CN114531294A - Network anomaly sensing method and device, terminal and storage medium - Google Patents


Info

Publication number
CN114531294A
Authority
CN
China
Prior art keywords
honey mark
data
honey
host
initial file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210187343.8A
Other languages
Chinese (zh)
Inventor
周峰
肖威
曲桦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Software Evaluation Center
Original Assignee
China Software Evaluation Center
Application filed by China Software Evaluation Center
Priority to CN202210187343.8A
Publication of CN114531294A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application is applicable to the technical field of network security, and provides a network anomaly sensing method, a device, a terminal and a storage medium. The method comprises the following steps: generating a plurality of honey mark data based on a honey mark initial file and desensitization data; after the honey mark data have been configured in at least one host of the host cluster, if target honey mark data in a target host receive an attack operation of an attacker, acquiring an abnormal feedback request triggered by the target host based on the target honey mark data, wherein the abnormal feedback request comprises associated information of the attack operation; and analyzing the abnormal feedback request to obtain abnormal information of the network where the host cluster is located. According to the scheme, information about attacks on intranet hosts in the host cluster can be sensed within an effective time, and the timeliness and effectiveness of anomaly-sensing early warning are improved.

Description

Network anomaly sensing method and device, terminal and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a terminal, and a storage medium for sensing a network anomaly.
Background
With the continuous development and application of the internet and industrial control networks, information security and network security are becoming more and more important to enterprises and governments.
However, traditional network security defense technology cannot extract effective attack data from unknown network attacks, so anomaly-sensing early warning cannot be performed. At present, mature honeypot technology has a certain threat-tracing effect, but existing honeypot environments are relatively simple, run older system versions, and are easier for attackers to identify. Moreover, once an attacker has already penetrated the intranet, information about attacks on intranet hosts in the host cluster cannot be sensed within an effective time, and the timeliness and effectiveness of anomaly sensing and early warning are lacking.
Disclosure of Invention
The embodiment of the application provides a network anomaly sensing method, a network anomaly sensing device, a network anomaly sensing terminal and a storage medium, and aims to solve the problems that the attacked information of an intranet host in a host cluster cannot be sensed in an effective time and the timeliness and effectiveness of anomaly sensing early warning are lacked in the prior art.
A first aspect of an embodiment of the present application provides a network anomaly sensing method, which is applied to a network anomaly sensing device, and the method includes:
generating a plurality of honey mark data based on the honey mark initial file and desensitization data;
after the configuration of the honey mark data in at least one host machine in the host machine cluster is completed, if target honey mark data in a target host machine receives attack operation of an attacker, acquiring an abnormal feedback request triggered by the target host machine based on the target honey mark data, wherein the abnormal feedback request comprises associated information of the attack operation;
and analyzing and obtaining the abnormal information of the network where the host computer cluster is located based on the abnormal feedback request.
A second aspect of the embodiments of the present application provides a network anomaly sensing apparatus, including:
the generating module is used for generating a plurality of honey mark data based on the honey mark initial file and the desensitization data;
the acquisition module is used for acquiring an abnormal feedback request triggered by a target host machine based on target honey mark data if the target honey mark data in the target host machine receives attack operation of an attacker after the configuration of the honey mark data in at least one host machine in a host machine cluster is completed, wherein the abnormal feedback request comprises associated information of the attack operation;
and the analysis module is used for analyzing and obtaining the abnormal information of the network where the host computer cluster is located based on the abnormal feedback request.
A third aspect of embodiments of the present application provides a terminal, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the method according to the first aspect when executing the computer program.
A fourth aspect of embodiments of the present application provides a computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, performs the steps of the method according to the first aspect.
A fifth aspect of the present application provides a computer program product, which, when run on a terminal, causes the terminal to perform the steps of the method of the first aspect described above.
As can be seen from the above, in the embodiment of the present application, a plurality of honey mark data are generated based on the honey mark initial file and the desensitization data, and after the honey mark data have been configured in at least one host of the host cluster, an attacker is induced to trigger the honey mark bait; if target honey mark data in the target host receive an attack operation of an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data is obtained, information is returned, abnormal information of the network where the host cluster is located is obtained by analyzing the abnormal feedback request, compromised intranet assets are located, sensing of the network anomaly is achieved, information about attacks on intranet hosts in the host cluster is sensed within an effective time, and the timeliness and effectiveness of anomaly-sensing early warning are improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.
Fig. 1 is a first flowchart of a network anomaly awareness method according to an embodiment of the present application;
fig. 2 is a second flowchart of a network anomaly awareness method according to an embodiment of the present application;
fig. 3 is a structural diagram of a network anomaly sensing apparatus according to an embodiment of the present application;
fig. 4 is a structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification of the present application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon" or "in response to a determination" or "in response to a detection". Similarly, the phrase "if it is determined" or "if a [ described condition or event ] is detected" may be interpreted contextually to mean "upon determining" or "in response to determining" or "upon detecting [ described condition or event ]" or "in response to detecting [ described condition or event ]".
In particular implementations, the terminals described in embodiments of the present application include, but are not limited to, other portable devices such as mobile phones, laptop computers, or tablet computers having touch sensitive surfaces (e.g., touch screen displays and/or touch pads). It should also be understood that in some embodiments, the device is not a portable communication device, but is a desktop computer having a touch-sensitive surface (e.g., a touch screen display and/or touchpad).
In the discussion that follows, a terminal that includes a display and a touch-sensitive surface is described. However, it should be understood that the terminal may include one or more other physical user interface devices such as a physical keyboard, mouse, and/or joystick.
The terminal supports various applications, such as one or more of the following: a drawing application, a presentation application, a word processing application, a website creation application, a disc burning application, a spreadsheet application, a gaming application, a telephone application, a video conferencing application, an email application, an instant messaging application, an exercise support application, a photo management application, a digital camera application, a web browsing application, a digital music player application, and/or a digital video player application.
Various applications that may be executed on the terminal may use at least one common physical user interface device, such as a touch-sensitive surface. One or more functions of the touch-sensitive surface and corresponding information displayed on the terminal can be adjusted and/or changed between applications and/or within respective applications. In this way, a common physical architecture (e.g., touch-sensitive surface) of the terminal can support various applications with user interfaces that are intuitive and transparent to the user.
It should be understood that, the sequence numbers of the steps in this embodiment do not mean the execution sequence, and the execution sequence of each process should be determined by the function and the inherent logic of the process, and should not constitute any limitation to the implementation process of the embodiment of the present application.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
Referring to fig. 1, fig. 1 is a first flowchart of a network anomaly awareness method according to an embodiment of the present application. As shown in fig. 1, a method for sensing network anomaly is applied to a network anomaly sensing device, and the method includes the following steps:
Step 101, generating a plurality of honey mark data based on the honey mark initial file and desensitization data.
The honey mark initial file may be, for example, a file in the form of a template, such as a text template in the form of a document, or a template file with execution code embedded in it.
Desensitization data is preset non-sensitive data; using it when generating the honey mark data avoids exposing real sensitive data. The desensitization data is, for example, data obtained by masking sensitive words that have been inserted into unimportant data.
When the honey mark data are generated based on the honey mark initial file and the desensitization data, the desensitization data may be inserted directly into the honey mark initial file to produce the honey mark data, or the desensitization data may be inserted at a set position in the code of the honey mark initial file and the code then executed to generate the honey mark data.
Step 102, after the configuration of the honey mark data in at least one host in the host cluster is completed, if the target honey mark data in the target host receives the attack operation of an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data is obtained.
After the honey mark data are generated, they need to be configured on the host. The specific configuration mode may be placing the honey mark data at a set position in the host, or running the honey mark data so that corresponding false service connection records are generated on the host. This sets a trap for the attacker: once the honey mark data are opened, accessed or otherwise touched by the attacker, the attack operation of the attacker is captured.
Wherein, the abnormal feedback request contains the relevant information of the attack operation.
The associated information is, for example, a source address of the attack operation, an attack object of the attack operation, a host address where the attack operation occurs, and the like.
After the honey mark data are configured in the host, a legitimate user of the host knows about the honey mark data and therefore does not trigger them; the honey mark data serve as bait for an external attacker, so that attack behavior the attacker may exhibit can be captured.
Step 103, analyzing the abnormal feedback request to obtain abnormal information of the network where the host cluster is located.
After the abnormal feedback request is received, analysis on attack operation of an attacker can be realized based on information fed back by the host, and network abnormality sensing is realized, so that attacked information of the intranet host in the host cluster can be sensed in effective time, and timeliness and effectiveness of abnormal sensing and early warning are improved.
Further, after the abnormal information of the network where the host cluster is located is obtained through analysis, relevant security precautionary measures can be further formulated, for example, the host is isolated so as to prevent attacks from spreading to other normal hosts.
In an optional embodiment, the information associated with the attack operation includes host information of the host and attacker information.
Correspondingly, the analyzing and obtaining the abnormal information of the network where the host cluster is located based on the abnormal feedback request includes:
determining the node position of a host in a host cluster based on host information of the host;
determining source information of attack operation in a host machine based on attacker information;
and generating a network anomaly analysis result containing the node position and the source information of the attack operation.
The host information is, for example, the host IP address or MAC address. The attacker information is, for example, the attacker source address parsed from the access request generated when the attacker accesses the honey mark data.
Generating the network anomaly analysis result realizes perception analysis of the network anomaly, so that the host assets can be isolated and related precautionary measures customized at the first opportunity, preventing the attacker from attacking further.
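The analysis step described above (node position from host information, attack source from attacker information, and a combined analysis result), as an added Python example that is not part of the patent; the feedback request format, the cluster inventory and the intranet address ranges are assumptions:

```python
"""Added example (not from the patent): parse constructed anomaly feedback
requests, map the host information to a node position in the cluster and the
attacker information to an attack source, and produce an analysis result."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed cluster inventory (constructed): host IP -> node position and expected MAC.
CLUSTER_NODES = {
    "10.20.1.15": {"node": "segment-A/rack-1/slot-3", "mac": "02:42:0a:14:01:0f"},
    "10.20.2.8": {"node": "segment-B/rack-2/slot-1", "mac": "02:42:0a:14:02:08"},
}

# Assumed intranet ranges of the cluster; a source outside them is treated as external.
INTRANET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed feedback requests, as a target host would send them to the sensing device.
SAMPLE_FEEDBACK = [
    '{"honey_mark_id": "hm-mysql-0007", "host": {"ip": "10.20.1.15", "mac": "02:42:0a:14:01:0f"},'
    ' "attacker": {"src_ip": "10.20.2.8"}, "object": "mysql connection record"}',
    '{"honey_mark_id": "hm-doc-0042", "host": {"ip": "10.20.2.8"},'
    ' "attacker": {"src_ip": "203.0.113.77"}, "object": "finance_q4.docx"}',
    '{"honey_mark_id": "hm-bad", "host": {"ip": "not-an-ip"}}',
]


@dataclass
class AnomalyResult:
    honey_mark_id: str
    node_position: str
    attacked_host: str
    attack_source: str
    attack_object: str
    severity: str


def parse_feedback(raw: str) -> dict:
    """Parse one feedback request; reject anything malformed before it reaches the analysis."""
    req = json.loads(raw)
    missing = {"honey_mark_id", "host", "attacker", "object"} - set(req)
    if missing:
        raise ValueError(f"feedback request missing fields: {sorted(missing)}")
    # Validate the addresses so a forged request cannot push arbitrary strings into the result.
    ipaddress.ip_address(req["host"]["ip"])
    ipaddress.ip_address(req["attacker"]["src_ip"])
    return req


def locate_node(host: dict) -> str:
    """Map host information (IP, optional MAC) to its node position in the cluster."""
    entry = CLUSTER_NODES.get(host["ip"])
    if entry is None:
        return "unknown-node"
    if host.get("mac") and host["mac"].lower() != entry["mac"]:
        # IP matches the inventory but the MAC does not: flag it instead of trusting it silently.
        return entry["node"] + " (MAC mismatch)"
    return entry["node"]


def classify_source(src_ip: str) -> str:
    """Internal source: another cluster host is acting; external source: the perimeter was crossed."""
    ip = ipaddress.ip_address(src_ip)
    return "internal" if any(ip in net for net in INTRANET) else "external"


def analyze(raw: str) -> AnomalyResult:
    req = parse_feedback(raw)
    src = req["attacker"]["src_ip"]
    origin = classify_source(src)
    # An internal host touching a honey mark is the strongest signal of a compromised intranet asset.
    severity = "high" if origin == "internal" else "medium"
    return AnomalyResult(
        honey_mark_id=req["honey_mark_id"],
        node_position=locate_node(req["host"]),
        attacked_host=req["host"]["ip"],
        attack_source=f"{src} ({origin})",
        attack_object=req["object"],
        severity=severity,
    )


def analyze_batch(raws):
    """Analyze many feedback requests; malformed ones are collected as errors, never trusted."""
    results, errors = [], []
    for raw in raws:
        try:
            results.append(analyze(raw))
        except (ValueError, KeyError, TypeError) as exc:
            errors.append(f"{raw[:40]}...: {exc}")
    return results, errors


if __name__ == "__main__":
    for result in analyze_batch(SAMPLE_FEEDBACK)[0]:
        print(result)
```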
In the embodiment of the application, a plurality of honey mark data are generated based on the honey mark initial file and desensitization data, and after the honey mark data have been configured in at least one host of the host cluster, an attacker is induced to trigger the honey mark bait; if target honey mark data in the target host receive an attack operation of an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data is obtained, information is returned, abnormal information of the network where the host cluster is located is obtained by analyzing the abnormal feedback request, compromised intranet assets are located, sensing of the network anomaly is achieved, information about attacks on intranet hosts in the host cluster is sensed within an effective time, and the timeliness and effectiveness of anomaly-sensing early warning are improved.
The embodiment of the application also provides different implementation modes of the network anomaly sensing method.
Referring to fig. 2, fig. 2 is a second flowchart of a network anomaly awareness method according to an embodiment of the present application. As shown in fig. 2, a method for sensing network anomaly includes the following steps:
step 201, initializing a generation file required by the honey mark data based on different honey mark data types to obtain a honey mark initial file.
The different types of honey mark initial files contain general fields corresponding to the corresponding honey mark data types.
The common field is, for example, a common field in a pre-written program code, or a common field in a text template that identifies data, such as a data name, a data type, a data size, and the like.
The general fields contained in the honey mark initial file are changed along with the difference of the honey mark data types.
The type of the honey mark data is, for example, a service connection credential type, a shortcut type, a file type, etc.
When the type of the honey mark data is the service connection credential type, the initialized honey mark initial file comprises general fields such as a service connection statement corresponding to SSH or MYSQL.
When the type of the honey mark data is the shortcut type, the initialized honey mark initial file comprises the address of the network anomaly sensing device and a field corresponding to a general statement that, when triggered by the shortcut, sends an anomaly feedback request to that device address.
When the type of the honey mark data is the file type, the initialized honey mark initial file comprises the address of the network anomaly sensing device and a field corresponding to a general statement that sends an anomaly feedback request to that device address once the file is opened.
Step 202, inserting desensitization data into the honey mark initial file to obtain different types of honey mark data.
As an optional implementation, the desensitization data is inserted into the honey mark initial file to obtain different types of honey mark data, including:
according to the type of the corresponding honey mark data in the honey mark initial file, determining the insertion position of the desensitization data of the corresponding type in the general field of the honey mark initial file;
and based on the insertion positions, desensitization data are inserted into the honey mark initial file to obtain different types of honey mark data.
The insertion location may be a random location, or an insertion location that matches a set field in the general field, or an insertion location that corresponds to a set field in the pre-written code.
This process can generate different types of honey mark data, so that related information about intranet attackers is collected when the honey mark data are touched. Network anomaly sensing is thus carried out so that related precautionary measures can be taken and attackers prevented from carrying out more serious attacks.
Further, in an alternative embodiment, desensitization data is inserted into the honey mark initial file based on the insertion position, resulting in different types of honey mark data, including:
when the honey mark data type corresponding to the honey mark initial file is the service connection credential type, inserting the virtual service connection address corresponding to the service connection credential into the honey mark initial file as desensitization data, based on the insertion position.
A virtual service is, for example, a connection service to a certain virtual database. Specifically, the virtual service connection address corresponding to the service connection credential is inserted as desensitization data into a service connection statement pre-written in the honey mark initial file, so that a connection instruction for the virtual service is generated, and the honey mark data generated from the honey mark initial file is an executable file.
The virtual service may be a fictitious service, or a desensitized service whose service resources are isolated separately.
When honey mark data of the service connection credential type are deployed on the host, configuration personnel need to run the executable file serving as the honey mark data on the host; based on the connection instruction for the virtual service generated when the executable file runs, a service connection record corresponding to the virtual service, namely the service connection credential, is generated on the host. An attacker is thereby induced to connect to the virtual service based on the service connection record, so that the attack behavior of the attacker is captured and the network anomaly is sensed.
In an alternative embodiment, desensitization data is inserted into the honey mark initial file based on the insertion position, resulting in different types of honey mark data, including:
and when the corresponding honey mark data type in the honey mark initial file is the shortcut type, based on the insertion position, inserting the shortcut of the virtual application as desensitization data into the honey mark initial file.
Here, the shortcut of some virtual applications is preset, and the shortcut is inserted into a set insertion position in the honey mark initial file, specifically, the shortcut is inserted into a calling code which is pre-programmed in the honey mark initial file and triggers the virtual application by the shortcut.
And inducing the attacker to trigger the set virtual application by triggering the shortcut based on the generated shortcut type honey mark data, so as to capture the attack behavior of the attacker and sense the network abnormality.
In an alternative embodiment, desensitization data is inserted into the honey mark initial file based on the insertion position, resulting in different types of honey mark data, including:
and when the corresponding honey mark data type in the honey mark initial file is the file type, inserting the image data into the honey mark initial file as desensitization data based on the insertion position.
For example, image-text data such as pictures and tables are inserted directly into a honey mark initial file formed from a document template, and a file is generated as the honey mark data. The generated file can be renamed with an attractive file name to induce an attacker to open it, so that the attack behavior of the attacker is captured and the network anomaly is sensed.
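The generation procedure of steps 201 and 202 for the three honey mark types (service connection credential, shortcut, file), as an added Python example that is not part of the patent; the template formats, the sensing device address, the decoy network range and the sample desensitization data are all assumptions:

```python
"""Added example (not from the patent): initialize honey mark initial files
(templates with general fields) for the three honey mark types and insert
desensitization data at type-specific insertion positions."""
import hashlib
import ipaddress
import json
import string

# Assumed address of the network anomaly sensing device that receives feedback requests.
SENSING_DEVICE = "https://sensing.internal.example/feedback"
# Assumed range reserved for virtual (decoy) services; a decoy must never point at a real production host.
DECOY_NETWORK = ipaddress.ip_network("10.99.0.0/16")

# Honey mark initial files, one per type. $placeholders are the general fields.
# $sensing_device and $honey_mark_id are filled by the generator; the rest are insertion positions.
INITIAL_FILES = {
    "service_credential": string.Template(
        "# mysql client configuration\n[client]\n"
        "host=$service_addr\nport=$service_port\nuser=$service_user\n"
    ),
    "shortcut": string.Template(
        "[Shortcut]\nName=$app_name\n"
        "Target=$sensing_device?id=$honey_mark_id&type=shortcut\n"
    ),
    "file": string.Template(
        '<document title="$doc_title">\n'
        '  <beacon href="$sensing_device?id=$honey_mark_id&amp;type=file"/>\n'
        "  $image_data\n</document>\n"
    ),
}

# Insertion positions: which general fields of each type receive desensitization data.
INSERTION_FIELDS = {
    "service_credential": {"service_addr", "service_port", "service_user"},
    "shortcut": {"app_name"},
    "file": {"doc_title", "image_data"},
}

# Constructed desensitization data (fictitious service, application and document content).
SAMPLE_DESENSITIZED = {
    "service_credential": {"service_addr": "10.99.7.21", "service_port": "3306", "service_user": "report_ro"},
    "shortcut": {"app_name": "HR Portal"},
    "file": {"doc_title": "Q4 salary review", "image_data": '<img src="chart.png"/>'},
}


def make_honey_mark_id(kind: str, desensitized: dict) -> str:
    """Stable identifier so a feedback request can be traced back to the mark that triggered it."""
    digest = hashlib.sha256(json.dumps([kind, desensitized], sort_keys=True).encode()).hexdigest()
    return f"hm-{kind}-{digest[:12]}"


def generate_honey_mark(kind: str, desensitized: dict):
    """Return (honey_mark_id, content) for one honey mark, or raise ValueError on unsafe input."""
    if kind not in INITIAL_FILES:
        raise ValueError(f"unknown honey mark type: {kind}")
    if set(desensitized) != INSERTION_FIELDS[kind]:
        # Only the mapped general fields may be filled; stray keys could carry real data into a decoy.
        raise ValueError(f"desensitization data for {kind} must have fields {sorted(INSERTION_FIELDS[kind])}")
    if kind == "service_credential" and ipaddress.ip_address(desensitized["service_addr"]) not in DECOY_NETWORK:
        raise ValueError("virtual service address must lie in the decoy network")
    hm_id = make_honey_mark_id(kind, desensitized)
    content = INITIAL_FILES[kind].substitute(desensitized, sensing_device=SENSING_DEVICE, honey_mark_id=hm_id)
    return hm_id, content


def generate_all(samples=SAMPLE_DESENSITIZED) -> dict:
    """Generate one honey mark of each type; returns {type: (id, content)}."""
    return {kind: generate_honey_mark(kind, data) for kind, data in samples.items()}


if __name__ == "__main__":
    for kind, (hm_id, content) in generate_all().items():
        print(f"--- {kind} ({hm_id}) ---\n{content}")
```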
Step 203, after the configuration of the honey mark data in at least one host in the host cluster is completed, if the target honey mark data in the target host receives the attack operation of the attacker, acquiring an abnormal feedback request triggered by the target host based on the target honey mark data.
The abnormal feedback request comprises relevant information of attack operation.
The implementation process of this step is the same as that of step 102 in the foregoing embodiment, and is not described here again.
Step 204, analyzing the abnormal feedback request to obtain abnormal information of the network where the host cluster is located.
The implementation process of this step is the same as the implementation process of step 103 in the foregoing embodiment, and is not described here again.
In the embodiment of the application, a plurality of honey mark data are generated based on different types of honey mark initial files and desensitization data, and after the honey mark data have been configured in at least one host of the host cluster, an attacker is attracted to trigger the honey mark bait; if target honey mark data in the target host receive an attack operation of an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data is acquired to realize information feedback, abnormal information of the network where the host cluster is located is obtained by analyzing the abnormal feedback request, compromised intranet assets are located, sensing of the network anomaly is realized, information about attacks on intranet hosts in the host cluster is sensed within an effective time, and the timeliness and effectiveness of anomaly-sensing early warning are improved.
Referring to fig. 3, fig. 3 is a structural diagram of a network anomaly sensing device according to an embodiment of the present application, and for convenience of description, only a part related to the embodiment of the present application is shown.
The network anomaly awareness apparatus 300 includes:
the generation module 301 is configured to generate a plurality of honey mark data based on the honey mark initial file and the desensitization data;
an obtaining module 302, configured to, after the configuration of the honey mark data in at least one host in the host cluster is completed, obtain, if target honey mark data in a target host receives an attack operation of an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data, where the abnormal feedback request includes associated information of the attack operation;
an analyzing module 303, configured to analyze, based on the abnormal feedback request, to obtain abnormal information of the network where the host cluster is located.
The generating module 301 is specifically configured to:
initializing a generation file required by honey mark data based on different honey mark data types to obtain a honey mark initial file, wherein the honey mark initial files of different types comprise general fields corresponding to the corresponding honey mark data types;
and inserting the desensitization data into the honey mark initial file to obtain the honey mark data of different types.
Wherein, the generating module 301 is more specifically configured to:
according to the type of the honey mark data corresponding to the honey mark initial file, determining the insertion position of the desensitization data of the corresponding type in the general field of the honey mark initial file;
and based on the insertion positions, the desensitization data are inserted into the honey mark initial file to obtain the honey mark data of different types.
Wherein, the generating module 301 is further specifically configured to:
and when the type of the honey mark data corresponding to the honey mark initial file is the service connection credential type, based on the insertion position, inserting the virtual service connection address corresponding to the service connection credential into the honey mark initial file as the desensitization data.
Wherein, the generating module 301 is further specifically configured to:
and when the corresponding honey mark data type in the honey mark initial file is the shortcut type, based on the insertion position, inserting the shortcut of the virtual application as the desensitization data into the honey mark initial file.
Wherein, the generating module 301 is further specifically configured to:
and when the type of the honey mark data corresponding to the honey mark initial file is a file type, based on the insertion position, inserting the graph data into the honey mark initial file as the desensitization data.
The information associated with the attack operation comprises host information of the host and attacker information; correspondingly, the analysis module 303 is specifically configured to:
determine the node position of the host within the host cluster from the host information of the host;
determine the source information of the attack operation on the host from the attacker information;
and generate a network anomaly analysis result that contains the node position and the source information of the attack operation.
The network anomaly sensing device provided by this embodiment of the application can carry out each process of the network anomaly sensing method embodiment and achieves the same technical effect; to avoid repetition, it is not described again here.
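The three steps of the device described above (generate honey mark data by inserting decoy data into type-specific initial files, have the host emit an abnormal feedback request when a token is touched, map that request to a node position and an attack source), as an added example in Python. This is not code from the patent or its applicant. The template layout, the feedback request format, the keyed token id, the per-host reporting keys and the cluster topology table are all assumptions; the decoy address, application path and chart values are constructed.

```python
"""Honeytoken ("honey mark") pipeline: generate, report, analyse.

Added example, not the patent's own code. Template layout, feedback request
format, keyed token ids and the topology table are assumptions.
"""
import hashlib
import hmac
import json

# Step 1: one "initial file" per honeytoken type, carrying the general fields
# of that type plus two placeholders: {decoy} for the desensitised datum and
# {token} for an id that ties the token to the host it is deployed on.
INITIAL_FILES = {
    "service_credential": (
        "# backup service connection\n"
        "DB_URL=postgres://svc_backup:{token}@{decoy}/ledger\n"
    ),
    "shortcut": (
        "[Desktop Entry]\nType=Application\nName=Finance Console\n"
        "Exec={decoy} --session {token}\n"
    ),
    "document": "Q3 board deck (draft)\n{decoy}\ndoc-id: {token}\n",
}

# Desensitised data per type: a decoy service address, a virtual application
# path, chart data. All constructed; nothing here points at a real system.
DESENSITIZED = {
    "service_credential": "10.66.0.9:5432",
    "shortcut": "/opt/finconsole/bin/console",
    "document": "series=revenue;2021=12.4;2022=13.1;2023=15.0",
}

# Assumed deployment: the mint key stays on the analysis side; each host only
# holds its own reporting key, and the cluster map is analysis-side data.
MINT_KEY = b"analysis-side-mint-key"
HOST_REPORT_KEYS = {"web-03": b"web-03-report-key", "db-01": b"db-01-report-key"}
CLUSTER = {"web-03": "dmz/rack-2/slot-7", "db-01": "core/rack-1/slot-3"}


def _mac(key: bytes, obj: dict) -> str:
    """HMAC over a canonical JSON encoding of the report body."""
    canon = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def token_id(host_id: str, token_type: str) -> str:
    """Id bound to (host, type) under the mint key: a host cannot produce a
    valid id for a token that was never issued to it."""
    msg = f"{host_id}:{token_type}".encode()
    return hmac.new(MINT_KEY, msg, hashlib.sha256).hexdigest()[:16]


def generate_honeytokens(host_id: str) -> dict:
    """Insert the type-specific decoy datum and the token id at the
    placeholder positions of each initial file; returns {type: content}."""
    return {
        t: tmpl.format(decoy=DESENSITIZED[t], token=token_id(host_id, t))
        for t, tmpl in INITIAL_FILES.items()
    }


def build_feedback(host_id, token_type, tid, src_ip, user, process) -> str:
    """Step 2: the host whose token was touched reports host information
    and attacker information, authenticated with its own reporting key."""
    body = {
        "host": host_id, "token_type": token_type, "token_id": tid,
        "attacker": {"src_ip": src_ip, "user": user, "process": process},
    }
    body["mac"] = _mac(HOST_REPORT_KEYS[host_id], body)
    return json.dumps(body)


def analyze_feedback(raw: str):
    """Step 3: authenticate the report, confirm the token really belongs to
    the reporting host, then map host -> node position and pull the attack
    source. Returns None for reports that fail either check."""
    req = json.loads(raw)
    mac = req.pop("mac", "")
    key = HOST_REPORT_KEYS.get(req.get("host"))
    if key is None or not hmac.compare_digest(mac, _mac(key, req)):
        return None
    if req["token_id"] != token_id(req["host"], req["token_type"]):
        return None  # e.g. a compromised host replaying another host's token
    return {
        "node_position": CLUSTER.get(req["host"], "unknown"),
        "token_type": req["token_type"],
        "source": req["attacker"],
    }


if __name__ == "__main__":
    for t, content in generate_honeytokens("web-03").items():
        print(f"--- {t} ---\n{content}")
    tid = token_id("web-03", "service_credential")
    report = build_feedback("web-03", "service_credential", tid,
                            "203.0.113.7", "www-data", "psql")
    print(analyze_feedback(report))
```

The two checks in analyze_feedback are the ones a practitioner would want before acting on such a report: the MAC under a per-host key stops anyone without that host's key from injecting alerts, and binding the token id to the host under a key the hosts never hold stops a compromised host from pointing the analysis at a different node by replaying a token it found elsewhere. Deploying the tokens themselves (placing the files, watching for reads or for use of the decoy address) is outside the page and not shown.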
Fig. 4 is a structural diagram of a terminal according to an embodiment of the present application. As shown in the figure, the terminal 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the steps of any of the various method embodiments described above being implemented when the computer program 42 is executed by the processor 40.
The terminal 4 may be a desktop computer, a notebook, a palmtop computer, a cloud server, or another computing device. The terminal 4 may include, but is not limited to, the processor 40 and the memory 41. Those skilled in the art will appreciate that fig. 4 is only an example of a terminal 4 and does not limit the terminal 4, which may include more or fewer components than those shown, combine some components, or have different components; for example, the terminal may also include input/output devices, network access devices, buses, and the like.
The processor 40 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 41 may be an internal storage unit of the terminal 4, such as a hard disk or the main memory of the terminal 4. The memory 41 may also be an external storage device of the terminal 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash memory card provided on the terminal 4. Further, the memory 41 may include both an internal storage unit and an external storage device of the terminal 4. The memory 41 stores the computer program and the other programs and data the terminal requires, and may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-mentioned division of the functional units and modules is illustrated, and in practical applications, the above-mentioned function distribution may be performed by different functional units and modules according to needs, that is, the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-mentioned functions. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units are integrated in one unit, and the integrated unit may be implemented in a form of hardware, or in a form of software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working processes of the units and modules in the system may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal and method may be implemented in other ways. For example, the above-described apparatus/terminal embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated modules/units, if implemented in the form of software functional units and sold or used as separate products, may be stored in a computer readable storage medium. Based on such understanding, all or part of the flow in the method of the embodiments described above can be realized by a computer program, which can be stored in a computer-readable storage medium and can realize the steps of the embodiments of the methods described above when the computer program is executed by a processor. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution medium, and the like. It should be noted that the computer readable medium may contain content that is subject to appropriate increase or decrease as required by legislation and patent practice in jurisdictions, for example, in some jurisdictions, computer readable media does not include electrical carrier signals and telecommunications signals as is required by legislation and patent practice.
The present application realizes all or part of the processes in the method of the above embodiments, and may also be implemented by a computer program product, when the computer program product runs on a terminal, the steps in the above method embodiments may be implemented when the terminal executes the computer program product.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A network anomaly sensing method, applied to a network anomaly sensing device, comprising the following steps:
generating a plurality of items of honey mark data from a honey mark initial file and desensitization data;
after the honey mark data has been deployed on at least one host of a host cluster, if target honey mark data on a target host receives an attack operation from an attacker, obtaining an abnormal feedback request triggered by the target host based on the target honey mark data, wherein the abnormal feedback request comprises information associated with the attack operation;
and analyzing the abnormal feedback request to obtain anomaly information for the network in which the host cluster is located.
2. The method of claim 1, wherein generating the plurality of items of honey mark data from the honey mark initial file and the desensitization data comprises:
initializing, for each honey mark data type, the generation file that honey mark data of that type requires, to obtain a honey mark initial file, wherein the honey mark initial files of the different types each comprise the general fields corresponding to their honey mark data type;
and inserting the desensitization data into the honey mark initial file to obtain honey mark data of the different types.
3. The method of claim 2, wherein inserting the desensitization data into the honey mark initial file to obtain honey mark data of the different types comprises:
determining, according to the honey mark data type corresponding to the honey mark initial file, the insertion position of the desensitization data of the corresponding type within the general fields of the honey mark initial file;
and inserting the desensitization data into the honey mark initial file at the insertion position to obtain honey mark data of the different types.
4. The method of claim 3, wherein inserting the desensitization data into the honey mark initial file at the insertion position to obtain honey mark data of the different types comprises:
when the honey mark data type corresponding to the honey mark initial file is the service connection credential type, inserting at the insertion position a virtual service connection address corresponding to the service connection credential into the honey mark initial file as the desensitization data.
5. The method of claim 3, wherein inserting the desensitization data into the honey mark initial file at the insertion position to obtain honey mark data of the different types comprises:
when the honey mark data type corresponding to the honey mark initial file is the shortcut type, inserting at the insertion position a shortcut to a virtual application into the honey mark initial file as the desensitization data.
6. The method of claim 3, wherein inserting the desensitization data into the honey mark initial file at the insertion position to obtain honey mark data of the different types comprises:
when the honey mark data type corresponding to the honey mark initial file is the file type, inserting at the insertion position graph data into the honey mark initial file as the desensitization data.
7. The method of claim 1, wherein the information associated with the attack operation comprises host information of the host and attacker information, and analyzing the abnormal feedback request to obtain the anomaly information for the network in which the host cluster is located comprises:
determining the node position of the host within the host cluster from the host information of the host;
determining source information of the attack operation on the host from the attacker information;
and generating a network anomaly analysis result that contains the node position and the source information of the attack operation.
8. A network anomaly sensing apparatus, comprising:
a generation module, configured to generate a plurality of items of honey mark data from a honey mark initial file and desensitization data;
an obtaining module, configured to, after the honey mark data has been deployed on at least one host of a host cluster, obtain, if target honey mark data on a target host receives an attack operation from an attacker, an abnormal feedback request triggered by the target host based on the target honey mark data, wherein the abnormal feedback request comprises information associated with the attack operation;
and an analysis module, configured to analyze the abnormal feedback request to obtain anomaly information for the network in which the host cluster is located.
9. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 7.
CN202210187343.8A 2022-02-28 2022-02-28 Network anomaly sensing method and device, terminal and storage medium Pending CN114531294A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210187343.8A CN114531294A (en) 2022-02-28 2022-02-28 Network anomaly sensing method and device, terminal and storage medium

Publications (1)

Publication Number Publication Date
CN114531294A true CN114531294A (en) 2022-05-24

Family

ID=81624953

Country Status (1)

Country Link
CN (1) CN114531294A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969741A (en) * 2022-06-07 2022-08-30 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Malicious software detection and analysis method, device, equipment and readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107046535A (en) * 2017-03-24 2017-08-15 中国科学院信息工程研究所 A kind of abnormality sensing and method for tracing and system
US20190182269A1 (en) * 2017-12-11 2019-06-13 International Business Machines Corporation Network attack tainting and tracking
CN113904820A (en) * 2021-09-27 2022-01-07 杭州安恒信息技术股份有限公司 Network intrusion prevention method, system, computer and readable storage medium

Similar Documents

Publication Publication Date Title
Kharraz et al. Redemption: Real-time protection against ransomware at end-hosts
Kharaz et al. {UNVEIL}: A {Large-Scale}, automated approach to detecting ransomware
TWI726749B (en) Method for diagnosing whether network system is breached by hackers and related method for generating multiple associated data frames
Yin et al. Panorama: capturing system-wide information flow for malware detection and analysis
US8850517B2 (en) Runtime risk detection based on user, application, and system action sequence correlation
CN108351936B (en) Detecting program circumvention of virtual machines or emulators
KR20180081053A (en) Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection
de Lima et al. Artificial intelligence-based antivirus in order to detect malware preventively
CN111435391A (en) Method and apparatus for automatically determining interactive GUI elements to be interacted with in GUI
KR20170122548A (en) Method and Apparatus for Recognizing APT(Advanced Persistent Threat) using Co-Relational Data Analytics
US20230153439A1 (en) Early filtering of clean file using dynamic analysis
Shao et al. Understanding in-app ads and detecting hidden attacks through the mobile app-web interface
CN116340943A (en) Application program protection method, device, equipment, storage medium and program product
CN107368735B (en) Application installation method, mobile terminal and computer readable storage medium
CN108156127B (en) Network attack mode judging device, judging method and computer readable storage medium thereof
CN114531294A (en) Network anomaly sensing method and device, terminal and storage medium
Kim et al. A study on the digital forensic investigation method of clever malware in IoT devices
Creutzburg The strange world of keyloggers-an overview, Part I
CN115688112A (en) Industrial control risk assessment method, device, equipment and storage medium
CN112351008B (en) Network attack analysis method and device, readable storage medium and computer equipment
CN113765924A (en) Safety monitoring method, terminal and equipment based on cross-server access of user
Fan et al. Quantitative analysis for privacy leak software with privacy petri net
Kharraz Techniques and Solutions for Addressing Ransomware Attacks
Fan et al. Privacy Petri net and privacy leak software
Wapet Preventing the release of illegitimate applications on mobile markets

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20220524)