CN114629691A - Data processing method, device and storage medium - Google Patents


Info

Publication number
CN114629691A
Authority
CN
China
Prior art keywords
data
honeypot
generating
instruction
data packet
Legal status
Pending
Application number
CN202210175765.3A
Other languages
Chinese (zh)
Inventor
张晓东
孔令武
关勇
姚培
Current Assignee
Beijing Luoan Technology Co Ltd
Original Assignee
Beijing Luoan Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The application discloses a data processing method, a data processing device and a storage medium. The data processing method comprises the following steps: performing security detection on the obtained data packets, screening abnormal data packets with risks, and generating early warning information according to the abnormal data packets, wherein the data packets are flow data transmitted through a network and used for accessing target equipment; generating a data control instruction according to the early warning information based on the mapping relation with a preset honeypot system; and sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.

Description

Data processing method, device and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a data processing method, an apparatus, and a storage medium.
Background
Key information infrastructure is the nerve centre of economic and social operation and a central concern of network security. Safeguarding it is of great significance for maintaining national sovereignty in cyberspace and national security, guaranteeing the healthy development of the economy and society, and protecting the public interest and the legal rights and interests of citizens. At present, the network security situation faced by key information infrastructure is growing more severe and the threat of network attack is rising. To protect the industrial control systems of key information infrastructure, so that a system can be restored after an attack, the attack behaviour can be captured as evidence, and the defender can hold the initiative in the attack-and-defence process, enterprises in this field can achieve these aims by deploying a honeypot system when building their information systems.
Most honeypot systems on the market at present adopt a bypass deployment mode that does not intrude on the protected target device; although this has the advantage of not intruding on the target device, only honeypot baits are deployed in the target device. That is, the honeypot system is only externally connected to the target device, and when an attacker intrudes into the target device, there is great uncertainty as to whether the honeypot system will be attacked at all. In this mode, on the one hand, whether the honeypots are attacked depends on the deployment ratio of honeypots to target devices: if target devices are numerous and honeypots are few, the probability that an attacker reaches a honeypot is small, and the honeypot system is hardly attacked; on the other hand, if the attacker scans the target device from the start, it attacks the target device directly and achieves its expected goal. To avoid this situation, most existing methods deploy agent software on the target device to transfer attack traffic, but this itself constitutes an intrusion on the target device and damages its confidentiality, integrity and availability.
For the above problem in the prior art, namely the low security rate when a honeypot system is used to protect the target device, no effective solution has been proposed so far.
Disclosure of Invention
Embodiments of the present application provide a data processing method, an apparatus, and a storage medium, so as to at least solve the technical problem in the prior art that a security rate is low when a honeypot system is used to protect a target device.
According to an aspect of an embodiment of the present application, there is provided a data processing method, including: performing security detection on the acquired data packets, screening dangerous abnormal data packets, and generating early warning information according to the abnormal data packets, wherein the data packets are flow data transmitted through a network and used for accessing the target equipment; generating a data control instruction according to the early warning information based on the mapping relation with a preset honeypot system; and sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
According to another aspect of embodiments of the present application, there is also provided a storage medium including a stored program, wherein the method of any one of the above is performed by a processor when the program is run.
According to another aspect of the embodiments of the present application, there is also provided a data processing apparatus, including: the information generation module is used for carrying out security detection on the acquired data packets, screening dangerous abnormal data packets and generating early warning information according to the abnormal data packets, wherein the data packets are flow data which are used for accessing the target equipment and transmitted through the network; the instruction generation module is used for generating a data control instruction according to the early warning information based on the mapping relation with the preset honeypot system; and the data sending module is used for sending the abnormal data packet to the honeypot system according to the data control instruction and generating response information corresponding to the abnormal data packet.
According to another aspect of the embodiments of the present application, there is also provided a data processing apparatus, including: a processor; and a memory coupled to the processor for providing instructions to the processor for processing the following processing steps: performing security detection on the acquired data packets, screening dangerous abnormal data packets, and generating early warning information according to the abnormal data packets, wherein the data packets are flow data transmitted through a network and used for accessing the target equipment; generating a data control instruction according to the early warning information based on the mapping relation with a preset honeypot system; and sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
In the embodiment of the application, the data auditing system screens out the abnormal data packet and generates early warning information containing address information from it, so that an offensive abnormal data packet can be discovered and warned about in time. The policy management module then generates, according to the address information in the early warning information, a redirection instruction for redirecting the abnormal data packet to the honeypot system, and a response instruction that includes the forged address of the accessed device. The data control module then redirects the abnormal data packet to the honeypot system according to the redirection instruction, so that the offensive abnormal data packet is diverted while the target device is under attack. After generating response information according to the response instruction, the data control module sends it to the attacker's user terminal, so that the abnormal data packet is redirected to the honeypot system without the attacker noticing, and the honeypot system's response is disguised as a response from the original access target of the attack data, deceiving the attacker. Consequently, once the attack is detected the target device is no longer affected by the abnormal data packet, its services keep running normally, and the service continuity of the target device is improved.
Furthermore, this technical scheme actively transfers the abnormal data packet to the honeypot system once an offensive abnormal data packet is detected, removing the uncertainty in the prior art, where the honeypot system is arranged in bypass deployment mode, as to whether the abnormal data packet will ever reach the honeypot system. The probability that the data processing system handles the abnormal data packet is therefore greatly improved, and the security of the target device is ensured. In addition, the technical scheme deploys the data processing system in bypass alongside the target device, so the data processing system does not intrude on the service device corresponding to the target device, and the confidentiality, integrity and availability of that service device are preserved. The technical problem of the low security rate when a honeypot system is used to protect the target device in the prior art is thereby solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a hardware block diagram of a computing device for implementing the method according to embodiment 1 of the present application;
FIG. 2 is a schematic diagram of a data processing system according to embodiment 1 of the present application;
FIG. 3 is a schematic flow chart of a data processing method according to the first aspect of embodiment 1 of the present application;
FIG. 4 is a relationship diagram of a mapping relationship according to the first aspect of embodiment 1 of the present application;
FIG. 5 is a further schematic flow chart of a data processing method according to the first aspect of embodiment 1 of the present application;
FIG. 6 is a block diagram schematically illustrating a data processing method according to the first aspect of embodiment 1 of the present application;
FIG. 7 is a further schematic flow chart of data processing according to the first aspect of embodiment 1 of the present application;
FIG. 8 is a schematic diagram of a data processing apparatus according to embodiment 2 of the present application; and
FIG. 9 is a schematic diagram of a data processing apparatus according to embodiment 3 of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the described embodiments are merely exemplary of some, and not all, of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to the present embodiment, there is provided a method embodiment of a data processing method, it being noted that the steps illustrated in the flowchart of the figure may be performed in a computer system such as a set of computer executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different than here.
The method embodiments provided by the present embodiment may be executed in a mobile terminal, a computer terminal, a server or a similar computing device. Fig. 1 shows a hardware block diagram of a computing device for implementing the data processing method. As shown in fig. 1, the computing device may include one or more processors (which may include, but are not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory for storing data, and a transmission device for communication functions. In addition, the computing device may also include: a display, an input/output (I/O) interface, a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, a power source, and/or a camera. Those skilled in the art will understand that the structure shown in fig. 1 is only an illustration and does not limit the structure of the electronic device. For example, the computing device may include more or fewer components than shown in fig. 1, or have a different configuration.
It should be noted that the one or more processors and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuitry may be a single, stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computing device. As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data processing method in the embodiments of the present application, and the processor executes various functional applications and data processing by running the software programs and modules stored in the memory, that is, implementing the data processing method of the application program. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory may further include memory located remotely from the processor, which may be connected to the computing device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device is used for receiving or transmitting data via a network. Specific examples of such networks may include wireless networks provided by communication providers of the computing devices. In one example, the transmission device includes a Network adapter (NIC) that can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computing device.
It should be noted here that in some alternative embodiments, the computing device shown in fig. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that FIG. 1 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in a computing device as described above.
Fig. 2 is a schematic diagram of a data processing system according to the present embodiment. Referring to fig. 2, the system includes: terminal device 100, server 200 and honeypot system 300. Wherein the terminal device 100 is, for example, a switch, and a data auditing system and a data control system are deployed on the terminal device 100. A policy management system is deployed on server 200.
The data auditing system audits the captured data packets, screens out abnormal data packets, and sends the early warning information generated from the abnormal data packets to the policy management system on the server 200.
The policy management system generates a data control instruction according to the received early warning information and the mapping relationship with the honeypot system 300, and sends the data control instruction to the data control system.
The data control system receives the data control instruction and executes it.
It should be noted that the data auditing system and the data control system need to be deployed on the same terminal device or server. Besides being deployed on the server 200, the policy management system may also be deployed on the terminal device 100, and is not limited herein. However, in this embodiment, a data auditing system and a data control system are deployed in the terminal device 100, and a policy management system is deployed in the server 200 as an example.
It should be noted that the terminal device 100, the server 200, and the honeypot system 300 in the system can be applied to the above-described hardware configuration.
In the above operating environment, according to a first aspect of the present embodiment, a data processing method is provided. Fig. 3 shows a flow diagram of the method, which, with reference to fig. 3, comprises:
S302: performing security detection on the acquired data packets, screening dangerous abnormal data packets, and generating early warning information according to the abnormal data packets, wherein the data packets are flow data transmitted through a network and used for accessing the target equipment;
S304: generating a data control instruction according to the early warning information based on the mapping relation with a preset honeypot system; and
S306: sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
Specifically, referring to fig. 4, when a user accesses device 1, which is protected by the data processing system, through user terminal 1, the data auditing system deployed on the terminal device 100 obtains the data packet generated when user terminal 1 accesses device 1. The data auditing system then performs security detection on the obtained data packet according to preset intrusion detection rules and judges whether it is an abnormal data packet with risk: if the data packet is detected to be offensive, it is judged to be an abnormal data packet and is intercepted and processed. If the data packet is detected not to be offensive, it is determined to be a normal data packet without risk and is transmitted to the target device it needs to access (i.e., device 1), so that user terminal 1 can access device 1 normally.
Further, when the data auditing system determines that the data packet is an abnormal data packet, the data auditing system may compose the address information, the data information and the triggered intrusion detection rule, which are analyzed from the abnormal data packet, into early warning information (S302). The data auditing system then sends the generated early warning information to the policy management system deployed in server 200.
Further, referring to FIG. 4, the target devices protected by the data processing system include device 1 through device 4. The policy management system establishes corresponding mapping relationships with a plurality of honeypots (corresponding to honeypots 1 to 4) in the preset honeypot system 300 according to types of target devices (i.e., devices 1 to 4). Wherein the target device is, for example, a PLC device (i.e., a device type).
After receiving the warning information, the policy management system generates a data control command according to the mapping relationship between the device 1 (i.e., the target device) and the honeypot system 300 and the address information in the warning information (S304). Wherein the data control instructions include a redirect instruction and a response instruction. Specifically, the address information in the warning information includes a source address and a destination address. For example, when the user terminal 1 accesses the device 1, the source address in the generated abnormal packet is the address of the user terminal 1, and the destination address is the address of the device 1. Wherein the device 1 and the honeypot 1 of the honeypot system 300 have a mapping relation, the policy management system generates a redirection instruction for accessing the honeypot 1 of the honeypot system 300 according to the mapping relation, and generates a response instruction for returning a message to the address of the user terminal 1. Wherein the source address in the response instruction (i.e. the address of the device 1 the user terminal 1 wants to access) is the forged address of the device 1 and the real source address is the address of the honeypot 1. The policy management system then sends the data control instruction to the data control system deployed on the terminal device 100.
Further, after the data control system receives the data control command, the data control system sends the abnormal data packet to the honeypot system 300 according to the redirection command in the data control command. And the data control system generates response information according to the response instruction in the data control instruction and transmits the response information to the user terminal 1 according to the forged source address in the response instruction (S306).
As mentioned in the background, most honeypot systems on the market today employ a bypass deployment mode that does not intrude on the target devices to be protected; although this has the advantage of not intruding on the target devices, only honeypot baits are deployed in the target devices. That is, the honeypot system is only externally connected to the target device, and when an attacker intrudes into the target device, there is great uncertainty as to whether the honeypot system will be attacked at all. In this mode, on the one hand, whether the honeypots are attacked depends on the deployment ratio of honeypots to target devices: if target devices are numerous and honeypots are few, the probability that an attacker reaches a honeypot is small, and the honeypot system is hardly attacked; on the other hand, if the attacker scans the target device from the start, it attacks the target device directly and achieves its expected goal. To avoid this situation, most existing methods deploy agent software on the target device to transfer attack traffic, but this itself constitutes an intrusion on the target device and damages its confidentiality, integrity and availability.
To address these technical problems, according to the technical scheme of the embodiment of the application, the data auditing system screens out the abnormal data packets and generates early warning information containing address information from them, so that offensive abnormal data packets can be discovered and warned about in time. The policy management module then generates, according to the address information in the early warning information, a redirection instruction for redirecting the abnormal data packet to the honeypot system, and a response instruction that includes the forged address of the accessed device. The data control module then redirects the abnormal data packet to the honeypot system according to the redirection instruction, so that the offensive abnormal data packet is diverted while the target device is under attack. After generating response information according to the response instruction, the data control module sends it to the attacker's user terminal, so that the abnormal data packet is redirected to the honeypot system without the attacker noticing, and the honeypot system's response is disguised as a response from the original access target of the attack data, deceiving the attacker. Consequently, once the attack is detected the target device is no longer affected by the abnormal data packet, its services keep running normally, and the service continuity of the target device is improved.
Furthermore, this technical scheme actively transfers the abnormal data packet to the honeypot system once an offensive abnormal data packet is detected, removing the uncertainty in the prior art, where the honeypot system is arranged in bypass deployment mode, as to whether the abnormal data packet will ever reach the honeypot system. The probability that the data processing system handles the abnormal data packet is therefore greatly improved, and the security of the target device is ensured. In addition, the technical scheme deploys the data processing system in bypass alongside the target device, so the data processing system does not intrude on the service device corresponding to the target device, and the confidentiality, integrity and availability of that service device are preserved. The technical problem of the low security rate when a honeypot system is used to protect the target device in the prior art is thereby solved.
Optionally, the operation of performing security detection on the acquired data packets, screening abnormal data packets with risks, and generating early warning information according to the abnormal data packets includes: decoding the data packet to obtain a corresponding first source address, a corresponding first destination address and corresponding data information, wherein the data information is instruction information in the data packet; detecting the data packets through a preset intrusion detection rule, and screening to obtain abnormal data packets, wherein the abnormal data packets are data packets with safety risks; and generating early warning information according to the data information, the first source address, the first destination address and the triggered intrusion detection rule in the abnormal data packet.
Specifically, the data auditing system unpacks the captured data packet, and then decodes the content in the unpacked data packet to obtain a source address (i.e., a first source address), a destination address (i.e., a first destination address) and data information in the data packet. Wherein the data information is instruction information of the access target device. And the data auditing system is preset with intrusion detection rules. Such as an Intrusion Detection System (IDS). After the data auditing system obtains the data packets, the data packets are detected through intrusion detection rules, whether the data packets are abnormal data packets with safety risks or not is judged, and therefore the abnormal data packets are screened out from all the captured data packets.
The preset intrusion detection rules are various types of intrusion detection rules, wherein each intrusion detection rule has different intrusion judgment conditions, and when the data packet conforms to one intrusion detection rule, the data auditing system judges the data packet as an abnormal data packet and records the intrusion detection rule triggered by the abnormal data packet.
Further, the data auditing system generates early warning information from the source address (i.e., the first source address), the destination address (i.e., the first destination address), the data information and the triggered detection rule analyzed from the abnormal data packet, and sends the early warning information to a policy management system deployed in the server 200.
Therefore, according to the technical scheme, all data packets are subjected to safety detection, abnormal data packets with risks are screened out, and early warning information is generated according to the abnormal data packets. Therefore, by the mode, the safety of the target equipment is protected in real time, the early warning information is sent in time to deal with the equipment attacker, and the safety of the equipment is ensured.
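As an added illustration of the auditing step described above (example code, not part of the patent), the following Python decodes an IPv4/TCP frame into the first source address, first destination address and data information, applies two constructed intrusion detection rules (an allowed source range and a Modbus/TCP write function code, both assumptions chosen for a PLC target), and emits early warning information for each abnormal data packet.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example (not the patent's code): the data auditing stage.
# A packet is decoded into (first source, first destination, data information),
# checked against preset intrusion detection rules, and the first rule that
# fires is recorded in the early warning information.

@dataclass(frozen=True)
class Packet:
    first_source: str       # sender (the accessing user terminal)
    first_destination: str  # accessed target device
    dst_port: int
    data: bytes             # instruction information carried to the target

@dataclass(frozen=True)
class EarlyWarning:
    first_source: str
    first_destination: str
    data: bytes
    triggered_rule: str     # id of the intrusion detection rule that fired

@dataclass(frozen=True)
class IntrusionRule:
    rule_id: str
    matches: Callable[[Packet], bool]

def decode_packet(raw: bytes) -> Optional[Packet]:
    """Decode an IPv4/TCP frame; return None for anything the auditor cannot parse."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4              # IPv4 header length in bytes
    if raw[9] != 6 or len(raw) < ihl + 20:  # protocol 6 = TCP
        return None
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    tcp = raw[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return Packet(src, dst, dst_port, tcp[data_offset:])

# Constructed assumption: engineering stations that may talk to the PLCs.
ALLOWED_SOURCES = ipaddress.ip_network("10.0.0.0/24")

# Constructed rules. Modbus/TCP uses port 502; the function code sits at byte 7
# (after the 7-byte MBAP header); 0x05/0x06/0x10 are write functions.
RULES: List[IntrusionRule] = [
    IntrusionRule("R001-unexpected-source",
                  lambda p: ipaddress.ip_address(p.first_source) not in ALLOWED_SOURCES),
    IntrusionRule("R002-plc-write-instruction",
                  lambda p: p.dst_port == 502 and len(p.data) > 7 and p.data[7] in (0x05, 0x06, 0x10)),
]

def audit(raw_frames: List[bytes]) -> List[EarlyWarning]:
    """Screen captured frames and produce early warning information for abnormal ones."""
    warnings: List[EarlyWarning] = []
    for raw in raw_frames:
        pkt = decode_packet(raw)
        if pkt is None:
            continue
        for rule in RULES:
            if rule.matches(pkt):
                warnings.append(EarlyWarning(pkt.first_source, pkt.first_destination,
                                             pkt.data, rule.rule_id))
                break   # record the rule that was triggered
    return warnings

def build_ipv4_tcp(src: str, dst: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed sample frame (checksums left zero; enough for decode_packet)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

# Constructed Modbus/TCP requests: read holding register (0x03) and write register (0x06).
MODBUS_READ = bytes.fromhex("000100000006010300000001")
MODBUS_WRITE = bytes.fromhex("0001000000060106000a0001")

SAMPLE_FRAMES = [
    build_ipv4_tcp("10.0.0.5", "192.168.1.10", 502, MODBUS_READ),    # benign
    build_ipv4_tcp("172.16.9.7", "192.168.1.10", 502, MODBUS_WRITE), # triggers R001
    build_ipv4_tcp("10.0.0.5", "192.168.1.11", 502, MODBUS_WRITE),   # triggers R002
    b"\x60" + bytes(39),                                             # IPv6, ignored
]
```

Running `audit(SAMPLE_FRAMES)` yields two early warnings, one per abnormal frame, each carrying the addresses, the instruction bytes and the rule id that the policy management system later consumes.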
Optionally, the operation of generating the data control instruction according to the early warning information based on a mapping relationship with a preset honeypot system includes: acquiring a first destination address in the early warning information, and generating a redirection instruction according to a preset mapping strategy, wherein the redirection instruction is used for redirecting the first destination address to a corresponding honeypot in the honeypot system; and acquiring a first source address in the early warning information, and generating a response instruction according to a preset mapping strategy, wherein a second source address in the response instruction is a first destination address obtained by forging a honeypot address in the honeypot system, and the mapping strategy is used for indicating the mapping relation between the first destination address and the honeypot system.
Specifically, the policy management system is pre-set with a mapping policy, where the mapping policy is used to indicate a mapping relationship between the first destination address and the honeypot system 300. Referring to fig. 4, for example, in the mapping policy, a mapping relationship is established between the address of device 1 (i.e., the first destination address) and the address of honeypot 1, and a mapping relationship is established between the address of device 2 and the address of honeypot 2. Similarly, the addresses of the device 3 and the device 4 are respectively mapped with the addresses of the honeypot 3 and the honeypot 4.
After the policy management system receives the early warning information sent by the data auditing system, it first obtains the first destination address in the early warning information (i.e., the address of device 1), and then detects whether the address of device 1 (i.e., the first destination address) has been mapped to the honeypot system 300 (i.e., whether a mapping policy exists). When it detects that the address of device 1 (i.e., the first destination address) has been mapped in advance to the address of honeypot 1 of the honeypot system 300, the policy management system generates a redirection instruction according to the mapping policy. That is, the policy management system generates a redirection instruction that accesses honeypot 1 of the honeypot system 300 in place of the instruction that originally intended to access the address of device 1 (i.e., the first destination address).
Further, the policy management system obtains the first source address (i.e., the address of the user terminal 1) in the early warning information, and generates a response instruction for sending response information to the address of the user terminal 1 according to the mapping policy, thereby reminding the user terminal 1 of successful access to the device 1. Wherein the response instruction is used to generate the response information. And wherein the source address in the response instruction is the address of honeypot 1 of honeypot system 300 and the destination address (i.e., the second destination address) is the address of user terminal 1.
Since the data packet generated when user terminal 1 accesses device 1 is an abnormal data packet with risk, the policy management system forges the address of honeypot 1 in the response instruction into the address of device 1 that user terminal 1 originally wanted to access. The source address in the response instruction (i.e., the second source address) thus becomes the forged address of device 1, while its actual source address is still the address of honeypot 1 of the honeypot system 300.
Then, the policy management system sends the data control command including the redirection command and the response command to the data control system deployed on the terminal system 100 through the preset API for interaction.
Therefore, the technical scheme generates the mapping strategy by pre-establishing the mapping relation between the target equipment and the honeypot system 300. Therefore, the redirection instruction and the response instruction are quickly generated according to the mapping strategy, and then the abnormal data packet is quickly redirected and response information is sent according to the redirection instruction and the response instruction, so that the data processing efficiency is improved.
Optionally, the generating, according to the early warning information, a data control instruction based on a mapping relationship with a preset honeypot system further includes: acquiring a first destination address in the early warning information, determining a honeypot in a honeypot system of which the device type is the same as that of target equipment according to the device type of the target equipment corresponding to the first destination address, and generating a redirection instruction, wherein the redirection instruction is used for redirecting the first destination address to the corresponding honeypot in the honeypot system; and acquiring a first source address in the early warning information, and generating a response instruction, wherein a second source address in the response instruction is a first destination address obtained by forging a honeypot address in the honeypot system, and the mapping policy is used for indicating the mapping relation between the first destination address and the honeypot system.
Specifically, after receiving the early warning information sent by the data auditing system, the policy management system first obtains the first destination address (e.g., the address of device 1) in the early warning information, then detects whether the address of device 1 (i.e., the first destination address) has a mapping relationship with the honeypot system 300 (i.e., whether a mapping policy exists). When it detects that the address of device 1 (i.e., the first destination address) has not previously been mapped to the address of honeypot 1 of the honeypot system 300, the policy management module obtains the device type of device 1, randomly selects a honeypot of the same type as device 1 (e.g., honeypot 1) from the honeypot system, and establishes a mapping relationship between device 1 and honeypot 1. The policy management system then generates a redirection instruction according to this mapping relationship. That is, the policy management system generates a redirection instruction that accesses honeypot 1 of the honeypot system 300 in place of the instruction that originally intended to access the address of device 1 (i.e., the first destination address).
Furthermore, when the address of device 1 (i.e., the first destination address) has not previously been mapped to the address of honeypot 1 of the honeypot system 300 and the policy management module finds no honeypot of the same type as device 1, the policy management module randomly selects a honeypot and maps device 1 to the randomly selected honeypot.
Further, the policy management system obtains the first source address (for example, the address of the user terminal 1) in the early warning information, and generates a response instruction for sending response information to the address of the user terminal 1 according to the mapping relationship, so as to remind the user terminal 1 of successful access to the device 1. Wherein the response instruction is used to generate the response information. Wherein the source address in the response instruction is the address of honeypot 1 of the honeypot system and the destination address (i.e. the second destination address) is the address of the user terminal 1.
Since the data packet generated when user terminal 1 accesses device 1 is an abnormal data packet with risk, the policy management system forges the address of honeypot 1 of the honeypot system (i.e., the second source address) in the response instruction into the address of device 1 that user terminal 1 originally intended to access. The source address in the response instruction (i.e., the second source address) thus becomes the forged address of device 1, while its actual source address is still the address of honeypot 1 of the honeypot system 300.
Then, the policy management system sends the data control command including the redirection command and the response command to the data control system deployed on the terminal system 100 through the preset API for interaction.
Therefore, in the technical scheme, when the target device has not established a mapping relationship with the honeypot system 300 in advance (i.e., when no mapping policy exists), a honeypot of the same type as the accessed target device can still be selected at random for matching, so that the redirection instruction and the response instruction are generated according to the randomly matched mapping relationship. This solves the problem that no mapping relationship was established in advance because the number of target devices does not match the number of honeypots. Furthermore, according to the technical scheme, the abnormal data packet can be quickly redirected and response information can be sent by generating the redirection instruction and the response instruction, so that the data processing efficiency is improved.
Optionally, the operation of sending the abnormal data packet to the honeypot system according to the data control instruction and generating response information corresponding to the abnormal data packet includes: receiving a data control instruction corresponding to the abnormal data packet; redirecting the first destination address of the abnormal data packet to the honeypot system according to a redirection instruction in the data control instruction; and generating a corresponding second source address according to a response instruction in the data control instruction, and returning response information corresponding to the abnormal data packet to the first source address according to the second source address, wherein the first source address is a second destination address in the response instruction.
Specifically, the data management system receives a data control instruction sent by the policy management system through a northbound interface, queries a redirection instruction and a response instruction in the data control instruction through a southbound interface, and then acquires the redirection instruction in the data control instruction. For example, the user terminal 1 (i.e., the first source address) has transmitted a packet for access (i.e., an abnormal packet) to the address of the device 1 (i.e., the first destination address), intending to access the device 1. The data management system redirects the destination address (i.e., the first destination address) in the abnormal packet to honeypot 1 of honeypot system 300 according to the redirection instruction, thereby transmitting the abnormal packet of user terminal 1 (i.e., the first source address) to honeypot 1 of honeypot system 300.
Further, the data management system acquires the response instruction in the data control instruction. The data management system generates response information according to the response instruction, and generates the source address (i.e., the second source address) and the destination address (i.e., the second destination address) with which the response information is transmitted. The generated second source address is the address of device 1, forged from the address of honeypot 1 of the honeypot system 300. That is, because the abnormal data packet generated when user terminal 1 accesses device 1 has been transmitted to honeypot 1 of the honeypot system 300, before honeypot 1 transmits the response information to user terminal 1, the data management system forges the actual source address carried in the response information (i.e., the address of honeypot 1) into the address of device 1 that user terminal 1 originally intended to access, as specified by the response instruction. Therefore, after the data control system transmits the response information to user terminal 1 (i.e., the second destination address) through honeypot 1, the source address of the response information (i.e., the second source address) received by user terminal 1 is displayed as the address of device 1, while the actual source address is the address of honeypot 1 of the honeypot system 300; the second source address displayed at user terminal 1 is the forged address (i.e., the address of device 1).
It should be noted that, when user terminal 1 accesses device 1, the address of user terminal 1 is the first source address, and the address of device 1 is the first destination address. When device 1 then returns response information to user terminal 1, the address of device 1 is the second source address, and the address of user terminal 1 is the second destination address. That is, the first source address and the second destination address are the same address, and the first destination address and the second source address are the same address. In other words, the first source address in the abnormal data packet is the second destination address in the response instruction, and the first destination address in the abnormal data packet is the second source address in the response instruction.
Therefore, in the technical scheme, the abnormal data packet is redirected to the honeypot system 300, the response information with the forged address information is returned to the user terminal, the actual source address (namely, the address of the honeypot) in the response information is hidden, the attacker is confused, the equipment safety is protected, the attacker cannot attack the accessed target equipment through the abnormal data packet, and the information of the attacker is collected through the honeypot system 300.
Optionally, the operation of creating a mapping policy includes: determining the equipment type of the target equipment and each honeypot type of the honeypot system; and establishing a mapping relation between the target equipment with the same type and the honeypots of the honeypot system.
Specifically, the policy management system of the data processing system needs to create a mapping policy before the data processing system can be applied. Referring to FIG. 4, the honeypot system includes honeypots 1 to 4, and the target devices protected by the data processing system include devices 1 to 4. The policy management system acquires the honeypot types (for example, application types) of honeypots 1 to 4, then acquires the device types of devices 1 to 4, and matches each honeypot with a target device of the same type, thereby establishing a mapping relationship. For example, if honeypot 1 is of the same type as device 1, the policy management system establishes a mapping relationship between honeypot 1 and device 1, i.e., the address of device 1 is mapped to the address of honeypot 1. Here the device type is the application type of the target device. For example, if the target device is a PLC device (i.e., the device type), the policy management system establishes a mapping relationship between a PLC honeypot (i.e., the honeypot type) and the PLC device.
Therefore, according to the technical scheme, the mapping relationship is established between the target device and a honeypot of the same device type, so that the honeypot matches the target device more closely. When response information is returned to the user terminal, the forged address information obtained by the user terminal is highly similar to the address of the device it originally intended to access, which prevents the forged address information from being discovered by the offensive user terminal and misleads that user terminal.
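The policy management steps above (creating the mapping policy by device type, generating the redirection and response instructions, and falling back to a same-type or random honeypot for an unmapped device) together with the data control steps (redirecting the packet and returning a response under the forged address), as one added Python example that is not the patent's own code. The device types, addresses and honeypots are constructed values, and the random fallback is driven by an injectable `random.Random` so the selection can be reproduced.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not the patent's code). Policy management: mapping policy by
# device type, fallback selection, redirection and response instructions.
# Data control: apply the redirection and build the forged-source response.
# All addresses, types and honeypots below are constructed sample values.
@dataclass(frozen=True)
class Honeypot:
    address: str
    honeypot_type: str      # application type the honeypot imitates, e.g. "PLC"
@dataclass(frozen=True)
class TargetDevice:
    address: str
    device_type: str        # application type of the protected device
@dataclass(frozen=True)
class EarlyWarning:
    first_source: str       # accessing user terminal
    first_destination: str  # accessed target device
    triggered_rule: str
@dataclass(frozen=True)
class RedirectInstruction:
    first_destination: str
    honeypot_address: str   # where the abnormal packet is actually delivered
@dataclass(frozen=True)
class ResponseInstruction:
    second_source: str      # forged source: the device address the terminal wanted
    actual_source: str      # the honeypot that really produced the reply
    second_destination: str # equals the first source address (the user terminal)
@dataclass(frozen=True)
class DataControlInstruction:
    redirect: RedirectInstruction
    response: ResponseInstruction
@dataclass(frozen=True)
class Packet:
    source: str
    destination: str
    data: bytes

class PolicyManager:
    def __init__(self, devices: List[TargetDevice], honeypots: List[Honeypot],
                 rng: Optional[random.Random] = None):
        self.honeypots = list(honeypots)
        self.devices = {d.address: d for d in devices}
        self.rng = rng or random.Random()
        self.mapping: Dict[str, str] = {}   # device address -> honeypot address
        self._create_mapping_policy()

    def _create_mapping_policy(self) -> None:
        """Pair each device with a not-yet-used honeypot of the same type; a device
        with no same-type honeypot left stays unmapped until a warning arrives."""
        free = list(self.honeypots)
        for dev in self.devices.values():
            for hp in free:
                if hp.honeypot_type == dev.device_type:
                    self.mapping[dev.address] = hp.address
                    free.remove(hp)
                    break

    def _select_honeypot(self, device_address: str) -> Honeypot:
        """Fallback for an unmapped device: random same-type honeypot, else any honeypot."""
        dev = self.devices.get(device_address)
        same_type = [h for h in self.honeypots
                     if dev is not None and h.honeypot_type == dev.device_type]
        return self.rng.choice(same_type or self.honeypots)

    def generate_control_instruction(self, warning: EarlyWarning) -> DataControlInstruction:
        hp_addr = self.mapping.get(warning.first_destination)
        if hp_addr is None:
            hp_addr = self._select_honeypot(warning.first_destination).address
            self.mapping[warning.first_destination] = hp_addr  # remember the new relation
        redirect = RedirectInstruction(warning.first_destination, hp_addr)
        response = ResponseInstruction(second_source=warning.first_destination,
                                       actual_source=hp_addr,
                                       second_destination=warning.first_source)
        return DataControlInstruction(redirect, response)

def redirect_packet(packet: Packet, instr: DataControlInstruction) -> Packet:
    """Data control: rewrite the first destination so the packet reaches the honeypot."""
    if packet.destination != instr.redirect.first_destination:
        raise ValueError("redirection instruction does not match this packet")
    return Packet(packet.source, instr.redirect.honeypot_address, packet.data)

def build_response(instr: DataControlInstruction, honeypot_reply: bytes) -> Packet:
    """Data control: return the honeypot's reply with the forged device address as source."""
    return Packet(instr.response.second_source, instr.response.second_destination, honeypot_reply)

# Constructed sample: five protected devices, three honeypots (no RTU honeypot,
# and only two PLC honeypots for three PLC devices).
DEVICES = [TargetDevice("192.168.1.10", "PLC"), TargetDevice("192.168.1.11", "PLC"),
           TargetDevice("192.168.1.12", "PLC"), TargetDevice("192.168.1.20", "HMI"),
           TargetDevice("192.168.1.30", "RTU")]
HONEYPOTS = [Honeypot("10.10.0.1", "PLC"), Honeypot("10.10.0.2", "HMI"),
             Honeypot("10.10.0.3", "PLC")]
```

With `pm = PolicyManager(DEVICES, HONEYPOTS)`, a warning for 192.168.1.10 yields a redirect to 10.10.0.1 and a response whose displayed source is 192.168.1.10; warnings for 192.168.1.12 and 192.168.1.30 exercise the same-type and any-honeypot fallbacks, after which the chosen relation is kept for later packets.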
Optionally, before performing security detection on the acquired data packet, the method further includes: and acquiring the data packet through preset terminal equipment, and carrying out mirror image processing on the data packet.
Specifically, when the user terminal 1 accesses the device 1, a data packet is generated, and then the terminal device 100, for example, a switch, acquires the data packet and mirrors the data packet to a physical port or a virtual port of a pre-specified switch, and the data auditing system acquires the data packet from the physical port or the virtual port and then performs security detection on the data packet. The data auditing system acquires data packets from the physical port or the virtual port as mirror image data.
Therefore, according to the technical scheme, the acquired data packet is subjected to mirror image processing, then the mirror image data is subjected to security detection, and the data packet can be directly ignored under the condition that the data packet has no security risk. In addition, the technical scheme can realize flow load balance and realize multi-line support by carrying out mirror image processing on the data packet under the condition of too large data flow.
In addition, referring to fig. 5, the data control system and the data auditing system usually run on the same hardware device (e.g., a switch), but in order to achieve flexible management, the policy management system may also be deployed on other devices, and meanwhile, data is transmitted between the systems in an encrypted manner, so as to prevent the data control instruction from being stolen or tampered.
Referring to fig. 6 and 7, the flow of processing the packet includes the following steps:
(1) the data auditing system identifies abnormal data packets which are abnormally accessed from the whole network, and generates early warning information which can be identified by the strategy management system according to the abnormal data packets;
(2) the strategy management system generates a data control instruction according to the instruction protocol of the data control system by combining the mapping relation between the target equipment and the honeypot system according to the early warning information;
(3) after receiving the data control instruction, the northbound interface of the data control system transmits the data control instruction to a specific operating system and hardware equipment (such as a switch) through the southbound interface, so as to achieve the purpose of controlling the abnormal data packet.
In the data control system, the northbound interface is an API interface interacting with the policy management system, and the southbound interface is a special protocol interface providing an interface for inquiring distribution instructions for a specific operating system and hardware equipment (such as a switch) with data distribution capability.
Further, referring to fig. 1, according to a second aspect of the present embodiment, there is provided a storage medium. The storage medium comprises a stored program, wherein the method of any of the above is performed by a processor when the program is run.
Therefore, according to the embodiment, the data auditing system screens out the abnormal data packets and generates the early warning information containing the address information according to the abnormal data packets, so that the offensive abnormal data packets can be found in time and early warning can be performed in time. And then the strategy management module generates a redirection instruction for redirecting the abnormal data packet to the honeypot system according to the address information in the early warning information, and generates a response instruction comprising the forged address of the accessed device. And then the data control module redirects the abnormal data packet to the honeypot system according to the redirection instruction, so that the technical effect of transferring the offensive abnormal data packet is realized under the condition that the target equipment is attacked. And the data control module sends response information to the user terminal of the attacker after generating the response information according to the response instruction, so that the abnormal data packet can be redirected to the honeypot system under the condition that the attacker does not sense the abnormal data packet, and meanwhile, the response of the honeypot system can be disguised as the response of the original access target of the attack data, so that the effect of falsifying is achieved. And further, when the attack is detected, the target equipment is not influenced by the abnormal data packet any more, so that the service of the target equipment can run normally, and the aim of improving the service continuity of the target equipment is fulfilled.
Furthermore, the technical scheme can actively transfer the abnormal data packet to the honeypot system under the condition that the offensive abnormal data packet is detected, so that the uncertainty that the abnormal data packet can attack the honeypot system due to the fact that the honeypot system is arranged in the bypass deployment mode in the prior art is avoided. Therefore, the processing probability of the data processing system for processing the abnormal data packet is greatly improved, and the safety of the target equipment is ensured. In addition, the technical scheme deploys the data processing system bypass to the target equipment, thereby avoiding the data processing system from invading the service equipment corresponding to the target equipment and ensuring the confidentiality, the integrity and the availability of the service equipment corresponding to the target equipment. And the technical problem of low safety rate when the honeypot system is used for protecting the target equipment in the prior art is solved.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the description of the foregoing embodiments, it is clear to those skilled in the art that the method according to the foregoing embodiments may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
Fig. 8 shows a data processing device 800 according to the present embodiment, which device 800 corresponds to the method according to the first aspect of embodiment 1. Referring to fig. 8, the apparatus 800 includes: the information generating module 810 is configured to perform security detection on the obtained data packets, screen abnormal data packets with risks, and generate early warning information according to the abnormal data packets, where the data packets are traffic data transmitted through a network and used for accessing a target device; the instruction generating module 820 is used for generating a data control instruction according to the early warning information based on the mapping relation with the preset honeypot system; and a data sending module 830, configured to send the abnormal data packet to the honeypot system according to the data control instruction, and generate response information corresponding to the abnormal data packet.
Optionally, the information generating module 810 includes: the data decoding submodule is used for decoding the data packet to obtain a corresponding first source address, a corresponding first destination address and corresponding data information, wherein the data information is instruction information in the data packet; the data screening submodule is used for detecting the data packets according to a preset intrusion detection rule and screening abnormal data packets, wherein the abnormal data packets are data packets with security risks; and the information generation submodule is used for generating early warning information according to the data information, the first source address, the first destination address and the triggered intrusion detection rule in the abnormal data packet.
Optionally, the instruction generating module 820 includes: the first generation submodule is used for acquiring a first destination address in the early warning information and generating a redirection instruction according to a preset mapping strategy, wherein the redirection instruction is used for redirecting the first destination address to a corresponding honeypot in the honeypot system; and the second generation submodule is used for acquiring a first source address in the early warning information and generating a response instruction according to a preset mapping strategy, wherein the second source address in the response instruction is a first destination address obtained by forging a honeypot address in the honeypot system, and the mapping strategy is used for indicating the mapping relation between the first destination address and the honeypot system.
Optionally, the instruction generating module 820 further includes: the third generation submodule is used for acquiring a first destination address in the early warning information, determining a honeypot in the honeypot system of which the device type is the same as that of the target device according to the device type of the target device corresponding to the first destination address, and generating a redirection instruction, wherein the redirection instruction is used for redirecting the first destination address to the corresponding honeypot in the honeypot system; and the fourth generation submodule is used for acquiring the first source address in the early warning information and generating a response instruction, wherein the second source address in the response instruction is a first destination address obtained by forging the honeypot address in the honeypot system, and the mapping strategy is used for indicating the mapping relation between the first destination address and the honeypot system.
Optionally, the data sending module 830 includes: the instruction receiving submodule is used for receiving a data control instruction corresponding to the abnormal data packet; the redirection submodule is used for redirecting the first destination address of the abnormal data packet to the honeypot system according to the redirection instruction in the data control instruction; and the fifth generation submodule is used for generating a corresponding second source address according to a response instruction in the data control instruction, and returning response information corresponding to the abnormal data packet to the first source address according to the second source address, wherein the first source address is a second destination address in the response instruction.
Optionally, the operation of creating the mapping policy includes: a first determining module, configured to determine the device type of the target device and the type of each honeypot in the honeypot system; and a relation establishing module, configured to establish a mapping relationship between each target device and a honeypot of the honeypot system of the same type.
Optionally, before security detection is performed on the acquired data packet, the apparatus further includes: a mirroring module, configured to acquire the data packet through a preset terminal device and to mirror (copy) the data packet for inspection.
Therefore, according to this embodiment, the data auditing system screens out abnormal data packets and generates early warning information containing the address information from them, so that offensive abnormal data packets are discovered and reported in time. The policy management module then generates, from the address information in the early warning information, a redirection instruction for redirecting the abnormal data packet to the honeypot system, and a response instruction whose source address is the forged address of the device that was being accessed. The data control module then redirects the abnormal data packet to the honeypot system according to the redirection instruction, so that an offensive abnormal data packet is diverted when the target device comes under attack. After generating response information according to the response instruction, the data control module sends the response information to the attacker's user terminal, so that the abnormal data packet is redirected to the honeypot system without the attacker noticing, and the honeypot system's response is disguised as a response from the original target of the attack data; the honeypot thus passes for the real target. Consequently, once an attack is detected, the target device is no longer affected by the abnormal data packet, its services keep running normally, and the service continuity of the target device is improved.
Further, with this technical solution, an offensive abnormal data packet is actively diverted to the honeypot system as soon as it is detected, which removes the uncertainty of the prior art, where a honeypot deployed in bypass mode only captures an abnormal data packet if the attacker happens to reach the honeypot. The probability that the data processing system handles an abnormal data packet is therefore greatly increased, and the security of the target device is ensured. In addition, the data processing system is deployed in bypass mode alongside the target device, so it does not intrude on the service device corresponding to the target device, and the confidentiality, integrity and availability of that service device are preserved. This solves the technical problem of the prior art, in which protecting a target device with a honeypot system has a low protection rate.
Example 3
Fig. 9 shows a data processing apparatus 900 according to the first aspect of this embodiment; the apparatus 900 corresponds to the method according to the first aspect of Embodiment 1. Referring to Fig. 9, the apparatus 900 includes: a processor 910; and a memory 920 coupled to the processor 910 and storing instructions that cause the processor 910 to perform the following steps: performing security detection on acquired data packets, screening out abnormal data packets that carry a risk, and generating early warning information from the abnormal data packets, wherein the data packets are traffic transmitted over a network for accessing the target device; generating a data control instruction from the early warning information on the basis of a mapping relationship with a preset honeypot system; and sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
Optionally, the operation of performing security detection on the acquired data packets, screening out abnormal data packets that carry a risk, and generating early warning information from the abnormal data packets includes: decoding the data packet to obtain its first source address, first destination address and data information, wherein the data information is the instruction (command) information carried in the data packet; inspecting the data packets against preset intrusion detection rules and screening out the abnormal data packets, wherein an abnormal data packet is a data packet that carries a security risk; and generating the early warning information from the data information, the first source address, the first destination address and the triggered intrusion detection rule of the abnormal data packet.
Optionally, the operation of generating the data control instruction from the early warning information on the basis of the mapping relationship with the preset honeypot system includes: obtaining the first destination address from the early warning information and generating a redirection instruction according to a preset mapping policy, wherein the redirection instruction is used to redirect traffic addressed to the first destination address to the corresponding honeypot in the honeypot system; and obtaining the first source address from the early warning information and generating a response instruction according to the preset mapping policy, wherein the second source address in the response instruction is the first destination address, forged in place of the honeypot's own address so that the honeypot's reply appears to originate from the target device, and the mapping policy indicates the mapping relationship between the first destination address and the honeypot system.
Optionally, generating the data control instruction from the early warning information on the basis of the mapping relationship with the preset honeypot system further includes: obtaining the first destination address from the early warning information, determining, from the device type of the target device corresponding to the first destination address, a honeypot in the honeypot system whose device type is the same as that of the target device, and generating a redirection instruction, wherein the redirection instruction is used to redirect traffic addressed to the first destination address to that honeypot; and obtaining the first source address from the early warning information and generating a response instruction, wherein the second source address in the response instruction is the first destination address forged in place of the honeypot's address, and the mapping policy indicates the mapping relationship between the first destination address and the honeypot system.
Optionally, the operation of sending the abnormal data packet to the honeypot system according to the data control instruction and generating the response information corresponding to the abnormal data packet includes: receiving the data control instruction corresponding to the abnormal data packet; rewriting the first destination address of the abnormal data packet to the honeypot system according to the redirection instruction in the data control instruction; and generating the corresponding second source address according to the response instruction in the data control instruction and returning the response information corresponding to the abnormal data packet to the first source address with the second source address as its source, wherein the first source address is the second destination address in the response instruction.
Optionally, the operation of creating the mapping policy includes: determining the device type of the target device and the type of each honeypot in the honeypot system; and establishing a mapping relationship between each target device and a honeypot of the honeypot system of the same type.
Optionally, before security detection is performed on the acquired data packet, the method further includes: acquiring the data packet through a preset terminal device and mirroring (copying) the data packet for inspection.
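The steps above (detect, generate the data control instruction from the early warning information and the device-type mapping policy, rewrite the destination to the honeypot, and re-source the honeypot's reply from the original target) are easier to follow as one runnable model. The following is an added example written for this page; it is not code from the patent or its applicant. The packet and alert structures, the substring "intrusion detection rules", the addresses, the device types and the stand-in honeypot are all constructed assumptions for illustration.

```python
"""Added example (not the patent's code): minimal model of the detect ->
instruct -> redirect -> spoof pipeline described for Embodiment 3.
Every rule, address and device type below is a constructed assumption."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed intrusion detection rules: (rule id, payload pattern).
INTRUSION_RULES = [
    ("RULE-CMD-INJ", "; rm -rf"),
    ("RULE-PLC-WRITE", "WRITE_COIL"),
]
# Constructed inventory: target device address -> device type.
TARGETS = {"192.168.1.10": "plc", "192.168.1.20": "web-server", "192.168.1.30": "camera"}
# Constructed honeypot system: honeypot address -> device type it emulates.
HONEYPOTS = {"10.10.0.10": "plc", "10.10.0.20": "web-server"}


@dataclass
class Packet:
    src: str      # source address
    dst: str      # destination address
    payload: str  # "data information": the command carried in the packet


@dataclass
class Alert:
    """Early warning information: both addresses, payload and the rule that fired."""
    first_src: str
    first_dst: str
    payload: str
    rule_id: str


@dataclass
class ControlInstruction:
    """Data control instruction: a redirection part and a response part."""
    redirect_to: str  # honeypot that replaces the first destination address
    second_src: str   # source forged onto the honeypot reply (= first destination)
    second_dst: str   # where the reply goes (= first source, the attacker)


def detect(pkt: Packet) -> Optional[Alert]:
    """Security detection: Alert for the first rule the payload trips, else None
    (benign traffic reaches the target untouched)."""
    for rule_id, pattern in INTRUSION_RULES:
        if pattern in pkt.payload:
            return Alert(pkt.src, pkt.dst, pkt.payload, rule_id)
    return None


def build_mapping_policy(targets: Dict[str, str], honeypots: Dict[str, str]) -> Dict[str, str]:
    """Mapping policy: pair each target with a honeypot of the same device type.
    A target with no same-type honeypot gets no entry and cannot be redirected."""
    honeypot_by_type: Dict[str, str] = {}
    for hp_addr, hp_type in honeypots.items():
        honeypot_by_type.setdefault(hp_type, hp_addr)
    return {addr: honeypot_by_type[kind] for addr, kind in targets.items() if kind in honeypot_by_type}


def generate_control_instruction(alert: Alert, policy: Dict[str, str]) -> Optional[ControlInstruction]:
    """Policy management: turn an alert into a redirect + response instruction."""
    honeypot = policy.get(alert.first_dst)
    if honeypot is None:
        return None  # the alert stands, but there is nothing of the same type to divert to
    return ControlInstruction(redirect_to=honeypot, second_src=alert.first_dst, second_dst=alert.first_src)


def redirect_packet(pkt: Packet, instr: ControlInstruction) -> Packet:
    """Data control, inbound: rewrite the destination to the honeypot (DNAT-style)."""
    return Packet(src=pkt.src, dst=instr.redirect_to, payload=pkt.payload)


def spoof_response(honeypot_reply: Packet, instr: ControlInstruction) -> Packet:
    """Data control, outbound: re-source the honeypot's reply from the original
    target address so the attacker never sees the honeypot's own address."""
    return Packet(src=instr.second_src, dst=instr.second_dst, payload=honeypot_reply.payload)


def fake_honeypot(pkt: Packet) -> Packet:
    """Constructed stand-in for the honeypot system: answers from its own address."""
    return Packet(src=pkt.dst, dst=pkt.src, payload="ACK " + pkt.payload.split()[0])


def process(pkt: Packet, policy: Dict[str, str],
            honeypot: Callable[[Packet], Packet]) -> Tuple[Optional[Alert], Optional[Packet]]:
    """Whole pipeline. Returns (alert, spoofed reply): alert is None for benign
    traffic; reply is None when an alert has no same-type honeypot to divert to."""
    alert = detect(pkt)
    if alert is None:
        return None, None
    instr = generate_control_instruction(alert, policy)
    if instr is None:
        return alert, None
    reply = honeypot(redirect_packet(pkt, instr))
    return alert, spoof_response(reply, instr)


if __name__ == "__main__":
    policy = build_mapping_policy(TARGETS, HONEYPOTS)
    alert, reply = process(Packet("10.0.0.5", "192.168.1.10", "WRITE_COIL 0x01 ON"), policy, fake_honeypot)
    print(alert)
    print(reply)  # reply.src is 192.168.1.10 (the PLC) although 10.10.0.10 answered
```

Two points the model makes visible. First, there are two rewrites, not one: inbound the destination becomes the honeypot, outbound the source becomes the original target, and in a real deployment both must be applied to every packet of the flow, not only to the packet that tripped the rule, otherwise the attacker's session splits between target and honeypot and the deception is obvious. Second, the unmapped `camera` target shows the failure mode the device-type mapping is there to prevent: a target with no honeypot of the same type produces an alert but cannot be diverted, and falling back to a honeypot of a different type would expose the redirection at the first protocol-level reply.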
Therefore, according to this embodiment, the data auditing system screens out abnormal data packets and generates early warning information containing the address information from them, so that offensive abnormal data packets are discovered and reported in time. The policy management module then generates, from the address information in the early warning information, a redirection instruction for redirecting the abnormal data packet to the honeypot system, and a response instruction whose source address is the forged address of the device that was being accessed. The data control module then redirects the abnormal data packet to the honeypot system according to the redirection instruction, so that an offensive abnormal data packet is diverted when the target device comes under attack. After generating response information according to the response instruction, the data control module sends the response information to the attacker's user terminal, so that the abnormal data packet is redirected to the honeypot system without the attacker noticing, and the honeypot system's response is disguised as a response from the original target of the attack data; the honeypot thus passes for the real target. Consequently, once an attack is detected, the target device is no longer affected by the abnormal data packet, its services keep running normally, and the service continuity of the target device is improved.
Furthermore, with this technical solution, an offensive abnormal data packet is actively diverted to the honeypot system as soon as it is detected, which removes the uncertainty of the prior art, where a honeypot deployed in bypass mode only captures an abnormal data packet if the attacker happens to reach the honeypot. The probability that the data processing system handles an abnormal data packet is therefore greatly increased, and the security of the target device is ensured. In addition, the data processing system is deployed in bypass mode alongside the target device, so it does not intrude on the service device corresponding to the target device, and the confidentiality, integrity and availability of that service device are preserved. This solves the technical problem of the prior art, in which protecting a target device with a honeypot system has a low protection rate.
The numbering of the embodiments of the present invention above is for description only and does not indicate that one embodiment is preferable to another.
In the above embodiments of the present invention, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
It should be understood that, in the embodiments provided in the present application, the disclosed technology may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in practice: several units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, units or modules, and may be electrical or of another form.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various modifications and improvements without departing from the principle of the present invention, and these modifications and improvements are also regarded as within the protection scope of the present invention.

Claims (10)

1. A data processing method, comprising:
performing security detection on acquired data packets, screening out abnormal data packets that carry a risk, and generating early warning information from the abnormal data packets, wherein the data packets are traffic transmitted over a network for accessing a target device;
generating a data control instruction from the early warning information on the basis of a mapping relationship with a preset honeypot system; and
sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
2. The method of claim 1, wherein the operation of performing security detection on the acquired data packets, screening out abnormal data packets that carry a risk, and generating early warning information from the abnormal data packets includes:
decoding the data packet to obtain its first source address, first destination address and data information, wherein the data information is the instruction information carried in the data packet;
inspecting the data packets against preset intrusion detection rules and screening out the abnormal data packets, wherein an abnormal data packet is a data packet that carries a security risk; and
generating the early warning information from the data information, the first source address, the first destination address and the triggered intrusion detection rule of the abnormal data packet.
3. The method of claim 1, wherein the operation of generating the data control instruction from the early warning information on the basis of the mapping relationship with the preset honeypot system includes:
obtaining the first destination address from the early warning information and generating a redirection instruction according to a preset mapping policy, wherein the redirection instruction is used to redirect traffic addressed to the first destination address to the corresponding honeypot in the honeypot system; and
obtaining the first source address from the early warning information and generating a response instruction according to the preset mapping policy, wherein the second source address in the response instruction is the first destination address, forged in place of the honeypot's address in the honeypot system, and the mapping policy indicates the mapping relationship between the first destination address and the honeypot system.
4. The method of claim 3, wherein generating the data control instruction from the early warning information on the basis of the mapping relationship with the preset honeypot system further includes:
obtaining the first destination address from the early warning information, determining, from the device type of the target device corresponding to the first destination address, a honeypot in the honeypot system whose device type is the same as that of the target device, and generating a redirection instruction, wherein the redirection instruction is used to redirect traffic addressed to the first destination address to that honeypot in the honeypot system; and
obtaining the first source address from the early warning information and generating a response instruction, wherein the second source address in the response instruction is the first destination address, forged in place of the honeypot's address in the honeypot system, and the mapping policy indicates the mapping relationship between the first destination address and the honeypot system.
5. The method of claim 4, wherein the operation of sending the abnormal data packet to the honeypot system according to the data control instruction and generating the response information corresponding to the abnormal data packet includes:
receiving the data control instruction corresponding to the abnormal data packet;
rewriting the first destination address of the abnormal data packet to the honeypot system according to the redirection instruction in the data control instruction; and
generating the corresponding second source address according to the response instruction in the data control instruction, and returning the response information corresponding to the abnormal data packet to the first source address with the second source address as its source, wherein the first source address is the second destination address in the response instruction.
6. The method of claim 4, wherein the operation of creating the mapping policy includes:
determining the device type of the target device and the type of each honeypot in the honeypot system; and
establishing a mapping relationship between each target device and a honeypot of the honeypot system of the same type.
7. The method of claim 1, further comprising, before security detection is performed on the acquired data packet: acquiring the data packet through a preset terminal device and mirroring the data packet.
8. A storage medium comprising a stored program, wherein, when the program is run, a processor performs the method of any one of claims 1 to 7.
9. A data processing apparatus, comprising:
an information generation module, configured to perform security detection on acquired data packets, screen out abnormal data packets that carry a risk, and generate early warning information from the abnormal data packets, wherein the data packets are traffic transmitted over a network for accessing a target device;
an instruction generation module, configured to generate a data control instruction from the early warning information on the basis of a mapping relationship with a preset honeypot system; and
a data sending module, configured to send the abnormal data packet to the honeypot system according to the data control instruction and to generate response information corresponding to the abnormal data packet.
10. A data processing apparatus, comprising:
a processor; and
a memory coupled to the processor and storing instructions that cause the processor to perform the following steps:
performing security detection on acquired data packets, screening out abnormal data packets that carry a risk, and generating early warning information from the abnormal data packets, wherein the data packets are traffic transmitted over a network for accessing a target device;
generating a data control instruction from the early warning information on the basis of a mapping relationship with a preset honeypot system; and
sending the abnormal data packet to the honeypot system according to the data control instruction, and generating response information corresponding to the abnormal data packet.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210175765.3A 2022-02-25 2022-02-25 Data processing method, device and storage medium

Publications (1)

Publication Number Publication Date
CN114629691A 2022-06-14

Family ID: 81899422
Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network cheating
CN113949520A (en) * 2020-06-29 2022-01-18 奇安信科技集团股份有限公司 Method, apparatus, computer device and readable storage medium for spoof trapping
CN112995162A (en) * 2021-02-07 2021-06-18 深信服科技股份有限公司 Network traffic processing method and device, electronic equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115118473A (en) * 2022-06-20 2022-09-27 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium
CN115118473B (en) * 2022-06-20 2023-07-14 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220614