CN114513371A - Attack detection method and system based on interactive data - Google Patents


Info

Publication number
CN114513371A
Authority
CN
China
Prior art keywords
data
information
time window
sending
determining
Legal status
Granted
Application number
CN202210408386.4A
Other languages
Chinese (zh)
Other versions
CN114513371B (en)
Inventor
董文强
王亮
颜昕明
Current Assignee
Guangzhou Wise Security Technology Co Ltd
Original Assignee
Guangzhou Wise Security Technology Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Abstract

An embodiment of the invention discloses an attack detection method and system based on interactive data. The method comprises: recording first data sending information and first data receiving information; determining a data receiving time window according to the first data sending information, and a data sending time window according to the first data receiving information; acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window; and determining, from the second data sending information and the second data receiving information, whether the device has been attacked, and controlling data communication with other devices in response to a determination that an attack has occurred. With this scheme, attacks introduced on the data transmission link can be detected efficiently, the protection level of the security chip is raised, and the security of data storage and transmission is ensured.

Description

Attack detection method and system based on interactive data
Technical Field
The embodiment of the application relates to the technical field of chips, in particular to an attack detection method and system based on interactive data.
Background
With the development of internet and hardware technology, the role of information security in human life is more and more important, and thus the requirements on information security chip products are higher and higher. The safety chip is a device which can independently generate a secret key, encrypt and decrypt, is internally provided with an independent processor and a storage unit, can store the secret key and the characteristic data, and provides encryption and safety authentication services for data information. The safety chip supports a designated symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and a hash algorithm, and simultaneously supports other international general cryptographic algorithms. The safety chip integrates a high-speed safety encryption algorithm and a communication interface, and adopts a unique data stream encryption and decryption processing mechanism to realize the synchronous encryption and decryption functions of the high-speed data stream.
In existing chip attack detection methods, physical attacks are mostly detected by an additional detection circuit. For example, patent CN111670366A discloses a voltage attack detection circuit and a chip, where the voltage attack detection circuit includes a first programmable resistor and a second programmable resistor: a first end of the first programmable resistor is connected to a supply voltage, a second end of the first programmable resistor is connected to ground through the second programmable resistor, the first end outputs a first voltage, and the second end outputs a second voltage; and a voltage detection circuit that receives the first voltage and a first reference voltage and outputs a first signal indicating whether the first voltage is greater than or equal to the first reference voltage, and that further receives the second voltage and a second reference voltage and outputs a second signal indicating whether the second voltage is less than or equal to the second reference voltage. Although detection by a hardware circuit works well against physical attacks, it cannot directly detect software-based attacks. Existing detection methods against software attacks mostly rely on complex algorithms operating on the data to ensure information security; this consumes a large amount of computing power and is unfavourable for deployment on distributed mobile devices.
Disclosure of Invention
The embodiment of the invention provides an attack detection method and system based on interactive data, which can be used for efficiently detecting the attack behavior caused in a data transmission link, increasing the protection level of a security chip and ensuring the security of data storage and transmission.
In a first aspect, an embodiment of the present invention provides an attack detection method based on interactive data, where the method includes:
in the process of data communication with other equipment, recording first data sending information and first data receiving information, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type;
determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information;
acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window;
and determining, from the second data sending information and the second data receiving information, whether the device has been attacked, and controlling data communication with other devices in response to a determination that an attack has occurred.
Optionally, the determining a data receiving time window according to the first data sending information includes:
if the first data sending information is recorded as first encrypted information, determining the encryption algorithm of the first encrypted information and the process that generated it;
determining the data receiving time window according to the encryption algorithm, the process, and the encryption algorithm information of the receiving device.
Optionally, the determining a data sending time window according to the first data receiving information includes:
if the first data receiving information is recorded as second encrypted information, determining a decryption algorithm of the second encrypted information and a corresponding data buffer queue;
and determining a data sending time window according to the decryption algorithm and the data buffering condition of the data buffering queue.
Optionally, the determining whether an attack has occurred according to the second data sending information and the second data receiving information includes:
performing data transceiving statistics according to the second data sending information and the second data receiving information;
and determining whether an attack has occurred according to the data transceiving statistics.
Optionally, the determining whether an attack has occurred according to the data transceiving statistics includes:
if the statistics show that the second data receiving information corresponding to the first data sending information was not received within the data receiving window, or that the second data sending information corresponding to the first data receiving information was not sent within the data sending window, determining that an attack has occurred.
Optionally, during data communication with other devices, the encryption algorithm information of each communication device is determined according to the encryption algorithm used when data is sent to other communication devices.
Optionally, the determining the encryption algorithm information of each communication device according to the encryption algorithm used when sending data to other communication devices includes:
encryption algorithm information of each communication device is determined separately according to the class, security level, and complexity of an encryption algorithm used when transmitting data to other communication devices.
In a second aspect, an embodiment of the present invention further provides an attack detection apparatus based on interactive data, including:
the data recording module is configured to record first data sending information and first data receiving information in the process of data communication with other equipment, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type;
a time window determining module configured to determine a data receiving time window according to the first data transmitting information, and determine a data transmitting time window according to the first data receiving information;
the data statistics module is configured to acquire second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window;
and an attack judging module configured to determine, from the second data sending information and the second data receiving information, whether an attack has occurred, and to control data communication with other devices in response to a determination that an attack has occurred.
In a third aspect, an embodiment of the present invention further provides an attack detection device based on interactive data, where the device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the attack detection method based on the interaction data according to the embodiment of the invention.
In a fourth aspect, the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for attack detection based on interaction data according to the present invention.
In a fifth aspect, the present application further provides a computer program product, where the computer program product includes a computer program, where the computer program is stored in a computer-readable storage medium, and at least one processor of the device reads from the computer-readable storage medium and executes the computer program, so that the device executes the attack detection method based on interaction data according to the present application.
In the embodiment of the invention, in the process of data communication with other equipment, first data sending information and first data receiving information are recorded, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type; determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information; acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window; and determining whether the attack is carried out or not according to the second data transmission information and the second data receiving information, and controlling data communication with other equipment in response to the judgment result of the attack. According to the scheme, the attack behavior caused in the data transmission link can be efficiently detected, the protection level of the security chip is increased, and the security of data storage and transmission is ensured.
Drawings
Fig. 1 is a flowchart of an attack detection method based on interactive data according to an embodiment of the present invention;
fig. 2 is a schematic diagram of determining different data receiving time windows according to an embodiment of the present invention;
fig. 3 is a flowchart of another attack detection method based on interactive data according to an embodiment of the present invention;
fig. 4 is a block diagram of an attack detection apparatus based on interactive data according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that embodiments of the application may be practiced in sequences other than those illustrated or described herein, and that the terms "first," "second," and the like are generally used herein in a generic sense and do not limit the number of terms, e.g., the first term can be one or more than one. In addition, "and/or" in the specification and claims means at least one of connected objects, a character "/" generally means that a preceding and succeeding related objects are in an "or" relationship.
Fig. 1 is a flowchart of an attack detection method based on interactive data according to an embodiment of the present invention, which specifically includes the following steps:
step S101, in the process of data communication with other equipment, recording first data sending information and first data receiving information, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type.
After the terminal device containing the security chip is started, its data communication state is monitored. For example, whether the terminal device is currently communicating with other devices may be determined from the transceiving state of the communication module or by listening on the communication port.
When data communication with other equipment is determined, first data sending information and first data receiving information are recorded, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type. The first data sending information is information determined according to data sent by current terminal equipment; the first data reception information is information determined according to data currently received by the terminal device. The first data transmission information and the first data reception information may be information generated by recording for one or more data packets individually.
In one embodiment, the record of data sending information contains the sending data type and the encryption algorithm information of the corresponding receiving device, and the record of data receiving information contains the receiving data type. The sending data type and receiving data type can be divided in several ways; in this scheme they are preferably divided according to whether the sent or received data is encrypted. If the sent or received data is encrypted, the type recorded in the corresponding sending or receiving data information is, for example, the encrypted-data type.
In one embodiment, the encryption algorithm information is indicative of data encryption with other devices with which the current terminal device is communicating. Specifically, in the course of performing data communication with other devices, encryption algorithm information of each communication device is determined based on an encryption algorithm used when transmitting data to the other communication devices, respectively. In one embodiment, the determining encryption algorithm information of each communication device separately according to an encryption algorithm used when transmitting data to other communication devices includes: the encryption algorithm information of each communication device is determined according to the class, security level and complexity of the encryption algorithm used when transmitting data to other communication devices, respectively. Such as recording the category, security level, and complexity of the encryption algorithm, respectively, in the encryption algorithm information. The category of the encryption algorithm can comprise an asymmetric encryption algorithm, a symmetric encryption algorithm, a hash algorithm and the like, the security level can be obtained according to the security evaluation results of different algorithms by industry standards, and the complexity can be calibrated according to the specific complexity of different algorithms, such as high, medium and low complexity. In other words, in the present embodiment, in the recording of the data transmission information, in addition to the transmission data type, the encryption algorithm information of the corresponding receiving device is further recorded.
Step S102, determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information.
In one embodiment, when performing attack detection, a data receiving time window is determined according to the first data sending information, and a data sending time window is determined according to the first data receiving information. The data receiving time window and the data sending time window are determined time intervals, such as [Tr1, Tr2] and [Ts1, Ts2], respectively.
Optionally, determining the data receiving time window according to the first data sending information includes: if the first data sending information is recorded as first encrypted information, determining the encryption algorithm of the first encrypted information and the process that generated it; and determining the data receiving time window according to the encryption algorithm, the process, and the encryption algorithm information of the receiving device. Specifically, when the sent data is determined to be encrypted information, the encryption algorithm used and the process that generated the encrypted information are determined. Examples of the algorithms recorded include AES, DES, 3DES, RSA, DSA, ECC, MD5, SHA1, HMAC and the like. In one embodiment, when the terminal device runs different functional scenarios, separate processes are created to encrypt and send the data, each process corresponding to a different functional program, for example a vehicle networking program or a security camera program. Preferably, the receiving time window is determined by combining the encryption algorithm of the data sending information, the process state, and the encryption algorithm information of the receiving device; different encryption algorithms, process states and receiving-device encryption algorithm information yield different data receiving time windows. Taking [Tr1, Tr2] as an example, Tr1 represents the start time for receiving data, and the interval [Tr1, Tr2] is the span of time over which the subsequent data statistics are taken.
In one embodiment, the more complex the encryption algorithm, the more complex the corresponding decryption on the receiving device, and the later Tr1 falls after the sending time; the higher the delay-response grade of the program function corresponding to the process, the larger Tr2, that is, the wider the interval [Tr1, Tr2]; and, taking the security level as the recorded content of the receiving device's encryption algorithm information, the higher that security level, the larger Tr1. Fig. 2 is a schematic diagram of different data receiving time windows determined according to an embodiment of the present invention: the data sending time point is 1021, and for data sent at that point, different recorded first data sending information yields, for example, window 1022 and window 1023, whose start times and lengths differ.
Optionally, determining the data sending time window according to the first data receiving information includes: if the first data receiving information is recorded as second encrypted information, determining the decryption algorithm of the second encrypted information and the corresponding data buffer queue; and determining the data sending time window according to the decryption algorithm and the buffering state of the data buffer queue. Specifically, different decryption algorithms have different processing times: the more complex the decryption algorithm, the longer the data takes to process. Taking the final data sending time window as [Ts1, Ts2], each decryption algorithm corresponds to its own T value; for example, the T value for the DES algorithm is recorded as Tdes. The buffering state of the data buffer queue includes the buffer occupancy, and different occupancies correspond to different T values; for an occupancy of 50% the corresponding T value is T0.5. Tdes and T0.5 are specific time values. Taking the timestamp of the received data as Tm, Ts1 = (Tm + Tdes + T0.5) × 0.8 and Ts2 = (Tm + Tdes + T0.5) × 2.
On the basis of the technical scheme, if the determined data receiving information and the determined data sending information are non-encrypted information, the determination of the time window and the subsequent attack detection process are not correspondingly carried out.
Step S103, acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window.
In one embodiment, after the data receiving time window and the data sending time window are determined, the interactive data in the data receiving time window and the data sending time window are obtained, and the sum of the interactive data is counted.
And step S104, determining whether the equipment is attacked or not according to the second data transmission information and the second data receiving information, and controlling data communication with other equipment in response to the judgment result of the attacked behavior.
In one embodiment, the determining whether to be attacked according to the second data transmission information and the second data reception information includes: performing data transceiving statistics according to the second data sending information and the second data receiving information; and determining whether the attack behavior is suffered according to the data receiving and sending statistical result. Specifically, the determining whether the attack behavior is suffered according to the data transceiving statistical result includes: and if the statistics result shows that the second data receiving information corresponding to the first data sending information is not received in the data receiving window, or the statistics result shows that the second data sending information corresponding to the first data receiving information is not received in the data sending window, determining the attacked behavior. The second data receiving information corresponding to the first data sending information may be response feedback information of the first data sending information, or information obtained after processing operation is performed on the opposite terminal device based on the first data sending information; the second data sending information corresponding to the first data receiving information is information of a result which is obtained by performing corresponding processing based on the first data receiving information and needs to be sent to the opposite terminal.
In one embodiment, data communication with other devices is controlled in response to the determination that an attack has occurred. Specifically, if the statistics show that the second data receiving information corresponding to the first data sending information was not received within the data receiving window, the communication connection between the terminal device and all other devices is disconnected; and if they show that the second data sending information corresponding to the first data receiving information was not sent within the data sending window, the network communication link between the terminal device and all other devices is disconnected.
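Steps S101 to S104 as an added Python model, not the patent's own code or any product implementation: `SendRecord` and `ReceiveRecord` stand for the first sending and receiving information, `receive_window` and `send_window` apply the window rules of step S102 (monotonic in algorithm complexity, receiver security level and process delay grade, and the (Tm + Tdes + T0.5) form of the send window, reading the text's 0.8 and 2 as scale factors), and `detect` performs the in-window statistics of S103/S104 and names the disconnect action. Every numeric constant, the message-id correlation between first and second information, and the sample interactions are constructed assumptions.

```python
"""Model of the interaction-data attack detection of steps S101 to S104.

Added illustration, not the patent's code. Every numeric constant below is a
constructed assumption that only makes the text's rules concrete. Timestamps
are seconds since the session began, so the text's scaling by 0.8 and 2 stays
meaningful.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed seconds of work per encryption-algorithm complexity class: a more
# complex cipher means the peer decrypts more slowly, so Tr1 moves later.
ALGO_DELAY = {"low": 0.05, "medium": 0.20, "high": 0.60}
# Assumed extra delay for the receiver's recorded security level
# (higher level -> larger Tr1, as the text states).
SECURITY_LEVEL_OFFSET = {1: 0.00, 2: 0.10, 3: 0.25}
# Assumed receive-window width per delay-response grade of the process that
# produced the data (higher grade -> larger Tr2).
DELAY_GRADE_WIDTH = {1: 0.5, 2: 1.0, 3: 2.0}
# Assumed decryption time per algorithm (the text's Tdes for DES) and the
# assumed delay per unit of buffer-queue occupancy (0.5 -> T0.5 = 0.10 s).
DECRYPT_DELAY = {"AES": 0.10, "DES": 0.15, "3DES": 0.30, "RSA": 0.80}
BUFFER_DELAY_PER_UNIT = 0.20


@dataclass
class SendRecord:
    """First data sending information (S101)."""
    msg_id: str
    ts: float
    encrypted: bool
    algo_complexity: str = "low"       # complexity class of the cipher used
    process_delay_grade: int = 1       # delay-response grade of the sending process
    receiver_security_level: int = 1   # encryption algorithm info of the receiver


@dataclass
class ReceiveRecord:
    """First data receiving information (S101); ts is the text's Tm."""
    msg_id: str
    ts: float
    encrypted: bool
    decrypt_algo: str = "AES"
    buffer_occupancy: float = 0.0      # fraction of the data buffer queue in use


# Second data information observed on the link: (msg_id, timestamp) pairs.
Events = List[Tuple[str, float]]


def receive_window(rec: SendRecord) -> Tuple[float, float]:
    """[Tr1, Tr2] in which the reply to an encrypted send is expected (S102)."""
    tr1 = (rec.ts + ALGO_DELAY[rec.algo_complexity]
           + SECURITY_LEVEL_OFFSET[rec.receiver_security_level])
    tr2 = tr1 + DELAY_GRADE_WIDTH[rec.process_delay_grade]
    return tr1, tr2


def send_window(rec: ReceiveRecord) -> Tuple[float, float]:
    """[Ts1, Ts2] in which our reply to encrypted input is expected (S102),
    following the text's form Ts = (Tm + Tdes + T0.5) scaled by 0.8 and by 2."""
    base = (rec.ts + DECRYPT_DELAY[rec.decrypt_algo]
            + BUFFER_DELAY_PER_UNIT * rec.buffer_occupancy)
    return base * 0.8, base * 2.0


def seen_in_window(msg_id: str, events: Events, window: Tuple[float, float]) -> bool:
    """True if a second-information event for msg_id falls inside the window."""
    lo, hi = window
    return any(mid == msg_id and lo <= t <= hi for mid, t in events)


def detect(first_sends: List[SendRecord], first_receives: List[ReceiveRecord],
           second_receives: Events, second_sends: Events) -> Dict[str, object]:
    """S103/S104: count matching second information inside each window and
    decide. Unencrypted records get no window and are skipped, as the text says."""
    missing_replies = [s.msg_id for s in first_sends if s.encrypted
                       and not seen_in_window(s.msg_id, second_receives, receive_window(s))]
    missing_sends = [r.msg_id for r in first_receives if r.encrypted
                     and not seen_in_window(r.msg_id, second_sends, send_window(r))]
    attacked = bool(missing_replies or missing_sends)
    return {
        "attacked": attacked,
        "missing_replies": missing_replies,
        "missing_sends": missing_sends,
        # Control action named in the text: drop the links to all other devices.
        "action": "disconnect_all" if attacked else "continue",
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed sample: a healthy exchange, then the same with a late reply."""
    sends = [SendRecord("q1", 1.0, True, "medium", 2, 2),    # window [1.30, 2.30]
             SendRecord("q2", 3.0, False)]                    # plaintext: no window
    receives = [ReceiveRecord("p1", 2.0, True, "DES", 0.5)]  # window [1.80, 4.50]
    healthy = detect(sends, receives, [("q1", 1.6)], [("p1", 2.5)])
    late = detect(sends, receives, [("q1", 2.9)], [("p1", 2.5)])  # reply after Tr2
    return healthy, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The plaintext record `q2` never receives a reply yet does not trigger detection, which is the behaviour the text specifies for unencrypted data; only encrypted exchanges get a window and a verdict.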
As can be seen from the above, in the process of performing data communication with other devices, first data sending information and first data receiving information are recorded, where the first data sending information includes a sending data type and encryption algorithm information of a corresponding receiving device, and the first data receiving information includes a receiving data type; a data receiving time window is determined according to the first data sending information, and a data sending time window according to the first data receiving information; second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window are acquired; and whether the device has been attacked is determined from the second data sending information and the second data receiving information, with data communication with other devices controlled in response to a determination that an attack has occurred. In this scheme, corresponding time windows are set for the sent and received data information, and transceiving statistics are gathered within those windows to detect attacks: when the expected sending or receiving does not occur within the set window, an attack is determined to have occurred. Attacks on the security chip of the terminal device can thus be detected efficiently in the data transmission link, the protection level of the security chip is raised, and the security of data storage and transmission is ensured.
On the basis of the above technical scheme, the interactive-data attack detection method can be enabled or disabled by a configured security command. If the detection is enabled by a security command at some point during data communication and the function is later disabled, the detection set out in this scheme is no longer performed after that point.
Fig. 3 is a flowchart of another attack detection method based on interactive data according to an embodiment of the present invention. On the basis of the above technical solution, a preferred example is given, as shown in fig. 3, specifically including:
step S301, in the process of performing data communication with other devices, recording first data transmission information and first data reception information, where the first data transmission information includes a transmission data type and encryption algorithm information of a corresponding reception device, and the first data reception information includes a reception data type.
Step S302, if the first data sending information is recorded as first encrypted information, determining the encryption algorithm of the first encrypted information and the process that generated it.
Step S303, determining a data receiving time window according to the encryption algorithm, the process and the encryption algorithm information of the receiving device.
Step S304, if the first data receiving information is recorded as second encryption information, determining a decryption algorithm of the second encryption information and a corresponding data buffer queue.
Step S305, determining a data sending time window according to the decryption algorithm and the data buffering condition of the data buffering queue.
Step S306, obtaining the second data receiving information received in the data receiving time window, and the second data sending information sent in the data sending time window.
Step S307, performing data transceiving statistics according to the second data sending information and the second data receiving information, and if the statistics show that the second data receiving information corresponding to the first data sending information was not received within the data receiving window, or that the second data sending information corresponding to the first data receiving information was not sent within the data sending window, determining that an attack has occurred.
As can be seen from the above, in the process of performing data communication with other devices, first data transmission information and first data reception information are recorded, where the first data transmission information includes a transmission data type and encryption algorithm information of a corresponding reception device, and the first data reception information includes a reception data type; determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information; acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window; and determining whether the equipment is attacked or not according to the second data transmission information and the second data receiving information, and controlling data communication with other equipment in response to the judgment result of the attacked action. According to the scheme, the corresponding time windows are set for the sent data information and the received data information, statistics of data receiving and sending is carried out in the time windows to detect the attack behaviors, efficient detection can be carried out on the attack behaviors of the current terminal equipment security chip in the data transmission link and the current terminal equipment security chip, when the fact that corresponding data receiving and sending do not exist in the set time windows is found, the attack behaviors are determined to be received, the protection level of the security chip is increased, and the security of data storage and transmission is guaranteed.
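The seven steps above, modelled as an added example in Python (not code from the patent or its applicant): the receiving and sending windows are derived from constructed cost tables that stand in for the encryption algorithm, the generating process, the peer's algorithm information and the buffer queue state, and the S307 check flags every closed window whose counterpart message was not observed inside it. All algorithm names, cost values and sample traffic are assumptions made for the illustration.

```python
"""Added example (not code from the patent): a minimal model of the window-based
transceiving check in steps S301 to S307. All cost tables and sample traffic
are constructed assumptions for illustration, not values from the patent."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed per-message costs (ms) of each encryption/decryption algorithm and of
# the process that produced the ciphertext, plus a multiplier standing in for the
# receiving device's recorded algorithm information (class, level, complexity).
ALGO_COST_MS = {"aes-128-gcm": 5.0, "aes-256-gcm": 8.0, "rsa-2048": 40.0}
PROCESS_COST_MS = {"firmware": 10.0, "application": 25.0}
PEER_FACTOR = {"low": 1.0, "medium": 1.5, "high": 2.5}
BUFFER_SLOT_MS = 2.0  # assumed time to drain one queued item before we can send


@dataclass
class Record:
    """One recorded message and the window in which its counterpart is expected:
    for sent data the reply must be received in it, for received data our reply
    must be sent in it. counterpart_at stays None until that event is observed."""
    at: float
    window: Tuple[float, float]
    counterpart_at: Optional[float] = None

    def satisfied(self) -> bool:
        lo, hi = self.window
        return self.counterpart_at is not None and lo <= self.counterpart_at <= hi


def receive_window(sent_at, algo, process, peer_level) -> Tuple[float, float]:
    """Step S303: receiving window from the encryption algorithm, the generating
    process and the receiving device's algorithm information."""
    budget = (ALGO_COST_MS[algo] + PROCESS_COST_MS[process]) * PEER_FACTOR[peer_level]
    return (sent_at, sent_at + budget)


def send_window(received_at, decrypt_algo, queue_depth) -> Tuple[float, float]:
    """Step S305: sending window from the decryption algorithm and the number of
    items already waiting in the data buffer queue."""
    budget = ALGO_COST_MS[decrypt_algo] + BUFFER_SLOT_MS * queue_depth
    return (received_at, received_at + budget)


class TransceiveMonitor:
    """Records both directions (S301, S304) and evaluates them (S306, S307)."""

    def __init__(self) -> None:
        self.sent: Dict[str, Record] = {}      # first data sending information
        self.received: Dict[str, Record] = {}  # first data receiving information

    def record_send(self, msg_id, t, algo, process, peer_level) -> None:
        self.sent[msg_id] = Record(t, receive_window(t, algo, process, peer_level))

    def record_receive(self, msg_id, t, decrypt_algo, queue_depth) -> None:
        self.received[msg_id] = Record(t, send_window(t, decrypt_algo, queue_depth))

    def note_reply_received(self, msg_id, t) -> None:
        if msg_id in self.sent and self.sent[msg_id].counterpart_at is None:
            self.sent[msg_id].counterpart_at = t

    def note_reply_sent(self, msg_id, t) -> None:
        if msg_id in self.received and self.received[msg_id].counterpart_at is None:
            self.received[msg_id].counterpart_at = t

    def evaluate(self, now: float) -> List[Tuple[str, str]]:
        """Step S307: a window that has closed without its counterpart is an attack
        indication; windows still open at `now` are not judged yet."""
        alerts: List[Tuple[str, str]] = []
        for msg_id, rec in self.sent.items():
            if now > rec.window[1] and not rec.satisfied():
                alerts.append(("no_reply_in_receive_window", msg_id))
        for msg_id, rec in self.received.items():
            if now > rec.window[1] and not rec.satisfied():
                alerts.append(("no_send_in_send_window", msg_id))
        return alerts


def demo(now: float = 200.0) -> List[Tuple[str, str]]:
    """Constructed traffic: a healthy exchange in each direction, one request whose
    reply never arrives, and one received message answered after its window."""
    m = TransceiveMonitor()
    m.record_send("req-1", 0.0, "aes-128-gcm", "firmware", "medium")  # window (0, 22.5)
    m.note_reply_received("req-1", 12.0)                                # in window
    m.record_send("req-2", 5.0, "rsa-2048", "application", "high")     # window (5, 167.5)
    m.record_receive("in-1", 3.0, "aes-256-gcm", 4)                     # window (3, 19)
    m.note_reply_sent("in-1", 10.0)                                     # in window
    m.record_receive("in-2", 30.0, "aes-128-gcm", 0)                    # window (30, 35)
    m.note_reply_sent("in-2", 50.0)                                     # late
    return m.evaluate(now)
```

Evaluating at an earlier instant, for example `demo(100.0)`, reports only the late reply, since the window for `req-2` is still open then.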
Fig. 4 is a block diagram of the structure of an attack detection apparatus based on interactive data according to an embodiment of the present invention. The apparatus is configured to execute the attack detection method based on interactive data of the data receiving end embodiment, and has the functional modules and beneficial effects corresponding to that method. As shown in fig. 4, the apparatus specifically includes a data recording module 101, a time window determining module 102, a data statistics module 103 and an attack judging module 104, where:
the data recording module 101 is configured to record first data sending information and first data receiving information during data communication with other devices, where the first data sending information includes the sending data type and the encryption algorithm information of the corresponding receiving device, and the first data receiving information includes the receiving data type;
the time window determining module 102 is configured to determine a data receiving time window according to the first data sending information, and a data sending time window according to the first data receiving information;
the data statistics module 103 is configured to obtain the second data receiving information received within the data receiving time window and the second data sending information sent within the data sending time window;
and the attack judging module 104 is configured to determine, from the second data sending information and the second data receiving information, whether the device has been attacked, and to control data communication with the other devices according to the result of that determination.
According to this scheme, during data communication with other devices, first data sending information and first data receiving information are recorded, where the first data sending information includes the sending data type and the encryption algorithm information of the corresponding receiving device, and the first data receiving information includes the receiving data type; a data receiving time window is determined from the first data sending information and a data sending time window from the first data receiving information; the second data receiving information received within the data receiving time window and the second data sending information sent within the data sending time window are obtained; and whether the device has been attacked is determined from the second data sending information and the second data receiving information, with data communication with the other devices controlled according to the result. In this way, attacks introduced on the data transmission link can be detected efficiently, the protection level of the security chip is raised, and the security of data storage and transmission is ensured. The specific method functions executed by the modules are as follows:
In one possible embodiment, determining a data receiving time window according to the first data sending information includes:
if the first data sending information is recorded as first encrypted information, determining the encryption algorithm of the first encrypted information and the process that generated the first encrypted information;
determining the data receiving time window according to that encryption algorithm, that process, and the encryption algorithm information of the receiving device.
In one possible embodiment, determining a data sending time window according to the first data receiving information includes:
if the first data receiving information is recorded as second encrypted information, determining the decryption algorithm of the second encrypted information and the corresponding data buffer queue;
determining the data sending time window according to the decryption algorithm and the buffering state of the data buffer queue.
In a possible embodiment, determining whether the device has been attacked according to the second data sending information and the second data receiving information includes:
performing data transceiving statistics on the second data sending information and the second data receiving information;
determining whether an attack has occurred according to the data transceiving statistics.
In a possible embodiment, determining whether an attack has occurred according to the data transceiving statistics includes:
if the statistics show that no second data receiving information corresponding to the first data sending information was received within the data receiving window, or that no second data sending information corresponding to the first data receiving information was sent within the data sending window, determining that an attack has occurred.
In one possible embodiment, during data communication with other devices, the encryption algorithm information of each communication device is determined separately according to the encryption algorithm used when sending data to that communication device.
In one possible embodiment, determining the encryption algorithm information of each communication device according to the encryption algorithm used when sending data to other communication devices includes:
determining the encryption algorithm information of each communication device separately according to the class, security level and complexity of the encryption algorithm used when sending data to that communication device.
Fig. 5 is a schematic structural diagram of an attack detection apparatus based on interaction data according to an embodiment of the present invention, as shown in fig. 5, the apparatus includes a processor 201, a memory 202, an input device 203, and an output device 204; the number of the processors 201 in the device may be one or more, and one processor 201 is taken as an example in fig. 5; the processor 201, the memory 202, the input device 203 and the output device 204 in the apparatus may be connected by a bus or other means, and fig. 5 illustrates the connection by a bus as an example. The memory 202 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the attack detection method based on interaction data in the embodiment of the present invention. The processor 201 executes various functional applications and data processing of the device by running software programs, instructions and modules stored in the memory 202, that is, implements the attack detection method based on the interactive data. The input device 203 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the apparatus. The output device 204 may include a display device such as a display screen.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for interactive data-based attack detection, the method including:
in the process of data communication with other equipment, recording first data sending information and first data receiving information, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type;
determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information;
acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window;
and determining, from the second data sending information and the second data receiving information, whether the device has been attacked, and controlling data communication with the other devices according to the result of that determination.
From the above description of the embodiments, it is obvious to those skilled in the art that the embodiments of the present invention can be implemented by software together with the necessary general-purpose hardware, and certainly can also be implemented purely in hardware, but the former is the better implementation in many cases. On this understanding, the technical solutions of the embodiments of the present invention may be embodied in the form of a software product stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH memory, a hard disk or an optical disk of a computer, which includes several instructions that cause a computer device (which may be a personal computer, a server, or a network device) to perform the methods described in the embodiments of the present invention.
It should be noted that, in the embodiment of the attack detection apparatus based on interactive data, each unit and each module included in the above-mentioned embodiment are only divided according to functional logic, but are not limited to the above-mentioned division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the embodiment of the invention.
In some possible embodiments, various aspects of the methods provided by the present application may also be implemented in a form of a program product including program code for causing a computer device to perform the steps in the methods according to various exemplary embodiments of the present application described above in this specification when the program product runs on the computer device, for example, the computer device may perform the attack detection method based on interactive data described in the embodiments of the present application. The program product may be implemented using any combination of one or more readable media.
It should be noted that the foregoing is only a preferred embodiment of the present invention and the technical principles applied. Those skilled in the art will appreciate that the embodiments of the present invention are not limited to the specific embodiments described herein, and that various obvious changes, adaptations, and substitutions are possible, without departing from the scope of the embodiments of the present invention. Therefore, although the embodiments of the present invention have been described in more detail through the above embodiments, the embodiments of the present invention are not limited to the above embodiments, and many other equivalent embodiments may be included without departing from the concept of the embodiments of the present invention, and the scope of the embodiments of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An attack detection method based on interactive data is characterized by comprising the following steps:
in the process of data communication with other equipment, recording first data sending information and first data receiving information, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type;
determining a data receiving time window according to the first data sending information, and determining a data sending time window according to the first data receiving information;
acquiring second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window;
and determining, from the second data transmission information and the second data receiving information, whether the device has been attacked, and controlling data communication with the other devices according to the result of that determination.
2. The attack detection method based on interactive data according to claim 1, wherein the determining a data receiving time window according to the first data transmission information comprises:
if the first data transmission information is recorded as first encrypted information, determining an encryption algorithm of the first encrypted information and a process that generated the first encrypted information;
determining the data receiving time window according to the encryption algorithm, the process, and the encryption algorithm information of the receiving device.
3. The attack detection method based on interactive data according to claim 1, wherein the determining a data transmission time window according to the first data receiving information comprises:
if the first data receiving information is recorded as second encrypted information, determining a decryption algorithm of the second encrypted information and a corresponding data buffer queue;
and determining a data sending time window according to the decryption algorithm and the data buffering condition of the data buffering queue.
4. The attack detection method based on interactive data according to any one of claims 1 to 3, wherein the determining whether the device has been attacked according to the second data transmission information and the second data reception information comprises:
performing data transceiving statistics according to the second data sending information and the second data receiving information;
and determining whether the attack behavior is suffered according to the data receiving and sending statistical result.
5. The attack detection method based on interactive data according to claim 4, wherein the determining whether an attack has occurred according to the data transceiving statistical result comprises:
if the statistical result shows that the second data receiving information corresponding to the first data sending information was not received within the data receiving window, or that the second data sending information corresponding to the first data receiving information was not sent within the data sending window, determining that an attack has occurred.
6. The attack detection method based on interactive data according to claim 1, wherein, during data communication with other devices, the encryption algorithm information of each communication device is determined separately according to the encryption algorithm used when transmitting data to that communication device.
7. The attack detection method based on interactive data according to claim 6, wherein the determining encryption algorithm information of each communication device separately according to the encryption algorithm used when transmitting data to other communication devices comprises:
encryption algorithm information of each communication device is determined separately according to the class, security level, and complexity of an encryption algorithm used when transmitting data to other communication devices.
8. An attack detection device based on interactive data, comprising:
the data recording module is configured to record first data sending information and first data receiving information in a data communication process with other equipment, wherein the first data sending information comprises a sending data type and encryption algorithm information of corresponding receiving equipment, and the first data receiving information comprises a receiving data type;
a time window determining module configured to determine a data receiving time window according to the first data transmitting information, and determine a data transmitting time window according to the first data receiving information;
the data statistics module is configured to acquire second data receiving information received in the data receiving time window and second data sending information sent in the data sending time window;
and the attack judging module is configured to determine, from the second data sending information and the second data receiving information, whether the device has been attacked, and to control data communication with the other devices according to the result of that determination.
9. An attack detection device based on interaction data, the device comprising: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of interactive data based attack detection as claimed in any one of claims 1 to 7.
10. A storage medium containing computer-executable instructions for performing a method of interaction data based attack detection according to any one of claims 1-7 when executed by a computer processor.
CN202210408386.4A 2022-04-19 2022-04-19 Attack detection method and system based on interactive data Active CN114513371B (en)


Publications (2)

Publication Number Publication Date
CN114513371A true CN114513371A (en) 2022-05-17
CN114513371B CN114513371B (en) 2022-07-12

Family

ID=81555156





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant