.

Description

Early warning method and device for dangerous port, cloud server and storage medium
Technical Field
The invention relates to the technical field of cloud security, in particular to a method and a device for early warning of a dangerous port, a cloud server and a storage medium.
Background
To ensure the security of a cloud service, the service generally has defensive measures such as DDoS attack defense and brute-force attack prevention. These defensive measures are implemented by a defense system deployed in the cloud server.
After a cloud service is deployed, some extranet ports are open by default and become exposure points that can be attacked: an attacker who discovers the open ports can obtain privileges on the cloud server by penetration and similar means, steal the user's data, and cause the user great loss. Some commonly used intranet ports are also left at their default values, for example the commonly used MySQL database port 3306 and the commonly used Redis cache database port 6379. These intranet ports can likewise become exposure points and are likely targets of attack.
Existing defense systems only defend once an attack is under way and cannot give early warning for ports with potential safety hazards. For example, when an attacker who has entered the intranet scans for default ports, the defense system needs a certain response time, while the fact that the intranet ports are default ports greatly shortens the attacker's intrusion time, so the attack may succeed before the defense system responds.
Disclosure of Invention
The embodiment of the invention aims to provide a method and a device for early warning of a dangerous port, a cloud server and a storage medium, so as to realize early warning of the dangerous port. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides an early warning method for a dangerous port, which is applied to a cloud server, and the method includes:
detecting a target port to obtain port information of the target port, wherein the target port comprises an intranet port and/or an extranet port;
determining whether a dangerous port exists in the target ports according to the port information;
if so, sending a defense instruction to the deployed defense system so that the defense system starts a defense function.
Optionally, in the case that there is a dangerous port, the method further includes:
sending the identification of the dangerous port to a user;
when an ignoring message sent by the user is received, recording the identifier of the dangerous port; and/or closing the dangerous port if a closing instruction for indicating to close the dangerous port is received.
Optionally, the step of determining whether a dangerous port exists in the target ports according to the port information includes:
inputting the port information into a detection model which is trained in advance, and determining whether a dangerous port exists in the target port by using the detection model;
or sending the port information to the device to which the detection model belongs, so that the device determines whether a dangerous port exists in the target port based on the port information and the detection model;
and the detection model is trained according to the corresponding relation between the dangerous port and the port information.
Optionally, the step of determining whether a dangerous port exists in the target ports by using the detection model includes:
if the port information indicates that the external network port is an open port, determining that the external network port is a dangerous port;
if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port;
and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port, wherein the preset port is a port with potential danger determined according to dangerous port information collected in advance.
Optionally, the method further includes:
collecting published dangerous port information;
and adding the information of the dangerous port into a training set of the detection model, and updating the detection model through the training set.
Optionally, the step of determining whether a dangerous port exists in the target ports according to the port information includes:
determining a suspected dangerous port among the target ports according to the port information;
and when the number of consecutive occurrences of the suspected dangerous port reaches a preset count threshold, determining that the suspected dangerous port is a dangerous port.
Optionally, the step of detecting the target port to obtain port information of each port includes:
and traversing the target external network port and the target internal network port through a pre-written script code to obtain port information of each port, wherein the target external network port and the target internal network port are preset ports needing to be traversed.
In a second aspect, an embodiment of the present invention provides an early warning device for a dangerous port, which is applied to a cloud server, and the device includes:
the port information detection module is used for detecting a target port to obtain port information of the target port, wherein the target port comprises an intranet port and/or an extranet port;
a dangerous port determining module, configured to determine whether a dangerous port exists in the target port according to the port information;
and the danger early warning module is used for sending a defense instruction to a deployed defense system if a danger port exists so as to enable the defense system to start a defense function.
Optionally, the apparatus further comprises:
the early warning information sending module is used for sending the identification of the dangerous port to a user under the condition that the dangerous port exists;
the port processing module is used for recording the identifier of the dangerous port when an ignore message sent by the user is received; and/or closing the dangerous port if a closing instruction indicating to close the dangerous port is received.
Optionally, the dangerous port determining module includes:
a first dangerous port determining unit, configured to input the port information into a detection model that is trained in advance, and determine whether a dangerous port exists in the target port by using the detection model, or send the port information to a device to which the detection model belongs, so that the device determines whether a dangerous port exists in the target port based on the port information and the detection model;
and the detection model is trained according to the corresponding relation between the dangerous port and the port information.
Optionally, the first dangerous port determining unit is specifically configured to determine that the external network port is a dangerous port if the port information indicates that the external network port is an open port; if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port; and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port, wherein the preset port is a port with potential danger determined according to dangerous port information collected in advance.
Optionally, the apparatus further comprises:
the information collection module is used for collecting published dangerous port information;
and the training set updating module is used for adding the dangerous port information into a training set of the detection model and updating the detection model through the training set.
Optionally, the dangerous port determining module includes:
a suspected port determining unit, configured to determine a suspected dangerous port in the target port according to the port information;
and the second dangerous port determining unit is used for determining the suspected dangerous port as a dangerous port when the number of continuous occurrences of the suspected dangerous port reaches a preset number threshold.
Optionally, the port information detecting module includes:
and the second port information detection unit is used for traversing the target external network port and the target internal network port through a pre-programmed script code to obtain port information of each port, wherein the target external network port and the target internal network port are preset ports needing to be traversed.
In a third aspect, an embodiment of the present invention provides a cloud server, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor adapted to perform the method steps of any of the above first aspects when executing a program stored in the memory.
In a fourth aspect, the present invention provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps of any one of the above first aspects.
In a fifth aspect, embodiments of the present invention provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method steps of any of the first aspects described above.
The embodiment of the invention has the following beneficial effects:
In the scheme provided by the embodiment of the invention, the cloud server detects a target port to obtain the port information of the target port, wherein the target port comprises an intranet port and/or an extranet port, determines according to the port information whether a dangerous port exists among the target ports, and, if a dangerous port exists, sends a defense instruction to the deployed defense system so that the defense system starts its defense function. On the one hand, the cloud server can eliminate the potential safety hazard posed by the dangerous port before an attacker intrudes; on the other hand, because the defense function is already started as soon as a dangerous port exists, the response time of the defense system when an intrusion does occur is shortened, so that defense can begin before the attacker succeeds. Of course, not all of the advantages described above need to be achieved at the same time by any one product or method practising the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a cloud server according to an embodiment of the present invention;
fig. 2 is a flowchart of an early warning method for a dangerous port according to an embodiment of the present invention;
FIG. 3 is a flowchart of a manner of prompting a user based on the embodiment shown in FIG. 1;
FIG. 4 is a flow chart of a way of updating a training set based on the embodiment shown in FIG. 1;
fig. 5 is another flowchart of an early warning method for a dangerous port according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an early warning device for a dangerous port according to an embodiment of the present invention;
fig. 7 is another schematic structural diagram of an early warning device for a dangerous port according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a cloud server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to implement early warning on a dangerous port, embodiments of the present invention provide an early warning method and apparatus for a dangerous port, a cloud server, a computer-readable storage medium, and a computer program product. First, a method for early warning a dangerous port according to an embodiment of the present invention is described below.
The early warning method for the dangerous port provided by the embodiment of the invention can be applied to a cloud server in a cloud service system, as shown in fig. 1, a defense system 101 can be deployed in the cloud server 100, and the defense system 101 is used for defending attacks of intruders. In order to timely discover a dangerous port that may be attacked by an intruder, the cloud server 100 may further deploy the early warning system 102, so that the cloud server 100 may execute the early warning method for the dangerous port provided by the embodiment of the present invention through the early warning system 102.
As shown in fig. 2, an early warning method for a dangerous port is applied to a cloud server, and the method includes:
S201, detecting a target port to obtain port information of the target port;
wherein the target port comprises an intranet port and/or an extranet port.
S202, determining whether a dangerous port exists among the target ports according to the port information;
S203, if a dangerous port exists, sending a defense instruction to the deployed defense system so that the defense system starts its defense function.
If no dangerous port exists, detection of the extranet ports and/or intranet ports may continue, so that step S203 is executed once a dangerous port appears.
Therefore, in the scheme provided by the embodiment of the invention, the cloud server detects the target ports to obtain their port information, wherein the target ports comprise intranet ports and/or extranet ports, determines from the port information whether a dangerous port exists, and, if one exists, sends a defense instruction to the deployed defense system so that the defense system starts its defense function. On the one hand, the cloud server can eliminate the potential safety hazard posed by the dangerous port before an attacker intrudes; on the other hand, because the defense function is already started as soon as a dangerous port exists, the response time of the defense system when an intrusion does occur is shortened, so that defense can begin before the attacker succeeds.
In order to discover in time a dangerous port that may be attacked by an intruder, the cloud server may perform step S201, that is, detect the target ports to obtain the port information of each target port. The target ports comprise intranet ports and/or extranet ports. In one embodiment, the cloud server may detect the extranet ports and/or intranet ports periodically to obtain the port information of each target port; for example, periodic detection can be implemented through a scheduled task.
Of course, the cloud server may also detect the extranet ports and/or intranet ports on demand. For example, detection may be triggered when a detection instruction is received; the instruction may be sent by a user through a preset user interface whenever the user needs to check whether a dangerous port exists, or it may be sent to the cloud server by another electronic device, which is not specifically limited here.
The port information is information that characterizes the state of a port. For an extranet port, it may indicate whether the port is open; for an intranet port, it may indicate whether the port is a default port.
When detecting an extranet port, the cloud server may send a probe message to the port; if the port is open, the service behind it answers with a fixed response, from which the cloud server determines that the extranet port is open. For an intranet port, the cloud server may read the port's configuration information as its port information; if that configuration is the default configuration, the port is determined to be a default port.
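The detection step described above, as an added example that is not part of the patent: extranet ports are probed with a TCP connect (a successful connect is the "fixed response" that marks the port open), and intranet ports are compared against a table of service defaults. The default-port table beyond MySQL 3306 and Redis 6379, the PortInfo field names and the local listener used to exercise the scanner offline are all assumptions of this example.

```python
import socket
from dataclasses import dataclass

# Constructed table of default listening ports for common intranet services.
# The page names MySQL (3306) and Redis (6379); the other entries are
# assumptions added for this example.
DEFAULT_SERVICE_PORTS = {
    "mysql": 3306,
    "redis": 6379,
    "postgresql": 5432,
    "mongodb": 27017,
}


@dataclass
class PortInfo:
    """Port information as the page describes it: open/closed for an
    extranet port, default/non-default for an intranet port."""
    port: int
    extranet: bool            # True for a public-facing (extranet) port
    is_open: bool = False     # meaningful for extranet ports
    is_default: bool = False  # meaningful for intranet ports


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send a TCP connect probe; True means something answered (port is open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_extranet_ports(host: str, ports, timeout: float = 1.0) -> list:
    """Traverse the preset list of extranet ports and record which are open."""
    return [PortInfo(p, True, is_open=probe_tcp_port(host, p, timeout)) for p in ports]


def check_intranet_ports(service_config: dict) -> list:
    """service_config maps a service name to its configured listening port.
    A port still equal to the service's well-known default is flagged."""
    result = []
    for name, port in service_config.items():
        default = DEFAULT_SERVICE_PORTS.get(name)
        result.append(PortInfo(port, False,
                               is_default=(default is not None and port == default)))
    return result


def start_local_listener() -> tuple:
    """Open a throwaway listener on 127.0.0.1 so the scanner can be exercised
    offline; returns (socket, port). Closing the socket 'closes the port'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print(scan_extranet_ports("127.0.0.1", [port]))   # is_open=True
    srv.close()
    print(scan_extranet_ports("127.0.0.1", [port]))   # is_open=False once released
    print(check_intranet_ports({"mysql": 3306, "redis": 16379}))
```

A connect probe only reports that a listener answered; it does not identify the service, so in practice the open-port result is combined with service identification before a defense instruction is sent.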
After obtaining the port information of each target port, the cloud server may determine whether a dangerous port exists in the extranet port and/or the intranet port according to the port information, that is, execute the step S202. Since the open port and the default port are likely to be targets of attack by an intruder, if the port information represents that the corresponding port is an open port or a default port, the cloud server may determine that the port is a dangerous port.
Furthermore, the cloud server may execute step S203, that is, send a defense instruction to the deployed defense system; after receiving the defense instruction, the defense system starts its defense function and prepares to defend the dangerous port.
As an implementation manner of the embodiment of the present invention, as shown in fig. 3, in the case that there is a dangerous port, the method may further include:
s301, the identification of the dangerous port is sent to a user;
When a dangerous port is determined to exist, in order to inform the user of the potential safety hazard to the cloud service, the cloud server may send the identifier of the dangerous port to the user, and may send related information about the dangerous port together with the identifier so that the user can handle the port accordingly.
The cloud server may send the identifier of the dangerous port to the user through an APP (application), a short message notification, an email notification or the like, which is not specifically limited here.
Once the user knows the identifier of the dangerous port, the user can handle the port appropriately to eliminate the potential safety hazard, either through manual operation or by delegating the handling to the cloud server.
For example, the parameters of the dangerous port can be modified, the connection mode of the dangerous port can be changed, or the dangerous port can be closed. Where the dangerous port is an extranet port, the potential safety hazard may also be mitigated by placing a CDN (Content Delivery Network) server in front of it; the specific handling is not limited here.
When the dangerous port is an external network port, the user can be a tenant of the cloud service; when the dangerous port is an intranet port, the user may be a manager of cloud service, and the like.
S302, when an ignoring message sent by the user is received, recording the identifier of the dangerous port; and/or closing the dangerous port if a closing instruction for indicating to close the dangerous port is received.
Of course, in one implementation the user may neither want to handle the dangerous port nor keep receiving reminders from the cloud server. So as not to disturb the user, the user may feed back an ignore message to the cloud server, where the ignore message may include the identifier of the dangerous port. After receiving the ignore message, the cloud server records the identifier of the dangerous port and no longer sends reminders about that port to the user.
As an embodiment, the ignore message sent by the user may further include a time identifier indicating for how long reminders are to be suppressed. The cloud server starts a timer on receiving the ignore message; while the elapsed time is below the indicated duration, no reminder about the dangerous port is sent, and once the duration has elapsed, reminders about the dangerous port may be sent to the user again.
In another embodiment, the user may delegate the closing of the dangerous port to the cloud server: after receiving the identifier of a dangerous port, a user who wants that port closed sends a closing instruction, and the cloud server closes the dangerous port on receiving it.
Therefore, in this embodiment, when a dangerous port exists the cloud server sends its identifier to the user to inform the user of the potential safety hazard. When an ignore message is received, the identifier is recorded and no further reminders about that port are sent; when a closing instruction is received, the dangerous port is closed. Reminding and handling can thus be adapted to the user's needs, which both alerts the user to the hazard and improves the user experience.
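The reminder, ignore and close handling of steps S301 and S302, as an added example that is not the patent's own code: reminders are suppressed per port identifier, either indefinitely or until the duration carried by the ignore message elapses, and a closing instruction calls out to whatever closes the port. The port identifier format, the injected send and close_port callables and the injectable clock are assumptions of this example; a real deployment would wire them to the notification channel and the firewall or service configuration.

```python
import time


class DangerousPortNotifier:
    """Reminder and handling policy for a confirmed dangerous port.

    send(port_id, details) delivers the reminder (APP, SMS, email, ...);
    close_port(port_id) performs the actual closing; clock() returns the
    current time in seconds. All three are injected so the policy can be run
    without a messaging channel or firewall (assumptions of this example)."""

    def __init__(self, send, close_port, clock=time.time):
        self.send = send
        self.close_port = close_port
        self.clock = clock
        self.ignored_until = {}   # port_id -> expiry timestamp, or None = indefinitely
        self.closed = set()       # audit record of ports closed on instruction

    def is_suppressed(self, port_id) -> bool:
        """True while an ignore message for port_id is in force."""
        if port_id not in self.ignored_until:
            return False
        expiry = self.ignored_until[port_id]
        if expiry is None or self.clock() < expiry:
            return True
        del self.ignored_until[port_id]   # duration elapsed: reminders resume
        return False

    def on_dangerous_port(self, port_id, details=None) -> bool:
        """Called each time a detection round finds port_id dangerous.
        Returns True if a reminder was sent, False if it was suppressed.
        A port closed earlier that shows up again is NOT suppressed: that
        means the close did not hold and the user must hear about it."""
        if self.is_suppressed(port_id):
            return False
        self.send(port_id, details)
        return True

    def on_ignore_message(self, port_id, duration=None):
        """Ignore message from the user; duration in seconds, None = indefinitely."""
        self.ignored_until[port_id] = None if duration is None else self.clock() + duration

    def on_close_instruction(self, port_id):
        """Closing instruction from the user: close the port, drop any ignore."""
        self.close_port(port_id)
        self.closed.add(port_id)
        self.ignored_until.pop(port_id, None)


if __name__ == "__main__":
    now = [1000.0]   # fake clock so the example is deterministic
    n = DangerousPortNotifier(send=lambda p, d: print("remind", p),
                              close_port=lambda p: print("close", p),
                              clock=lambda: now[0])
    n.on_dangerous_port("extranet:80")             # remind extranet:80
    n.on_ignore_message("extranet:80", duration=600)
    n.on_dangerous_port("extranet:80")             # suppressed
    now[0] += 601
    n.on_dangerous_port("extranet:80")             # remind extranet:80 again
    n.on_close_instruction("intranet:3306")        # close intranet:3306
```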
As an implementation manner of the embodiment of the present invention, the step of determining whether a dangerous port exists in the target ports according to the port information may include:
inputting the port information into a detection model trained in advance and determining, with the detection model, whether a dangerous port exists among the extranet ports and intranet ports; or sending the port information to the device to which the detection model belongs so that the device determines whether a dangerous port exists among the target ports based on the port information and the detection model.
In order to determine quickly and accurately whether a dangerous port exists among the extranet and intranet ports, a detection model may be trained in advance. The detection model may be a deep learning model such as a convolutional neural network or a recurrent neural network, which is not specifically limited here. The detection model is trained according to the correspondence between dangerous ports and port information.
To train the detection model, an initial network model and a training set are obtained in advance, where the training set comprises a plurality of port information samples collected beforehand. Each port information sample is then marked as to whether its port is a dangerous port, giving each sample a ground-truth label. In one embodiment, 1 may be used as the label for a dangerous port and 0 for a non-dangerous port.
Each port information sample is then input into the initial network model, which processes it (by convolution, pooling and so on) using its current network parameters and outputs a predicted label, that is, a prediction of whether the sample is the port information of a dangerous port.
Since the initial network model will not at first output accurate results, its network parameters are adjusted repeatedly based on the difference between the predicted label and the ground-truth label of each sample, so that as the parameters are adjusted the accuracy of the output improves, that is, the difference between predicted and ground-truth labels shrinks.
Training continues until the initial network model converges after a certain number of iterations, that is, until its loss function value reaches a minimum and stabilizes. At that point the network processes port information accurately enough to identify dangerous ports, training can stop, and the network model at that point is the detection model.
The initial network model may be trained by gradient descent, stochastic gradient descent and the like, and the loss function may be a cross-entropy function or the like; neither is specifically limited here.
If the detection model is deployed in the cloud server, the cloud server can input port information into the detection model which is trained in advance, and whether dangerous ports exist in the external network port and the internal network port is determined by using the detection model.
If the detection model is deployed in other equipment, the cloud server can send the port information to the equipment to which the detection model belongs, and the equipment can determine whether a dangerous port exists in the target port by using the port information and the detection model. And then, the determination result can be returned to the cloud server, and the cloud server can determine whether a dangerous port exists in the target port.
As can be seen, in this embodiment, the cloud server may input the port information into a detection model that is trained in advance, determine whether a dangerous port exists in the target port by using the detection model, and may also send the port information to the device to which the detection model belongs, so that the device determines whether a dangerous port exists in the target port based on the port information and the detection model. In any case, the dangerous port can be accurately determined, and the degree of intelligence of the processing procedure can be improved.
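The training procedure described above (labels 1/0, predicted label versus ground-truth label, cross-entropy loss minimized by gradient descent) and the training-set update of the earlier "collecting published dangerous port information" step, carried through as an added example that is not the patent's model. A logistic regression over four binary port features stands in for the convolutional or recurrent network the patent names, because the training loop, loss and update step are the same and it runs in plain Python; the feature names, the constructed samples, the learning rate and the epoch count are assumptions of this example.

```python
import math

# Binary features of one port-information record (assumed encoding).
FEATURES = ("extranet", "is_open", "is_default", "is_preset")


def port_features(info: dict) -> list:
    return [1.0 if info[f] else 0.0 for f in FEATURES]


# Constructed training set: (port information sample, label), label 1 = dangerous.
# It deliberately contains no preset-port samples, to show the update step below.
BASE_TRAINING_SET = [
    ({"extranet": 1, "is_open": 1, "is_default": 0, "is_preset": 0}, 1),  # open extranet port
    ({"extranet": 1, "is_open": 0, "is_default": 0, "is_preset": 0}, 0),  # closed extranet port
    ({"extranet": 0, "is_open": 1, "is_default": 1, "is_preset": 0}, 1),  # intranet default port
    ({"extranet": 0, "is_open": 1, "is_default": 0, "is_preset": 0}, 0),  # intranet non-default port
]

# Constructed "published dangerous port information": ports that are neither open
# extranet ports nor default intranet ports but appear on a published list.
PUBLISHED_DANGEROUS_PORT_INFO = [
    {"extranet": 0, "is_open": 1, "is_default": 0, "is_preset": 1},
    {"extranet": 1, "is_open": 0, "is_default": 0, "is_preset": 1},
]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def _logit(model, info):
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, port_features(info))) + b


def train_detection_model(samples, lr: float = 1.0, epochs: int = 5000):
    """Full-batch gradient descent on the average cross-entropy loss.
    Returns the model as (weights, bias)."""
    n = len(FEATURES)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for info, y in samples:
            x = port_features(info)
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)  # predicted label
            err = p - y          # d(cross-entropy)/d(logit) for one sample
            for i in range(n):
                grad_w[i] += err * x[i]
            grad_b += err
        m = len(samples)
        w = [wi - lr * g / m for wi, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def average_cross_entropy(model, samples) -> float:
    total = 0.0
    for info, y in samples:
        p = min(max(sigmoid(_logit(model, info)), 1e-12), 1 - 1e-12)
        total -= y * math.log(p) + (1 - y) * math.log(1 - p)
    return total / len(samples)


def predict_dangerous(model, info: dict) -> bool:
    """Predicted label: 1 (dangerous) when the model's probability is >= 0.5."""
    return sigmoid(_logit(model, info)) >= 0.5


def update_training_set(samples, published_port_info):
    """Add newly published dangerous port information, labelled 1, so the
    model can be retrained on it."""
    return list(samples) + [(info, 1) for info in published_port_info]


if __name__ == "__main__":
    preset = {"extranet": 0, "is_open": 1, "is_default": 0, "is_preset": 1}
    base = train_detection_model(BASE_TRAINING_SET)
    print("before update:", predict_dangerous(base, preset))      # False
    updated = train_detection_model(
        update_training_set(BASE_TRAINING_SET, PUBLISHED_DANGEROUS_PORT_INFO))
    print("after update:", predict_dangerous(updated, preset))    # True
```

The point of the two training runs is the caveat behind the patent's update step: a model never shown preset ports leaves the corresponding weight at zero and cannot flag them, however well it fits the rest, so newly published dangerous port information has to reach the training set and trigger retraining before the detection model will act on it.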
As an implementation manner of the embodiment of the present invention, the step of determining whether a dangerous port exists in the target ports by using the detection model may include:
if the port information indicates that the external network port is an open port, determining that the external network port is a dangerous port; if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port; and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port.
In this embodiment, the dangerous ports include at least three cases, which are respectively an open port, a default port and a preset port, where the preset port is a port having a potential danger determined according to the dangerous port information collected in advance. The dangerous port information may be dangerous port information published on the market or dangerous port information acquired through other channels, which is reasonable and not specifically limited herein.
Therefore, when the port information meets any of the following three conditions, the cloud server may determine, by using the detection model, that the port information is the port information of a dangerous port, that is, the port may be determined to be a dangerous port. In the first case: when the port information of a certain external network port indicates that the external network port is an open port, the open port is easily invaded by an attacker, so that the external network port can be determined to be a dangerous port.
In the second case: when the port information of an intranet port indicates that the intranet port is a default port, configuration parameters and the like of the default port are all default and are easy to be invaded by an attacker, so that the intranet port can be determined to be a dangerous port.
In the third case: although some ports are not open ports or default ports, since some vulnerabilities may exist in a computer system, these ports may also be vulnerable to attacks. For these ports, professionals often collect and organize the information, and issue the information related to these ports with potential safety hazards, so as to facilitate defense, and such ports can be used as preset ports. When the detection model detects that the port information indicates that the external network port or the internal network port is a preset port, the port can be determined to be a dangerous port.
Therefore, in this embodiment, the detection model can identify various ports with potential safety hazards, including an open port, a default port and a preset port, and can comprehensively determine dangerous ports so as to perform comprehensive early warning.
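The three cases above, as an added example that is not the patent's own code: the trained detection model is replaced by an explicit rule set so the decision logic is visible, and the port records and the preset port list are constructed placeholders.

```python
"""Added example (not the patent's own code): the three dangerous-port rules
of this embodiment written as a plain rule set. The patent trains a detection
model; here the same three cases are hard-coded so the logic can be read and
tested. All port data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# "Preset ports": ports flagged in previously collected dangerous-port
# information. The value is a constructed placeholder, not a published list.
PRESET_PORTS: frozenset[int] = frozenset({2486})

VALID_SIDES = ("extranet", "intranet")


@dataclass(frozen=True)
class PortInfo:
    """Port information as gathered by the detection step for one port."""
    port: int
    side: str             # "extranet" or "intranet"
    is_open: bool         # listening and reachable from its network side
    default_config: bool  # service still runs with its default configuration


def classify(info: PortInfo, preset_ports: frozenset[int] = PRESET_PORTS) -> list[str]:
    """Return the reasons (possibly none) why this port is dangerous.

    Case 1: an open extranet port.
    Case 2: an intranet port that still has its default configuration.
    Case 3: an extranet or intranet port that appears in the preset list.
    """
    if info.side not in VALID_SIDES:
        raise ValueError(f"unknown network side: {info.side!r}")
    reasons: list[str] = []
    if info.side == "extranet" and info.is_open:
        reasons.append("open")
    if info.side == "intranet" and info.default_config:
        reasons.append("default")
    if info.port in preset_ports:
        reasons.append("preset")
    return reasons


def dangerous_ports(
    infos: Iterable[PortInfo], preset_ports: frozenset[int] = PRESET_PORTS
) -> dict[tuple[str, int], list[str]]:
    """Map (side, port) -> reasons for every port judged dangerous."""
    result: dict[tuple[str, int], list[str]] = {}
    for info in infos:
        reasons = classify(info, preset_ports)
        if reasons:
            result[(info.side, info.port)] = reasons
    return result


# Constructed sample port information, as a traversal script would gather it.
SAMPLE_PORTS = [
    PortInfo(3306, "extranet", True, False),   # reachable from outside: case 1
    PortInfo(6379, "intranet", True, True),    # default configuration: case 2
    PortInfo(2486, "intranet", False, False),  # closed, but in preset list: case 3
    PortInfo(443, "intranet", True, False),    # hardened intranet port: not dangerous
]

if __name__ == "__main__":
    for key, why in dangerous_ports(SAMPLE_PORTS).items():
        print(key, why)
```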
As an implementation manner of the embodiment of the present invention, as shown in fig. 4, the method may further include:
S401, collecting published dangerous port information;
since the dangerous port information may be updated regularly or irregularly, the published dangerous port information may be collected regularly or irregularly in order to update the training set of the detection model in time and ensure the accuracy of the output result of the detection model.
S402, adding the dangerous port information into a training set of the detection model, and updating the detection model through the training set.
After the published dangerous port information is collected, the dangerous port information can be added into a training set of the detection model, and the training set is updated and expanded. The detection model may then be trained based on the training set to update parameters of the detection model. The specific training has already been described in the above embodiments, and will not be described herein.
Therefore, in the embodiment, the port corresponding to the published new dangerous port information can be identified based on the detection model obtained by training the updated training set, so that the dangerous port can be detected more comprehensively, and the safety of the cloud service is ensured.
As an implementation manner of the embodiment of the present invention, as shown in fig. 5, the method for early warning a dangerous port may include:
S501, detecting a target port to obtain port information of the target port.
The cloud server can detect the target ports at regular time or at irregular time to obtain the port information of each target port.
S502, according to the port information, determining suspected dangerous ports in the outer network port and the inner network port;
the cloud server may determine whether each target port is a suspected dangerous port according to the port information, where the suspected dangerous port may include an open port, a default port, and a preset port. The specific determination method has been described in the above embodiments, and is not described herein again.
S503, when the number of continuous occurrences of the suspected dangerous port reaches a preset number threshold, determining that the suspected dangerous port is a dangerous port;
Since the possibility of being attacked is not very high when a certain target port is determined to be a suspected dangerous port in only one detection, a preset number threshold may be set in order to avoid frequently determining a certain target port as a dangerous port and to avoid inaccuracy caused by a detection error in a single detection. The preset number threshold may be 3 times, 5 times, 6 times, etc., and may be set according to factors such as the detection time interval, the security requirement, etc., and is not specifically limited herein.
If the number of continuous occurrences of a certain suspected dangerous port reaches a preset number threshold, that is, the suspected dangerous port is determined as a suspected dangerous port in a plurality of continuous detections, which indicates that the suspected dangerous port is highly likely to be attacked, the cloud server may determine that the suspected dangerous port is a dangerous port.
If the number of continuous occurrences of a certain suspected dangerous port does not reach the preset number threshold, that is, the port is not determined as a suspected dangerous port in several consecutive detections, which indicates that the possibility of it being attacked is low and that a false detection may have occurred, the cloud server may determine that the suspected dangerous port is not a dangerous port.
S504, a defense instruction is sent to the deployed defense system, so that the defense system starts a defense function.
Step S504 is the same as step S203, and reference may be made to the description of step S203, which is not repeated herein.
As can be seen, in this embodiment, the cloud server may detect the target ports to obtain port information of each target port, determine a suspected dangerous port in the target ports according to the port information, and determine the suspected dangerous port as a dangerous port when the number of times that the suspected dangerous port continuously appears reaches a preset number threshold. The method can avoid frequently determining a certain port as a dangerous port in a short time, and simultaneously avoid inaccuracy caused by a certain detection error, thereby further improving the detection accuracy.
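Steps S501 to S503 as an added example (not code from the patent): a tracker that counts the consecutive detection rounds in which a port is suspected and confirms it as dangerous only when the preset number threshold is reached; the port keys and the detection rounds are constructed.

```python
"""Added example (not the patent's own code): the consecutive-occurrence
threshold of step S503. Each detection round yields the set of ports judged
suspected dangerous (open extranet, default intranet or preset ports, as in
the earlier embodiment); a port is confirmed dangerous only after it has been
suspected in `threshold` consecutive rounds. Port keys below are constructed."""
from __future__ import annotations

# (network side, port number), e.g. ("extranet", 3306)
PortKey = tuple[str, int]


class ConsecutiveSuspectTracker:
    """Track how many consecutive rounds each port has been suspected."""

    def __init__(self, threshold: int = 3) -> None:
        if threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.threshold = threshold
        self._streak: dict[PortKey, int] = {}
        self.confirmed: set[PortKey] = set()

    def observe(self, suspects: set[PortKey]) -> set[PortKey]:
        """Feed one round's suspected ports; return ports newly confirmed.

        A port absent from this round has its streak reset, so a single
        erroneous detection cannot carry a count forward, and a confirmed
        port that stops being suspected is no longer treated as dangerous.
        A port is reported exactly once, in the round its streak reaches the
        threshold; the caller sends the defense instruction (S504) for it.
        """
        newly_confirmed: set[PortKey] = set()
        for key in list(self._streak):
            if key not in suspects:
                del self._streak[key]
                self.confirmed.discard(key)
        for key in suspects:
            self._streak[key] = self._streak.get(key, 0) + 1
            if self._streak[key] == self.threshold:
                self.confirmed.add(key)
                newly_confirmed.add(key)
        return newly_confirmed

    def streak(self, key: PortKey) -> int:
        """Current consecutive-suspect count for a port (0 if not suspected)."""
        return self._streak.get(key, 0)


def run_rounds(rounds, threshold: int = 3) -> list[set[PortKey]]:
    """Replay detection rounds; return the newly confirmed ports per round."""
    tracker = ConsecutiveSuspectTracker(threshold)
    return [tracker.observe(set(r)) for r in rounds]


# Constructed rounds: MYSQL_EXT is suspected every round; REDIS_INT drops out
# of round 3 (a detection error), so its count restarts from round 4.
MYSQL_EXT: PortKey = ("extranet", 3306)
REDIS_INT: PortKey = ("intranet", 6379)
SAMPLE_ROUNDS = [
    {MYSQL_EXT, REDIS_INT},
    {MYSQL_EXT, REDIS_INT},
    {MYSQL_EXT},
    {MYSQL_EXT, REDIS_INT},
    {MYSQL_EXT, REDIS_INT},
    {MYSQL_EXT, REDIS_INT},
]

if __name__ == "__main__":
    for n, confirmed in enumerate(run_rounds(SAMPLE_ROUNDS, threshold=3), 1):
        print(f"round {n}: newly confirmed dangerous = {confirmed or '-'}")
```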
As an implementation manner of the embodiment of the present invention, the step of detecting the target port to obtain the port information of the target port may include:
and traversing the target external network port and the target internal network port through a pre-written script code to obtain the port information of each port.
Because some of the ports of the cloud server are relatively secure and are rarely attacked by an intruder, in order to improve the detection efficiency and reduce the required computing resources, the ports to be traversed, that is, the target extranet port and the target intranet port, can be preset.
The target extranet and intranet ports may include the above-mentioned open ports, default ports, and some ports that have been determined to be vulnerable, etc. The cloud server may add the ports to the traversal target in advance, and in one embodiment, the ports to be traversed may be recorded by using a table, that is, the traversal target. For example as shown in the following table:
Serial number        Port identification
Traversal target 1   3306
Traversal target 2   6379
Traversal target n   2486
Certainly, under the conditions of higher security requirement and the like, all ports of the cloud server can also be taken as traversal targets, which is reasonable, so that the cloud server can add all the ports into the traversal targets.
In one embodiment, when some ports need to be added or reduced, the traversal targets can be modified to add or reduce the corresponding traversal targets, and the traversal targets can be flexibly modified as needed. After the traversal target is modified, the cloud server detects the port information according to the modified traversal target.
When detecting a target external network port and a target internal network port, the cloud server may run a pre-written script code to traverse each traversal target, thereby obtaining port information of each port.
It can be seen that, in this embodiment, the cloud server may traverse the target extranet port and the target intranet port through a pre-written script code to obtain port information of each port, may select some ports that need to be traversed as traversal targets, may also use all ports as traversal targets, may also change the traversal targets at any time, and the cloud server may flexibly detect the target extranet port and the target intranet port as needed.
Corresponding to the early warning method of the dangerous port, the embodiment of the invention also provides an early warning device of the dangerous port. The following describes an early warning device for a dangerous port provided in an embodiment of the present invention.
As shown in fig. 6, an early warning apparatus for a dangerous port is applied to a cloud server, and the apparatus includes:
a port information detection module 610, configured to detect a target port to obtain port information of the target port;
wherein the target port comprises an intranet port and/or an extranet port.
A dangerous port determining module 620, configured to determine whether a dangerous port exists in the target port according to the port information;
and a danger early warning module 630, configured to send a defense instruction to a deployed defense system if a danger port exists, so that the defense system starts a defense function.
Therefore, in the scheme provided by the embodiment of the invention, the cloud server can detect the target port to obtain the port information of the target port, wherein the target port comprises an intranet port and/or an extranet port, determine whether a dangerous port exists in the target port according to the port information, and if a dangerous port exists, send a defense instruction to the deployed defense system so that the defense system starts a defense function. On one hand, the cloud server can eliminate the potential safety hazard caused by the dangerous port before an attacker invades the system; on the other hand, the cloud server can start the defense function as soon as a dangerous port exists, which shortens the response time of the defense system when an attacker intrudes, so that the defense system can be started to defend before the attacker successfully invades the system.
As an implementation manner of the embodiment of the present invention, as shown in fig. 7, the apparatus may further include:
the early warning information sending module 640 is used for sending the identifier of the dangerous port to a user under the condition that the dangerous port exists;
the port processing module 650 is configured to record an identifier of the dangerous port when receiving an ignore message sent by the user; and/or closing the dangerous port if a closing instruction for indicating to close the dangerous port is received.
As an implementation manner of the embodiment of the present invention, the dangerous port determining module 620 may include:
and the first dangerous port determining unit is used for inputting the port information into a detection model which is trained in advance, and determining whether a dangerous port exists in the target port or not by using the detection model, or sending the port information to equipment to which the detection model belongs, so that the equipment can determine whether a dangerous port exists in the target port or not based on the port information and the detection model.
And the detection model is trained according to the corresponding relation between the dangerous port and the port information.
As an implementation manner of the embodiment of the present invention, the first dangerous port determining unit may be specifically configured to determine that the external network port is a dangerous port if the port information indicates that the external network port is an open port; if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port; and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port, wherein the preset port is a port with potential danger determined according to dangerous port information collected in advance.
As an implementation manner of the embodiment of the present invention, the apparatus may further include:
the information collection module is used for collecting published dangerous port information at regular time or irregular time;
and the training set updating module is used for adding the dangerous port information into a training set of the detection model and updating the detection model through the training set.
As an implementation manner of the embodiment of the present invention, the dangerous port determining module 620 may include:
a suspected port determining unit, configured to determine a suspected dangerous port in the target port according to the port information;
and the second dangerous port determining unit is used for determining the suspected dangerous port as a dangerous port when the number of continuous occurrences of the suspected dangerous port reaches a preset number threshold.
As an implementation manner of the embodiment of the present invention, the port information detecting module 610 may include:
and the second port information detection unit is used for traversing the target external network port and the target internal network port through a pre-written script code to obtain the port information of each port.
The target external network port and the target internal network port are preset ports needing to be traversed.
The embodiment of the present invention further provides a cloud server, as shown in fig. 8, which includes a processor 801, a communication interface 802, a memory 803, and a communication bus 804, where the processor 801, the communication interface 802, and the memory 803 complete mutual communication through the communication bus 804,
a memory 803 for storing a computer program;
the processor 801 is configured to implement the steps of the warning method for the dangerous port according to any of the above embodiments when executing the program stored in the memory 803.
Therefore, in the scheme provided by the embodiment of the invention, the cloud server can detect the target port to obtain the port information of the target port, wherein the target port comprises an intranet port and/or an extranet port, determine whether a dangerous port exists in the target port according to the port information, and if a dangerous port exists, send a defense instruction to the deployed defense system so that the defense system starts a defense function. On one hand, the cloud server can eliminate the potential safety hazard caused by the dangerous port before an attacker invades the system; on the other hand, the cloud server can start the defense function as soon as a dangerous port exists, which shortens the response time of the defense system when an attacker intrudes, so that the defense system can be started to defend before the attacker successfully invades the system.
The communication bus mentioned in the cloud server may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the cloud server and other equipment.
The memory may include a random access memory (RAM) or a non-volatile memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method for early warning of a dangerous port according to any of the above embodiments.
It can be seen that, in the solution provided in the embodiment of the present invention, when executed by a processor, the computer program can detect a target port to obtain port information of the target port, where the target port includes an intranet port and/or an extranet port, determine whether a dangerous port exists in the target port according to the port information, and if so, send a defense instruction to a deployed defense system to enable the defense system to start a defense function. On one hand, the cloud server can eliminate the potential safety hazard caused by the dangerous port before an attacker invades the system; on the other hand, the cloud server can start the defense function as soon as a dangerous port exists, which shortens the response time of the defense system when an attacker intrudes, so that the defense system can be started to defend before the attacker successfully invades the system.
In a further embodiment of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the steps of the method for pre-warning a hazardous port according to any of the above embodiments.
It can be seen that, in the solution provided in the embodiment of the present invention, when the computer program product including the instructions runs on a computer, it can detect a target port to obtain port information of the target port, where the target port includes an intranet port and/or an extranet port, determine whether a dangerous port exists in the target port according to the port information, and if so, send a defense instruction to a deployed defense system to enable the defense system to start a defense function. On one hand, the cloud server can eliminate the potential safety hazard caused by the dangerous port before an attacker invades the system; on the other hand, the cloud server can start the defense function as soon as a dangerous port exists, which shortens the response time of the defense system when an attacker intrudes, so that the defense system can be started to defend before the attacker successfully invades the system.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave, etc.) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or a data center that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus, the cloud server, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to the description, reference may be made to some of the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (16)

1. An early warning method for a dangerous port, characterized in that it is applied to a cloud server and comprises the following steps:
detecting a target port to obtain port information of the target port, wherein the target port comprises an intranet port and/or an extranet port;
determining whether a dangerous port exists in the target ports according to the port information;
if so, sending a defense instruction to the deployed defense system so that the defense system starts a defense function.
2. The method of claim 1, wherein in the presence of a hazardous port, the method further comprises:
sending the identification of the dangerous port to a user;
if receiving the neglect message sent by the user, recording the identifier of the dangerous port; and/or closing the dangerous port if a closing instruction for indicating to close the dangerous port is received.
3. The method of claim 1, wherein the step of determining whether a dangerous port exists in the target ports according to the port information comprises:
inputting the port information into a detection model which is trained in advance, and determining whether a dangerous port exists in the target port by using the detection model;
or sending the port information to the device to which the detection model belongs, so that the device determines whether a dangerous port exists in the target port based on the port information and the detection model;
and the detection model is trained according to the corresponding relation between the dangerous port and the port information.
4. The method of claim 3, wherein the step of using the detection model to determine whether a dangerous port exists in the target ports comprises:
if the port information indicates that the external network port is an open port, determining that the external network port is a dangerous port;
if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port;
and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port, wherein the preset port is a port with potential danger determined according to dangerous port information collected in advance.
5. The method of claim 3, wherein the method further comprises:
collecting published dangerous port information;
and adding the information of the dangerous port into a training set of the detection model, and updating the detection model through the training set.
6. The method according to claim 1 or 2, wherein the step of determining whether a dangerous port exists in the target ports according to the port information comprises:
determining a suspected danger port in the target port according to the port information;
and when the number of continuous occurrences of the suspected dangerous port reaches a preset number threshold, determining that the suspected dangerous port is a dangerous port.
7. The method according to any one of claims 1 to 5, wherein the step of detecting the target port to obtain the port information of the target port comprises:
and traversing the target external network port and the target internal network port through a pre-written script code to obtain port information of each port, wherein the target external network port and the target internal network port are preset ports needing to be traversed.
8. An early warning device for a dangerous port, characterized in that it is applied to a cloud server, the device comprising:
the port information detection module is used for detecting a target port to obtain port information of the target port, wherein the target port comprises an intranet port and/or an extranet port;
a dangerous port determining module, configured to determine whether a dangerous port exists in the target port according to the port information;
and the danger early warning module is used for sending a defense instruction to a deployed defense system if a danger port exists so as to enable the defense system to start a defense function.
9. The apparatus of claim 8, wherein the apparatus further comprises:
the early warning information sending module is used for sending the identification of the dangerous port to a user under the condition that the dangerous port exists;
the port processing module is used for recording the identifier of the dangerous port if receiving the neglect message sent by the user; and/or closing the dangerous port if a closing instruction for indicating to close the dangerous port is received.
10. The apparatus of claim 8, wherein the hazardous port determining module comprises:
a first dangerous port determining unit, configured to input the port information into a detection model that is trained in advance, and determine whether a dangerous port exists in the target port by using the detection model, or send the port information to a device to which the detection model belongs, so that the device determines whether a dangerous port exists in the target port based on the port information and the detection model;
and the detection model is trained according to the corresponding relation between the dangerous port and the port information.
11. The apparatus of claim 10,
the first dangerous port determining unit is specifically configured to determine that the external network port is a dangerous port if the port information indicates that the external network port is an open port; if the port information indicates that the intranet port is a default port, determining that the intranet port is a dangerous port; and if the port information indicates that the external network port or the internal network port is a preset port, determining that the port is a dangerous port, wherein the preset port is a port with potential danger determined according to dangerous port information collected in advance.
12. The apparatus of claim 10, wherein the apparatus further comprises:
the information collection module is used for collecting published dangerous port information;
and the training set updating module is used for adding the dangerous port information into a training set of the detection model and updating the detection model through the training set.
13. The apparatus of claim 8 or 9, wherein the hazard port determination module comprises:
a suspected port determining unit, configured to determine a suspected dangerous port in the target port according to the port information;
and the second dangerous port determining unit is used for determining the suspected dangerous port as a dangerous port when the number of continuous occurrences of the suspected dangerous port reaches a preset number threshold.
14. The apparatus of any one of claims 8-12, wherein the port information detection module comprises:
and the second port information detection unit is used for traversing the target external network port and the target internal network port through a pre-programmed script code to obtain port information of each port, wherein the target external network port and the target internal network port are preset ports needing to be traversed.
15. A cloud server, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 7 when executing a program stored in the memory.
16. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 7.
CN202010987633.1A 2020-09-18 2020-09-18 Early warning method and device for dangerous port, cloud server and storage medium Pending CN114221775A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010987633.1A CN114221775A (en) 2020-09-18 2020-09-18 Early warning method and device for dangerous port, cloud server and storage medium


Publications (1)

Publication Number Publication Date
CN114221775A true CN114221775A (en) 2022-03-22

Family

ID=80695752


Country Status (1)

Country Link
CN (1) CN114221775A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002268985A (en) * 2001-03-13 2002-09-20 Yokogawa Electric Corp Vulnerability response system
WO2004100011A1 (en) * 2003-04-29 2004-11-18 Threatguard, Inc. System and method for network security scanning
CN103685279A (en) * 2013-12-18 2014-03-26 Southeast University (东南大学) Adaptive fast network port scanning method
CN104301183A (en) * 2014-10-23 2015-01-21 Beijing Knownsec Information Technology Co., Ltd. (北京知道创宇信息技术有限公司) Web container detection method and device based on IP range scanning
CN105306414A (en) * 2014-06-13 2016-02-03 Tencent Technology (Shenzhen) Co., Ltd. (腾讯科技(深圳)有限公司) Port vulnerability detection method, device and system
CN105592063A (en) * 2015-10-30 2016-05-18 Hangzhou H3C Technologies Co., Ltd. (杭州华三通信技术有限公司) Multicast anti-attack method and device
CN108965286A (en) * 2018-07-09 2018-12-07 State Grid Chongqing Electric Power Research Institute (国网重庆市电力公司电力科学研究院) Lightweight network device port detection method based on Python
CN109039812A (en) * 2018-07-20 2018-12-18 WeBank Co., Ltd. (深圳前海微众银行股份有限公司) Port detection method, system and computer-readable storage medium
CN109639631A (en) * 2018-10-30 2019-04-16 State Grid Shaanxi Electric Power Company Information and Communication Company (国网陕西省电力公司信息通信公司) Network security inspection system and inspection method
CN109639630A (en) * 2018-10-30 2019-04-16 State Grid Shaanxi Electric Power Company Information and Communication Company (国网陕西省电力公司信息通信公司) Terminal port management and control system and management and control method
CN110990841A (en) * 2019-12-04 2020-04-10 Guangdong Power Grid Co., Ltd. (广东电网有限责任公司) Method for building a terminal security operation and maintenance platform
CN111404956A (en) * 2020-03-25 2020-07-10 Sangfor Technologies Inc. (深信服科技股份有限公司) Risk information acquisition method and device, electronic device and storage medium


Similar Documents

Publication Publication Date Title
EP3588898A1 (en) Defense against apt attack
US10505960B2 (en) Malware detection by exploiting malware re-composition variations using feature evolutions and confusions
US9842208B2 (en) Method, apparatus and system for detecting malicious process behavior
CN110572409B (en) Industrial Internet security risk prediction method, device, equipment and storage medium
CN107992738B (en) Account login abnormity detection method and device and electronic equipment
US20160080401A1 (en) Method and system for detecting unauthorized access attack
WO2022126981A1 (en) Malicious code recognition method and apparatus, and computer device and medium
CN109714346B (en) Searching and killing method and device for back door files
CN106548075B (en) Vulnerability detection method and device
US10505986B1 (en) Sensor based rules for responding to malicious activity
CN107426196B (en) Method and system for identifying WEB invasion
CN112003838A (en) Network threat detection method, device, electronic device and storage medium
CN103279710A (en) Method and system for detecting malicious codes of Internet information system
CN112769803B (en) Network threat detection method and device and electronic equipment
CN105959294B (en) A kind of malice domain name discrimination method and device
US10320823B2 (en) Discovering yet unknown malicious entities using relational data
US10075454B1 (en) Using telemetry data to detect false positives
EP3331210A1 (en) Apparatus, method, and non-transitory computer-readable storage medium for network attack pattern determination
CN114329469A (en) API abnormal calling behavior detection method, device, equipment and storage medium
CN114221775A (en) Early warning method and device for dangerous port, cloud server and storage medium
CN111104670B (en) APT attack identification and protection method
CN108229585B (en) Log classification method and system
CN115643044A (en) Data processing method, device, server and storage medium
CN114445669A (en) Smoke and fire alarm method and device, electronic equipment and storage medium
CN116155519A (en) Threat alert information processing method, threat alert information processing device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination