CN114285663A - Method, device, equipment and medium for managing attack source address - Google Patents


Info

Publication number
CN114285663A
Authority
CN
China
Prior art keywords
attack source
source addresses
attack
real
information
Prior art date
Legal status
Pending
Application number
CN202111628564.6A
Other languages
Chinese (zh)
Inventor
黄友俊
李星
吴建平
郝子剑
吴焕乐
Current Assignee
CERNET Corp
Original Assignee
CERNET Corp

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure provides a method for managing an attack source address, including: acquiring log data of a plurality of honeypot systems, wherein the log data comprises a plurality of attack source addresses; respectively acquiring autonomous domain information and longitude and latitude information of the plurality of attack source addresses; determining a plurality of real attack source addresses among the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and managing the plurality of real attack source addresses according to a preset management rule. The disclosure also provides a management apparatus, an electronic device and a storage medium for managing an attack source address.

Description

Method, device, equipment and medium for managing attack source address
Technical Field
The present disclosure relates to the field of network behavior monitoring and network behavior management, and more particularly, to a method, an apparatus, a device, and a medium for managing an attack source address.
Background
With the continuous development of network technologies, the types of network intrusion technologies are increasing day by day, and therefore, it is a new challenge to correspondingly and timely upgrade security protection technologies in order to cope with continuously updated network intrusion behaviors.
In implementing the disclosed concept, the inventors found that the related art has at least the following problem: obtaining information about network intrusion behavior by performing characteristic analysis on massive amounts of network access information introduces a lag in upgrading the network security protection technology, which weakens the protection that technology provides.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, and medium for managing an attack source address.
According to a first aspect of the present disclosure, there is provided a method for managing an attack source address, including: acquiring log data of a plurality of honeypot systems, wherein the log data comprises a plurality of attack source addresses; respectively acquiring autonomous domain information and longitude and latitude information of the attack source addresses; determining a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and managing the real attack source addresses according to a preset management rule.
According to an embodiment of the present disclosure, the determining a true attack source address of the attack source addresses according to the autonomous domain information and the latitude and longitude information includes: counting longitude and latitude information of the attack source addresses to obtain a plurality of first sets, wherein each first set comprises a plurality of first attack source addresses with the same longitude and latitude information; and respectively counting the autonomous domain information of a plurality of first attack source addresses in the plurality of first sets to obtain a plurality of second sets, wherein each second set comprises a plurality of real attack source addresses with the same longitude and latitude information and different autonomous domain information.
According to an embodiment of the present disclosure, the obtaining the autonomous domain information and the latitude and longitude information of the plurality of attack source addresses respectively includes: respectively acquiring attack types of the attack source addresses; and acquiring the autonomous domain information and the longitude and latitude information of the attack source address under the condition that the attack type of the attack source address is determined to be a preset attack type.
According to an embodiment of the present disclosure, the managing the plurality of real attack source addresses according to a preset management rule includes: respectively acquiring a plurality of attack times of attacking the honeypot systems by the real attack source addresses; determining the priorities of the real attack source addresses according to the attack times; and under the condition that the priority of the real attack source address is determined to meet the preset condition, managing the real attack source address through the firewall.
According to an embodiment of the present disclosure, the managing, by a firewall, the real attack source address includes: and writing the real attack source address into the firewall through an application program interface of the firewall, so that the firewall blocks the attack of the real attack source address.
According to an embodiment of the disclosure, the acquiring log data of a plurality of honeypot systems includes: and simultaneously acquiring a plurality of log data of the honeypot systems through a plurality of data acquisition servers respectively.
According to an embodiment of the present disclosure, the method further comprises: and displaying the distribution condition of the real attack source addresses on a map according to the latitude and longitude information of the real attack source addresses.
A second aspect of the present disclosure provides a management apparatus for an attack source address, including a first acquisition module, a second acquisition module, a determining module and a management module. The first acquisition module is used for acquiring log data of a plurality of honeypot systems, wherein the log data comprises a plurality of attack source addresses; the second acquisition module is used for respectively acquiring the autonomous domain information and the longitude and latitude information of the attack source addresses; the determining module is used for determining a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and the management module is used for managing the real attack source addresses according to a preset management rule.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method of managing an attack source address.
The fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method of managing an attack source address.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium, and program product for managing an attack source address according to an embodiment of the present disclosure;
Fig. 2 schematically illustrates a flow chart of a method of managing an attack source address according to an embodiment of the disclosure;
Fig. 3 schematically shows a block diagram of the structure of a management apparatus for an attack source address according to an embodiment of the present disclosure; and
Fig. 4 schematically shows a block diagram of an electronic device adapted to implement a method of managing an attack source address according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The embodiment of the disclosure provides a management method of attack source addresses, which includes the steps of obtaining log data of a plurality of honeypot systems, wherein the log data comprises the attack source addresses; respectively acquiring autonomous domain information and longitude and latitude information of a plurality of attack source addresses; determining a plurality of real attack source addresses in a plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and managing a plurality of real attack source addresses according to a preset management rule.
Fig. 1 schematically shows an application scenario diagram of a method, an apparatus, a device, a medium, and a program product for managing an attack source address according to an embodiment of the present disclosure.
As shown in fig. 1, the application scenario 100 according to this embodiment may include a network 110, an egress router 120, a firewall 130, a core switch 140, a management zone 150, and data centers 161, 162, 163. The management zone 150 includes a Web server, a data processing server, and a data storage server. The data centers 161, 162, 163 each include data collection servers, IPv4 honeypot systems, and IPv6 honeypot systems.
Network 110 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few. Each server is connected to the core switch 140 through a single network card.
The IPv4 honeypot system and the IPv6 honeypot system are deployed on different network segments of a plurality of data centers, and attack source addresses can be trapped through the honeypot systems. The data acquisition server is deployed in a plurality of data centers, and attack source addresses of the honeypot system can be acquired through the data acquisition server. The data collected by the data collection server is temporarily stored in the data collection server. The data processing server acquires data temporarily stored in the plurality of data acquisition servers and stores the acquired data in the data storage server. And the data processing server summarizes and processes the data in the data storage server so as to realize the management of the attack source address.
It should be noted that the management method for the attack source address provided by the embodiment of the present disclosure may generally be executed by a server in the management zone 150. Accordingly, the management apparatus for an attack source address provided by the embodiment of the present disclosure may generally be disposed in a server in the management zone 150. The management method may also be executed by a server or server cluster that is different from the server in the management zone 150 and is capable of communicating with it. Accordingly, the management apparatus may also be disposed in a server or server cluster that is different from the server in the management zone 150 and is capable of communicating with it.
It should be understood that the number of networks, egress routers, firewalls, core switches and servers in fig. 1 are merely illustrative. There may be any number of networks, egress routers, firewalls, core switches and servers, as desired for the implementation.
Fig. 2 schematically shows a flow chart of a method of managing an attack source address according to an embodiment of the present disclosure.
As shown in fig. 2, the method for managing an attack source address of this embodiment includes operations S210 to S240.
In operation S210, log data of a plurality of honeypot systems is obtained, the log data including a plurality of attack source addresses.
Honeypot systems are deployed on different network segments of multiple data centers. A honeypot system provides hosts, network services or information that serve as bait and induce an illegal attacker to attack it. In this way the attacker's information is obtained, the attack behavior is captured and analyzed, the attack intention and motivation are inferred, and a security protection system capable of defending against the attacker can be established.
The attack source address includes an IPv4 address and an IPv6 address.
In the disclosed embodiment, operation S210, obtaining log data of a plurality of honeypot systems, includes: simultaneously acquiring the log data of the plurality of honeypot systems through a plurality of data acquisition servers, respectively.
The data acquisition servers simultaneously acquire log data of the honeypot systems at a preset frequency. For example, the plurality of data collection servers acquire log data from the plurality of honeypot systems at a frequency of 5 min/time. Each acquired data may be generated into a data file, which may be named after the time at which acquisition began.
The data processing server simultaneously acquires the log data acquired by the plurality of data acquisition servers. The frequency of the data processing server acquiring the log data from the plurality of data acquisition servers and the frequency of the plurality of data acquisition servers acquiring the log data from the plurality of honeypot systems can be the same or different.
Under the condition that the frequency at which the data processing server acquires log data from the plurality of data acquisition servers is the same as the frequency at which the data acquisition servers acquire log data from the plurality of honeypot systems, the data processing server directly acquires the log data from the plurality of data acquisition servers and merges the acquired log data.
Under the condition that the frequency at which the data processing server acquires log data from the plurality of data acquisition servers differs from the frequency at which the data acquisition servers acquire log data from the plurality of honeypot systems, the data processing server can use the names of the data files temporarily stored on the data acquisition servers to acquire and merge, for each acquisition time, the log data that the plurality of data acquisition servers collected at that same time. For example, the plurality of data acquisition servers acquire log data from the plurality of honeypot systems at a frequency of 5 min/time, and the data processing server acquires data files from the plurality of data acquisition servers at a frequency of 10 min/time. The plurality of data acquisition servers each store the log data acquired at 10:00 and the log data acquired at 10:05. At 10:07 the data processing server acquires all log data stored on the plurality of data acquisition servers, merges the log data acquired at 10:00, and separately merges the log data acquired at 10:05.
In operation S220, autonomous domain information and longitude and latitude information of a plurality of attack source addresses are respectively obtained.
The autonomous domain information is an Autonomous System (AS) number. Where a plurality of attack source addresses are determined to have the same AS number, those attack source addresses share a unified routing protocol. The longitude and latitude information is the geographic coordinate from which the attack is initiated; where attack source addresses are determined to have the same coordinates, the attacks initiated from those addresses are sent from the same place.
In this embodiment of the present disclosure, in operation S220, obtaining autonomous domain information and longitude and latitude information of a plurality of attack source addresses respectively includes: respectively acquiring attack types of a plurality of attack source addresses; and acquiring the autonomous domain information and the longitude and latitude information of the attack source address under the condition that the attack type of the attack source address is determined to be the preset attack type.
The honeypot system log data covers a plurality of attack types, and the attack types with reference value need to be screened out from among them, for example attack source addresses targeting SSH ports and attack source addresses targeting database ports.
Illustratively, before acquiring the autonomous domain information and the latitude and longitude information of the attack source address, port-scan data needs to be screened out. The log data contains a large amount of port-scan data, but such data is irrelevant to the analysis of attack behavior.
Identifying the attack type requires extracting the `src_ip` field from the log data to obtain the attack source address. For an IPv4 address, the field used to identify the attack type is selected according to the specific content of the log file. For an IPv6 address, the attack type is identified from the protocol field.
In operation S230, a plurality of real attack source addresses among the plurality of attack source addresses are determined according to the autonomous domain information and the latitude and longitude information.
In this embodiment of the present disclosure, in operation S230, determining a real attack source address in the multiple attack source addresses according to the autonomous domain information and the latitude and longitude information, includes: counting longitude and latitude information of a plurality of attack source addresses to obtain a plurality of first sets, wherein each first set comprises a plurality of first attack source addresses with the same longitude and latitude information; and respectively counting the autonomous domain information of a plurality of first attack source addresses in a plurality of first sets to obtain a plurality of second sets, wherein each second set comprises a plurality of real attack source addresses with the same longitude and latitude information and different autonomous domain information.
Illustratively, 10 attack source addresses A-J are obtained, comprising 5 IPv4 addresses A-E and 5 IPv6 addresses F-J. Counting the longitude and latitude information of the 10 attack source addresses yields two first sets S1 and S2. The first set S1 includes IPv4 addresses A-C and IPv6 addresses F-H; the first set S2 includes IPv4 addresses D-E and IPv6 addresses I-J. Counting the autonomous domain information of the attack source addresses in S1 and S2 respectively yields a second set S3. The second set S3 comprises the IPv4 address A and the IPv6 address F, whose longitude and latitude information is the same but whose autonomous domain information differs. Understandably, the IPv4 address A and the IPv6 address F launch attacks on the honeypot system from the same site at the same time, yet they do not use the same routing protocol. In this case, the attacks initiated by the IPv4 address A and the IPv6 address F can be considered real attacks, and the IPv4 address A and the IPv6 address F are real attack source addresses.
In operation S240, a plurality of real attack source addresses are managed according to a preset management rule.
In this embodiment of the present disclosure, in operation S240, according to a preset management rule, managing a plurality of real attack source addresses includes: respectively acquiring a plurality of attack times of a plurality of real attack source addresses attacking a plurality of honeypot systems; determining the priority of a plurality of real attack source addresses according to a plurality of attack times; and under the condition that the priority of the real attack source address is determined to meet the preset condition, managing the real attack source address through the firewall.
The attack times of the plurality of real attack source addresses to the honeypot system are counted, and the real attack source addresses with higher attack times to the honeypot system have higher priority. The real attack source with higher priority is the attack source address which needs to be managed intensively.
Illustratively, the plurality of real attack source addresses can be ranked according to the attack times, and the real attack source addresses ranked in the top 100 can be managed through the firewall. The real attack source address is written into the firewall through an application program interface of the firewall, and the firewall blocks the written real attack source address, so that attacks from that address are blocked.
For example, the plurality of real attack source addresses may be ranked according to the number of attacks by a quicksort function. An array is constructed from the attack times initiated by all real attack source addresses. A reference (pivot) is chosen and the array is divided into three sub-arrays; the position of each datum in its sub-array is determined relative to the reference and the datum is inserted directly at that position in the corresponding sub-array. Finally the three sub-arrays are spliced together. Through the quicksort function, a plurality of real attack source addresses can be ranked quickly, shortening the sorting time.
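Operations S220 to S240 carried through end to end as a worked example added here; it is not code from the patent or from CERNET. The log records, the AS/coordinate lookup table (`ENRICH`) and the `firewall_write` callback are constructed stand-ins for the honeypot logs, the AS/geolocation lookup and the firewall API, none of which the patent specifies.

```python
from collections import Counter, defaultdict

# Constructed honeypot log records (src_ip, attack_type); not real traffic.
# In a deployment the attack type is derived from the port/protocol fields.
SAMPLE_LOGS = [
    ("203.0.113.10", "ssh"),
    ("203.0.113.10", "ssh"),
    ("203.0.113.10", "mysql"),
    ("2001:db8::f", "ssh"),
    ("2001:db8::f", "ssh"),
    ("198.51.100.7", "portscan"),  # scan traffic, screened out in S220
    ("198.51.100.7", "ssh"),
    ("198.51.100.8", "ssh"),
    ("2001:db8::9", "mysql"),
    ("2001:db8::a", "ssh"),
]

# Constructed enrichment table ip -> (AS number, (lat, lon)). It stands in
# for the AS and geolocation lookups of S220; AS numbers come from the
# 64496-64511 documentation range and the coordinates are made up.
ENRICH = {
    "203.0.113.10": (64500, (39.90, 116.40)),
    "2001:db8::f":  (64501, (39.90, 116.40)),  # same place, other AS -> real
    "198.51.100.7": (64502, (31.23, 121.47)),
    "198.51.100.8": (64502, (31.23, 121.47)),  # same place, same AS -> not real
    "2001:db8::9":  (64503, (22.54, 114.06)),
    "2001:db8::a":  (64504, (22.54, 114.06)),  # same place, other AS -> real
}

# Attack types "with reference value" (the patent names SSH and database ports).
PRESET_ATTACK_TYPES = frozenset({"ssh", "mysql"})


def select_attacks(logs, preset_types=PRESET_ATTACK_TYPES):
    """S220, first half: keep only records of a preset attack type, which
    drops port-scan noise, and return per-address attack counts."""
    return Counter(ip for ip, kind in logs if kind in preset_types)


def build_first_sets(addresses, enrich):
    """S230, step one: group addresses by identical longitude/latitude."""
    first_sets = defaultdict(set)
    for ip in addresses:
        if ip in enrich:  # addresses the lookup cannot resolve are skipped
            first_sets[enrich[ip][1]].add(ip)
    return dict(first_sets)


def find_real_sources(first_sets, enrich):
    """S230, step two: within a first set, addresses sharing coordinates but
    carrying different AS numbers form the second set of real sources.
    A first set with a single AS number yields none."""
    real = set()
    for members in first_sets.values():
        if len({enrich[ip][0] for ip in members}) > 1:
            real.update(members)
    return real


def quicksort(items, key):
    """The three-way quicksort of S240: choose a reference (pivot), place
    each item in the sub-array below, equal to or above it, sort the outer
    two recursively and splice the three together."""
    if len(items) <= 1:
        return list(items)
    pivot = key(items[len(items) // 2])
    below = [x for x in items if key(x) < pivot]
    equal = [x for x in items if key(x) == pivot]
    above = [x for x in items if key(x) > pivot]
    return quicksort(below, key) + equal + quicksort(above, key)


def rank_real_sources(counts, real_sources, top_n=100):
    """S240: order real sources by attack count, highest first (ties broken
    by address so the result is deterministic), and keep the top_n."""
    entries = [(ip, counts[ip]) for ip in real_sources]
    return quicksort(entries, key=lambda e: (-e[1], e[0]))[:top_n]


def manage_attack_sources(logs, enrich, preset_types=PRESET_ATTACK_TYPES,
                          top_n=100, firewall_write=None):
    """Run S220-S240 end to end. firewall_write is a hypothetical stand-in
    for the firewall's API client; it receives the ranked addresses to block."""
    counts = select_attacks(logs, preset_types)
    real = find_real_sources(build_first_sets(counts, enrich), enrich)
    ranked = rank_real_sources(counts, real, top_n)
    if firewall_write is not None:
        firewall_write([ip for ip, _ in ranked])
    return ranked


if __name__ == "__main__":
    blocked = []
    for ip, n in manage_attack_sources(SAMPLE_LOGS, ENRICH, top_n=3,
                                       firewall_write=blocked.extend):
        print(f"{ip:16} attacks={n}")
    print("written to firewall:", blocked)
```

Note that 198.51.100.7 and 198.51.100.8 share coordinates but also share an AS number, so under the patent's rule they are not classed as real attack sources even though they hit the SSH bait.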
Optionally, the management method for attack source addresses further includes the following step: displaying the distribution of the real attack source addresses on a map according to the latitude and longitude information of the real attack source addresses.
The distribution of the real attack source addresses can be visualized through the Web server, which marks the real attack source addresses on a world map according to their geographic coordinate information.
The method for managing the attack source address can rapidly extract the real attack source addresses from massive log data and securely manage them. Because honeypot systems are deployed on a plurality of network segments of the data centers and attack source addresses are trapped through the honeypot systems, all access information that constitutes attack behavior can be acquired directly. Characteristic analysis of the access information in the log data is therefore not needed to determine which access information relates to attack behavior. As a result, the management method can acquire the latest attack information in time and analyze it quickly, so as to update the firewall's protection strategy promptly and ensure that the strategy remains effective.
Based on the management method of the attack source address, the disclosure also provides a management device of the attack source address. The apparatus will be described in detail below with reference to fig. 3.
Fig. 3 schematically shows a block diagram of the structure of a management apparatus for an attack source address according to an embodiment of the present disclosure.
As shown in fig. 3, the management apparatus 300 for an attack source address of this embodiment includes a first obtaining module 310, a second obtaining module 320, a determining module 330, and a management module 340.
The first obtaining module 310 is configured to obtain log data of a plurality of honeypot systems, where the log data includes a plurality of attack source addresses. In an embodiment, the first obtaining module 310 may be configured to perform the operation S210 described above, and is not described herein again.
The second obtaining module 320 is configured to obtain autonomous domain information and longitude and latitude information of the plurality of attack source addresses, respectively. In an embodiment, the second obtaining module 320 may be configured to perform the operation S220 described above, which is not described herein again.
The determining module 330 is configured to determine a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information. In an embodiment, the determining module 330 may be configured to perform the operation S230 described above, which is not described herein again.
According to an embodiment of the present disclosure, the first obtaining module 310 is specifically configured to simultaneously obtain, by a plurality of data collecting servers, a plurality of log data of a plurality of honeypot systems, respectively.
The second obtaining module 320 includes a first obtaining unit and a first determining unit. The first obtaining unit is used for respectively obtaining the attack types of a plurality of attack source addresses. The first determining unit is used for acquiring the autonomous domain information and the longitude and latitude information of the attack source address under the condition that the attack type of the attack source address is determined to be the preset attack type.
The determining module 330 includes a first statistical unit and a second statistical unit. The first statistical unit is used for counting the longitude and latitude information of the attack source addresses to obtain a plurality of first sets, and each first set comprises a plurality of first attack source addresses with the same longitude and latitude information. The second statistical unit is used for respectively counting the autonomous domain information of the first attack source addresses in the first sets to obtain a plurality of second sets, and each second set comprises a plurality of real attack source addresses with the same longitude and latitude information and different autonomous domain information.
The management module 340 includes a second obtaining unit, a second determining unit, and a third determining unit. The second obtaining unit is used for respectively obtaining a plurality of attack times of a plurality of real attack source addresses attacking a plurality of honeypot systems. The second determining unit is used for determining the priorities of the real attack source addresses according to the attack times. The third determining unit is used for managing the real attack source address through the firewall under the condition that the priority of the real attack source address is determined to meet the preset condition. The third determining unit is further specifically configured to write the real attack source address into the firewall through an application program interface of the firewall, so that the firewall blocks an attack of the real attack source address.
The device 300 for managing an attack source address further includes a display module, configured to display a distribution situation of real attack source addresses on a map according to longitude and latitude information of a plurality of real attack source addresses.
According to the embodiment of the present disclosure, any plurality of the first obtaining module 310, the second obtaining module 320, the determining module 330, and the managing module 340 may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the first obtaining module 310, the second obtaining module 320, the determining module 330, and the managing module 340 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or may be implemented in any one of three implementations of software, hardware, and firmware, or in a suitable combination of any of them. Alternatively, at least one of the first obtaining module 310, the second obtaining module 320, the determining module 330 and the managing module 340 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
Fig. 4 schematically shows a block diagram of an electronic device adapted to implement a method of managing an attack source address according to an embodiment of the disclosure.
As shown in fig. 4, an electronic device 400 according to an embodiment of the present disclosure includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the different actions of the method flows in accordance with embodiments of the present disclosure.
In the RAM 403, various programs and data necessary for the operation of the electronic apparatus 400 are stored. The processor 401, ROM 402 and RAM 403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 400 may also include an input/output (I/O) interface 405, input/output (I/O) interface 405 also being connected to bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A driver 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is mounted into the storage section 408 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code causes the computer system to implement the method for managing an attack source address provided by the embodiments of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 401. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, downloaded and installed through the communication section 409, and/or installed from the removable medium 411. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A method for managing an attack source address, comprising:
acquiring log data of a plurality of honeypot systems, wherein the log data comprises a plurality of attack source addresses;
respectively acquiring autonomous domain information and longitude and latitude information of the plurality of attack source addresses;
determining a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and
managing the plurality of real attack source addresses according to a preset management rule.
2. The management method of claim 1, wherein the determining a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information comprises:
counting the longitude and latitude information of the plurality of attack source addresses to obtain a plurality of first sets, wherein each first set comprises a plurality of first attack source addresses having the same longitude and latitude information; and
respectively counting the autonomous domain information of the plurality of first attack source addresses in each of the plurality of first sets to obtain a plurality of second sets, wherein each second set comprises a plurality of real attack source addresses having the same longitude and latitude information and different autonomous domain information.
3. The management method according to claim 1, wherein the respectively acquiring autonomous domain information and longitude and latitude information of the plurality of attack source addresses comprises:
respectively acquiring attack types of the plurality of attack source addresses; and
under the condition that the attack type of an attack source address is determined to be a preset attack type, acquiring the autonomous domain information and the longitude and latitude information of that attack source address.
4. The management method according to claim 1, wherein the managing the plurality of real attack source addresses according to a preset management rule comprises:
respectively acquiring the attack times of each of the plurality of real attack source addresses against the plurality of honeypot systems;
determining the priorities of the plurality of real attack source addresses according to the attack times; and
under the condition that the priority of a real attack source address is determined to meet a preset condition, managing that real attack source address through a firewall.
5. The management method of claim 4, wherein the managing the real attack source address through a firewall comprises:
writing the real attack source address into the firewall through an application program interface of the firewall, so that the firewall blocks attacks from the real attack source address.
6. The management method of claim 1, wherein the acquiring log data of a plurality of honeypot systems comprises:
simultaneously acquiring the log data of the plurality of honeypot systems through a plurality of data acquisition servers, respectively.
7. The management method of claim 1, wherein the method further comprises: displaying the distribution of the plurality of real attack source addresses on a map according to the latitude and longitude information of the plurality of real attack source addresses.
8. An apparatus for managing an attack source address, comprising:
a first acquisition module, configured to acquire log data of a plurality of honeypot systems, wherein the log data comprises a plurality of attack source addresses;
a second acquisition module, configured to respectively acquire autonomous domain information and longitude and latitude information of the plurality of attack source addresses;
a determining module, configured to determine a plurality of real attack source addresses in the plurality of attack source addresses according to the autonomous domain information and the latitude and longitude information; and
a management module, configured to manage the plurality of real attack source addresses according to a preset management rule.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the management method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the management method of any one of claims 1 to 7.
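The second-set construction of claims 2 and 3 and the priority-then-block management of the management module described above (claims 4 and 5), as an added Python example that is not part of the patent or its applicant's code. The honeypot log records, the AS/geolocation lookup table, the FirewallApi stub and the "at least min_attacks hits" priority condition are constructed assumptions, and the reading that a first set becomes a second set when its members come from at least two autonomous systems is this example's interpretation of claim 2.

```python
from collections import Counter, defaultdict

# Constructed honeypot log records: (honeypot id, attack source address, attack type).
HONEYPOT_LOGS = [
    ("hp1", "198.51.100.10", "ssh-bruteforce"),
    ("hp2", "198.51.100.10", "ssh-bruteforce"),
    ("hp3", "198.51.100.10", "http-scan"),
    ("hp1", "198.51.100.20", "ssh-bruteforce"),
    ("hp1", "203.0.113.5", "ssh-bruteforce"),
    ("hp2", "203.0.113.6", "ssh-bruteforce"),
    ("hp1", "192.0.2.77", "ssh-bruteforce"),
    ("hp2", "192.0.2.78", "icmp-ping"),
]

# Constructed table standing in for the AS and geolocation lookups (assumption):
# address -> (autonomous system, (latitude, longitude)).
GEO_ASN = {
    "198.51.100.10": ("AS64496", (31.23, 121.47)),
    "198.51.100.20": ("AS64497", (31.23, 121.47)),  # same place, different AS
    "203.0.113.5": ("AS64498", (39.90, 116.40)),
    "203.0.113.6": ("AS64498", (39.90, 116.40)),  # same place, same AS
    "192.0.2.77": ("AS64499", (22.54, 114.06)),  # alone at its place
    "192.0.2.78": ("AS64500", (22.54, 114.06)),  # never looked up: not a preset type
}

PRESET_ATTACK_TYPES = {"ssh-bruteforce", "http-scan"}


def second_sets(logs, lookup, preset_types=PRESET_ATTACK_TYPES):
    """Claims 2 and 3: look up AS and lat/lon only for addresses of a preset
    attack type, group them by lat/lon (first sets) and keep the groups whose
    members span at least two autonomous systems (second sets)."""
    first_sets = defaultdict(dict)
    for _, addr, atype in logs:
        if atype in preset_types and addr in lookup:
            asn, latlon = lookup[addr]
            first_sets[latlon][addr] = asn
    return {latlon: members for latlon, members in first_sets.items()
            if len(set(members.values())) > 1}


def real_attack_sources(logs, lookup):
    """The real attack source addresses are the members of all second sets."""
    return {a for members in second_sets(logs, lookup).values() for a in members}


def prioritize(logs, real_addrs):
    """Claim 4: priority is the number of honeypot hits, highest first."""
    counts = Counter(addr for _, addr, _ in logs if addr in real_addrs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


class FirewallApi:
    """Stand-in for the firewall's application program interface (assumption);
    it only records the addresses written to its block list."""
    def __init__(self):
        self.blocked = []

    def block(self, addr):
        self.blocked.append(addr)


def manage(logs, lookup, firewall, min_attacks):
    """Claims 4 and 5: write each real address whose priority meets the preset
    condition (assumed here: at least min_attacks hits) into the firewall."""
    for addr, hits in prioritize(logs, real_attack_sources(logs, lookup)):
        if hits >= min_attacks:
            firewall.block(addr)
    return list(firewall.blocked)
```

With the constructed data only the Shanghai-coordinate group spans two autonomous systems, so 203.0.113.5/6 (one AS) and 192.0.2.77 (alone) never reach the firewall even though they hit the honeypots.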
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111628564.6A CN114285663A (en) 2021-12-28 2021-12-28 Method, device, equipment and medium for managing attack source address

Publications (1)

Publication Number Publication Date
CN114285663A true CN114285663A (en) 2022-04-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination