CN114598525A - IP automatic blocking method and device for network attack - Google Patents


Info

Publication number
CN114598525A
Authority
CN
China
Prior art keywords
access
address
log data
risk
network security
Prior art date
Legal status
Pending
Application number
CN202210222312.1A
Other languages
Chinese (zh)
Inventor
赵韡
韩作为
李宏芳
于虎林
孙鸿羽
岳明
毛润泽
陈宇飞
Current Assignee
Fuwai Hospital of CAMS and PUMC
Original Assignee
Fuwai Hospital of CAMS and PUMC

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application discloses a method for automatically blocking an IP (Internet Protocol) address in response to a network attack, which comprises the following steps: acquiring log data from a plurality of network security devices, and parsing the acquired log data into a uniform format; analyzing the parsed log data, determining all matching target log data according to a configuration policy, and acquiring the corresponding access IP address; and for each piece of target log data, performing risk evaluation on the access IP address corresponding to that target log data, determining whether the access IP address is high risk, and blocking the high-risk access IP address. By applying the method and the device, the information of the plurality of network security devices can be effectively integrated to identify the network attack, and the attacking IP can be blocked automatically.

Description

IP automatic blocking method and device for network attack
Technical Field
The present application relates to computer network technologies, and in particular, to a method and an apparatus for automatically blocking an IP for a network attack.
Background
With the rapid development of informatization technology, network security threats are rising day by day and directly affect the service continuity and data security of the medical and health industry. How to operate continuously on the basis of a network security management and technical system has become an important subject of network security research in that industry. Attack and protection are the foundation of security operations, so identifying attacks and effectively blocking attacking IPs are important links in network security operation.
At present, most organizations purchase a large number of network security devices: application-layer attacks are blocked by a WAF, attacking IPs are filtered by a network firewall, and attack behaviour is detected and blocked by IDS/IPS. However, most of these security devices come from different manufacturers, so linkage between them is difficult to form and their full potential cannot be realised. Meanwhile, the IP-blocking action on a single security device is basically based on a single threat IP library: the current IP is compared with the threat IP library to form a block-or-release decision, so the decision mechanism is relatively one-dimensional. At the same time, the network security event alarm data of each device is redundant and repetitive, a unified security situation cannot be effectively correlated and analysed, and heavy management cost is placed on network security administrators.
Disclosure of Invention
The application provides a method and a device for automatically blocking an IP (Internet Protocol) address in response to a network attack, which can effectively integrate the information of a plurality of network security devices to identify the network attack and automatically block the attacking IP.
In order to achieve the purpose, the following technical scheme is adopted in the application:
a method for automatically blocking an IP against network attacks comprises the following steps:
acquiring log data of a plurality of network security devices, and analyzing the acquired log data into a uniform format;
analyzing the analyzed log data, determining all target log data matched with a preset configuration strategy, and acquiring corresponding access IP addresses;
and for each piece of target log data, performing risk evaluation on the access IP address corresponding to the target log data, determining whether the access IP address is high risk or not, and blocking the high-risk access IP address.
Preferably, the acquiring log data of a plurality of network security devices includes:
enabling a syslog protocol in the network security devices, and configuring the log level and/or the log type to be collected; the network security devices send log data to be collected to an rsyslog server through a syslog protocol according to configuration, and unified storage management of logs is carried out;
and reading log data of the plurality of network security devices from the rsyslog server.
Preferably, before performing risk assessment on the IP address corresponding to the target log data, the method further includes:
judging whether the access IP address corresponding to the target log data is in a preset IP address white list or not, if so, determining that the access IP address corresponding to the target log data is a low-risk IP address, and not performing risk evaluation on the access IP address corresponding to the target log data; otherwise, continuing to execute the operation of risk assessment on the access IP address corresponding to the target log data.
Preferably, the performing risk assessment on the access IP address corresponding to the log data includes:
and judging whether the access IP address corresponding to the log data is in a preset IP address blacklist, if so, determining that the corresponding IP address is a high-risk access IP address.
Preferably, the performing risk assessment on the access IP address corresponding to the log data includes:
and determining a weighted evaluation value of the access IP address according to the attribution, usage, accessed resource, access frequency and/or access duration of the access IP address, determining that the access IP address is high risk when the weighted evaluation value is greater than or equal to a set risk threshold, and determining that the access IP address is low risk when the weighted evaluation value is less than the set risk threshold.
Preferably, before said notifying said plurality of network security devices to block high risk access IP addresses, the method further comprises:
determining whether a scanning behavior exists in an access request of an application system where honeypots are located according to the honeypots which are arranged in advance, and if so, determining a source IP of the corresponding access request as a high-risk access IP address; wherein the honeypot is pre-deployed at a number of ports on an application system in a business access scenario.
Preferably, before performing risk assessment on the access IP address corresponding to the target log data, the method further includes: and carrying out deduplication processing on the access IP address.
Preferably, before performing the deduplication process, the method further comprises: performing private-key encryption verification on the device that performs the deduplication processing, and executing the deduplication processing only after the verification passes.
Preferably, the blocking of the high risk IP address comprises:
pushing a high-risk access IP address to a preset enterprise net shield in a POST mode through an API interface mode, wherein the enterprise net shield carries out global prohibition on the received high-risk access IP address;
and for the network security equipment without the API, pushing the high-risk IP address to the corresponding network security equipment in a mode of simulating an SSH command, and carrying out global prohibition by the corresponding network security equipment according to the received IP address.
Preferably, the operation of blocking the high-risk access IP address is executed using a preset account and a preset device.
Preferably, after said blocking of the high-risk IP address, the method further comprises: for a blocked access IP address, performing unblocking after the blocked time reaches a set time threshold.
Preferably, after said blocking of the high risk access IP address, the method further comprises: and sending early warning information to a network security administrator for the forbidden access IP address.
Preferably, the early warning information includes: the blocked access IP address, the evaluation time, and the reason the address was evaluated as high risk.
Preferably, the analyzing the analyzed log data to determine all target log data matched with the preset configuration policy includes:
and searching the parsed logs according to the configuration policy, using the values of the key fields of the uniformly formatted logs, to determine the target log data.
An apparatus for IP auto-block against cyber-attacks, comprising: the system comprises a log data acquisition module, a log data analysis module, a risk evaluation module and a blocking module;
the log data acquisition module is used for acquiring log data of a plurality of network security devices;
the log data analysis module is used for analyzing the acquired log data into a uniform format;
the log data analysis module is used for analyzing the analyzed log data, determining all target log data matched with a preset configuration strategy and acquiring a corresponding access IP address;
the risk evaluation module is used for carrying out risk evaluation on an access IP address corresponding to each piece of target log data and determining whether the access IP address is high risk or not;
and the blocking module is used for blocking the high-risk access IP address.
Preferably, the device further includes a deduplication module, configured to perform deduplication processing on all target log data matched by the log data analysis module, and provide the target log data subjected to deduplication processing to the risk assessment module.
Preferably, the device further comprises an early warning module, configured to send early warning information to a network security administrator for the blocked access IP address.
Preferably, the apparatus further includes an unblocking module, configured to unblock the blocked access IP address after the blocking time reaches a set time threshold.
According to the technical scheme, the log data of the network security equipment are acquired, and the acquired log data are analyzed into a uniform format; analyzing the analyzed log data, and determining all matched target log data according to a configuration strategy; and for each piece of target log data, performing risk evaluation on the access IP address corresponding to the target log data, determining whether the access IP address is high risk, and blocking the high-risk access IP address. By the processing, whether the access IP address is high-risk or not can be judged by utilizing the log data of the plurality of network security devices, and the high-risk access IP address is forbidden, so that the information of the plurality of network security devices can be effectively integrated to identify network attacks, and the attack IP is automatically forbidden.
Drawings
Fig. 1 is a basic flowchart of a method for automatically blocking an IP for network attack in the present application;
fig. 2 is a specific flowchart of an IP automatic blocking method for network attack in the embodiment of the present application;
fig. 3 is a schematic diagram of a basic structure of an IP automatic block device for network attack in the present application.
Detailed Description
For the purpose of making the objects, technical means and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a basic flowchart of a method for automatically blocking an IP for a network attack in the present application. As shown in fig. 1, the method includes:
step 101, acquiring log data of a plurality of network security devices, and analyzing the acquired log data into a uniform format.
And 102, analyzing the analyzed log data, determining all target log data matched with a preset configuration strategy, and acquiring a corresponding access IP address.
And 103, for each piece of target log data, performing risk evaluation on the access IP address corresponding to the target log data, determining whether the corresponding access IP address is high-risk, and forbidding the high-risk access IP address.
This concludes the basic flow shown in fig. 1. Specific implementations of the present application are illustrated by the following specific examples.
Fig. 2 is a specific flowchart of an IP automatic blocking method for network attack in the embodiment of the present application. As shown in fig. 2, the method includes:
step 201, obtaining log data of a plurality of network security devices.
In the method, the information of the plurality of network security devices needs to be integrated to identify the network attack, and the information on which attack identification is based is mainly log data, so this step obtains the log data of the plurality of network security devices. Network security devices sold on the market all support a log export function, although the export modes supported by each device differ and include various forms such as a database, a text file, Syslog, Simple Network Management Protocol (SNMP), a REST API and the like. This step may export the log data of each network security device in the existing manner.
In more detail, the syslog protocol is enabled on the network security devices, the log level or log type to be collected is configured, and the logs are sent to an rsyslog server through the syslog protocol for unified log storage management; the rsyslog server saves the logs as different local log files, distinguished by log type or source IP; and the saved log data is read from the rsyslog server. The log data can be obtained by reading in real time.
In addition, for identifying a network attack, besides the log data of the network security devices, which is the most basic source, information for identifying the network attack can also be obtained by manual input or by input of third-party threat intelligence.
Specifically, in order to prevent collected logs from being missed, while collecting the log data of the network security devices, threat disposal is performed regularly by manually monitoring each security device and reporting access IP addresses; according to the threat degree of a reported access IP address, the received access IP is either placed in a blacklist or directly treated as a high-risk address.
Alternatively, information for identifying network attacks may also be obtained from a third-party threat intelligence API. This comprises performing real-time joint defence and joint control with the threat situation of the industry network security supervisor and the regulatory agency, matching internet network traffic, receiving IPs with malicious labels, and, according to the label level, placing a received access IP in a blacklist or directly treating it as a high-risk address, so that rapid disposal is performed before the attack is carried out.
In this step, when the log data of each network security device is acquired, the full amount of log data may be directly acquired, or the potentially risky log data identified by the network security device may be acquired. Which data to acquire can be set according to actual needs.
Step 202, parsing the acquired log data into a uniform format.
For newly acquired log data, a write mode (schema on write) is adopted, the log data can be analyzed before storage, the analysis speed is increased, and therefore attack IP can be matched earlier for subsequent processing.
In the step, all logs are standardized by analyzing the collected log data. Specifically, a json or custom field analysis mode may be configured, all log data may be standardized and converted into a unified format, for example, the json format, and the standardized and analyzed log data may be stored for subsequent field analysis.
Step 203, analyzing the analyzed log data, determining all target log data matched with a preset configuration strategy, and acquiring a corresponding access IP address.
For the logs represented by the uniform format, the key fields of the logs can be extracted according to the configured rules, and the unstructured logs are converted into structured data. And then, searching by using the key field of the log, determining the log matched with the configuration strategy as a target log, and acquiring a corresponding access IP address. And for the matched target log, saving important fields such as a target address, a target URL, a source IP, a source MAC address and the like.
The analysis of the log data to extract the key fields has the advantages that: the key fields can be used for statistical analysis of log data. The device for log analysis can index the key fields of the log and the original log, and a user can search the key fields and the original log.
Specifically, in order to analyze and retrieve log data, the key fields and full texts of the log can be indexed, the log is stored as a plurality of index files in time dimension, and a user can conveniently decide how long the log is reserved. The index file can be stored in a distributed mode, and copies exist, so that high availability is guaranteed. Even if the information of the key fields in the log is not extracted, the instant field statistical analysis work can be finished in a post extraction mode. In addition, the equipment for log analysis can also support the correlation analysis of logs from different sources based on the information.
For the logs with the extracted key fields, the key fields of the logs can be used for searching, the logs matched with the configuration strategy are determined to be used as target logs, and corresponding access IP addresses are obtained.
For example, when attack logs need to be matched, the search may be performed according to the configuration policy; specifically, the searched logs may be those whose source is the WAF and which contain keywords such as attack IP, attack source, server IP and attack URL, and the logs matched by the search are used as target logs for subsequent processing. Or, when high-risk traffic needs to be analysed, the logs whose source is the 360 security product and which contain keywords such as rogue promotion, botnet, remote-control trojan, black-market tool and stealing trojan can be retrieved, and the retrieved logs are used as target logs for subsequent processing.
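As an added example (not code from the patent), the following Python sketch shows steps 202 and 203 together: constructed syslog lines from a hypothetical WAF and a hypothetical firewall are parsed into one uniform dict per line (schema on write), serialised as JSON, and then searched with a constructed configuration policy (source WAF, keyword "attack") to pick out the target logs and their access IPs. The device message formats, host names, tag-to-source mapping and the policy are all assumptions.

```python
import json
import re

# Constructed sample syslog lines from two hypothetical devices (not real vendor formats).
SAMPLE_LOGS = [
    "Mar  8 10:01:02 waf01 waf: src=203.0.113.45 dst=10.0.0.8 url=/phpMyAdmin/index.php action=block type=attack",
    "Mar  8 10:01:05 fw01 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.8 PROTO=TCP DPT=22",
    "Mar  8 10:01:09 waf01 waf: src=192.0.2.10 dst=10.0.0.9 url=/index.html action=allow type=access",
]

# Common syslog header: timestamp, host, program tag, message body.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")

# One field-extraction rule per device type. The named groups ARE the uniform field names,
# so src_ip / dst_ip mean the same thing whichever device produced the line.
FIELD_RULES = {
    "waf": re.compile(r"src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) url=(?P<url>\S+) action=(?P<action>\S+) type=(?P<event_type>\S+)"),
    "kernel": re.compile(r"SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"),
}
# Map the syslog program tag to the logical log source named in configuration policies (assumed).
SOURCE_BY_TAG = {"waf": "waf", "kernel": "firewall"}


def parse_line(line):
    """Schema-on-write: turn one raw line into a uniform dict, keeping the raw text for full-text search."""
    m = HEADER.match(line)
    if not m:
        return {"source": "unknown", "raw": line}
    rec = {"ts": m["ts"], "host": m["host"], "source": SOURCE_BY_TAG.get(m["tag"], "unknown"), "raw": line}
    rule = FIELD_RULES.get(m["tag"])
    fields = rule.search(m["msg"]) if rule else None
    if fields:
        rec.update(fields.groupdict())
    return rec


def normalize_all(lines):
    return [parse_line(line) for line in lines]


def to_json_lines(records):
    """The uniform storage format: one JSON object per line, ready for indexing."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def find_targets(records, policy):
    """Select target logs: matching source, every policy keyword present, and a source IP to score."""
    targets = []
    for r in records:
        if r["source"] != policy["source"] or "src_ip" not in r:
            continue
        if all(k in r["raw"] for k in policy["keywords"]):
            t = dict(r)
            t["access_ip"] = r["src_ip"]   # the access IP that later risk evaluation scores
            targets.append(t)
    return targets


# Constructed configuration policy: WAF logs that carry the word "attack".
ATTACK_POLICY = {"source": "waf", "keywords": ["attack"]}

if __name__ == "__main__":
    recs = normalize_all(SAMPLE_LOGS)
    print(to_json_lines(recs))
    for t in find_targets(recs, ATTACK_POLICY):
        print("target:", t["access_ip"], t["url"])
```

Keeping the raw line alongside the extracted fields is what lets the policy search fall back to full text when a device format has not been given a field rule yet, which is the "post extraction" case the description mentions.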
In addition, the device for log analysis can also provide a WEB interface, and custom dashboard analysis can be added to the interface according to log sources, such as analysis of the access condition of the waf, the blocking condition of the waf, the intrusion condition of the waf, and the like.
Several target log entries may be matched according to the configuration policy, via step 203. Step 206 may be performed directly for all target log entries in the basic flow. However, considering that log data originates from a plurality of different network security devices, and different devices may have duplicated data, in order to improve processing efficiency, it is preferable that the process including this step performs data deduplication.
And step 204, performing deduplication processing on the target log data determined in step 203.
Specifically, the target log entries matched in step 203 may be reported via a webhook for deduplication processing. To ensure security, a data deduplication interface is preferably developed in advance and protected by private-key encryption verification, which strengthens the security of calls to the interface; the interface also supports whitelist policy configuration, so that normal callers are not blocked by mistake.
The deduplication processing may specifically include: after the reported target log data is obtained, deduplication is performed against the historically reported target logs using fields such as the target IP, so as to avoid the unnecessary resource waste of repeatedly blocking the same IP; the deduplicated logs can be converted into a text file of a specified format for storage and await the next operation. Specifically, the historically reported target logs may be stored in a set location, for example a temporary table; the target IP field of the currently reported target log is compared with the target IP field of each log in the temporary table, and if the same target IP already exists, the currently reported target log is not stored in the temporary table and is directly discarded; otherwise, the reported target log is stored in the temporary table. The temporary table may store the target logs reported and deduplicated within a set time, which may be chosen as needed, for example the logs reported on the same day.
After step 203 or step 204, step 206 may be performed directly, or step 205 may be performed before step 206 to apply whitelist filtering, so as to prevent mistaken blocking of an IP from affecting daily service applications.
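The deduplication interface of step 204, as an added example that is not the patent's own code: the webhook handler first checks the caller against a whitelist and verifies a signature over the body, then keeps only the first report of each target IP in a temporary table that is reset when the day changes. The patent names "private key encryption verification" without specifying a scheme, so an HMAC-SHA256 signature with a constructed shared secret stands in for it here; the secret, the caller whitelist and the report contents are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed shared secret and caller whitelist (assumptions; the patent names neither).
# HMAC-SHA256 over the webhook body stands in for the patent's unspecified
# "private key encryption verification".
WEBHOOK_SECRET = b"constructed-demo-secret"
CALLER_WHITELIST = {"10.0.0.5"}   # log-analysis hosts allowed to call the interface


def sign(payload: bytes) -> str:
    return hmac.new(WEBHOOK_SECRET, payload, hashlib.sha256).hexdigest()


def make_signed_report(target_logs):
    """What the reporting side (step 203) would send: JSON body plus its signature."""
    body = json.dumps(target_logs).encode()
    return body, sign(body)


def verify_call(caller_ip: str, payload: bytes, signature: str) -> bool:
    """Whitelist the caller first, then check the signature in constant time."""
    if caller_ip not in CALLER_WHITELIST:
        return False
    return hmac.compare_digest(sign(payload), signature)


class DedupTable:
    """Temporary table of reported target logs keyed by target IP; cleared when the day changes."""

    def __init__(self):
        self.day = None
        self.rows = {}      # target_ip -> first report of that IP for the current day

    def _roll_day(self, when: datetime):
        if when.date() != self.day:
            self.day = when.date()
            self.rows = {}

    def report(self, target_log: dict, when_iso: str) -> bool:
        """Store the log if its target IP is new today; return False if it is a duplicate."""
        when = datetime.fromisoformat(when_iso)
        self._roll_day(when)
        ip = target_log["access_ip"]
        if ip in self.rows:
            return False
        self.rows[ip] = dict(target_log, reported_at=when_iso)
        return True


def handle_webhook(caller_ip, payload, signature, table, when_iso):
    """Reject unauthenticated calls; otherwise return only the target logs that survive deduplication."""
    if not verify_call(caller_ip, payload, signature):
        raise PermissionError("webhook caller or signature check failed")
    return [t for t in json.loads(payload) if table.report(t, when_iso)]


if __name__ == "__main__":
    table = DedupTable()
    body, sig = make_signed_report([{"access_ip": "203.0.113.45", "url": "/phpMyAdmin/"}] * 2)
    print(handle_webhook("10.0.0.5", body, sig, table, "2022-03-08T10:00:00"))
```

The daily reset matters: an IP that was already blocked and then released should be eligible for blocking again the next day, so the table deliberately forgets, rather than acting as a permanent record of everything ever reported.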
Step 205, for each piece of target log data, white list filtering is performed.
In order to prevent the influence of missealing the IP address on daily service application, an IP address white list may be established in advance, and the IP address white list may include a CDN node, an internal IP address, a partner IP address, a temporary IP address, and the like.
For each piece of target log data, firstly judging whether the corresponding access IP address is located in an IP address white list, if so, directly releasing the access IP address, and not carrying out risk evaluation; otherwise, step 206 is performed for the target log data and its access IP address (i.e., target IP). The IP address white list may be maintained manually, with the white list automatically reset daily.
And step 206, for each piece of target log data, performing risk assessment on the access IP address corresponding to the target log data, and determining whether the access IP address is high risk.
For each piece of target log data, a comprehensive assignment for the IP address can be produced in a weighted evaluation manner using multiple dimensions from the log analysis result, such as IP attribution, purpose, accessed resources, access frequency and duration, so that risk evaluation is performed. Specifically, a weighted evaluation value of the access IP address may be calculated according to the IP address attribution, usage, accessed resource, access frequency and/or access duration of the access IP address corresponding to each piece of target log data; when the weighted evaluation value is greater than or equal to a set risk threshold, the access IP address is determined to be a high-risk access IP address, and when the weighted evaluation value is less than the set risk threshold, the access IP address is determined to be a low-risk access IP address.
When the weighted evaluation is performed, the assignment conditions of the different dimensions can be modified according to the specific situation. For example, assuming a risk threshold of 5, the assignment for an IP address whose attribution is abroad can be 4, and the assignment for an IP address whose accessed resource path does not exist and contains a sensitive word such as phpMyAdmin can be 5. The assignments can be modified for different environments; for example, in an attack-and-defence exercise stage, an IP whose attribution is a specific area and which also accesses an abnormal resource path is assigned 5 and is judged to be a high-risk IP.
In the weighted evaluation, the accessed resource mainly means the destination IP, that is, which system is accessed, such as the patient system or the general service system. High-value systems, such as the hospital registration system, carry a relatively high weight, and systems can generally be classified into three grades (important, general). An assignment matrix is formed based on the number of systems accessed and the number of critical programs accessing those systems. For access frequency, the higher the frequency, the larger the assignment may be. Specifically, the weighted-evaluation assignment may be made after combining access frequency and accessed resource. For access duration, the longer the duration exceeds a set time, the larger the assignment; the set time is mainly the basic time needed for a normal operation. For example, the average time to fill in basic information in the registration system is about 10 minutes, so the set time is 10 minutes, and beyond 10 minutes, the longer the duration, the larger the assignment.
In addition to risk assessment in the manner described above, it may also be performed using an IP address blacklist. Specifically, an IP address blacklist may be preset, and whether the access IP address corresponding to the log data is in the preset IP address blacklist is determined; if so, the corresponding IP address is determined to be a high-risk access IP address; if not, the risk assessment of the access IP address proceeds. The IP addresses in the IP address blacklist may come from a regulatory agency's threat intelligence and anti-fraud system ("vendor"), for example malicious attack IPs, vendor IPs and the like, or may be IP addresses entered manually in step 101 or obtained from a third-party threat intelligence API.
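Steps 205 and 206 end to end, as an added example that is not the patent's code: an access IP is first checked against a whitelist (released without evaluation), then against a blacklist (high risk outright), and otherwise scored by summing per-dimension assignments against the threshold of 5. The values 4 (attribution abroad) and 5 (non-existent path with a sensitive word) come from the description's own example; the frequency and duration rules, the lists, the attribution lookup and the system grades are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

RISK_THRESHOLD = 5   # the example threshold used in the description

# Constructed lists and lookups standing in for the whitelist (CDN nodes, internal and partner
# addresses), the blacklist (threat-intelligence IPs) and an IP attribution service.
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
BLACKLIST = {"198.51.100.7"}
ATTRIBUTION = {"203.0.113.45": "abroad", "203.0.113.9": "domestic"}
SENSITIVE_WORDS = ("phpMyAdmin", "wp-admin", ".env")
EXISTING_PATHS = {"/index.html", "/register", "/query"}
# Access-resource grade by destination system: 3 = critical (registration), 1 = general (assumed).
SYSTEM_GRADE = {"10.0.0.8": 3, "10.0.0.9": 1}
BASE_DURATION_MIN = 10   # "basic time" for a normal operation, from the description


def in_whitelist(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def weighted_score(t: dict):
    """Sum the per-dimension assignments and keep a reason per dimension for the warning message."""
    score, reasons = 0, []
    if ATTRIBUTION.get(t["access_ip"]) == "abroad":          # attribution dimension (+4 per the example)
        score += 4
        reasons.append("attribution abroad (+4)")
    url = t.get("url", "")
    if url not in EXISTING_PATHS and any(w in url for w in SENSITIVE_WORDS):   # accessed resource (+5)
        score += 5
        reasons.append("non-existent path with sensitive word (+5)")
    grade = SYSTEM_GRADE.get(t.get("dst_ip"), 1)
    if t.get("req_per_min", 0) > 60:                          # frequency combined with resource grade (assumed rule)
        score += grade
        reasons.append(f"high frequency to grade-{grade} system (+{grade})")
    pts = min(3, max(0, t.get("duration_min", 0) - BASE_DURATION_MIN) // 10)   # +1 per 10 min beyond base, cap 3 (assumed)
    if pts:
        score += pts
        reasons.append(f"duration beyond {BASE_DURATION_MIN} min (+{pts})")
    return score, reasons


def evaluate(t: dict) -> dict:
    """Whitelist first, then blacklist, then weighted evaluation against the threshold."""
    ip = t["access_ip"]
    if in_whitelist(ip):
        return {"access_ip": ip, "risk": "low", "score": None, "reasons": ["whitelisted, not evaluated"]}
    if ip in BLACKLIST:
        return {"access_ip": ip, "risk": "high", "score": None, "reasons": ["in IP blacklist"]}
    score, reasons = weighted_score(t)
    risk = "high" if score >= RISK_THRESHOLD else "low"
    return {"access_ip": ip, "risk": risk, "score": score, "reasons": reasons}


if __name__ == "__main__":
    print(evaluate({"access_ip": "203.0.113.45", "url": "/phpMyAdmin/index.php", "dst_ip": "10.0.0.8"}))
```

Returning the list of reasons alongside the score is what later lets the early warning state why an IP was judged high risk, and it also makes it possible to tune a single dimension's assignment after reviewing mistaken blocks.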
In addition, honeypots can be arranged at a plurality of ports on the application system in a business access scene in advance, for example, honeypots can be arranged at ports of the application system such as an official website, an Office Automation (OA) and a registration in a hospital business access scene, so that illegal users are attracted to attack. When the access request is sent to the application system, whether the corresponding access request has scanning behavior or not is judged according to each set honeypot, and if yes, the source IP of the access request is determined to be a high-risk access IP address.
Step 207, the high risk access IP address is blocked.
This step requires a blocking operation for the ip determined to be high risk.
The automatic blocking can be realized by a network threat information joint defense disposal platform net shield k01, a firewall, a WAF, a CDN and the like of the public security department, and can also be realized by any network security equipment.
After receiving a high-risk IP to be blocked, the system periodically and automatically links with the one or more security devices or systems; the linkage mode can include an API (application programming interface) and SSH (Secure Shell).
API mode: the API interface is enabled and the IP to be blocked is pushed to the network security device (such as K01) by a POST request, and the corresponding network security device completes the global blocking and sets the blocking time.
SSH mode: if the relevant security device has no API, the IP can be pushed to the security device by simulating SSH commands, so that global automatic blocking is realised. For example, on some firewalls without an API, multiple address group objects may be defined in advance and set as the source addresses of the blocking policy; the SSH shell is then invoked through Python's requests module, and the IP to be blocked is written into the address group object in the format required by the firewall's own command line.
To ensure separation of duties and least privilege, the automatic blocking can be performed by creating an independent account on the blocking device dedicated to the blocking operation and allowing only a specific device to use it.
Step 208: early-warning information is sent to the network security administrator for the blocked access IP address.
In this step the block information is sent to the network security administrator as an early warning. The delivery route can be SMS, e-mail or telephone, and the early-warning message can include, without limitation, the blocked IP address, the evaluation time and the reason the IP was evaluated as high risk. From the early-warning messages the network security administrator gains an intuitive picture of the characteristic time periods of attacks and of the number of IP addresses the system has blocked, and can roughly judge the current security state of the system.
Meanwhile, the background records detailed information on each blocked IP address, including its source location and behaviour, so that an attack report can be produced for further analysis, and the IP risk assessment scoring model is adjusted dynamically according to the blocking and unblocking outcomes.
Step 209: a blocked access IP address is unblocked automatically once the block duration exceeds the time threshold.
Because the execution mechanisms of some applications are non-standard, they trigger security device alarms, and non-attacking IP addresses are therefore blocked by mistake. Meanwhile, in the current hospital visit scenario, most user accesses to the hospital system are enquiry and registration services. Because mobile-network and home-broadband IP allocation is dynamic, an IP address is likely to change after an attack, and an automatically blocked IP address may later be allocated to a user who accesses the hospital system legitimately, so the unblocking strategy is very important.
The specific implementation of unblocking is essentially the same as that of blocking: IP addresses are unblocked through the API and SSH modes respectively. After an IP address is blocked automatically, its information is stored in an automatic-block IP library with a time stamp; the block validity period is set to 12 hours and an automatic unblock-on-timeout strategy is adopted, while the validity period can be configured flexibly according to actual operating conditions.
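The linkage of steps 207 to 209 (API push, SSH push into a pre-defined address group, a dedicated low-privilege account, a time-stamped block library and the 12-hour timeout sweep) as an added worked example in Python. This is not the patent's own code: the device name fw-edge, the K01 API URL and JSON field names, the firewall CLI templates, the account name autoblock and the constructed demo data are all assumptions. The point a practitioner should take from it is that every IP taken from a log is validated as a literal address before it is interpolated into a firewall command line, because a crafted log field would otherwise become a command-injection path into the firewall.

```python
# Added example, not the patent's own code. Standard library only; the device names, API URL,
# JSON field names and firewall CLI templates are assumptions standing in for a real K01-style
# API and a real firewall command line.
import ipaddress
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

BLOCK_TTL_SECONDS = 12 * 3600   # block validity period from the description; configurable

@dataclass
class Device:
    name: str                    # host name used for SSH (assumed)
    mode: str                    # "api" or "ssh"
    api_url: str = ""            # API mode: JSON POST endpoint (hypothetical)
    address_group: str = ""      # SSH mode: pre-defined address-group object the block policy uses
    add_cmd: str = ""            # SSH mode: vendor CLI templates, {group} and {ip} are filled in
    del_cmd: str = ""
    ssh_user: str = "autoblock"  # dedicated least-privilege account used only for block operations

@dataclass
class BlockRecord:
    ip: str
    reason: str
    blocked_at: float
    expires_at: float

def validate_ip(raw: str) -> str:
    """Canonicalise the address and reject anything that is not a literal IP. Log-derived strings
    are attacker controlled; pasted unchecked into an SSH command line they would turn the
    blocker into a command-injection path into the firewall."""
    return str(ipaddress.ip_address(raw.strip()))

def api_payload(ip: str, action: str, ttl: int, reason: str) -> Dict[str, object]:
    # Hypothetical body; real field names come from the device's API documentation.
    return {"ip": ip, "action": action, "duration_seconds": ttl, "reason": reason}

def ssh_lines(dev: Device, ip: str, action: str) -> List[str]:
    """Render the firewall's own CLI syntax for adding or removing an address-group member."""
    tmpl = dev.add_cmd if action == "block" else dev.del_cmd
    return [tmpl.format(group=dev.address_group, ip=ip)]

def ssh_run(user: str, host: str, lines: List[str]) -> int:
    """Real SSH transport (the offline demo injects a recording stand-in instead). Argument list,
    no local shell: the only shell involved is the firewall's own CLI, fed validated IPs."""
    cmd = ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", "\n".join(lines)]
    return subprocess.run(cmd, check=False).returncode

class Linker:
    """Fan a block or unblock out to every device; transports and clock are injected."""

    def __init__(self, devices: List[Device], post: Callable, run_ssh: Callable,
                 ttl: int = BLOCK_TTL_SECONDS, now: Callable[[], float] = time.time):
        self.devices, self.post, self.run_ssh, self.ttl, self.now = devices, post, run_ssh, ttl, now
        self.library: Dict[str, BlockRecord] = {}   # time-stamped automatic-block IP library

    def _push(self, ip: str, action: str, reason: str = "") -> None:
        for dev in self.devices:
            if dev.mode == "api":
                self.post(dev.api_url, api_payload(ip, action, self.ttl, reason))
            else:
                self.run_ssh(dev.ssh_user, dev.name, ssh_lines(dev, ip, action))

    def block(self, raw_ip: str, reason: str) -> bool:
        ip = validate_ip(raw_ip)            # raises ValueError before anything is pushed
        if ip in self.library:              # already blocked: do not push a duplicate
            return False
        self._push(ip, "block", reason)
        t = self.now()
        self.library[ip] = BlockRecord(ip, reason, t, t + self.ttl)
        return True

    def unblock(self, ip: str) -> bool:
        if self.library.pop(ip, None) is None:
            return False
        self._push(ip, "unblock")
        return True

    def expire(self) -> List[str]:
        """Timeout sweep: unblock every record whose validity period has elapsed."""
        due = sorted(r.ip for r in self.library.values() if r.expires_at <= self.now())
        for ip in due:
            self.unblock(ip)
        return due

def demo():
    """Offline run with recording transports and a controllable clock (all constructed)."""
    clock = [1_700_000_000.0]
    api_calls, ssh_calls = [], []
    devices = [
        Device("K01", "api", api_url="https://k01.example.invalid/api/block"),
        Device("fw-edge", "ssh", address_group="AUTO_BLOCK_1",
               add_cmd="address-group {group} add {ip}", del_cmd="address-group {group} delete {ip}"),
    ]
    lk = Linker(devices, lambda url, body: api_calls.append((url, body)),
                lambda user, host, lines: ssh_calls.append((user, host, lines)),
                now=lambda: clock[0])
    lk.block("203.0.113.7", "brute force")
    lk.block(" 203.0.113.7 ", "duplicate alert")        # same IP: no second push
    try:
        lk.block("203.0.113.7; reboot", "tampered log")  # rejected before any transport runs
    except ValueError:
        pass
    clock[0] += BLOCK_TTL_SECONDS                         # 12 hours later: timeout sweep
    return api_calls, ssh_calls, lk.expire()
```

A real API transport is any callable with the same (url, body) signature, for instance a urllib or requests POST with the device's token; the SSH account autoblock should exist only on the firewall, be allowed to modify only the address-group objects the block policy references, and accept logins only from the host running the linker, which is how the separation-of-duties requirement above is met in practice.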
The flow shown in Fig. 2 ends here. The flow in Fig. 2 gives the specific implementation of the automatic blocking method provided by this application: it breaks the dependence on security devices from a single manufacturer, collects the logs of the security devices centrally, analyses them in real time by correlation, establishes a multi-dimensional IP risk assessment strategy, and finally reaches the decision to automatically block or release an access IP address, effectively preventing malicious attacks and 0-day attack behaviour.
The foregoing is the specific implementation of the blocking method in this application. The application also provides a device for automatically blocking IP addresses against network attacks, which can be used to implement the blocking method. Fig. 3 is a schematic diagram of the basic structure of the blocking device. As shown in Fig. 3, the device includes: a log data acquisition module, a log data parsing module, a log data analysis module, a risk evaluation module and a blocking module.
The log data acquisition module acquires log data from a plurality of network security devices. The log data parsing module parses the acquired log data into a uniform format. The log data analysis module analyses the parsed log data, determines all target log data matching a preset configuration policy and obtains the corresponding access IP addresses. The risk evaluation module performs risk evaluation on the access IP address corresponding to each piece of target log data and determines whether it is high risk. The blocking module blocks the high-risk access IP addresses.
Optionally, the device may further include a deduplication module, configured to deduplicate all the target log data matched by the log data analysis module and provide the deduplicated target log data to the risk evaluation module.
Optionally, the device may further include an early-warning module, configured to send early-warning information to the network security administrator for the blocked access IP addresses.
Optionally, the device may further include an unblocking module, configured to unblock a blocked access IP address after the block duration reaches a set time threshold.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (18)

1. An IP automatic blocking method for network attacks, characterized in that it comprises the following steps:
acquiring log data from a plurality of network security devices and parsing the acquired log data into a uniform format;
analysing the parsed log data, determining all target log data matching a preset configuration policy and obtaining the corresponding access IP addresses;
for each piece of target log data, performing risk evaluation on the access IP address corresponding to that target log data, determining whether the access IP address is high risk, and blocking the high-risk access IP addresses.
2. The method of claim 1, wherein acquiring log data from a plurality of network security devices comprises:
enabling the syslog protocol on the network security devices and configuring the log level and/or log type to be collected; the network security devices send the log data to be collected to an rsyslog server over the syslog protocol according to that configuration, and the logs are stored and managed centrally;
reading the log data of the plurality of network security devices from the rsyslog server.
3. The method of claim 1, wherein, before performing risk evaluation on the access IP address corresponding to the target log data, the method further comprises:
judging whether the access IP address corresponding to the target log data is in a preset IP address whitelist; if so, determining that the access IP address corresponding to the target log data is a low-risk IP address and not performing risk evaluation on it; otherwise, continuing with the risk evaluation of the access IP address corresponding to the target log data.
4. The method of claim 1, wherein performing risk evaluation on the access IP address corresponding to the log data comprises:
judging whether the access IP address corresponding to the log data is in a preset IP address blacklist, and if so, determining that the corresponding IP address is a high-risk access IP address.
5. The method of claim 1 or 4, wherein performing risk evaluation on the access IP address corresponding to the log data comprises:
determining a weighted evaluation value for the access IP address according to its attribution, its usage, the resources it accesses, its access frequency and/or its access duration; determining that the access IP address is high risk when the weighted evaluation value is greater than or equal to a set risk threshold, and low risk when the weighted evaluation value is less than the set risk threshold.
6. The method of claim 1, wherein, before the plurality of network security devices are notified to block the high-risk access IP addresses, the method further comprises:
determining, by means of pre-deployed honeypots, whether a scanning behaviour exists in the access requests to the application system where the honeypots are located, and if so, determining the source IP of the corresponding access request to be a high-risk access IP address; wherein the honeypots are pre-deployed on a number of ports of an application system in the business access scenario.
7. The method of claim 1, wherein, before performing risk evaluation on the access IP address corresponding to the target log data, the method further comprises: deduplicating the access IP addresses.
8. The method of claim 7, wherein, before the deduplication is performed, the method further comprises: performing private-key encryption verification of the equipment that performs the deduplication, and executing the deduplication only after the verification passes.
9. The method of claim 1, wherein blocking the high-risk access IP addresses comprises:
pushing the high-risk access IP address by POST through an API interface to a preset enterprise network shield, which globally blocks the received high-risk access IP address;
and, for network security devices without an API, pushing the high-risk IP address to the corresponding network security device by simulating SSH commands, the corresponding network security device globally blocking the received IP address.
10. The method of claim 1 or 9, characterized in that the operations of blocking the high-risk access IP addresses are executed with a preset account and from a preset device.
11. The method of claim 1, wherein, after blocking the high-risk IP addresses, the method further comprises: for a blocked access IP address, unblocking it after the block duration reaches a set time threshold.
12. The method of claim 1, wherein, after blocking the high-risk access IP addresses, the method further comprises: sending early-warning information to a network security administrator for the blocked access IP address.
13. The method of claim 12, wherein the early-warning information comprises: the blocked access IP address, the evaluation time and the reason for the evaluation as high risk.
14. The method of claim 1, wherein analysing the parsed log data to determine all target log data matching a preset configuration policy comprises:
searching the parsed logs according to the configuration policy by the values of key fields in the uniform-format logs, and determining the target log data.
15. A device for automatically blocking IP addresses against network attacks, characterized in that it comprises: a log data acquisition module, a log data parsing module, a log data analysis module, a risk evaluation module and a blocking module;
the log data acquisition module is configured to acquire log data from a plurality of network security devices;
the log data parsing module is configured to parse the acquired log data into a uniform format;
the log data analysis module is configured to analyse the parsed log data, determine all target log data matching a preset configuration policy and obtain the corresponding access IP addresses;
the risk evaluation module is configured to perform risk evaluation on the access IP address corresponding to each piece of target log data and determine whether the access IP address is high risk;
and the blocking module is configured to block the high-risk access IP addresses.
16. The device of claim 15, further comprising a deduplication module, configured to deduplicate all the target log data matched by the log data analysis module and provide the deduplicated target log data to the risk evaluation module.
17. The device of claim 15, further comprising an early-warning module, configured to send early-warning information to a network security administrator for the blocked access IP addresses.
18. The device of claim 15, further comprising an unblocking module, configured to unblock a blocked access IP address after the block duration reaches a set time threshold.
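The decision chain of claims 3 to 7 (whitelist check, blacklist check, honeypot hit, deduplication by access IP, and the weighted evaluation of claim 5 against a risk threshold) as an added example in Python, run over constructed log records that are already in one uniform format. This is not the patent's own code: the record field names, the whitelist, blacklist and honeypot ports, the expected user regions, the weights, the threshold and the sample data are all assumptions chosen for illustration; the patent specifies the dimensions of the weighted evaluation but not their weights.

```python
# Added example, not the patent's own code: the decision chain of claims 3 to 7 (whitelist,
# blacklist, honeypot hit, deduplication, weighted evaluation) run over constructed log records
# already parsed into one uniform format. Field names, lists, weights, threshold and the sample
# data are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

@dataclass
class Record:            # one uniform-format log line after parsing (field names assumed)
    ip: str
    ts: float            # epoch seconds
    resource: str        # requested path
    dst_port: int
    geo: str             # attribution: region from an IP geolocation database
    usage: str           # "mobile", "broadband", "datacenter", "proxy", ...

WHITELIST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]  # assumed
BLACKLIST = {"192.0.2.66"}                                             # assumed
HONEYPOT_PORTS = {2222, 8088}        # ports the honeypots listen on (assumed)
EXPECTED_REGIONS = {"CN"}            # where the hospital's users normally come from (assumed)
SENSITIVE_PREFIXES = ("/admin", "/.git", "/phpmyadmin", "/api/internal")
RISK_THRESHOLD = 60                  # assumed

def deduplicate(records: Iterable[Record]) -> Dict[str, List[Record]]:
    """Claim 7: group target log data by access IP so each IP is assessed once."""
    by_ip: Dict[str, List[Record]] = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    return by_ip

def in_whitelist(ip: str) -> bool:
    return any(ip_address(ip) in net for net in WHITELIST)

def weighted_score(recs: List[Record]) -> Tuple[int, List[str]]:
    """Claim 5: weighted value from attribution, usage, accessed resources, frequency and
    duration. The weights are assumptions; returns the score and the contributing reasons."""
    score, reasons = 0, []
    if recs[0].geo not in EXPECTED_REGIONS:
        score += 20
        reasons.append(f"attribution={recs[0].geo}")
    if recs[0].usage in ("datacenter", "proxy"):
        score += 25
        reasons.append(f"usage={recs[0].usage}")
    hits = sum(r.resource.startswith(SENSITIVE_PREFIXES) for r in recs)
    if hits:
        score += min(30, 10 * hits)
        reasons.append(f"sensitive_resources={hits}")
    span = max(r.ts for r in recs) - min(r.ts for r in recs)   # access duration
    rate = len(recs) / max(span, 1.0)                          # access frequency
    if rate > 2:
        score += 30
        reasons.append(f"frequency={rate:.1f}/s")
    if len(recs) >= 10 and span < 5:
        score += 10
        reasons.append(f"duration={span:.1f}s")
    return score, reasons

def assess(records: Iterable[Record]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {ip: (risk level, reasons)} for every distinct access IP."""
    out = {}
    for ip, recs in deduplicate(records).items():
        if in_whitelist(ip):                                   # claim 3: low risk, no scoring
            out[ip] = ("low", ["whitelist"])
        elif ip in BLACKLIST:                                  # claim 4
            out[ip] = ("high", ["blacklist"])
        elif any(r.dst_port in HONEYPOT_PORTS for r in recs):  # claim 6: scan hit a honeypot
            out[ip] = ("high", ["honeypot-scan"])
        else:
            score, reasons = weighted_score(recs)
            out[ip] = ("high" if score >= RISK_THRESHOLD else "low", reasons + [f"score={score}"])
    return out

def sample_records() -> List[Record]:
    """Constructed log data; not taken from any real device."""
    recs = [
        Record("10.1.2.3", 1000.0, "/admin/login", 443, "CN", "broadband"),   # whitelisted intranet
        Record("192.0.2.66", 1001.0, "/register", 443, "CN", "mobile"),        # blacklisted
        Record("192.0.2.200", 1002.0, "/", 2222, "CN", "broadband"),           # probed a honeypot port
        Record("203.0.113.77", 2000.0, "/register", 443, "CN", "mobile"),      # ordinary patient
        Record("203.0.113.77", 2030.0, "/query", 443, "CN", "mobile"),
    ]
    # 12 requests to /admin/login within 2.2 s from a foreign datacenter address
    recs += [Record("203.0.113.9", 1000.0 + 0.2 * i, "/admin/login", 443, "US", "datacenter")
             for i in range(12)]
    return recs
```

The reasons list is what feeds the early-warning message of claim 13 (the reason an IP was evaluated as high risk) and the attack report; keeping it alongside the score also makes the model adjustable, since a false block can be traced to the dimension that pushed the score over the threshold.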
CN202210222312.1A 2022-03-09 2022-03-09 IP automatic blocking method and device for network attack Pending CN114598525A (en)

Publications (1)

Publication Number Publication Date
CN114598525A true CN114598525A (en) 2022-06-07

Family

ID=81815792

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022056A (en) * 2022-06-09 2022-09-06 国网湖南省电力有限公司 Intelligent handling method for network attack behaviors of power grid system
CN115022056B (en) * 2022-06-09 2023-11-21 国网湖南省电力有限公司 Intelligent network attack behavior handling method for power grid system
CN115208647A (en) * 2022-07-05 2022-10-18 南京领行科技股份有限公司 Attack behavior handling method and device
CN115913665A (en) * 2022-11-01 2023-04-04 国家管网集团北方管道有限责任公司 Network security early warning method and device based on serial port firewall
CN115913683A (en) * 2022-11-07 2023-04-04 中国联合网络通信集团有限公司 Risk access record generation method, device, equipment and storage medium
CN115766201A (en) * 2022-11-11 2023-03-07 北京哈工信息产业股份有限公司 Solution for rapidly blocking large number of IP addresses
CN116545645A (en) * 2023-03-20 2023-08-04 中国华能集团有限公司北京招标分公司 IP address blocking method
CN116455642A (en) * 2023-04-21 2023-07-18 杭州虎符网络有限公司 Access risk real-time auditing method and system based on log analysis
CN116455642B (en) * 2023-04-21 2023-11-21 杭州虎符网络有限公司 Access risk real-time auditing method and system based on log analysis
CN117201189A (en) * 2023-11-03 2023-12-08 北京微步在线科技有限公司 Firewall linkage method and device, computer equipment and storage medium
CN117201189B (en) * 2023-11-03 2024-01-30 北京微步在线科技有限公司 Firewall linkage method and device, computer equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506243A (en) * 2016-12-19 2017-03-15 武汉虹信通信技术有限责任公司 A kind of webmaster method for diagnosing faults based on daily record data
CN110650038A (en) * 2019-09-12 2020-01-03 国家电网有限公司 Security event log collecting and processing method and system for multiple classes of supervision objects
CN111866016A (en) * 2020-07-29 2020-10-30 中国平安财产保险股份有限公司 Log analysis method and system
CN112084249A (en) * 2020-09-11 2020-12-15 浙江立元科技有限公司 Access record extraction method and device
WO2021093051A1 (en) * 2019-11-15 2021-05-20 网宿科技股份有限公司 Ip address assessment method and system, and device
CN113254964A (en) * 2021-06-02 2021-08-13 杭州趣链科技有限公司 Log security certificate storage method and device, electronic equipment and storage medium
CN114006748A (en) * 2021-10-28 2022-02-01 国网山东省电力公司信息通信公司 Network security comprehensive monitoring method, system, equipment and storage medium
CN114143064A (en) * 2021-11-26 2022-03-04 国网四川省电力公司信息通信公司 Multi-source network security alarm event tracing and automatic processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination