CN114244543B - Network security defense method, device, computing equipment and computer storage medium - Google Patents

Network security defense method, device, computing equipment and computer storage medium

Info

Publication number
CN114244543B
Authority
CN
China
Prior art keywords
scanning
source
attack
port
behavior
Prior art date
Legal status
Active
Application number
CN202010935335.8A
Other languages
Chinese (zh)
Other versions
CN114244543A (en)
Inventor
李秀清
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hebei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hebei Co Ltd
Priority date
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Hebei Co Ltd
Priority to CN202010935335.8A
Publication of CN114244543A
Application granted
Publication of CN114244543B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The invention discloses a network security defense method, a network security defense device, a computing device and a computer storage medium. The method comprises the following steps: configuring at least one redundant port, with the redundant port and the service port both in an open state; monitoring scanning behavior directed at the redundant ports; judging, according to the scanning behavior, whether the scanning source of that behavior is an attack source; and if so, closing the service port to the scanning source and performing false service interaction with the scanning source through the redundant port. The method has a low defense cost and can accurately determine the attack source; once the attack source is determined, it closes the service port to that source to prevent intrusion into the network system and, on that basis, uses the redundant port for false service interaction with the attack source, thereby prolonging the attack, consuming the attack source's resources, and obtaining information about the attack source for subsequent defense against it.

Description

Network security defense method, device, computing equipment and computer storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular to a network security defense method, a device, a computing device and a computer storage medium.
Background
With the continuous development of information technology, cyberspace has become an important support for current social functions and social activities. However, malicious attacks against cyberspace are increasing, and to ensure its security the prior art generally adopts two types of network security defense method: static passive defense methods, such as firewalls, antivirus software and signature-based intrusion detection; and dynamic active defense methods, such as intrusion tolerance, moving target defense and mimic defense.
However, the inventors found in practice that the prior art has the following drawbacks: the existing passive defense methods lag considerably behind attacks and defend poorly against unknown vulnerabilities; the existing dynamic active defense methods require high system redundancy, which greatly increases the defense cost, limits the initiative of the defense, and yields a poor defense effect.
Disclosure of Invention
The present invention has been made in view of the above problems, and provides a network security defense method, device, computing device and computer storage medium that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, there is provided a network security defense method, comprising:
configuring at least one redundant port, with the redundant port and a service port both in an open state;
monitoring scanning behavior directed at the redundant ports;
judging, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source;
if so, closing the service port to the scanning source, and performing false service interaction with the scanning source through the redundant port.
Optionally, judging according to the scanning behavior whether the scanning source of the scanning behavior is an attack source further includes:
judging whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports corresponding to the scanning behavior;
and/or judging whether the scanning source of the scanning behavior is an attack source according to the scanning path corresponding to the scanning behavior.
Optionally, judging whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports corresponding to the scanning behavior further includes:
if the number of redundant ports corresponding to the scanning behavior exceeds a first preset threshold, determining the scanning source of the scanning behavior to be an attack source.
Optionally, judging whether the scanning source of the scanning behavior is an attack source according to the scanning path corresponding to the scanning behavior further includes:
if the scanning path corresponding to the scanning behavior is a preset path, determining the scanning source of the scanning behavior to be an attack source.
Optionally, the preset path includes at least one of the following paths:
sequentially scanning ports of different categories on the same IP, sequentially scanning ports of the same category on different IPs, and scanning in the priority order of the ports.
Optionally, after closing the service port to the scanning source and performing false service interaction with the scanning source through the redundant port, the method further includes:
determining the time of the last access by the scanning source, and judging whether the difference between that access time and the current time exceeds a second preset threshold;
if so, reopening the service port to the scanning source.
Optionally, configuring at least one redundant port further includes:
acquiring historical attack behavior data, and counting the attack frequency of each candidate port according to the historical attack behavior data;
and selecting at least one of the candidate ports as a redundant port according to the attack frequency.
According to another aspect of the present invention, there is provided a network security defense device, including:
a configuration module adapted to configure at least one redundant port and to put the redundant port and the service port in an open state;
a monitoring module adapted to monitor scanning behavior directed at the redundant ports;
a judging module adapted to judge, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source;
and a defense module adapted, if the scanning source of the scanning behavior is an attack source, to close the service port to the scanning source and to perform false service interaction with the scanning source through the redundant port.
Optionally, the judging module is further adapted to: judge whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports corresponding to the scanning behavior;
and/or judge whether the scanning source of the scanning behavior is an attack source according to the scanning path corresponding to the scanning behavior.
Optionally, the judging module is further adapted to: if the number of redundant ports corresponding to the scanning behavior exceeds a first preset threshold, determine the scanning source of the scanning behavior to be an attack source.
Optionally, the judging module is further adapted to: if the scanning path corresponding to the scanning behavior is a preset path, determine the scanning source of the scanning behavior to be an attack source.
Optionally, the preset path includes at least one of the following paths:
sequentially scanning ports of different categories on the same IP, sequentially scanning ports of the same category on different IPs, and scanning in the priority order of the ports.
Optionally, the device further includes: a service recovery module adapted, after the service port has been closed to the scanning source and false service interaction with the scanning source has been performed through the redundant port, to determine the time of the last access by the scanning source and to judge whether the difference between that access time and the current time exceeds a second preset threshold; if so, to reopen the service port to the scanning source.
Optionally, the configuration module is further adapted to:
acquire historical attack behavior data, and count the attack frequency of each candidate port according to the historical attack behavior data;
and select at least one of the candidate ports as a redundant port according to the attack frequency.
According to yet another aspect of the present invention, there is provided a computing device comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the network security defense method described above.
According to still another aspect of the present invention, there is provided a computer storage medium having stored therein at least one executable instruction for causing a processor to perform the operations corresponding to the network security defense method described above.
According to the network security defense method, device, computing device and computer storage medium provided by the invention, at least one redundant port is configured, with the redundant port and the service port both in an open state; scanning behavior directed at the redundant ports is monitored; whether the scanning source of the scanning behavior is an attack source is judged according to the scanning behavior; and if so, the service port is closed to the scanning source and false service interaction is performed with the scanning source through the redundant port. In this scheme only redundant ports are added on top of the existing network system, so the defense cost is low; the attack source is accurately determined from the attack behavior directed at the redundant ports; and once the attack source is determined, the service port is closed to it to prevent intrusion into the original network system, while the redundant port is used for false service interaction with the attack source, so that information about the attack source is obtained while its attack is delayed and its attack resources are consumed, enabling further defense against that source.
The foregoing is only an overview of the present invention; so that its technical means may be more clearly understood and implemented in accordance with its teachings, and so that the above and other objects, features and advantages of the invention become more readily apparent, specific embodiments are described below.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
Fig. 1 is a schematic flow chart of a network security defense method according to a first embodiment of the present invention;
Fig. 2 is a flow chart of a redundant port configuration method applied in the first embodiment of the present invention;
Fig. 3 is a schematic diagram of redundant ports used in the first embodiment of the present invention;
Fig. 4 is a schematic flow chart of a service recovery method applied in the first embodiment of the present invention;
Fig. 5 is a schematic functional structural diagram of a network security defense device according to a second embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a computing device according to a fourth embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Embodiment 1
Fig. 1 is a schematic flow chart of a network security defense method according to a first embodiment of the present invention. The method can be applied to the security defense of various network spaces. This embodiment does not limit the specific device that implements the method.
As shown in fig. 1, the method includes:
Step S110: configuring at least one redundant port, with the redundant port and the service port both in an open state.
The service port is a real port provided by the original network system, through which normal service is provided to users. The redundant port is a false port that this embodiment adds on top of the original network system; no real service information can be obtained through it. In the initial state both the redundant ports and the service ports are open, and both can be accessed.
This embodiment does not limit how the redundant ports are configured. For example, in a random configuration, at least one non-service port may be selected at random as a redundant port.
In a preferred embodiment, to strengthen the security defense, historical data may be used to configure the redundant ports. As shown in fig. 2, the configuration process includes the following steps S111 to S113:
Step S111: acquiring historical attack behavior data.
The historical attack behavior data may relate to the present network system: for example, it may be historical attack behavior data for the present network system, or for a system associated with it. Acquiring such data yields attack information specific to the network system and so provides a basis for the customized configuration of the redundant ports that follows; the configured redundant ports then closely match the network system to be protected, which helps to improve the security defense effect. Alternatively, the historical attack behavior data may be unrelated to the network system, for example attack behavior data provided by a corresponding open platform (such as a forum).
Step S112: counting the attack frequency of each candidate port according to the historical attack behavior data.
The candidate ports are the non-service ports of the current network system that can be used as redundant ports. Specifically, the historical attack behavior data can be cleaned and the attack frequency of each candidate port counted.
Step S113: selecting at least one of the candidate ports as a redundant port according to the attack frequency.
Specifically, the candidate ports can be sorted by attack frequency, the candidate ports with the higher attack frequencies identified, and those ports used as redundant ports. For example, if analysis of the historical attack behavior data shows port 80 to be the most frequently attacked port, port 80 on a plurality of IPs can be used as redundant ports.
For example, as shown in fig. 3, port 443 of IP3 is a real service port, and port 22 of IP1 is a redundant port configured in this embodiment.
Step S120: monitoring scanning behavior directed at the redundant ports.
In a real scenario, a non-aggressive access request is normally resolved to the real service port and therefore does not scan the redundant ports. An aggressive access, by contrast, normally scans the ports of the network system in preparation for subsequent attack behavior. On this basis, this embodiment monitors scanning behavior directed at the redundant ports in order to screen out aggressive access requests.
Step S130: judging, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source; if so, proceeding to step S140.
The scanning source corresponding to the scanning behavior monitored in step S120 can be determined, and a corresponding attack-source determination method then applied to judge whether that scanning source is an attack source. This embodiment does not limit the specific attack-source determination method.
In one alternative embodiment, whether the scanning source of the scanning behavior is an attack source may be determined according to the number of redundant ports corresponding to the scanning behavior. Specifically, if the number of redundant ports corresponding to the scanning behavior exceeds a first preset threshold, the scanning source of the scanning behavior is determined to be an attack source. The redundant ports corresponding to the scanning behavior are the redundant ports scanned by the current scanning source. Optionally, the value of the first preset threshold may be set according to the number of configured redundant ports. For example, if 10 redundant ports are configured, the first preset threshold may be 6 (that is, a preset proportion of the total number of redundant ports), and if a scanning source scans 7 redundant ports it may be determined to be an attack source.
In another alternative embodiment, whether the scanning source of the scanning behavior is an attack source may be determined according to the scanning path corresponding to the scanning behavior. Specifically, if the scanning path corresponding to the scanning behavior is a preset path, the scanning source of the scanning behavior is determined to be an attack source. The preset path includes at least one of the following paths: sequentially scanning ports of different categories on the same IP, sequentially scanning ports of the same category on different IPs, and scanning in the priority order of the ports.
Taking fig. 3 as an example: if the scanning source scans port 22 of IP1, port 22 of IP2, port 22 of IP3, port 22 of IP4 and port 22 of IP5 in sequence, the scanning path is "IP1-22→IP2-22→IP3-22→IP4-22→IP5-22", a lateral scanning mode, which indicates that the scanning source scans the same category of port on different IPs in sequence; if the preset path is "sequentially scanning ports of the same category on different IPs", the scanning source is determined to be an attack source. If the scanning source scans port 22, port 80, port 443 and port 8080 of IP1 in sequence, the scanning path is "IP1-22→IP1-80→IP1-443→IP1-8080", a vertical scanning mode, which indicates that the scanning source scans different categories of port on the same IP in sequence; if the preset path is "sequentially scanning ports of different categories on the same IP", the scanning source is determined to be an attack source. In addition, the priority of each redundant port can be determined from its historical attack frequency; in fig. 3 the priority order may be IP1-22 > IP2-80 > IP3-8080 …, and if the scanning source scans port 22 of IP1, port 80 of IP2 and port 8080 of IP3 in succession while the preset path is "scanning in the priority order of the ports", the scanning source is determined to be an attack source.
In yet another alternative embodiment, whether the scanning source of the scanning behavior is an attack source may be determined jointly from the number of redundant ports corresponding to the scanning behavior and the scanning path. For example, if the number of redundant ports corresponding to the scanning behavior exceeds the first preset threshold and the scanning path is a preset path, the scanning source of the scanning behavior is determined to be an attack source. This combined judgment identifies the attack source accurately, lowers the misjudgment rate, and helps to improve the security defense effect.
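The following added example, which is not code from the patent or its assignee, shows steps S111 to S113 and step S130 in working form: decoy ports are chosen from constructed historical attack records, and a scan path is then judged by the first preset threshold, by the three preset paths, or by both together. All data values, the six-tenths threshold ratio (taken from the 6-of-10 illustration in the text), and the interpretation of "scanning in the priority order" as visiting decoys in strictly decreasing priority are assumptions of this example.

```python
from collections import Counter

# Constructed sample data (hypothetical values, not from the patent): historical attack
# records as (host, port) pairs, the hosts of the protected system, and the one real
# service port, which follows the patent's fig. 3 example (port 443 on IP3).
HOSTS = ["IP1", "IP2", "IP3", "IP4", "IP5"]
SERVICE_PORTS = {("IP3", 443)}
HISTORICAL_ATTACKS = [
    ("IP1", 22), ("IP1", 22), ("IP2", 22), ("IP4", 22),
    ("IP2", 80), ("IP1", 80), ("IP5", 80),
    ("IP3", 8080), ("IP3", 8080),
    ("IP3", 443), ("IP2", 3389), ("IP1", 21),
]


def select_redundant_ports(history, hosts, service_ports, k=3):
    """Steps S111-S113: count the attack frequency of each candidate port number in the
    historical data, open the k most attacked numbers as redundant (decoy) ports on every
    host without displacing a real service port, and rank the decoys by how often each
    individual (host, port) was attacked; that ranking is the priority order of step S130."""
    port_freq = Counter(port for _, port in history)
    pair_freq = Counter(history)
    top_ports = [port for port, _ in port_freq.most_common(k)]
    redundant = {(h, p) for h in hosts for p in top_ports} - set(service_ports)
    priority = sorted(
        redundant,
        key=lambda hp: (-pair_freq[hp], -port_freq[hp[1]], hosts.index(hp[0]), hp[1]),
    )
    return redundant, priority


def first_threshold(redundant):
    """First preset threshold: six tenths of the configured decoys (assumed ratio)."""
    return len(redundant) * 6 // 10


def classify_path(path):
    """Label an ordered scan path of (host, port) tuples as one of the first two preset
    paths: 'vertical' (different port categories of the same host in sequence) or
    'horizontal' (the same port category across different hosts). None otherwise."""
    if len(path) < 2:
        return None
    hosts = [h for h, _ in path]
    ports = [p for _, p in path]
    if len(set(hosts)) == 1 and len(set(ports)) == len(ports):
        return "vertical"
    if len(set(ports)) == 1 and len(set(hosts)) == len(hosts):
        return "horizontal"
    return None


def follows_priority(path, priority):
    """Third preset path: the source visits decoys in strictly decreasing priority.
    Allowing skipped decoys to still match is an assumption of this example."""
    rank = {hp: i for i, hp in enumerate(priority)}
    ranks = [rank.get(hp) for hp in path]
    return len(path) >= 2 and None not in ranks and all(a < b for a, b in zip(ranks, ranks[1:]))


def judge_scan_source(path, redundant, priority, threshold, mode="both"):
    """Step S130: decide whether the source of one scan path is an attack source.
    mode 'count' applies only the first preset threshold to the number of distinct
    decoys scanned, 'path' only the preset-path match, and 'both' requires both
    (the combined judgment the text recommends to lower the misjudgment rate)."""
    scanned = {hp for hp in path if hp in redundant}
    count_hit = len(scanned) > threshold
    label = classify_path(path)
    if label is None and follows_priority(path, priority):
        label = "priority"
    path_hit = label is not None
    verdict = {"count": count_hit, "path": path_hit, "both": count_hit and path_hit}[mode]
    return {"attack": verdict, "decoys_scanned": len(scanned), "path": label}


if __name__ == "__main__":
    decoys, order = select_redundant_ports(HISTORICAL_ATTACKS, HOSTS, SERVICE_PORTS)
    limit = first_threshold(decoys)
    # Constructed scan paths: a lateral sweep of port 22, a sweep of two port numbers
    # on every host, and a legitimate client that only touches the real service port.
    lateral = [(h, 22) for h in HOSTS]
    sweep = [(h, p) for p in (22, 80) for h in HOSTS]
    client = [("IP3", 443)]
    for name, path in [("lateral", lateral), ("sweep", sweep), ("client", client)]:
        for mode in ("count", "path", "both"):
            print(name, mode, judge_scan_source(path, decoys, order, limit, mode))
```

Running the demo shows the trade-off the text describes: the lateral sweep matches a preset path but touches too few decoys for the count rule, the two-port sweep exceeds the count threshold without matching a preset path, and only a source that satisfies both rules is flagged in the combined mode, while the legitimate client is never flagged.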
Step S140: and closing the service port to service the scanning source, and performing false service interaction with the scanning source through the redundant port.
After the scanning source is determined to be the attack source, the service port can be closed to service the scanning source in time, so that the attack source is prevented from invading the original network system. On the basis, the virtual service interaction is further carried out between the redundant port and the scanning source, so that on one hand, the attack time of the attack source is prolonged, the attack resource of the attack source is consumed, and on the other hand, the related information of the attack source can be obtained through the virtual service interaction between the redundant port and the scanning source, so that the attack source can be defended later.
Further optionally, redundant ports not scanned by the scan source may also be turned off to save system resources.
The method of performing the false service interaction between the redundant port and the scan source is not limited in this embodiment. For example, the corresponding dummy service information may be compiled in advance, and when the attack source accesses, the dummy service information is fed back to the attack source through the redundant port scanned by the attack source.
In addition, in an alternative implementation manner, in order to avoid affecting the service usage experience of the normal user, this embodiment may further implement the service recovery through step S150-step S170 in fig. 4 after closing the service port to service the scanning source and performing the false service interaction with the scanning source through the redundant port, specifically:
Step S150: an access time of the last access of the scan source is determined.
Step S160: judging whether the difference value between the access time and the current time exceeds a second preset threshold value or not; if yes, go to step S170.
Step S170: the service port is opened for service of the scanning source.
Specifically, the access time of each scanning source for the scanned redundant port is recorded, and when the difference value between the last access time and the current time exceeds a second preset threshold value, the attack source is indicated to give up the attack for the network system, so that the service of the service port for the scanning source can be reopened.
Optionally, if the redundant ports not scanned by the scan source are closed in step S140, the closed redundant ports may be further opened in this step, so that the state of each port is restored to the initial state, so as to defend against the next attack.
In summary, this embodiment only adds redundant ports on top of the network system, so the defense cost is low; the attack source is accurately determined from the attack behavior directed at the redundant ports; once the attack source is determined, the service port is closed to it to prevent intrusion into the original network system, while the redundant port is used for false service interaction with the attack source, so that information about the attack source is obtained while its attack is prolonged and its attack resources are consumed, enabling subsequent defense against that source. In short, this embodiment achieves active defense and avoids the high latency of the passive defense of the prior art.
Embodiment 2
Fig. 5 is a schematic functional structural diagram of a network security defense device according to a second embodiment of the present invention. The device includes a configuration module 51, a monitoring module 52, a judging module 53 and a defense module 54:
the configuration module 51 is adapted to configure at least one redundant port and to put the redundant port and the service port in an open state;
the monitoring module 52 is adapted to monitor scanning behavior directed at the redundant ports;
the judging module 53 is adapted to judge, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source;
and the defense module 54 is adapted, if the scanning source of the scanning behavior is an attack source, to close the service port to the scanning source and to perform false service interaction with the scanning source through the redundant port.
Optionally, the judging module is further adapted to: judge whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports corresponding to the scanning behavior;
and/or judge whether the scanning source of the scanning behavior is an attack source according to the scanning path corresponding to the scanning behavior.
Optionally, the judging module is further adapted to: if the number of redundant ports corresponding to the scanning behavior exceeds a first preset threshold, determine the scanning source of the scanning behavior to be an attack source.
Optionally, the judging module is further adapted to: if the scanning path corresponding to the scanning behavior is a preset path, determine the scanning source of the scanning behavior to be an attack source.
Optionally, the preset path includes at least one of the following paths:
sequentially scanning ports of different categories on the same IP, sequentially scanning ports of the same category on different IPs, and scanning in the priority order of the ports.
Optionally, the device further includes: a service recovery module adapted, after the service port has been closed to the scanning source and false service interaction with the scanning source has been performed through the redundant port, to determine the time of the last access by the scanning source and to judge whether the difference between that access time and the current time exceeds a second preset threshold; if so, to reopen the service port to the scanning source.
Optionally, the configuration module is further adapted to:
acquire historical attack behavior data, and count the attack frequency of each candidate port according to the historical attack behavior data;
and select at least one of the candidate ports as a redundant port according to the attack frequency.
For the specific implementation of each module in this embodiment, reference may be made to the description of the corresponding part of the first embodiment, which is not repeated here.
In summary, this embodiment only adds redundant ports on top of the network system, so the defense cost is low; the attack source is accurately determined from the attack behavior directed at the redundant ports; once the attack source is determined, the service port is closed to it to prevent intrusion into the original network system, while the redundant port is used for false service interaction with the attack source, so that information about the attack source is obtained while its attack is prolonged and its attack resources are consumed, enabling subsequent defense against that source. In short, this embodiment achieves active defense and avoids the high latency of the passive defense of the prior art.
Example III
A third embodiment of the present invention provides a non-volatile computer storage medium storing at least one executable instruction for performing the method of any of the method embodiments described above.
The executable instruction may in particular cause a processor to:
configure at least one redundant port, and place both the redundant port and the service port in an open state;
monitor scanning behavior directed at the redundant port;
judge, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source;
if so, close the service port to the scanning source, and carry out false service interaction with the scanning source through the redundant port.
In an alternative embodiment, the executable instruction may specifically cause the processor to:
judge whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports involved in the scanning behavior;
and/or judge whether the scanning source of the scanning behavior is an attack source according to the scanning path of the scanning behavior.
In an alternative embodiment, the executable instruction may specifically cause the processor to:
if the number of redundant ports involved in the scanning behavior exceeds a first preset threshold, determine the scanning source of the scanning behavior to be an attack source.
In an alternative embodiment, the executable instruction may specifically cause the processor to:
if the scanning path of the scanning behavior is a preset path, determine the scanning source of the scanning behavior to be an attack source.
In an alternative embodiment, the preset path includes at least one of the following paths:
scanning ports of different categories on the same IP in sequence; scanning ports of the same category on different IPs in sequence; and scanning ports in their order of priority.
In an alternative embodiment, the executable instruction may specifically cause the processor to:
after the service port has been closed to the scanning source and false service interaction has been carried out with the scanning source through the redundant port, determine the time of the scanning source's most recent access, and judge whether the difference between that access time and the current time exceeds a second preset threshold;
if so, reopen the service port to the scanning source.
In an alternative embodiment, the executable instruction may specifically cause the processor to:
acquire historical attack behavior data and count, from it, the attack frequency of each candidate port;
and select at least one of the candidate ports as a redundant port according to its attack frequency.
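The steps above (selecting redundant ports from historical attack frequency, counting the redundant ports a source touches, matching the preset scan paths, closing the service port to a confirmed attack source, and reopening it once the source has been idle longer than the second threshold) implemented together as an added example in Python. This is not code from the patent or its applicant; the port categories, the port priority order, the constructed historical attack data and the constructed connection events are all assumptions made for the illustration, and the two thresholds correspond to the first and second preset thresholds of the embodiment.

```python
"""Added example, not the patent's own code: a minimal model of the
redundant-port defense driven by constructed connection events."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    ts: float   # seconds
    src: str    # scanning source address
    dst: str    # target address
    port: int   # target port


# Hypothetical port categories and priority order (assumptions, not from the patent).
PORT_CATEGORY = {21: "file", 22: "remote", 23: "remote", 80: "web",
                 443: "web", 445: "file", 3389: "remote", 8080: "web"}
PORT_PRIORITY = [22, 3389, 445, 21, 23, 80, 443, 8080]


def select_redundant_ports(history, candidates, n):
    """Count attack frequency per candidate port in historical attack data and
    return the n most frequently attacked ports as redundant (decoy) ports."""
    freq = Counter(e.port for e in history if e.port in candidates)
    return [port for port, _ in freq.most_common(n)]


def is_preset_path(hits):
    """True if a source's ordered (dst, port) redundant-port hits match a preset
    path: (a) same IP, consecutive ports of different categories; (b) same port
    category across different IPs; (c) ports in priority order.
    Fewer than three hits is not treated as a path."""
    if len(hits) < 3:
        return False
    dsts = [d for d, _ in hits]
    cats = [PORT_CATEGORY.get(p) for _, p in hits]
    same_ip_diff_cat = len(set(dsts)) == 1 and all(a != b for a, b in zip(cats, cats[1:]))
    diff_ip_same_cat = len(set(dsts)) == len(dsts) and len(set(cats)) == 1
    ranks = [PORT_PRIORITY.index(p) for _, p in hits if p in PORT_PRIORITY]
    in_priority_order = len(ranks) == len(hits) and all(a < b for a, b in zip(ranks, ranks[1:]))
    return same_ip_diff_cat or diff_ip_same_cat or in_priority_order


class Defender:
    def __init__(self, redundant_ports, service_ports, first_threshold, second_threshold):
        self.redundant = set(redundant_ports)
        self.service = set(service_ports)
        self.first_threshold = first_threshold    # distinct redundant ports a source may touch
        self.second_threshold = second_threshold  # idle seconds before service is restored
        self.touched = defaultdict(set)           # src -> redundant ports hit
        self.path = defaultdict(list)             # src -> [(dst, port), ...] in arrival order
        self.blocked = {}                         # attack source -> last access time
        self.decoy_log = []                       # (src, dst, port, ts) from false-service interaction

    def observe(self, ev):
        """Classify one connection: 'serve' (real service), 'observe' (redundant
        port touched, source not yet classified), 'decoy' (false service
        interaction with an attack source) or 'drop' (service port closed to it)."""
        if ev.src in self.blocked:
            self.blocked[ev.src] = ev.ts          # keep the last-access time current
            if ev.port in self.redundant:
                self.decoy_log.append((ev.src, ev.dst, ev.port, ev.ts))
                return "decoy"
            return "drop"
        if ev.port in self.redundant:
            self.touched[ev.src].add(ev.port)
            self.path[ev.src].append((ev.dst, ev.port))
            if (len(self.touched[ev.src]) > self.first_threshold
                    or is_preset_path(self.path[ev.src])):
                self.blocked[ev.src] = ev.ts
                self.decoy_log.append((ev.src, ev.dst, ev.port, ev.ts))
                return "decoy"
            return "observe"
        return "serve"

    def recover(self, now):
        """Reopen the service port to attack sources idle longer than the second threshold."""
        reopened = [s for s, last in self.blocked.items() if now - last > self.second_threshold]
        for s in reopened:
            del self.blocked[s]
            self.touched.pop(s, None)
            self.path.pop(s, None)
        return reopened


def demo():
    # Constructed historical attack data: how often each candidate port was attacked.
    history = [ConnEvent(0, "h", "x", p) for p in [22] * 5 + [445] * 4 + [8080] * 3 + [23] * 2 + [21]]
    redundant = select_redundant_ports(history, {21, 22, 23, 445, 3389, 8080}, 3)
    d = Defender(redundant, service_ports={80, 443}, first_threshold=2, second_threshold=600)
    # Constructed events: a vertical scanner, a horizontal scanner and a benign client.
    events = [
        ConnEvent(10, "203.0.113.5", "10.0.0.1", 22),
        ConnEvent(11, "203.0.113.5", "10.0.0.1", 445),
        ConnEvent(12, "203.0.113.5", "10.0.0.1", 8080),  # third distinct redundant port
        ConnEvent(13, "203.0.113.5", "10.0.0.1", 80),    # service port now closed to it
        ConnEvent(20, "203.0.113.9", "10.0.0.1", 22),
        ConnEvent(21, "203.0.113.9", "10.0.0.2", 22),
        ConnEvent(22, "203.0.113.9", "10.0.0.3", 22),    # same category across IPs
        ConnEvent(30, "198.51.100.7", "10.0.0.1", 443),  # benign client
    ]
    decisions = [d.observe(e) for e in events]
    reopened = d.recover(now=620)        # only 203.0.113.5 has been idle > 600 s
    after = d.observe(ConnEvent(621, "203.0.113.5", "10.0.0.1", 80))
    return redundant, decisions, reopened, after


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats on this scheme: the scan-path heuristic is the weaker of the two tests, because common scanners randomize port order by default (nmap does unless told to scan sequentially), so the distinct-redundant-port count is the signal to rely on; and a block list keyed on source address is defeated by a scan spread across many sources, so the recorded decoy interactions should feed into correlation rather than be treated as a complete defense.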
In summary, this embodiment only adds redundant ports to the existing network system, so the defense cost is low; the attack source is accurately determined from the attack behavior directed at the redundant ports; once an attack source has been determined, the service port is closed to it, which prevents intrusion into the original network system, and the redundant port is then used to carry on false service interaction with it, which prolongs the attacker's engagement, consumes its attack resources and yields information about it for subsequent defense. In short, this embodiment achieves active defense and avoids the high latency of the passive defense of the prior art.
Example IV
Fig. 6 is a schematic structural diagram of a computing device according to a fourth embodiment of the present invention; the specific embodiments of the present invention do not limit how the computing device is implemented.
As shown in Fig. 6, the computing device may include: a processor 602, a communication interface 604, a memory 606 and a communication bus 608.
The processor 602, the communication interface 604 and the memory 606 communicate with one another via the communication bus 608. The communication interface 604 is used to communicate with network elements of other devices, such as clients or other servers. The processor 602 is configured to execute the program 610, and may in particular perform the relevant steps of the method embodiments described above.
In particular, the program 610 may include program code comprising computer-operating instructions.
The processor 602 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the computing device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 606 is used to store the program 610. The memory 606 may include high-speed RAM and may further include non-volatile memory, such as at least one disk memory.
The program 610 may in particular cause the processor 602 to:
configure at least one redundant port, and place both the redundant port and the service port in an open state;
monitor scanning behavior directed at the redundant port;
judge, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source;
if so, close the service port to the scanning source, and carry out false service interaction with the scanning source through the redundant port.
In an alternative embodiment, the program 610 may specifically cause the processor 602 to:
judge whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports involved in the scanning behavior;
and/or judge whether the scanning source of the scanning behavior is an attack source according to the scanning path of the scanning behavior.
In an alternative embodiment, the program 610 may specifically cause the processor 602 to:
if the number of redundant ports involved in the scanning behavior exceeds a first preset threshold, determine the scanning source of the scanning behavior to be an attack source.
In an alternative embodiment, the program 610 may specifically cause the processor 602 to:
if the scanning path of the scanning behavior is a preset path, determine the scanning source of the scanning behavior to be an attack source.
In an alternative embodiment, the preset path includes at least one of the following paths:
scanning ports of different categories on the same IP in sequence; scanning ports of the same category on different IPs in sequence; and scanning ports in their order of priority.
In an alternative embodiment, the program 610 may specifically cause the processor 602 to:
after the service port has been closed to the scanning source and false service interaction has been carried out with the scanning source through the redundant port, determine the time of the scanning source's most recent access, and judge whether the difference between that access time and the current time exceeds a second preset threshold;
if so, reopen the service port to the scanning source.
In an alternative embodiment, the program 610 may specifically cause the processor 602 to:
acquire historical attack behavior data and count, from it, the attack frequency of each candidate port;
and select at least one of the candidate ports as a redundant port according to its attack frequency.
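The false service interaction itself, which the embodiments describe only as prolonging the attacker's engagement, consuming its resources and collecting information about it, as an added example in Python. This is not code from the patent or its applicant: it plays a fake FTP login on a redundant port that never succeeds, delays each reply so that every attempt costs the scanning source time, and records what the source sends. The choice of FTP, the banner text, the reply strings and the socketpair-driven session used to exercise it are assumptions made for the illustration.

```python
"""Added example, not the patent's own code: a minimal false-service responder
for a redundant port, exercised locally over a socketpair."""
import socket
import threading
import time

FAKE_BANNER = b"220 FTP service ready.\r\n"   # hypothetical banner, not a real host's


class DecoyFtp:
    def __init__(self, reply_delay=0.0, max_lines=20):
        self.reply_delay = reply_delay   # tarpit delay before each reply, in seconds
        self.max_lines = max_lines       # cap on how long one session is entertained
        self.records = []                # (peer, line) captured from scanning sources

    @staticmethod
    def _reply(line):
        """Always behave like a live server that rejects the login."""
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"USER":
            return b"331 Password required.\r\n"
        if verb == b"PASS":
            return b"530 Login incorrect.\r\n"
        if verb == b"QUIT":
            return b"221 Goodbye.\r\n"
        return b"530 Please login with USER and PASS.\r\n"

    def interact(self, conn, peer="unknown"):
        """Run the fake session on a connected socket until the peer quits,
        disconnects or max_lines is reached. Returns the captured lines."""
        captured = []
        buf = b""
        with conn:
            conn.sendall(FAKE_BANNER)
            while len(captured) < self.max_lines:
                try:
                    chunk = conn.recv(1024)
                except OSError:
                    break
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf and len(captured) < self.max_lines:
                    line, buf = buf.split(b"\n", 1)
                    line = line.rstrip(b"\r")
                    captured.append(line)
                    self.records.append((peer, line))   # credentials, tooling hints, etc.
                    time.sleep(self.reply_delay)        # make each guess cost the attacker time
                    conn.sendall(self._reply(line))
                    if line.upper().startswith(b"QUIT"):
                        return captured
        return captured


def run_session(attacker_lines, reply_delay=0.0):
    """Drive one fake session over a socketpair: the 'attacker' end sends the
    given lines and closes its write side; the decoy end runs interact().
    Returns (bytes the attacker received, lines the decoy captured)."""
    attacker_end, decoy_end = socket.socketpair()
    decoy = DecoyFtp(reply_delay=reply_delay)
    result = {}
    worker = threading.Thread(
        target=lambda: result.setdefault("captured", decoy.interact(decoy_end, peer="203.0.113.5")))
    worker.start()
    for line in attacker_lines:
        attacker_end.sendall(line + b"\r\n")
    attacker_end.shutdown(socket.SHUT_WR)
    received = b""
    while True:
        chunk = attacker_end.recv(4096)
        if not chunk:
            break
        received += chunk
    attacker_end.close()
    worker.join()
    return received, result["captured"]


if __name__ == "__main__":
    # Constructed attacker input: one credential guess, then a polite quit.
    print(run_session([b"USER admin", b"PASS hunter2", b"QUIT"], reply_delay=0.5))
```

What the decoy records is attacker-controlled input and must be treated as untrusted data when it is stored or displayed; in production the `reply_delay` and `max_lines` values bound how much of the defender's own connection capacity a single source can tie up.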
In summary, this embodiment only adds redundant ports to the existing network system, so the defense cost is low; the attack source is accurately determined from the attack behavior directed at the redundant ports; once an attack source has been determined, the service port is closed to it, which prevents intrusion into the original network system, and the redundant port is then used to carry on false service interaction with it, which prolongs the attacker's engagement, consumes its attack resources and yields information about it for subsequent defense. In short, this embodiment achieves active defense and avoids the high latency of the passive defense of the prior art.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such a system is apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided to disclose the enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functionality of some or all of the components according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). The present invention can also be implemented as an apparatus or device program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.

Claims (8)

1. A network security defense method, comprising:
configuring at least one redundant port, and placing both the redundant port and a service port in an open state;
monitoring scanning behavior directed at the redundant port;
judging, according to the scanning behavior, whether a scanning source of the scanning behavior is an attack source;
if so, closing the service port to the scanning source, and carrying out false service interaction with the scanning source through the redundant port; determining the time of the scanning source's most recent access, and judging whether the difference between that access time and the current time exceeds a second preset threshold; if so, reopening the service port to the scanning source;
wherein said configuring at least one redundant port further comprises: acquiring historical attack behavior data and counting, from it, the attack frequency of each candidate port; and selecting at least one of the candidate ports as a redundant port according to its attack frequency.
2. The method of claim 1, wherein judging, according to the scanning behavior, whether the scanning source of the scanning behavior is an attack source further comprises:
judging whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports involved in the scanning behavior;
and/or judging whether the scanning source of the scanning behavior is an attack source according to the scanning path of the scanning behavior.
3. The method of claim 2, wherein judging whether the scanning source of the scanning behavior is an attack source according to the number of redundant ports involved in the scanning behavior further comprises:
if the number of redundant ports involved in the scanning behavior exceeds a first preset threshold, determining the scanning source of the scanning behavior to be an attack source.
4. The method of claim 2, wherein judging whether the scanning source of the scanning behavior is an attack source according to the scanning path of the scanning behavior further comprises:
if the scanning path of the scanning behavior is a preset path, determining the scanning source of the scanning behavior to be an attack source.
5. The method of claim 4, wherein the preset path comprises at least one of the following paths:
scanning ports of different categories on the same IP in sequence; scanning ports of the same category on different IPs in sequence; and scanning ports in their order of priority.
6. A network security defense apparatus, comprising:
a configuration module adapted to configure at least one redundant port and to place both the redundant port and a service port in an open state;
a monitoring module adapted to monitor scanning behavior directed at the redundant port;
a judging module adapted to judge, according to the scanning behavior, whether a scanning source of the scanning behavior is an attack source;
a defense module adapted to, if the scanning source of the scanning behavior is an attack source, close the service port to the scanning source and carry out false service interaction with the scanning source through the redundant port; determine the time of the scanning source's most recent access, and judge whether the difference between that access time and the current time exceeds a second preset threshold; and if so, reopen the service port to the scanning source;
wherein said configuring at least one redundant port further comprises: acquiring historical attack behavior data and counting, from it, the attack frequency of each candidate port; and selecting at least one of the candidate ports as a redundant port according to its attack frequency.
7. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the network security defense method of any one of claims 1-5.
8. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the network security defense method of any one of claims 1-5.
CN202010935335.8A 2020-09-08 2020-09-08 Network security defense method, device, computing equipment and computer storage medium Active CN114244543B (en)

Publications (2)

Publication Number Publication Date
CN114244543A CN114244543A (en) 2022-03-25
CN114244543B true CN114244543B (en) 2024-05-03

Family

ID=80742449


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721442A (en) * 2016-01-22 2016-06-29 耿童童 Spurious response system and method based on dynamic variation and network security system and method
CN106330944A (en) * 2016-08-31 2017-01-11 杭州迪普科技有限公司 Method and device for recognizing malicious system vulnerability scanner
CN109218327A (en) * 2018-10-15 2019-01-15 西安电子科技大学 Initiative type safeguard technology based on cloud container
CN109347794A (en) * 2018-09-06 2019-02-15 国家电网有限公司 A kind of Web server safety defense method
CN109995727A (en) * 2017-12-30 2019-07-09 中国移动通信集团河北有限公司 Penetration attack behavior active protection method, device, equipment and medium
CN111314300A (en) * 2020-01-17 2020-06-19 广州华多网络科技有限公司 Malicious scanning IP detection method, system, device, equipment and storage medium
CN111385236A (en) * 2018-12-27 2020-07-07 北京卫达信息技术有限公司 Dynamic defense system based on network spoofing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11184377B2 (en) * 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Malicious port scan detection using source profiles


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant